
The Deal Team’s Blind Spot – Cyber Risk in Value Creation

Cyber risk deserves a seat at the CEO’s table

In my last article, The CEO’s Missing Advisor, I explained why cyber risk belongs at the CEO’s table alongside the CPA, attorney, and insurance broker. That seat is still empty in most boardrooms.

But CEOs are not the only ones with this blind spot. Private equity buyers are missing it too. And the cost of ignoring it is even higher.


Cyber is the Top Business Risk

The Allianz Risk Barometer 2025 ranked cyber incidents as the number one global business risk. Thirty-eight percent of executives placed it ahead of natural catastrophes and traditional business interruption.

The supporting data is clear.

  • 58 percent of organizations experienced a breach in the last two years (Ponemon/Optiv 2025).
  • The average U.S. data breach cost is $10.22 million (IBM 2025).
  • Ransomware remains one of the leading causes of intrusions and downtime (Verizon DBIR 2025).

And ransomware has changed. With generative AI fueling a $10 trillion cybercrime economy, the game is no longer just about stolen data. It is about disruption, downtime, and forcing payments through operational paralysis.

That is why in some deals, diligence uncovers a ransomware event and suddenly your 90-day close becomes a 12-month nightmare while systems are rebuilt, insurers investigate, regulators step in, and customers waver.

That is not a delay. That is a deal killer.


From Both Sides of the Table

For Sellers: Cyber risk is existential.

  • 80% of SMEs lack a cyber risk assessment or incident response plan.
  • 62% are attacked annually.
  • Ransomware and BEC attacks driven by AI are up 73%.
  • Average disruption: 22–24 days.
  • Average ransomware cost: $5.6M.
  • Valuation erosion: 10–30%.
  • Deal delays: 12–36 months.

For Buyers: Cyber risk is an inherent liability.

  • Breaches discovered in diligence cut offers by 10–30%.
  • Closings stall 12–36 months when incidents surface late.
  • Post-close exposures bring regulatory fines, downtime, and reputational loss.
  • One recent case: a buyer lost $8.5M, or 20% of valuation, when a breach was uncovered during final audits.

Whether you are buying or selling, the math is the same. Cyber risk destroys value if it is not surfaced and managed.


A Split in the Market

It is worth noting that not all private equity buyers are in the same place on cyber diligence. At the upper end of the market, progress is happening. A recent survey found that nearly 60 percent of large-cap transactions now include some form of cyber due diligence. Mega-funds and global players have the pressure of regulators, LPs, and insurers, and they have the resources to treat cyber like any other standard diligence track.

The mid-tier is another story. Many middle-market firms and regional buyers still treat cyber as an IT checkbox. They rely on seller disclosures, MSP contracts, or basic questionnaires. In other words, they manage cyber risk as if it were a line item in operations rather than a factor that can derail closings, cut valuations, or trigger post-transaction liabilities.

This creates a growing gap. Large-cap sponsors are moving ahead, embedding cyber diligence as part of their standard playbook. Mid-tier sponsors are falling behind, assuming they can engineer around the risk. The reality is that cyber does not respect deal size. The same ransomware kit that takes down a $200 million company can just as easily freeze a $20 billion one.

And here is the urgency. Over the next five to ten years, a wave of Boomer- and Xer-owned businesses will hit the market as founders exit. These are exactly the types of companies that are most vulnerable: under-invested in cybersecurity, overly reliant on outsourced IT, and often blind to the real risks in their systems and processes. They will be the backbone of mid-tier private equity deal flow, and they will bring cyber blind spots with them.

Which means this is not just about best practices. It is about survival in a coming flood of transactions where those who manage cyber risk well will protect value and speed, while those who do not will pay in delays, haircuts, or failed deals.


Distress PE Loves vs. Distress That Kills Deals

Private equity firms pride themselves on thriving in distress. That is the essence of the playbook.

  • Change management distress: legacy leadership, cultural inertia, slow adoption of new practices.
  • Systems and process distress: outdated workflows, poor metrics, lack of throughput.
  • Alignment distress: founder-led missteps, governance gaps, unclear decision rights in the first 100 days.

These are the problems PE was built to fix. Predictable. Quantifiable. And most importantly, responsive to structure. You can align leadership, install systems, coach culture, and drive measurable change within 12 to 36 months. That is where the value creation levers come alive.

Cyber distress does not fit the playbook.

  • Change management? Irrelevant if ransomware freezes operations tomorrow. You cannot coach alignment when payroll is locked.
  • Systems and processes? Useless if codebases are riddled with vulnerabilities or Shadow AI is leaking sensitive data into public models. That is not inefficiency. That is exposure.
  • First 100 days alignment? Impossible if a breach surfaces post-close. Instead of building trust, management and sponsors start the relationship by pointing fingers.

Cyber distress is not inefficiency. It is chaos. It does not compress timelines. It blows them up.

PE firms can model bloat. They cannot model unpredictability. And when chaos hits in the form of ransomware or AI-driven breaches, the deal timeline does not slip by a quarter. It collapses by a year or more.

