Cybersecurity Poses $2.1M Risk to Private Equity Deals, Kroll Finds

Key Takeaways

  • Cybersecurity is a direct threat to deal flow and value
  • Cybersecurity is an increasing risk of material financial impact to private equity backed companies
  • Mid-market and smaller private equity firms are under-developed in cyber risk governance

Kroll, the leading independent provider of global financial and risk advisory solutions, today released findings from its global report on safeguarding portfolio value in private equity (PE). The research, which surveyed 325 PE firm executives, reveals that cyberattacks cause significant value destruction across the PE lifecycle and are increasing in frequency.

Financial Impact of a Cyber Attack on the Deal Lifecycle

  • On average, firms suffered $2.1 million in financial impact per incident, with a 53% chance that a PE firm will lose more than $500,000 and a 13% chance that financial impact will exceed $5 million.
  • 94% of firms suffered some financial impact due to cybersecurity risk, including:
    • Reduced valuation or exit price due to cyber incidents (26%)
    • Increased ongoing compliance or cybersecurity training (62%)
    • Indirect remediation or consultancy costs (46%)

Cyber Attacks Increasing in Frequency

  • 80% of PE firms experienced disruption due to cyberattacks during the hold period, nearly a third (27%) of which suffered outright business disruption or downtime.
  • Other disruption includes: unexpected remediation costs (44%), compliance or regulatory related litigation (29%) and IT system integration (30%).
  • Almost 70% (68%) of PE firms report that cyber incidents are increasing during the hold period.

Dave Burg, Global Group Head of Cyber and Data Resilience at Kroll says, “Cybersecurity has evolved into a material transaction risk, becoming a direct threat to deal flow and valuation in private equity. It is not a coincidence that nearly 70% of our respondents have experienced cyber incidents during the hold period. Attackers are increasingly synchronizing when they strike and are using generative AI to amplify the impact and effectiveness of their actions.

The average financial impact is $2.1 million, but that’s just the tip of the iceberg. The real cost emerges in regulatory investigations, deal timeline delays and continuation vehicles triggered by post-incident governance gaps; and we’re seeing that maturity matters. Our call to action is that those in the private equity ecosystem need to monitor and challenge assumptions, including compliance, reputation and defense across their entire security perimeter.”

Small and Mid-Market PE Firms Especially Vulnerable to Deal Value Destruction

The research identified a clear divide in cyber risk management approaches between larger firms (>$25 billion AUM) and smaller firms (<$25 billion AUM):

  • 55% of larger firms reported governing cybersecurity risk through a formal mandate to portfolio company managers, compared to 12% of smaller firms.
  • 81% of larger firms report that cybersecurity due diligence is a standard part of the transaction diligence process, compared to 29% of smaller firms who said the same.
  • 58% of larger firms have dedicated risk management platforms versus 9% of smaller firms.
  • By comparison, smaller firms rely heavily on manual monitoring (50%) and managed service providers (53%) rather than dedicated platforms, leaving them more vulnerable to significant remediation costs and deal disruption.
  • 52% of larger firms have a dedicated cyber risk leader versus 15% of smaller firms.

Eric Hasty, Managing Director of Cyber and Data Resilience at Kroll says, “Cybersecurity incidents can cause significant impacts to private equity portfolios of all sizes, making a focused and disciplined approach essential across the industry for firms to protect and maximize value. Our study shows that PE firms that implement a concise set of required cybersecurity controls, leverage dedicated platforms to monitor risk, conduct standardized diligence and establish clear accountability are far more effective at protecting value against cyber exposure in a cost-efficient manner.

With clients spanning the full spectrum of the private equity landscape, Kroll has seen firsthand that addressing this challenge requires a structured governance model supported by consistent, pragmatic best practices. Now is the time for PE firms to get ahead of this challenge in readiness for a rebound and wave of deal activity.”

2026 Outlook

  • 96% of PE firms expect the importance of portfolio cybersecurity to increase over the next 12 months.
  • Over half (53%) believe the financial impact of cyberattacks will grow in the coming year, and 54% expect cyber incidents to be more challenging.
