Private Equity Firms Face Serious Cybersecurity Disconnect

A new survey reveals many private equity firms still shortchange cyber due diligence—leaving portfolios exposed to costly breaches and highlighting a persistent gap between risk awareness and real-world protection.

A recent survey from cybersecurity consultancy S-RM highlights a troubling disconnect among private equity firms. While 89% report that a target's cybersecurity maturity influences their acquisition decisions, these same firms may be underinvesting in the cybersecurity due diligence needed to gauge that maturity level, diligence that could also prevent costly breaches.

The research, based on a survey of 100 private equity professionals across Europe, the Middle East, and Africa as well as the US, found that 70% of firms conduct due diligence on every acquisition target and spend an average of $46,875 per deal on technology due diligence, yet allocate only $25,630 to cybersecurity due diligence.

Ken Swick, senior security consultant at New Era Technology, noted that private equity teams and acquisition teams in general tend to prioritize their review of financials, organizational assets, and accounting systems over technology or cybersecurity programs. "They're mainly interested in what will help them grow or profit from the deal, and technical risks are seen as secondary," Swick said.

Swick added that there is also typically a short window of time during the pre-acquisition period to conduct due diligence. "Teams focus on those highest priorities; security assessments are often left for later or even skipped entirely," he said.

Wim Remes, founder of Wire Security, agreed that within the merger and acquisition process, technology and security evaluations often get deprioritized in favor of financial due diligence. "Given how central technology is to everything in business today, this opens these organizations up to significant business risk," he said.

Private Equity: A strong disconnect between words and actions

These results indicate potential underspending in the pre-acquisition due diligence phase, at nearly $26,000 on average. Experts cite $25,000 to $100,000 as the minimum cost of due diligence depending on deal size, with deals under $50 million at the low end of the range and $100,000 (or more) for enterprise-sized acquisitions.

The results reveal a strong disconnect between awareness and action post-deal. While 63% of firms do require annual cybersecurity assessments of their portfolio companies, the results show basic security fundamentals remain inconsistently implemented. For instance, only 54% of respondents ensure all portfolio companies have defined incident response plans, while 47% acknowledge that not every company provides regular cybersecurity training to employees.

The survey uncovered that 72% of respondents have experienced a serious cybersecurity incident within their portfolio over the past three years. Surprisingly, only 65% of private equity respondents require their portfolio companies to notify the parent company immediately when an incident occurs, suggesting that the actual breach rate may be higher than reported.

PE firms themselves have not escaped recent incidents. Earlier this year, venture capital and private equity firm Insight Partners disclosed that its systems were compromised through "a sophisticated social engineering attack". The firm, which manages over $90 billion in regulatory assets and has invested in more than 800 companies worldwide, detected unauthorized access to specific information systems on January 16, 2025. While Insight Partners stated there was "no material impact on portfolio companies," the incident underscores the vulnerability of even well-resourced financial institutions.

In December 2024, PowerSchool, the education technology provider acquired by Bain Capital for $5.6 billion in 2024, experienced a significant cybersecurity incident. Attackers compromised the company's PowerSource customer support portal using stolen credentials, gaining access to the PowerSchool SIS system, which manages student records for over 60 million students across more than 18,000 customers.

While PowerSchool stated it was not a ransomware attack, the company was reportedly extorted into paying an undisclosed sum to prevent the exposure of the stolen data. The incident potentially exposed names, addresses, Social Security numbers, medical information, and grades of students and teachers across numerous K-12 school districts.

Best Practices for Cybersecurity-Resilient Private Equity

The survey revealed that private equity firms are grappling with a complex challenge: balancing the need for rigorous security oversight with the practical realities of managing their diverse portfolios. The report contends that successful firms will likely be those that move from passive to active risk assessment and management, establishing baseline security controls across all portfolio companies while tailoring additional measures to each company's individual risk profile.

Private equity firms are playing an increasingly significant role in the security of their portfolio companies. Currently, 2% of respondents allow portfolio companies to manage cybersecurity risk entirely independently, 53% provide dedicated budgets for cybersecurity risk initiatives, and 34% mandate programs that portfolio companies must fund themselves.

The report argues that forward-leaning private equity firms, at least when it comes to cybersecurity, are implementing several key practices that bridge the gap between awareness and action. First, they're right-sizing their cybersecurity due diligence investments to match the acknowledged importance of cybersecurity risk in deal-making. This means allocating resources proportionate to the potential impact, not treating cybersecurity assessments as an afterthought.

"At the very least, acquirers need to look at the target company's documented policies, information security practices, and conduct business impact assessments to get an early indication of the company's risk posture," Swick said. "Even if there's no time for a full risk assessment, even a brief review of governance and security practices can provide valuable insights."

Second, the report advises private equity firms to establish precise, measurable baseline security requirements for all portfolio companies. These include mandatory incident response plans, regular employee training, and protocols for immediate breach notification.

Remes warned, however, that private equity firms should not attempt to impose a single security framework on their portfolio companies, but should instead assess each organization's security maturity individually and allocate resources where risk is highest.

Third, the report's authors advocate leveraging economies of scale by negotiating portfolio-wide security services, sharing threat intelligence across companies, and creating communities of practice where portfolio company security leaders can learn from one another. The idea is to shift the traditional private equity model from a collection of individual investments into a collaborative security posture.

Finally, the authors advise treating cybersecurity as a value creation opportunity, not just a cost center. By implementing robust security programs and documenting improvements, firms position their portfolio companies more favorably for eventual exits while reducing the risk of value-destroying incidents during the holding period.
