Let’s start with a simple question that most owners never get asked.
If a buyer’s diligence team walked in tomorrow and asked for proof that cyber risk is under control, what would you hand them in the first five minutes?
Most business owners carry the same picture in their head. One day, they sell the company, pay off the debt, and that wire becomes their retirement. For many Boomers and Gen X owners, 80 to 90 percent of their retirement is tied up in that moment. With millions of privately held businesses expected to change hands over the next decade, the most prepared owners will win on valuation and terms.
Cyber risk is one of the few things that can move that number by 10, 20, or even 30 percent, often in the last year before a deal. It shows up as lost revenue, higher costs, lower valuation, and deals that take longer or never close, not as a technical problem in the server room.
If you want to protect valuation, you have to start this journey two or three years before an exit. That gives you time to do an independent assessment, fix the obvious issues, and build the documentation and proof a buyer needs to see. That preparation is what prevents the checkbox haircut before negotiations even start.
Think of it this way.
On the sell side, my team is the contractor you hire to get the property ready for sale. We help you find and fix the things that will scare off a buyer or drive down the offer.
On the buy side, we are the home inspector. We walk the property with a flashlight and a clipboard. After almost 25 years and thousands of assessments, my team can spot a smoke screen quickly.
The earlier you bring that mindset into your business, the less of your retirement you leave on the table over something you could have proven and fixed in advance.

A typical conversation with a CEO or owner starts the same way.
“We are fine on cyber. Our MSP takes care of that.”
So I ask three questions.
That is usually where the answers slow down.
The numbers behind that silence are brutal. A large share of small and mid-sized businesses still has no formal cyber risk assessment or incident response plan. The share of SMEs hit by cyber incidents has climbed steadily over the past decade and now covers a clear majority of firms. Only a minority of small and mid-sized businesses survive a major cyber event as a going concern.
For CEOs, those numbers are not “threat stats.” They translate directly into longer outages, higher out-of-pocket costs, valuation haircuts, and, in too many cases, a retirement that never materializes.
Most mid-market companies are not reckless. They are trusting. But trust without verification is not risk management, especially when your exit check is your retirement.
I am not anti-MSP. For many businesses, outsourcing IT is the only practical way to keep systems running. Good MSPs and MSSPs are critical partners.
The problem is not that you use an MSP. The problem is that, in many companies, the MSP has quietly become “the security department” with almost no independent oversight.
You would never ask the CPA firm that does your books to also audit them. Everyone understands that independence matters in financial reporting. In the same way, you should not ask the same MSP who builds and runs your environment to be the only voice saying “you are safe.” Delivery and assurance have to be separate if you want a buyer, lender, insurer, or regulator to trust the result.
Right now, when I go into mid-market environments, I usually find the same patterns.
The question is not whether your MSP is technical enough. The question is whether, if something goes wrong, you can show a buyer, lender, insurer, or court that you understood the risk, set expectations, and verified performance. That is business and financial risk, not IT risk.
Cyber risk has never been about what you think or feel. It is about what you can prove. Most CEOs cannot prove very much.
From a deal perspective, the impact shows up in very specific ways.
Owners who cannot prove they have a real cyber risk program, with at least one independent assessment and some basic evidence, are already seeing haircuts on valuation. A 5 to 15 percent hit is not unusual, depending on industry and how critical the issues are. The middle of that range, in deal after deal, is right around 10 percent.
When you cannot answer the buyer’s cyber questions with real evidence, you should already expect that kind of haircut. The buyer has to price in unknown risk.
When you add a breach or ransomware event into the mix during diligence, the conversation changes completely. Now the buyer is not just dealing with unknowns. They are staring at a known incident, an unknown scope, and a real concern about what they might be inheriting. In those situations, it is common to see price reductions in the 25 to 30 percent range, along with tougher terms, higher escrows, and months of delay while their team digs through the rubble.
On a 20 million dollar exit, moving from a 10 percent haircut for weak answers to a 25 to 30 percent hit after a breach is the difference between losing two million dollars and losing five to six million. At 50 or 100 million, those same percentages are life-changing differences in what you and your family actually walk away with.
I know one CEO who learned this the hard way. His business was hit with a ransomware event that lasted more than 30 days. The breach came through his MSP. When the dust settled, he told me he had learned two things.
First. “No one told me cybersecurity was this critical to my business.” That means no one in his inner circle had a conversation that stuck.
Second. He no longer trusted his outsourced IT team. From his perspective, they had been the path in. That is not where you want to be a year or two before you try to sell.
And remember, many businesses never make it to the negotiating table at all after a truly major cyber event.
If you still think of cyber as an IT issue, you are looking in the wrong place. Cyber incidents hit revenue, cash flow, valuation, brand, and even regulatory exposure in one shot. They behave much more like a financial risk class than a technical nuisance.
That is why boards, regulators, and insurers now treat cyber as a core business and financial risk, not as a technology line item. It is showing up in risk barometers, insurance pricing, and loss data, not just in security dashboards.
So when M&A and PE professionals say “cyber is not critical to the deal,” they are really saying a financial risk that can move the price by 10 to 30 percent is not critical. That does not square with how insurers, regulators, and loss data see the world, and it certainly does not match what we have seen in 24 years of never once delivering a clean assessment.
I keep hearing the same line from M&A and PE professionals. “Cyber is not critical to the deal process. It is not really impacting anything.”
That narrative does not survive contact with reality. Cyber is consistently ranked among the top global business risks. Major incidents over just the last few years have generated many billions of dollars in losses. And in 24 years of assessing cyber risk at NCX Group, my team has never seen a clean assessment. Not one. There is always an unpriced risk sitting in the system.
If the top insurers in the world are calling cyber a top business risk, the largest incidents are burning through massive amounts of value, and independent assessors never see a clean environment, yet you are still being told “it is not moving deals,” someone is being misled. At best, sellers are being kept comfortable until the buyer’s diligence team uses that gap as leverage. At worst, limited partners are being told a risk is under control when it is not.
For owners, that is the core problem. You are betting the largest transaction of your life on a story that does not line up with how insurers, incident data, or independent assessments actually look.
There is no technology silver bullet for cyber risk. It is man-made, and what people build, people can break. Every new tool, platform, or “easy button” you drop into the environment just shifts the weak points. It does not remove them.
Too many owners are being sold the idea that they can buy their way out of this risk with one more product, one more dashboard, or one more managed service. That is not how this works. Cyber is a business process and governance problem first. Until you understand how the business actually runs, how decisions are made, who has access to what, and how you prove it, no amount of technology will turn this into a solved problem.
You do not need a Fortune 50 security team. You do need to change how you, as the CEO or owner, ask questions.
1. Get one independent look
Do one independent cyber risk and security assessment. Not a vendor’s “free scan.” A proper review of your environment as it is today, how your MSP is configured and what access they have, and the biggest business impact gaps that need attention before a deal.
Think of it like a quality of earnings report, but for your technology and cyber risk. Your MSP is your bookkeeper. You still need an auditor. That report becomes part of how you defend your number when someone challenges it in a deal room.
In 24 years of assessing cyber risk at NCX Group, we have never seen a truly clean assessment. Not one. There is always something to find, fix, and document. The question is whether you find and mitigate those issues on your terms, or a buyer finds them on theirs and uses them to cut your valuation.
2. Clean up the MSP agreement
Sit down with your MSP and make responsibilities and proof explicit. Spell out who owns patching, backups, MFA, monitoring, incident response, and incident response plan testing. Add a few evidence requirements, like reports on patch status, backup test results, incident response tests, and lessons learned, and a simple incident log you can review regularly.
Increase and align cyber insurance requirements so that both your policy and your MSP’s coverage match the financial exposure you are asking them to help manage. Clear responsibilities and higher insurance limits reduce the chance that a buyer sees your MSP relationship as unpriced liability.
3. Ask for a one-page owner’s view
You do not need another technical dashboard. Ask your MSP and your assessor for a one-page summary in business terms. It should cover: how many key internet-facing systems you depend on, and days since each was last patched; time since the last successful recovery test of a critical system; whether you have a real incident response plan, when it was last tested (tabletop or live), and what you learned from that test.
Add the number of admin accounts and when they were last reviewed; any critical findings still open and the plan to close them; and how much cyber insurance you carry today, along with how your MSP’s own insurance and contracts backstop the risk.
If you cannot understand it in five minutes, it is not an owner’s view. If you cannot see how cyber could move your revenue, cash flow, or valuation on that page, you are not yet managing it as a financial risk.
4. Make cyber part of deal readiness
If you expect to sell in the next few years, treat cyber and MSP oversight like you treat financial cleanup and insist on independent eyes, not just your MSP grading its own homework. Fix obvious issues and gather evidence before you go to market so you are not negotiating under the shadow of an incident or a bad diligence finding. Be ready to hand a buyer a short, credible story. “Here is how we run, here is what we found, here is what we fixed, and here is the independent firm that verified it.”
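Steps 2 and 3 above ask for evidence from the MSP and a one-page owner’s view built from it. As an added illustration that is not part of the original article or of NCX Group’s own tooling, the Python script below takes the evidence items an MSP or assessor should supply (last patch date per internet-facing system, last successful recovery test, incident response plan test, admin account review, open critical findings, insurance limits) and renders them as that one-page view, rating each line GREEN, AMBER or RED and treating undocumented evidence as RED. The data class, the day thresholds and the sample evidence are constructed assumptions for the example, not a standard.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Owner-set thresholds in days (assumptions for this example, not a standard).
PATCH_AMBER, PATCH_RED = 30, 60
RECOVERY_AMBER, RECOVERY_RED = 90, 180
IR_TEST_AMBER, IR_TEST_RED = 365, 730
ADMIN_REVIEW_AMBER, ADMIN_REVIEW_RED = 90, 180


@dataclass
class Evidence:
    """Evidence an MSP or assessor supplies; each field maps to one line of the owner's view."""
    as_of: date
    internet_facing_systems: dict[str, date | None]  # name -> last patch date (None = unknown)
    last_successful_recovery_test: date | None
    ir_plan_exists: bool
    ir_plan_last_tested: date | None
    ir_plan_test_type: str            # "tabletop", "live", or "" if never tested
    ir_plan_lessons: str
    admin_accounts: int
    admin_accounts_last_reviewed: date | None
    open_critical_findings: list[tuple[str, str]]  # (finding, plan to close it)
    own_cyber_insurance_usd: int
    msp_cyber_insurance_usd: int


def days_since(as_of: date, when: date | None) -> int | None:
    """Days elapsed, or None when the event never happened or is undocumented."""
    return None if when is None else (as_of - when).days


def rate(days: int | None, amber: int, red: int) -> str:
    """Missing evidence is rated RED: what cannot be shown cannot be counted as managed."""
    if days is None or days >= red:
        return "RED"
    return "AMBER" if days >= amber else "GREEN"


def build_owner_view(ev: Evidence) -> dict[str, dict]:
    """Turn raw evidence into the metrics an owner can read in five minutes."""
    patch_ages = {n: days_since(ev.as_of, d) for n, d in ev.internet_facing_systems.items()}
    # The oldest patch age drives the rating: one neglected system is the exposure.
    worst_patch = max((a for a in patch_ages.values() if a is not None), default=None)
    if any(a is None for a in patch_ages.values()):
        worst_patch = None  # an unknown patch date is treated as worse than an old one
    recovery = days_since(ev.as_of, ev.last_successful_recovery_test)
    ir_test = days_since(ev.as_of, ev.ir_plan_last_tested) if ev.ir_plan_exists else None
    admin_rev = days_since(ev.as_of, ev.admin_accounts_last_reviewed)
    return {
        "patching": {"systems": len(patch_ages), "worst_days": worst_patch,
                     "rating": rate(worst_patch, PATCH_AMBER, PATCH_RED)},
        "recovery": {"days": recovery, "rating": rate(recovery, RECOVERY_AMBER, RECOVERY_RED)},
        "incident_response": {"plan": ev.ir_plan_exists, "days": ir_test,
                              "type": ev.ir_plan_test_type, "lessons": ev.ir_plan_lessons,
                              "rating": rate(ir_test, IR_TEST_AMBER, IR_TEST_RED)},
        "admin_accounts": {"count": ev.admin_accounts, "days": admin_rev,
                           "rating": rate(admin_rev, ADMIN_REVIEW_AMBER, ADMIN_REVIEW_RED)},
        "open_critical": {"count": len(ev.open_critical_findings),
                          "rating": "RED" if ev.open_critical_findings else "GREEN"},
        "insurance": {"own_usd": ev.own_cyber_insurance_usd, "msp_usd": ev.msp_cyber_insurance_usd},
    }


def render(view: dict[str, dict], as_of: date) -> str:
    """One page in business terms; every line ends with a single traffic-light word."""
    def fmt(d: int | None) -> str:
        return "never / undocumented" if d is None else f"{d} days ago"
    p, r, ir, a, oc, ins = (view[k] for k in ("patching", "recovery", "incident_response",
                                              "admin_accounts", "open_critical", "insurance"))
    return "\n".join([
        f"Owner's cyber view as of {as_of:%Y-%m-%d}",
        f"Internet-facing systems: {p['systems']}; oldest patch {fmt(p['worst_days'])} [{p['rating']}]",
        f"Last successful recovery test of a critical system: {fmt(r['days'])} [{r['rating']}]",
        f"Incident response plan: {'yes' if ir['plan'] else 'NO'}; last tested {fmt(ir['days'])}"
        f" ({ir['type'] or 'n/a'}); lessons: {ir['lessons'] or 'none recorded'} [{ir['rating']}]",
        f"Admin accounts: {a['count']}; last reviewed {fmt(a['days'])} [{a['rating']}]",
        f"Critical findings still open: {oc['count']} [{oc['rating']}]",
        f"Cyber insurance: ours ${ins['own_usd']:,}; MSP's ${ins['msp_usd']:,}",
    ])


# Constructed sample evidence for a fictional company; not real data.
SAMPLE = Evidence(
    as_of=date(2026, 3, 1),
    internet_facing_systems={"vpn-gateway": date(2026, 2, 20),
                             "web-portal": date(2026, 1, 15),
                             "mail-relay": date(2026, 2, 27)},
    last_successful_recovery_test=date(2025, 10, 15),
    ir_plan_exists=True,
    ir_plan_last_tested=date(2025, 6, 1),
    ir_plan_test_type="tabletop",
    ir_plan_lessons="MSP escalation contacts were out of date",
    admin_accounts=7,
    admin_accounts_last_reviewed=None,
    open_critical_findings=[("Backup server shares admin accounts with production",
                             "Separate backup administration, due next quarter")],
    own_cyber_insurance_usd=2_000_000,
    msp_cyber_insurance_usd=1_000_000,
)

if __name__ == "__main__":
    print(render(build_owner_view(SAMPLE), SAMPLE.as_of))
```

The one design choice worth copying is in `rate`: a missing date is rated RED rather than skipped, so a line the MSP cannot evidence shows up as exposure on the page instead of quietly disappearing from it. The thresholds are the owner’s to set in the MSP agreement; the point is that each line has a number, a date and a rating a buyer can check.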
When you get close to an exit, you assume the hard part is over. You have survived the years of payroll stress, big decisions, and sleepless nights. You have assembled the team you trust to get you over the finish line. In that moment, unmanaged cyber risk is not a technical issue. It is black ice on an otherwise clear road. You do not see it until the deal is already skidding, the buyer is asking hard questions you cannot answer, and the number on the term sheet is heading in the wrong direction.
Your goal is simple. When a buyer’s team looks at cyber, they see a managed, independently validated exposure, not a reason to cut the price or increase escrow. A little preparation on your terms is cheaper than a fire drill on theirs, especially when the only voice in the room is your MSP trying to defend its own work.
In the enterprise, the story is a burned-out CISO carrying risk they do not fully control. In the mid-market, the story is different. There is no CISO. There is you, your MSP, and a lot of assumptions.
The most dangerous sentence I hear from CEOs and owners is still:
“Our MSP has it handled.”
That can be true. But your job is not to hope it is true. Your job is to be able to prove it when someone asks, especially when that someone is holding your retirement in a term sheet.
So here is a simple test.
If a buyer, lender, or insurer walked in tomorrow and said, “Show me how you know your MSP is doing what you think they are doing,” what could you put on the table?
If the honest answer is “not much,” this is your moment to stop trusting by default and start asking for proof. In 2026, cyber is not an IT line item. It is part of how the market prices your business and your future.
By Mike Fitzpatrick, Distinguished Fellow, Ponemon Institute, Founder and CEO, NCX Group, Cyber Risk Advisory
Visit: www.ncxgroup.com
PS: In nearly a quarter-century of doing this work, my team has never delivered a clean assessment. There is always a risk in the system. Your leverage comes from finding and mitigating it before a buyer does. If they find it first, it does not just become a security issue. It becomes a lower offer, a tougher negotiation, and a smaller exit check than the one you spent your career working for.