If you think you are buying cheap, you may actually be buying radioactive.


Cyber Risk Across the Value Creation Levers

Private equity playbooks talk about alignment, operational improvement, systems and technology, analytics, M&A strategy, and exit readiness. Cyber risk cuts across every one of them.

  • Alignment: Boards and LPs expect visibility into risk. Cyber diligence is the only way to show execution timelines will not be derailed.
  • Operational Improvement: Speed depends on availability. A ransomware freeze halts initiatives and burns ROI.
  • Systems, Technology, and Software: Upgrades fail if the foundation is already compromised. This includes internally developed applications. Insecure code, outdated libraries, exposed secrets, or weak pipelines can turn every release into a liability. And today, companies are sprinting into AI adoption without guardrails. That creates Shadow AI: employees feeding sensitive data into unvetted models. It is like giving the keys of a sports car to a 16-year-old with a brand-new license. Quick, fast, and in a hurry, but one wrong move and the business is in a ditch. An AI Readiness Assessment now belongs in every diligence checklist.
  • Analytics: Data only supports strategy if it is accurate and secure. Shadow AI use can poison analytics by leaking confidential data and corrupting trusted sources.
  • M&A Integration: Add-ons multiply the attack surface. Without cyber, software, and AI validation, you inherit hidden liabilities.
  • Exit Readiness: Buyers cut multiples when they see uncertainty. A weak cyber or AI posture raises the question: “What else don’t we know?”

For software and AI-driven businesses, the quality and security of code, pipelines, and AI governance are now part of enterprise value. Due diligence must evaluate not just tools, but the people and processes behind every release and every AI deployment.


The Overlooked Risk Window: TSAs

One of the most vulnerable phases of a transaction is the Transition Services Agreement (TSA). It is the duct tape between the buyer and seller systems. And it is often ignored.

Attackers know it. With AI-powered phishing and ransomware kits on the dark web, TSA periods have become prime hunting grounds. Weak segmentation, unclear roles, and unmonitored connections are the perfect targets.

If ransomware hits during TSA, you are not just negotiating integration steps. You are staring at a six to twelve-month closing delay.


TSA Cyber Risk Checklist

  1. Roles and Responsibilities: Define ownership of detection, response, and communication.
  2. Access and Identity: Migrate accounts quickly, enforce MFA, and eliminate shared logins.
  3. Network and Connectivity: Segment connections and monitor TSA traffic.
  4. Data and Backups: Clarify ownership and ensure tested, immutable backups exist.
  5. Vendor Dependencies: Confirm contracts and security obligations transfer cleanly.
  6. Compliance and Insurance: Ensure the TSA period is covered by policies and frameworks.
  7. Exit Plan: Establish milestones and penalties for TSA overruns.

Without these basics, the TSA is not a bridge. It is an open tollbooth for ransomware operators.


AI Readiness: The New Due Diligence

AI is racing ahead faster than governance can catch it. That makes AI Readiness Assessments essential in diligence. Following NIST AI RMF 100 and NIST AI 600, sponsors should demand evidence across these areas.

  1. Governance – Is there board-level accountability for AI deployments?
  2. Shadow AI – Has the company inventoried unapproved tools and risky employee usage?
  3. Data Management – Are safeguards in place to prevent confidential data from leaking into models?
  4. Security Controls – Are AI systems red-teamed, monitored, and integrated into the SDLC?
  5. Compliance – Is the company aligned with sector rules and upcoming AI regulations?
  6. Workforce – Are employees trained on safe AI practices?
  7. Exit Impact – Can management prove AI is an asset, not a liability, in a sale?


From Well-Read to Battle-Tested

The difference between being well-read and being battle-tested is experience.

After 25 years in cyber risk and conducting thousands of assessments for organizations ranging from global Fortune 50s to SMEs, across every major industry, we have developed a clear perspective on what truly drives resilience.

That perspective is exactly what private equity firms need to mitigate risk in transactions. We have seen ransomware incidents derail closings, valuation haircuts driven by undisclosed breaches, and successful exits accelerated because cyber diligence was handled the right way.

This is not theory. It is lived experience.


Cyber as the Missing Lever

Private equity firms love to claim sophistication. But cyber risk, and now AI risk, remain the lever behind all levers.

Ignore them, and you are not creating value. You are buying salvage titles, ransomware delays, and AI-driven surprises. Address them early, and you accelerate execution and protect valuation.


Closing

At NCX Group, we integrate cyber and AI due diligence, including application and code reviews, TSA safeguards, and AI Readiness Assessments, alongside financial and legal diligence. That allows deal teams to:

  • Close faster.
  • Reduce friction.
  • Preserve exit value.

The only question is this. Will you address cyber and AI risk before the deal closes, or wait for the salvage-title surprise that teaches the lesson for you?

Mike Fitzpatrick

Founder & CEO, NCX Group

Distinguished Fellow, Ponemon Institute

www.ncxgroup.com


Repost from LinkedIn – https://www.linkedin.com/pulse/deal-teams-blind-spot-cyber-risk-value-creation-mike-fitzpatrick-s1wmf/
