For three decades, financial institutions have treated asset safety as a matter of market infrastructure, custody discipline, operational resilience and post-trade control.
But the AI threat era has changed the meaning of asset safety.
Previously, securities had to be held safely, settlement had to happen predictably, and central securities depositories had to be understood, assessed and monitored – that was the meaning of asset safety.
Today, it’s no longer a question of where assets are held
We now need to know whether an institution, platform, portfolio company or market infrastructure holding or servicing assets can withstand an adversary operating at machine speed.
The old security model was built around human time, human discovery, human exploitation, human response, human governance, and human committees – but AI has moved the goalposts.
The exploit window has collapsed
A new generation of frontier AI capability has compressed the time and cost of cyber exploitation. What once required specialist teams, expensive tooling and long development cycles can now be accelerated by autonomous or semi-autonomous AI agents (agentic AI).
This means faster, more impactful attacks: vulnerability discovery, exploit development and weaponisation are moving from weeks to hours.
For private equity firms, portfolio company CISOs, CIOs and financial services leaders, this represents not just a technical development but a valuation event: cyber risk is now a control plane for deal certainty, enterprise value, regulatory confidence and exit readiness.
In the AI era, a company’s cyber posture is no longer something to be checked at diligence and revisited before exit – it has to be monitored, measured and improved continuously throughout the hold period.
Asset safety now has two dimensions
In financial services there remains a basic truth: you cannot protect assets unless you understand the infrastructure that holds, transfers, services and reconciles them.
But in 2026, that principle has expanded.
FS infrastructure is no longer just post-trade; it’s digital, it’s cloud-hosted; it’s API-connected; it’s third-party dependent; it’s AI-enabled - and it’s often exposed in ways boards can’t fully see.
- Firstly, there’s the traditional dimension: legal, operational, counterparty, liquidity, settlement, custody and asset servicing risk.
- Secondly, there’s the cyber-resilience dimension: whether the digital environment surrounding the asset, the fund, the portfolio company or the service provider can resist, detect and recover from AI-enabled attack.
The first protects ownership, while the second protects continuity, trust and value. Firms ignoring either are compromising asset safety.
Private equity is uniquely exposed to this cyber shift
A listed bank, custodian or CSD typically has regulatory pressure, mature governance and institutionalised risk functions. A portfolio company often does not: It may have grown quickly. It may have underinvested in controls. It may rely on inherited systems, unmanaged SaaS, fragmented identity architecture, weak third-party oversight and inconsistent incident response.
The arrival of AI has changed the threat model faster than the operating model can respond.
This means the classic enterprise security model is now structurally obsolete. It’s too slow, too reactive and too dependent on human-scale processes.
For a PE house, there are now four uncomfortable truths:
- Cyber risk can now move faster than the investment committee.
An exposure that looked tolerable during diligence can become material during ownership because attacker capability has accelerated. - Cyber weakness can dilute enterprise value without a full-blown breach.
Insurance costs, remediation spend, customer assurance failures, regulatory findings, delayed integrations and stalled exits all carry a price. - Portfolio-wide exposure is often invisible.
Most firms don’t have a consistent, comparable, asset-level view of cyber resilience across the portfolio. - Buyers are becoming less forgiving.
At exit, cyber evidence is no longer a nice-to-have. It’s part of the confidence package.
This is why cyber resilience must become a lifecycle discipline: priced at origination, operated during hold, evidenced at exit.
AI-first defence is now an asset safety requirement
AI-first defence means using AI and automation to discover exposures, prioritise risk, monitor attack surface, test controls, detect anomalies, accelerate response and produce board-ready evidence. But AI-first defence only works if it’s paired with ruthless attack surface minimisation.
For private equity, this should be managed like any other value creation lever because, in the AI era, an unmeasured cyber posture is an unpriced liability.
PE must industrialise cyber resilience across the investment lifecycle
The firms that win in this new threat environment won’t be the firms that treat cyber as a compliance exercise, they’ll be the firms that industrialise cyber resilience across the investment lifecycle.
- From the word go, they’ll identify cyber debt early and price it properly.
- During diligence, they’ll assess not only current exposure but also the cost and time required to reach an acceptable resilience baseline.
- During ownership, they’ll monitor continuously, benchmark consistently and intervene where risk threatens value.
- Before exit, they’ll produce evidence that cyber risk is understood, governed and under control.
This isn’t defensive bureaucracy, it’s value protection - and increasingly, it will become value creation.
A portfolio company that can prove resilience will be more trusted by customers, lenders, insurers, regulators and buyers. A company that cannot will face harder questions, slower transactions and greater valuation pressure.
Asset safety has entered the AI era
Thomas Murray’s historic focus on asset safety in financial services is now colliding with the defining technology risk of our time.
The same discipline that helped banks and investors understand CSD, custody and post-trade risk must now be applied to cyber resilience across private markets.
Find out how you can protect value and safeguard reputation.
Cybersecurity for Private Equity
Cyber attacks are becoming more intelligent than ever and private equity firms require security partners who understand the complete investment lifecycle and can protect business value. Our experience working with 8 of the 10 largest Private Equity funds by AUM positions us as a trusted advisor delivering strategic cybersecurity services across portfolio companies and investment stages.
Insights
AI Has Moved the Asset Safety Goalposts
The AI threat era has changed the meaning of asset safety for financial institutions.
The Hidden Risk of Private Credit
With the private credit boom set to continue in 2026, funds should view cybersecurity as a key liquidity risk.
Claude-Alt-Delete: Three Big AI Security Lessons for Private Equity
In a world where AI use is proliferating, PE firms need to move fast to not get left behind.
Is a Quantum Shift in Thinking Required for Private Equity?
The past year has seen big technology stories, themes and events that offer real learnings for private equity.