The way M&A evaluates cyber risk is broken.
Cyber risk is the number one business risk according to Allianz and Hiscox. Most deal teams treat it as a checkbox. That disconnect has a price — and it shows up in valuation, deal speed, insurance, and what you inherit after close.
What you need to know
These are not projections. They are the numbers that show up in deals, in insurance applications, and in post-close surprises for companies that skipped real diligence.
Over 80% of SMEs lack a cyber risk assessment or incident response plan. They assume their MSP has it covered.
The percentage of SMEs experiencing a cyber event has held steady at 62% annually for more than a decade.
Ransomware and business email compromise attacks on SMBs surged last year, fueled by AI-powered threat tools.
66% of potential buyers reduce their offer when cyber risks are identified during diligence. Do you feel lucky?
Average operational disruption after a ransomware event. At $10,000+ per hour, that is not a footnote — it is an existential number.
The average financial and operational disruption cost of a ransomware event for mid-market businesses.
Average percentage of business valuation lost due to a material cyber incident discovered during or after a transaction.
How long a business exit can be delayed when unresolved cyber diligence issues surface after the LOI is signed.
The problem with how deals handle cyber today
Most deal teams send a questionnaire. The target company answers it. Nobody validates a single answer. That is called a checkbox process — and it is the reason 53% of buyers discover material cyber issues after the deal closes.
A questionnaire tells you what a company believes about itself. An independent assessment tells you what is actually true. Those two things are rarely the same.
NCX Group provides the independent read. We have no financial interest in what we find or what gets fixed. That independence is the only thing that makes the findings credible when someone scrutinizes them.
The calculator below is built the same way we build a deal assessment.
It uses your actual business data, FAIR model loss probability, real deal term benchmarks, and the same remediation cost structure we deliver to buy-side teams. It is not a generic industry average. It is your number.
Your numbers. Your deal. Your exposure.
Results mirror the structure of an NCX Group buy-side assessment: a deal recommendation, FAIR probability-weighted loss scenarios, specific deal term adjustments, phased remediation costs, and regulatory exposure by industry.
Enter in whole dollars. Example: 5000000 for $5M.
Mid-market typically 4–8×.
Typical mid-market: 15–25%.
Drives regulatory exposure, disruption multiplier, and insurance sensitivity.
What level of cyber exposure has been identified — or is likely present given no independent assessment?
Not a questionnaire. Not a score from a ratings tool. A real, evidence-based assessment by an independent firm with no financial interest in what they find or what gets fixed.
Methodology and sources
Ransomware as the primary loss event: For mid and lower-mid market companies, ransomware is the operational threat that shows up in deals. Disruption duration: 22–24 days average (Varonis/Statista 2024–2025). Operational cost floor: $10,000/hour for SMBs, scaled by revenue. Industry multipliers increase loss magnitude for healthcare (1.9×), financial services (1.7×), manufacturing (1.5×).
FAIR model framework: Severity tiers proxy for Loss Event Frequency. Loss Magnitude is calculated from annual revenue converted to an hourly rate, multiplied by disruption hours and a recovery overhead factor. Probability weighting follows the same scenario structure used in NCX Group’s actual buy-side assessments (ransomware: 40–45% probability; data breach: 25–30%; operational disruption: 15–20%).
Source: FAIR Institute (open standard); NCX Group assessment methodology
Valuation discount — two distinct cases: (1) Checkbox gap: inability to fully complete diligence documentation produces an 8–15% haircut, midpoint 10%. (2) Incident during diligence: 25–35% repricing or deal termination. Yahoo/Verizon: approximately 35% reduction. Escrow of 3–10% modeled for significant and critical findings.
Sources: FTI Consulting (2025); Reuters Legal R&W (2025); SRS Acquiom (2025)
Remediation cost structure: Phase 1 (critical stabilization, 0–90 days), Phase 2 (program foundation, 90–180 days), Phase 3 (full capability, 180–365 days). Cost basis: $325/hour fully burdened cybersecurity professional rate, consistent with NCX Group actual assessment findings. Severity scales the total investment required.
Source: NCX Group Secure24 buy-side assessment data
The validation adjustment: Companies with a completed, independent assessment reduce deal delay risk, support insurance underwriting, and narrow buyer uncertainty. The model reduces disruption exposure by 20–35% and deal delay by 25–40% when validated evidence is on record. The 80% unassessed figure comes from Ponemon Institute and Hiscox SMB research.
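The loss-magnitude arithmetic and the validation adjustment described above, worked for the ransomware scenario only, as an added example (not NCX Group's calculator or code). The recovery overhead value, the 8,760-hour year, reading the $10,000/hour figure as a minimum, and a 1.0 multiplier for unlisted industries are assumptions.

```python
# Added example: constants marked "page" come from the methodology text above;
# everything marked "assumption" is illustrative and not NCX Group's actual model.
HOURS_PER_YEAR = 8760      # assumption: revenue is spread evenly over every hour
HOURLY_FLOOR = 10_000      # page: operational cost floor, USD per hour
INDUSTRY_MULTIPLIER = {    # page: loss-magnitude multipliers
    "healthcare": 1.9,
    "financial_services": 1.7,
    "manufacturing": 1.5,
}
# page: (disruption days, ransomware probability, validation reduction) range ends.
# Pairing the larger reduction with the low bound is an assumption.
BOUNDS = {"low": (22, 0.40, 0.35), "high": (24, 0.45, 0.20)}


def ransomware_exposure(annual_revenue, industry, recovery_overhead, validated=False):
    """Return low/high loss magnitude and probability-weighted loss in USD."""
    if annual_revenue <= 0 or recovery_overhead <= 0:
        raise ValueError("revenue and recovery overhead must be positive")
    # assumption: "scaled by revenue" means the floor applies until the
    # revenue-derived hourly rate exceeds it
    hourly = max(HOURLY_FLOOR, annual_revenue / HOURS_PER_YEAR)
    multiplier = INDUSTRY_MULTIPLIER.get(industry, 1.0)  # assumption: 1.0 otherwise
    result = {}
    for bound, (days, probability, reduction) in BOUNDS.items():
        magnitude = hourly * days * 24 * recovery_overhead * multiplier
        if validated:
            magnitude *= 1 - reduction  # page: validated evidence cuts disruption exposure
        result[bound] = {
            "magnitude": round(magnitude, 2),
            "weighted": round(magnitude * probability, 2),
        }
    return result


if __name__ == "__main__":
    # constructed input: $5M revenue manufacturer, overhead factor 1.25 (assumption)
    for validated in (False, True):
        print(validated, ransomware_exposure(5_000_000, "manufacturing", 1.25, validated))
```

For a $5M-revenue company the hourly floor dominates, so the result is driven by disruption days and the industry multiplier rather than by revenue.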
Why we do not use Kroll data: Kroll is an incident response firm. Their survey oversamples organizations that have already experienced a material event. We use IBM/Ponemon, Varonis, Statista, FTI Consulting, and FAIR Institute data for broader population baselines.
This is what we actually deliver to deal teams.
What you see above is the skeleton of a real NCX Group buy-side assessment — the same structure, the same FAIR model framework, the same deal term output. The difference is that a real assessment has your specific findings, your documented evidence, and your defensible numbers.
NCX Group has spent 25 years doing one thing: giving leadership an honest, independent read of their cyber risk. We do not sell tools. We do not do remediation. We do not grade our own homework — and neither should your MSP.