42% of Deals See Value Reductions From Cyber Risk
I am not an M&A guy. I am a cyber risk guy. I have spent 24 years conducting independent cybersecurity assessments for organizations of every size, in every industry. Our work at NCX Group has been used in transactions for years, and we are seeing more demand for it than ever before.
But we are also seeing something that concerns me. The deal market is getting more sophisticated in almost every dimension of diligence. Except this one. When it comes to cyber risk, the structural process in mid- and lower mid-market transactions remains fundamentally broken. And two pieces of research that came out in early 2026 put a number on exactly how broken it is.
The first is from FTI Consulting.
Their CISO Redefined III study, released in March 2026, surveyed 278 executives: CISOs, heads of M&A, and general counsel. Here is what they found:
20% of deals delayed or paused due to cyber issues
42% experienced significant value reductions
58% ended with impaired post-close financial targets
Nearly 6 out of 10 deals in which cyber risk surfaced ended with the buyer missing their financial targets. Not a tough quarter. Impaired targets. That is the kind of outcome that shows up in fund reviews and LP conversations.
The second is from SRS Acquiom.
Their 2026 Deal Terms Study analyzed 2,300+ private-target acquisitions totaling $569 billion. One finding stands out:
22% of deals in 2025 excluded a cybersecurity representation entirely, up from just 5% in 2024. That is more than a fourfold jump (4.4x) in a single year.
So the market’s response to a risk that delays 20% of deals, reduces value in 42%, and impairs targets in 58% is to stop asking the question.
Something Does Not Add Up
The FTI data tells us what happens when cyber risk shows up in a deal. It is expensive. It delays closings. It impairs financial performance.
The SRS Acquiom data tells us the market’s response. And that response is to remove the very mechanism that would surface the risk before it becomes a problem.
Why would smart deal professionals do this?
Because the sellers cannot answer the question. So the question gets dropped.
This Is a Mid-Market Problem
Roughly 80% of lower mid-market companies have never had an independent cybersecurity assessment. Not a penetration test. Not a maturity evaluation. Nothing. The MSP that manages their systems has never been independently validated. The “security” section of the VDR is a self-assessment completed by the same people who built and run the environment.
So when the seller’s attorney is asked to warrant cybersecurity posture in the purchase agreement, the honest answer is: “We do not know what our posture is. We cannot warrant something we have never measured.”
That is not the seller being evasive. That is the seller being accurate. And rather than spend the time and money to find out, the rep gets dropped and everyone moves on.
Here is what bothers me about the 22% number. That is an average across all deal sizes. Large enterprises have CISOs, SOC 2 reports, and compliance teams. They can provide a cyber rep because the work has already been done.
A $30 million company with 200 employees and an MSP managing their IT has none of that. The real exclusion rate in the $10M to $100M deal market is almost certainly much higher than 22%. And the FTI consequences hit harder in that segment because the companies are less resilient, the deal teams are smaller, and there is less margin for error.
The Question Nobody Is Asking
Every deal has a Quality of Earnings (QoE) report. The CPA firm that prepared the financial statements does not conduct the QoE. That would be a conflict of interest. An independent firm validates the numbers so the buyer knows what they are paying for and the seller can defend their valuation.
Every deal involving real property has an environmental assessment. The owner does not self-certify that the property is clean. An independent inspector examines the site, documents what they find, and quantifies the remediation cost.
Cyber risk has no equivalent process.
The company’s own IT provider is the one telling the deal team whether the environment is secure. The people who built the systems are the ones evaluating them. We would never let the firm that prepares the financial statements audit them. But we let the firm that built the technology environment certify it.
And then we wonder why 42% of deals see significant value reductions.
What This Means If You Are Selling
If you are a business owner preparing for an exit, these numbers matter. But not for the reason you might think.
The risk is not that you have cybersecurity problems. Every company has cybersecurity problems. In 24 years of conducting independent assessments, I have never found a company that was clean. Not one.
The risk is that you do not know what your problems are, you cannot quantify them, and your buyer will.
When a buyer’s diligence team discovers unquantified cyber risk midway through a transaction, the leverage shifts. You are no longer negotiating from a position of transparency. You are responding to findings you did not know existed, on a timeline you do not control, with a buyer who now has a reason to reprice.
The sellers who keep most of their proceeds are the ones who know their risk profile before the buyer does. Not because they have perfect security. Because they have documentation, quantification, and a plan. That is the difference between a negotiation and a surprise.
What This Means If You Are Buying
If you are acquiring mid-market companies without independent cyber validation, you are buying risk you have not priced.
The SRS Acquiom data suggests the seller may not be able to warrant their posture. The FTI data tells you what happens when that risk surfaces post-close.
You would not close on an acquisition without a Quality of Earnings. You would not buy a building without an environmental assessment. But most deal teams are still closing on companies that hold customer data, process financial transactions, and run critical infrastructure without anyone independently validating whether the digital environment is sound.
The information is always worth more at the negotiating table than in month three of ownership.
The Real Issue
The deal market knows cyber risk costs real money. The data proves it. And the market is simultaneously choosing not to look. Especially in the mid- and lower mid-market, where the risk is highest and validation is rarest.
That is not a technology problem. It is a process problem. And it will not get fixed until the people making deal decisions treat cyber risk the way they already treat financial risk, legal risk, and environmental risk. With independent validation. Before the transaction closes.
Not after. Before.
PS: The deal market’s answer to a risk that impairs 58% of post-close targets was to stop including the rep. That is not risk management. That is a decision not to look.
Mike Fitzpatrick is CEO of NCX Group and a Ponemon Institute Distinguished Fellow. He is currently leading a Ponemon Institute research study examining cyber risk assessment gaps in mid and lower mid-market M&A.