S-RM, an intelligence and cyber security consultancy, reports a growing disconnect between private equity (PE) firms' awareness of cyber threats and their ability to act on them. While cyber due diligence is now widely practised, spend is low and many firms lack a clear post-deal strategy, leaving portfolios exposed to rising levels of cyber risk.
The consultancy surveyed 100 private equity professionals across the UK, Europe and the United States. It found that 72pc of firms had experienced a serious cyber incident somewhere in their portfolio within the past three years, underscoring that attacks are no longer isolated events but systemic risks running through entire investment chains.
Despite this, only 65pc of portfolio companies are required to report incidents to the parent firm immediately, which the consultants say raises questions about visibility and response readiness. The firm points to concern over threat actor groups such as Scattered Spider, which have moved beyond retail to target insurers and other service-heavy sectors.
Due diligence
The findings show that 70pc of private equity firms conduct cyber due diligence (DD) on every deal, suggesting the issue is firmly on the radar. However, one third still spend less than £16,000 per assessment, and cyber DD spend remains significantly lower than tech DD spend overall, by around 82pc. Moreover, while 89pc say that cyber maturity has influenced a deal decision, many respondents admitted they lack structured processes to carry those insights forward into post-deal remediation.
"Cyber due diligence is now the norm, but unless it feeds into both investment decision-making and post-deal remediation, it risks becoming due diligence theatre," said Jamie Smith, Global Managing Director of Cyber Security at S-RM. "Doing so could lead to a revaluation, or even a no-go decision. But without post-deal follow-through, the benefits quickly evaporate."
Gaps limit resilience
The research also highlights a lack of consistent cyber standards across portfolio companies. Just over half, 54pc, of respondents said all of their portcos have a defined and tested incident response plan, while only 53pc said all of their portcos provide regular employee cyber security training. S-RM found that best-in-class firms standardise baseline controls across portfolios and use DD insights to prioritise uplift, training, vendor access and monitoring. These firms view cyber resilience as both a protection mechanism and a path to long-term value creation.
"Many PE professionals shy away from the perceived complexity of cyber risk, but getting cyber right is now a core investor responsibility," said Felicity Loudon, Private Equity Practice Lead, Cyber Security at S-RM. "Even mature portcos are vulnerable without the basics. The strongest programmes focus on proportionate uplift - what's achievable and impactful, not excessive. Cyber resilience isn't about perfection, it's all about readiness. That's where real value is created."
The paper, "From Awareness to Action: Cyber Resilience in Private Equity", is available to download: www.s-rminform.com/cyber-risk-in-private-equity-whitepaper.