From deepfake to vendor breach: Why 2025 is the turning point in private equity cyber risk

PARTNER CONTENT 

By Anand Mohabir, Founder & CEO, Elteni 

Cybersecurity in the private equity industry has passed a tipping point in 2025. What was once considered an IT issue, handled behind the scenes, is now a boardroom issue with a direct impact on investor confidence, day-to-day operations and reputation. issue, one that directly affects investor confidence, day-to-day operations, and reputation.

Ten years ago, it was acceptable to secure the perimeter with strong firewalls and train staff to identify a phishing email. The landscape has changed so dramatically that this is not even the starting point for protecting a fund’s systems. Attackers are using  AI technology to clone voices to impersonate colleagues and investors and penetrate the networks of vendors who provide the fund’s back-office and infrastructure. The distinction between privacy, cybersecurity and operational risk is dissolving, with very real consequences. 

Earlier this year, a group called ShinyHunters performed a highly sophisticated, multistage attack using voice phishing and malicious data-loader tools to target Salesforce environments. Instead of using brute force, the group used AI-generated voices that simulated legitimate support staff. This fooled employees into providing access to sensitive systems to the bad actors. Ultimately, financial and client data from numerous firms began to appear on the dark-web. 

While no private equity firms were directly attacked, the breach of Salesforce is an example of something private equity firms can realistically expect. Private equity firms are especially vulnerable to this type of manipulation. Capital call notices, wire instructions, and portfolio company information are all highly sensitive. A single phishing success or compromised vendor account can expose details that affect valuations, competitive positioning, and investor trust.

When investor or portfolio company data is stolen, it is not just a security problem, it is also a privacy issue. Regulators and investors no longer separate the two. The SEC’s updated Regulation S-P makes this clear. What began as a rule about safeguarding customer information has evolved into one that expects firms to have tested response plans, clear notification processes, and ongoing oversight of service providers. For private equity, this represents a shift from compliance to accountability. Protecting confidential information is now part of fiduciary duty, not just a legal requirement.

Private equity firms operate in one of the most interconnected ecosystems in finance. Between administrators, custodians, data providers, and their portfolio companys, a fund’s operation depends on dozens of external partners, each of which increases the attack surface.

Private equity operates in one of the most interconnected financial ecosystems. Fund administrators, legal and accounting partners, cloud providers, and portfolio companies all create potential points of exposure. A single outage or breach can disrupt reporting cycles, delay capital calls, or erode investor confidence.

While your firm may have strong controls, if a vendor or service provider is compromised, your operations can grind to a halt. Due to this, vendor oversight is not a box checking exercise, it’s a continuous process that sits at the heart of enterprise risk management.

Artificial intelligence is reshaping how cyberattacks are planned and executed. Malicious actors are using AI to create convincing phishing messages, replicate executives’ voices, and even produce fake video messages. Over the past year, several private equity executives have been targeted by deepfake phone calls. Some of those calls came during critical financial transactions.

Traditional awareness training isn’t enough anymore. Firms need to implement AI-aware defenses, systems that look for unusual patterns, not just suspicious emails. Verification protocols for wire transfers, trading activity, and data access must evolve. In a world where you can’t always trust what you see or hear, internal validation becomes the new perimeter.

Even though the SEC recently pulled back some of its proposed cybersecurity rules, that shouldn’t be seen as a step back. Regulators are simply rethinking how best to apply them, not whether they’re necessary. In the meantime, expectations from investors and other oversight bodies are only getting higher. Firms are still expected to show they have a strong handle on cybersecurity, regardless of whether a formal rule is in place. For private equity, the merging of privacy and cybersecurity has become part of the same fiduciary responsibility, protecting investor trust.

That uncertainty leaves private equity firms in a tough spot. Executives face greater personal accountability under existing fiduciary standards, even as the broader system for sharing cyber threat information continues to weaken. It’s an uneven landscape, but investors aren’t waiting for regulators to catch up. Many are already pressing funds to prove they’re ready, asking deeper and more detailed questions during due diligence to see how seriously they take cybersecurity and data protection.

Leading private equity firms are treating cybersecurity as more than just a compliance task. Institutional investors have increasingly included cyber maturity into their due diligence, and regulators are reviewing how firms structure their programs.

The most resilient private equity firms are embracing a modern approach built around six key elements:

• Zero Trust Architecture – Every device or user must prove their identity
• Active Vendor Oversight – Performing continuous monitoring of key service providers
• AI-Resilient Controls – Build in defenses that can detect AI-driven deception, including voice verification and behavior-based authentication.
• Integrated Privacy and Incident Response – Combine cyber and privacy functions to streamline response and notification.
• Board-Level Accountability – Treat cyber risk like investment or liquidity risk, with ownership at the top.
• Testing and Simulation – Run phishing tests, tabletop exercises, and recovery drills to ensure readiness.

Firms that implement these practices aren’t just protecting information, they’re protecting business continuity, reputation, and investor confidence.

This year may prove to be a defining one for private equity firms and cybersecurity. The rise of AI-driven attacks, the growing complexity of vendor ecosystems, and shifting regulatory expectations all points in the same direction, that standing still is not an option.

Cybersecurity and privacy have become essential parts of how funds operate and uphold their responsibilities. The firms that take them seriously and treat them as business priorities, not just compliance requirements, will be the ones that stand out.

In private equity, trust is the ultimate return, and resilience is how you achieve it.

Anand Mohabir, CISSP, CISM, OSCP, CREST-CRT, CMMC-RP, CEH, Founder & CEO,  Elteni – Anand Mohabir is the Founder and CEO of Elteni, a cybersecurity consulting and advisory firm focused on helping organizations strengthen their security posture, manage risk, and achieve meaningful compliance. With close to three decades of experience across technology, cybersecurity, and financial services, Anand brings both strategic insight and deep technical expertise to his leadership at Elteni. Before founding Elteni, Anand served as Managing Director of ACA Aponix (the cybersecurity division of ACA Compliance Group). His prior experience includes senior technology and security roles at Adams Hill Partners, Massif, Labranche Structured Products, and JAT Capital, among others. Anand holds multiple advanced cybersecurity credentials, including CISSP, CISM, OSCP, CREST-CRT, CMMC-RP, and CEH, and is actively involved in the cybersecurity community. He is recognized for his pragmatic approach to cybersecurity leadership, commitment to education, and dedication to helping clients build resilient, secure environments.