Private equity firms are increasingly aware of the growing cyber threat landscape, but many are falling short in translating this awareness into effective risk mitigation, according to new research from global intelligence and cyber security consultancy S-RM.
The firm’s latest study, based on a survey of 100 PE professionals across the UK, Europe, and the US, reveals that 72% of respondents have experienced a serious cyber incident across their portfolios in the past three years – highlighting cyber attacks as systemic risks that span entire investment ecosystems.
Despite the prevalence of incidents, only 65% of portfolio companies are required to report cyber events to their parent firms immediately, raising concerns around oversight, transparency, and readiness.
The research comes amid heightened scrutiny of threat actor groups such as Scattered Spider, which have broadened their targets beyond retail to include insurers and service-based sectors – raising the stakes for PE-backed platforms.
While 70% of firms reported conducting cyber due diligence on every transaction, a significant portion are underinvesting in these efforts. One-third of respondents said they spend less than £16,000 per cyber due diligence engagement, with cyber assessments receiving approximately 82% less investment compared to technology due diligence.
Moreover, although 89% of firms acknowledged that cyber maturity has influenced a deal decision, many admitted that structured post-close remediation strategies remain lacking – creating a disconnect between pre-deal insights and long-term portfolio risk management.
S-RM’s findings also underscore a lack of consistent cyber hygiene across portfolios. Just 54% of firms confirmed that all portfolio companies have a defined and tested incident response plan, while only 53% require regular employee cybersecurity training across the board.
