CISO Redefined: Navigating Transactions and the Cybersecurity Landscape
March 17, 2026
Over the past few years, cybersecurity and mergers and acquisitions (“M&A”) have been two of the most explosive growth drivers for FTI Consulting’s Strategic Communications Team. Our practitioners have deep expertise in navigating the opportunities and risks that these events present and have been involved with some of the highest-profile transactions and cyberattacks in history.
It was when our teams began to find themselves working on the same projects more and more that we realized cybersecurity risk and transaction events seem to be correlated.
Key Takeaways:
Impact on Deal Value and Post-Transaction Targets: More than two-thirds of those who experienced a cyber incident during or after a transaction claim it had a negative impact on the transaction in some capacity. Nearly half claimed the deal value was reduced as a result of the cyber incident, and another 20% stated that the transaction was paused or delayed. A majority (58%) believe the incident impaired the company’s ability to reach financial targets after the transaction.
Minimized Role for CISOs in Decision Making: A plurality of CISOs do not have a seat at the table during transaction due diligence, with one in three indicating they do not believe they have the ability to kill a transaction if the risk to the organization is too high during or after a transaction.
Disconnect between Growth Goals & Cybersecurity Risk: Pressure to close deals quickly comes at the expense of carefully weighing cybersecurity defenses (or lack thereof) during the due diligence process, exacerbating the somewhat inherent tension between growth and risk mitigation.
Cyber Integration Post Transaction is a Significant Challenge: Most organizations struggle to align and integrate their cybersecurity protocols and procedures post-deal, with 84% of survey respondents citing challenges in harmonizing IT systems and policies.
Companies are Targeted and Potentially Exposed at a Critical Moment: One in four respondents admit that their organization experienced a cyber incident within 24 months after closing a transaction, revealing lasting, real-world consequences for those who do not coordinate their cybersecurity and deal teams.
Ignoring Cybersecurity Risk Impacts Value
Cybersecurity incidents can have direct and indirect financial impact on acquiring companies as they close a transaction and work to integrate the target. Nearly 1 in 4 executives has experienced a cybersecurity incident during or shortly after a transaction. Of the deals impacted by cybersecurity incidents, 2 in 3 of these were significant events like data theft, extortion, or vendor breaches that exposed confidential information.
Cybersecurity Is Seen As Important in Principle, but Is Often Sidelined in Transaction Practice
Alarmingly, 67% of heads of M&A and 76% of general counsels say the CISO is very critical to a transaction, but only 34% of CISOs say they are not heavily involved in contributing to decisions when executing a transaction. Additionally, our research determined that CISOs may also feel they lack the power to act, as one in three CISOs do not believe they have the authority – or are unsure of whether they have the ability – to halt a transaction, even if they believe residual risks are too high to ignore either during or after an acquisition. This disconnect between CISOs and company leadership on risk priorities during transactions mirrors how leadership recognizes cybersecurity as important in principle but fails to ensure it is implemented in practice.
Fast Deal Cycles Raise While Collaboration Falls Short
M&A transactions often create fast-paced, high-stakes environments, in which the terms of a deal can come together quite quickly. As part of this, the diligence process requires examining hundreds of documents, sensitive financial information and projections in a condensed timeline. But that risk doesn’t stop leaders from applying significant pressure on deal teams to close quickly. Our first edition of CISO Redefined I, reflecting results from a 2023 survey, underscores this disconnect, as we learned that 63% of CISOs believed their concerns were not aligned with senior leadership’s priorities, while over half did not believe these senior leaders were completely prepared for cyber risks.
Cybersecurity leaders today face a clear challenge: they need to be viewed not as roadblocks, but as strategic partners in value creation. Earning a seat at the table requires more than technical expertise. CISOs need to show that they have business acumen and a deep understanding of other team members’ perspectives and goals – and a willingness to use their cyber expertise to support those goals. The most effective cybersecurity leaders demonstrate that they can propel a deal forward by helping to protect value, defend the critical assets being acquired, and unlock efficiencies when thinking ahead to integrating systems. In doing so, they redefine the cybersecurity function – it’s not a cost center; it’s a core growth driver and defender.
Many Organizations are Unprepared to Manage Cyber Risk After Deals
Against a backdrop of limited collaboration among CISOs, deal teams, and general counsels, many organizations are also unprepared to manage cyber risk once a transaction closes. Our research shows that approximately 40% of organizations lack a defined cybersecurity or IT integration plan after a transaction closes. There is a natural pressure to move fast, but at the cost of implementing the plan securely. 84% report difficulties when aligning cybersecurity policies with another company.
What’s particularly striking is how an organization’s proactive management of cybersecurity risk diminishes as a deal progresses. During a transaction, executives are evenly split between taking a fully proactive approach (50%) and not doing so. But, once a transaction closes, that proactivity drops sharply, with only 23% of executives saying they manage cybersecurity risks proactively post-close. When combined with the already significant challenges organizations face in aligning cybersecurity policies and systems, this decline in vigilance creates a meaningful exposure point for the organization.
By making cybersecurity and risk management a proactive and integrated part of the transaction process, companies can protect value, meet financial goals, improve the integration process, and maintain trust with key stakeholders. Security, success and growth should be intertwined – not at odds with one another.
Methodology
To investigate these challenges, FTI Consulting surveyed 100 CISOs, 78 heads of M&A, and 100 general counsels across public and private organizations with at least 500 employees, representing a majority of companies with a market cap of $5 billion or more, to understand how key leaders collaborate with each other and weigh cybersecurity priorities during and after M&A deals. The survey was conducted online between August 12 – 26, 2025.
Key Contacts
Senior Managing Director, Global Head of Cybersecurity & Data Privacy Communications
Senior Managing Director, Head of M&A and Activism Communications, Americas
Managing Director, Head of Research, Americas, Corporate Positioning & Insights