CISO Redefined
Navigating Transactions & the Cybersecurity Landscape
Reveals Cybersecurity Attacks Are an Increasing Threat to M&A
Deal teams need to account for cyber risk much the same way we think about leak risk. These unexpected disruptions can create confusion, shift value and slow negotiations. You can never eliminate the risk entirely, but the follow-on disruption from these events can be mitigated with speed and clarity of response.
Pat Tucker
Senior Managing Director
M&A and Activism Communications, FTI Consulting
Deal Cycles Rise Fast While Collaborations Fall Short
Our Experts
Meredith Griffanti
Global Head of Cybersecurity & Data Privacy Communications
Senior Managing Director
NEW YORK, USA
Cybersecurity & Data Privacy Communications
Helping clients mitigate reputational risk, enhance trust, and protect stakeholder relationships before, during and after a cybersecurity incident.
As the largest specialized Cybersecurity and Data Privacy Communications practice in the world, we provide global expert crisis communications counsel and hands-on support throughout the entire lifecycle of an incident.
More than “Public Relations,” we serve as integrated partners to our clients’ incident response teams and approach cybersecurity issues with a multi-stakeholder lens, advising on impactful communications strategy that contemplates customers, partners, vendors, regulators, employees, boards, media, investors, and more.
Evan Roberts
Co-Leader of Americas Cybersecurity & Data Privacy Communications
Senior Managing Director
NEW YORK, USA
Jamie Singer
Co-Leader of Americas Cybersecurity & Data Privacy Communications
Senior Managing Director
CHICAGO, USA
Pat Tucker
Americas Head of M&A and Activism Communications
Senior Managing Director
new york, usa
CISO Redefined III
While time has long been the silent killer of M&A deals, FTI Consulting’s CISO Redefined III research shows that speed itself may now be compromising security, valuation, and trust.
The third installment in FTI Consulting’s CISO Redefined series reveals a clear and growing correlation between transaction activity and cyber incidents — often with direct consequences for deal value, reputation, and integration success. By analyzing deal data, publicly disclosed breaches, and surveying senior CISOs, M&A leaders, and general counsels, our research shows how the speed and complexity of transactions can create prime opportunities for threat actors.
Nearly half of executives surveyed said a cybersecurity event impaired valuation during or shortly after a transaction, yet many deal teams and security leaders still operate in silos when it matters most.
So how can organizations protect value without slowing the deal?
CISO Redefined III goes beyond identifying the problem — it maps the solution. Our research illuminates how leading CISOs, M&A executives, and general counsels are rethinking their partnerships to address cyber risk throughout the transaction lifecycle, treating it with the same rigor as financial due diligence.
Discover the data-driven connection between M&A activity and elevated breach risk, the specific vulnerabilities that emerge during different transaction phases, and the frameworks that enable security-first decision-making without sacrificing deal velocity.
In today’s deal environment, cybersecurity isn’t a technical issue — it’s a transaction risk.
When Deals Move Fast, Cyber Risk Moves Faster
key takeaways
Impact on Deal Value and Post-Transaction Targets
Minimized Role for CISOs in Decision Making
Disconnect between Growth Goals & Cybersecurity Risk
Cyber Integration Post Transaction is a Significant Challenge
Companies are Targeted and Potentially Exposed at a Critical Moment
Impact on Deal Value and Post-Transaction Targets
More than two-thirds (69%) of those who experienced a cyber incident during or after a transaction claim it had a negative impact on the transaction in some capacity.
Minimized Role for CISOs in Decision Making
A plurality of CISOs do not have a seat at the table during transaction due diligence, with one in three (33%) indicating they do not believe they have the ability to kill a transaction if the risk to the organization is too high during or after a transaction.
From limited CISO involvement in early diligence to the operational challenges of post-close integration, these dynamics compound throughout the deal lifecycle. The result is a landscape in which deal momentum often outpaces cyber resilience, exposing organizations to preventable risk at precisely the moment they can least afford it.
Nearly half (42%) claimed the deal value was reduced as a result of the cyber incident, and another 20% stated that the transaction was paused or delayed.
A majority (58%) believe the incident impaired the company’s ability to reach financial targets after the transaction.
Disconnect between Growth Goals & Cybersecurity Risk
Pressure to close deals quickly (41%) comes at the expense of carefully weighing cybersecurity defenses (or lack thereof) during the due diligence process, exacerbating the somewhat inherent tension between growth and risk mitigation.
Cyber Integration Post Transaction is a Significant Challenge
Most organizations struggle to align and integrate their cybersecurity protocols and procedures post-deal, with 84% of survey respondents citing challenges in harmonizing IT systems and policies.
Companies are Targeted and Potentially Exposed at a Critical Moment
One in four respondents (24%) admit that their organization experienced a cyber incident within 24 months after closing a transaction, revealing lasting, real-world consequences for those who do not coordinate their cybersecurity and deal teams.
Ignoring Cybersecurity Risk Impacts Value
Cybersecurity incidents can have direct and indirect financial impact on acquiring companies as they close a transaction and work to integrate the target. Nearly 1 in 4 executives has experienced a cybersecurity incident during or shortly after a transaction (24%). Of the deals impacted by cybersecurity incidents, 2 in 3 were significant events like data theft, extortion or vendor breaches that exposed confidential information.
