
Private equity awareness

by Mark Rowe

An intelligence and cyber security consultancy suggests a growing disconnect between private equity (PE) firm awareness of cyber threats and their ability to act on them. While cyber due diligence is now widely practised, spend is low and many firms lack clear post-deal strategies, leaving portfolios exposed to rising levels of cyber risk, according to S-RM.

The consultancy surveyed 100 private equity professionals across the UK, Europe and the United States. It found that most firms, 72 per cent, had experienced a serious cyber incident somewhere in their portfolio within the past three years, underscoring that attacks are no longer isolated events but systemic risks across entire investment chains.

Despite this, only 65pc of portfolio companies are required to report incidents to the parent firm immediately, which the consultants suggested raises questions about visibility and response readiness. The firm points to concern over threat actor groups such as Scattered Spider, which have moved beyond retail to target insurers and other service-heavy sectors.

Due diligence

The findings show that most private equity firms, 70pc, conduct cyber due diligence (DD) on every deal, suggesting the issue is firmly on the radar. However, one third still spend less than £16,000 per assessment, and cyber DD spend remains significantly lower than technology DD spend overall, by around 82pc. Moreover, while 89pc say that cyber maturity has influenced a deal decision, many respondents admitted they lack structured processes to carry those insights forward into post-deal remediation.

“Cyber due diligence is now the norm, but unless it feeds into both investment decision-making and post-deal remediation, it risks becoming due diligence theatre,” said Jamie Smith, Global Managing Director of Cyber Security at S-RM. “Doing so could lead to a revaluation, or even a no-go decision. But without post-deal follow-through, the benefits quickly evaporate.”

Gaps limit resilience

The research also highlights a lack of consistent cyber standards across portfolio companies. Only around half of respondents, 54pc, said all of their portfolio companies (portcos) have a defined and tested incident response plan, and only 53pc said all of their portcos provide regular employee cyber security training. S-RM found that best-in-class firms standardise baseline controls across portfolios and use DD insights to prioritise uplift, training, vendor access and monitoring. These firms view cyber resilience as both a protection mechanism and a path to long-term value creation.

“Many PE professionals shy away from the perceived complexity of cyber risk, but getting cyber right is now a core investor responsibility,” said Felicity Loudon, Private Equity Practice Lead, Cyber Security at S-RM. “Even mature portcos are vulnerable without the basics. The strongest programmes focus on proportionate uplift – what’s achievable and impactful, not excessive. Cyber resilience isn’t about perfection, it’s all about readiness. That’s where real value is created.”

The paper, ‘From Awareness to Action: Cyber Resilience in Private Equity’ is available to download: www.s-rminform.com/cyber-risk-in-private-equity-whitepaper.
