Article

Private equity must stay vigilant against cybersecurity threats

Cybersecurity MMBI industry snapshot

April 17, 2025

Cybersecurity remains a pressing concern for private equity as firms and their portfolio companies navigate an increasingly complex threat landscape. In an interesting twist, respondents in the Q1 2025 RSM US Middle Market Business Index survey reported that data breaches in 2024 were down from record highs; however, PE industry advisors warn that now is not the time for complacency.

Whether the drop in breaches is due to improved security measures or a temporary slowdown in global cyberthreat activity, the trend does not eliminate the underlying risks that PE firms and their portfolio companies face.

Early and ongoing cyber risk management is crucial

Kevin Carpenter, a principal in transaction advisory services at RSM US LLP, stresses the importance of adopting a comprehensive approach to cybersecurity, beginning in the earliest stage of the PE lifecycle. He has seen cybersecurity diligence evolve from a niche service to a crucial requirement due to growing demand from underwriters and investment committees.

In response, transaction diligence services are adapting to evolving threats by incorporating more technical testing—that is, going beyond management responses to verify configurations through network scans, dark web searches and compromise assessments. The challenge then becomes turning diligence insights into actionable integration steps.

“From a post-close cybersecurity perspective, PE firms must hit the ground running to integrate and secure the new asset,” says Carpenter. “Combining strong diligence procedures with a risk-based cybersecurity program can significantly reduce the risk of an incident across the portfolio.”


PE’s cybersecurity posture continues to improve

Anthony Catalano, an RSM US principal who leads the cybersecurity practice for private equity, sees a notable improvement in the industry’s adoption of baseline security practices. More firms and PE-backed portfolio companies are implementing foundational cybersecurity measures such as regular penetration testing and multifactor authentication to mitigate risk.

Another area of progress is the shift toward centralized cybersecurity programs. Leading PE firms are moving away from fragmented, ad hoc security approaches and instead implementing standardized cybersecurity frameworks for their portfolio companies, often with the aid of managed services.

“Firms with effective cyber breach management provide baseline cybersecurity services to all portfolio companies and then work with each company to elevate their individual security posture,” says Catalano. This approach enables resource-limited portfolio companies to benefit from a structured security program.

Enhancing cybersecurity in PE

While PE firms and their portfolio companies have made notable strides in cybersecurity, there are still opportunities to strengthen their approach and close existing gaps. Drawing from RSM’s experience with PE clients, Catalano highlights three key areas where deficiencies persist:

  • Governance and risk management: Many PE firms struggle to implement sustainable cybersecurity programs across their portfolio companies because effective and ongoing cyber risk management requires time and money. Many firms don’t want the hassle of managing daily portfolio operations or the added expense of a more programmatic cybersecurity oversight approach that takes highly skilled talent and resources to implement.
  • Logging and monitoring: Effective threat detection depends on the ability to track and correlate security events across an organization’s network. However, many portfolio companies either fail to implement comprehensive logging mechanisms or lack the capability to analyze security data effectively. As Catalano explains, “You might have a firewall log and an Active Directory server sending logs, but if they’re not being correlated, you’re missing indicators of an attack.”
  • Incident response and business continuity: Having a clear incident response plan is critical for minimizing the impact of cyberthreats. Yet many portfolio companies are unprepared for a breach, lacking predefined procedures for containment, recovery and business continuity. Catalano points out that companies often fail to prioritize which systems need to be restored first, leading to prolonged disruptions and potential financial losses.
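The logging-and-monitoring point above is easiest to see with a concrete correlation. The script below is an added example written for this page, not RSM’s code or a tool the article describes. It embeds a few constructed firewall lines and constructed Active Directory logon events (using the real Windows security event IDs 4625 for a failed logon and 4624 for a successful one) and ties them together by source IP: a handful of failed logons alone, or a firewall ALLOW alone, looks like ordinary noise, but a burst of failures followed by a success from a source the firewall admitted in the same window is the kind of indicator that only appears when the two feeds are joined. The log formats, IP addresses, account names and the five-minute window are all assumptions made for the example.

```python
"""Correlate constructed firewall and Active Directory logon events by source IP.

Added example for illustration; the log formats below are invented for this
script and are not a particular vendor's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed perimeter firewall log: timestamp, source, destination, port, verdict.
FIREWALL_LOG = """\
2025-04-17T09:00:05 src=203.0.113.7 dst=10.0.0.5 dport=445 action=ALLOW
2025-04-17T09:00:09 src=203.0.113.7 dst=10.0.0.5 dport=445 action=ALLOW
2025-04-17T09:15:30 src=198.51.100.4 dst=10.0.0.8 dport=443 action=ALLOW
"""

# Constructed Active Directory logon events (4625 = failed logon, 4624 = successful logon).
AD_LOG = """\
2025-04-17T09:00:06 EventID=4625 Account=jdoe SourceIP=203.0.113.7 Status=FAILED
2025-04-17T09:00:07 EventID=4625 Account=jdoe SourceIP=203.0.113.7 Status=FAILED
2025-04-17T09:00:08 EventID=4625 Account=jdoe SourceIP=203.0.113.7 Status=FAILED
2025-04-17T09:00:10 EventID=4624 Account=jdoe SourceIP=203.0.113.7 Status=SUCCESS
2025-04-17T09:15:31 EventID=4624 Account=asmith SourceIP=198.51.100.4 Status=SUCCESS
"""

FW_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")
AD_RE = re.compile(r"^(\S+) EventID=(\d+) Account=(\S+) SourceIP=(\S+) Status=(\w+)$")


def parse_firewall(text):
    """Parse firewall lines into dicts; silently skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, action = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "dport": int(dport), "action": action})
    return events


def parse_ad(text):
    """Parse Active Directory logon lines into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = AD_RE.match(line.strip())
        if not m:
            continue
        ts, event_id, account, src, status = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "account": account, "src": src, "status": status})
    return events


def correlate(fw_text, ad_text, window=timedelta(minutes=5), fail_threshold=3):
    """Return alerts where, within `window` before a successful AD logon from a
    source IP, the same account had >= fail_threshold failures from that IP AND
    the firewall allowed traffic from that IP. Either feed alone never alerts."""
    allowed_by_src = defaultdict(list)
    for e in parse_firewall(fw_text):
        if e["action"] == "ALLOW":
            allowed_by_src[e["src"]].append(e)

    ad_by_src = defaultdict(list)
    for e in parse_ad(ad_text):
        ad_by_src[e["src"]].append(e)

    alerts = []
    for src, events in ad_by_src.items():
        if src not in allowed_by_src:
            continue  # no perimeter record for this source; nothing to join on
        events.sort(key=lambda e: e["ts"])
        for i, success in enumerate(events):
            if success["event_id"] != 4624:
                continue
            start = success["ts"] - window
            failures = [f for f in events[:i]
                        if f["event_id"] == 4625 and f["account"] == success["account"]
                        and f["ts"] >= start]
            fw_hits = [f for f in allowed_by_src[src] if start <= f["ts"] <= success["ts"]]
            if len(failures) >= fail_threshold and fw_hits:
                alerts.append({"source_ip": src, "account": success["account"],
                               "failed_logons": len(failures),
                               "firewall_allows": len(fw_hits),
                               "success_at": success["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(FIREWALL_LOG, AD_LOG):
        print("ALERT:", alert)
```

Run as-is, the script raises one alert for the constructed 203.0.113.7 / jdoe sequence and none for the single clean logon from 198.51.100.4. Passing an empty firewall feed, or raising `fail_threshold`, produces no alert at all, which is the practical point of the bullet: each source on its own is below any reasonable threshold, and the indicator exists only in the join.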

The takeaway

A reduction of reported data breaches should not lead PE firms or their portfolio companies to ease their cybersecurity efforts. The evolving nature of cyberthreats means that attackers will eventually adjust their strategies, exploiting any weaknesses left unaddressed. To stay ahead, it is critical to prioritize cybersecurity risk management early and maintain ongoing measures throughout the PE investment lifecycle.