Perhaps the most staggering statistic gleaned from our survey was that – of the executives who experienced a cybersecurity incident during or shortly after a transaction – nearly half saw deal value reduced (42%).
More than half said financial targets were impaired (58%), while 20% said their deals were either delayed or paused due to a cyberattack.
86% of CISOs say that experiencing a cyber incident during a transaction can lead to incurring additional indirect costs – namely reputational damage (41%) and greater regulatory or investor scrutiny (32%).
Cybersecurity Is Seen as Important in Principle, but Is Often Sidelined in Transaction Practice
When the stakes are highest during a transaction, executives are forced to balance competing priorities while continuing to generate the momentum needed to carry the deal forward. Good cybersecurity practices are rarely thought of as a momentum driver by non-CISOs. According to our CISO Redefined II research conducted in 2024, the vast majority of CISOs feel their role is misunderstood by company leadership, and they struggle to communicate in a non-technical way that other executives can actually understand.
69% of executives recognize the importance of cybersecurity in transactions
67% of Heads of M&A say the CISO is very critical to a transaction
76% of General Counsels say the CISO is very critical to a transaction
34% of CISOs say they are heavily involved in contributing to decisions when executing a transaction
This disconnect between CISOs and company leadership on risk priorities during transactions mirrors how leadership recognizes cybersecurity as important in principle but fails to ensure it is implemented in practice.
There’s a clear disconnect between acknowledgment and action. Even as deal and legal teams recognize the CISO’s critical role, too few CISOs are brought into the room when key transaction decisions are made. If a company truly wants to say it prioritizes cybersecurity, that commitment must hold up during M&A. Cyber due diligence needs to serve as a true stage-gate, ensuring CISOs are not only heard but empowered with the authority and insight to act decisively.
James Condon
Americas Head of Research, Corporate Positioning & Insights, Managing Director, FTI Consulting
M&A transactions often create fast-paced, high-stakes environments, in which the terms of a deal can come together quite quickly. As part of this, the diligence process requires examining hundreds of documents, sensitive financial information and projections in a condensed timeline. But that risk doesn’t stop leaders from applying significant pressure on deal teams to close quickly.
Say faster timelines increase cybersecurity risks
1 in 3
Say cyber threats increased during the transaction period
2 in 5
Say leaders push to close deals quickly over conducting thorough cybersecurity due diligence
1 in 4
See tension between executive growth goals and cybersecurity risk tolerance
1 in 5
To confront cyber risk adequately, and ensure enterprise-level preparedness, CISOs need to be more than security experts. They need to be influencers, communicators and internal deal makers. We see clear anecdotal evidence supporting the idea that CISOs who invest in these skills achieve better security outcomes.
Evan Roberts
Co-Leader of Americas Cybersecurity & Data Privacy Communications, Senior Managing Director, FTI Consulting
Many Organizations are Unprepared to Manage Cyber Risk After Deals
Against a backdrop of limited collaboration among CISOs, deal teams, and general counsels, many organizations are also unprepared to manage cyber risk once a transaction closes.
Post-close IT integration creates a critical blind spot: newly combined systems and endpoints expand the attack surface precisely when organizations are most vulnerable, yet our research shows this risk is poorly anticipated and managed. Success requires more than harmonizing policies—it demands securely merging two distinct technical environments without exposing either organization to increased risk. Greater collaboration between cybersecurity, M&A, and legal teams throughout the transaction lifecycle can establish the alignment, milestones, and parameters needed to protect deal value and minimize emerging threats.
39% of leaders don’t have an integration plan for when a transaction completes
84% report difficulties when aligning cybersecurity policies with another company
23% manage these risks proactively post-close
By making cybersecurity and risk management a proactive and integrated part of the transaction process, companies can protect value, meet financial goals, improve the integration process, and maintain trust with key stakeholders. Security, success and growth should be intertwined – not at odds with one another.
To investigate these challenges, FTI Consulting surveyed 100 CISOs, 78 heads of M&A, and 100 general counsels across public and private organizations with at least 500 employees, representing a majority of companies with a market cap of $5 billion or more, to understand how key leaders collaborate with each other and weigh cybersecurity priorities during and after M&A deals. The survey was conducted online between August 12 – 26, 2025.
CISO Redefined III
An FTI Consulting Report
Mergers & Acquisitions
Protecting the certainty of a successful deal. Consistently ranked as the top M&A communication firm globally, FTI Consulting advises clients across every stage of the deal lifecycle to enhance the certainty of a successful close. From pre-announcement planning to transaction announcement and post-merger integration, our team provides an unparalleled combination of expertise in transaction communications, investor relations, public affairs, digital platforms and employee engagement.
Our experts approach each transaction as a multi-faceted campaign; we develop and drive positive deal sentiment across stakeholder groups while minimizing regulatory risk and threat of shareholder dissent and activism.
Garrett Muzikowski
M&A, Activism and Governance
Managing Director
new york, usa
Corporate Positioning & Insights
Our Corporate Positioning & Insights experts partner with leadership teams to design and execute multi-stakeholder communication campaigns that build, enhance or protect a company’s reputation. Our approach is grounded in using data and insights to deeply understand stakeholder perceptions and needs to ensure messaging resonates and communication campaigns drive positive business outcomes.
Brent McGoldrick
Americas Head of Corporate Positioning & Insights
Senior Managing Director
washington dc, usa
James Condon
Americas Head of Research
Managing Director
new york, usa