
Private equity firms and their portfolio companies are potential goldmines for threat actors. As pivotal links across the financial value chain, they hold a wealth of sensitive information that could be exploited. Data on confidential deals, investor communications, and financial intelligence is highly valuable, especially to criminals who can use it to demand ransom payment.

According to a recent study, nearly three-quarters of PE professionals experienced a serious cyber incident across their portfolios in the past three years. And in the financial sector, it’s estimated that the average cost of a data breach is nearly £4.5 million.

These statistics underscore the stark reality that digital vulnerabilities can have a devastating impact on portfolio performance and investor trust. They could ultimately jeopardise long-term fundraising prospects, undermining the very foundations of a private equity firm's success.

Investing in protection

Leading firms are discovering something counterintuitive: investment in cyber security can create competitive advantages worth far more than its protective value. Recent studies show that companies with advanced cyber security maturity report measurable gains in customer trust, operational resilience, and contract wins.

Trust is embedded within a business’s value offering. That is why prioritising cyber security as a core tenet early in the value creation process can sustain growth, bolster investor confidence and even increase valuations.

Here's how investment firms Apollo Global Management and Gridiron Capital acknowledged the long-term value that cyber security can bring.

1. Apollo Global Management: Security As a Fuel for Progress

Apollo Global Management recognises cyber security as vital to achieving success in the digital era.

Strategies that drive success

Leaders from over 35 of Apollo’s portfolio companies discussed emerging trends and best practices in technology and risk management, including cyber security. Among the key takeaways from their 2023 conference was the need for agile people, processes and technologies: “complete cyber programmes quickly adopt new technical capabilities, test internal processes from the help desk to the board room and leverage the best people within and outside the firm.”

Due Diligence

Before investing, the New York-based company conducts thorough due diligence to identify, evaluate and rank cyber security risks, using these assessments to inform its risk mitigation strategies. In its 2024 report, Apollo included the following key cyber security practices:

  • Vulnerability assessments and annual penetration testing.
  • Multi-factor authentication.
  • Annual security awareness training programmes.
  • Continuous monitoring and threat detection.
  • Incident response planning.

2. Protecting Value, Enhancing Competitiveness: Gridiron Capital's Cyber Security Journey

Gridiron Capital, a US-based private equity firm, oversees a diverse portfolio of 20 companies across B2B, B2C, and industrial sectors.

Laying the groundwork

To address the complex cyber security landscape, Gridiron established foundational controls, including multi-factor authentication and regular penetration testing, to create a consistent baseline.

Expanding the framework

However, the firm sought to further optimise risk management and create value by partnering with a specialist adviser to:

  • Collect and analyse detailed cyber security data, considering each company's unique operational context.
  • Benchmark and compare risks and defences, identifying strategic improvement areas for each investment.
  • Implement a systematic, data-driven approach, replacing ad-hoc decisions with proactive oversight.

According to Gridiron's leadership, this collaborative effort yielded a scalable, proactive cyber security programme that protected firm value and enhanced competitiveness. With enhanced data, Gridiron guided portfolio companies to close specific cyber security gaps, strengthening resilience and mitigating risks that could impact deal execution, operations, or reputation.

“We sought to elevate our risk management profile and drive continued evolution for our companies.” Jeff Steinhorn, Operating Partner at Gridiron Capital.

Key Competitive Advantages:

  • Proven operational improvements with measurable ROI across portfolio companies.
  • Increased trust and confidence from investors and limited partners.
  • Enhanced deal-making positioning, with strengthened due diligence and exit readiness.

This approach showcases how private equity firms can leverage cyber security as a value creation driver, rather than solely a risk mitigation strategy. Doing so establishes them as forward-thinking and responsible investors.

The Dual Purpose of Cyber Security

Private equity firms continue to integrate cyber security into their investment strategies in 2025, recognising the dual potential for risk mitigation and value creation.

This shift is partly driven by the escalating financial impact of cyber attacks. IBM’s 2024 report stated that the average cost of a data breach was close to $5m, a 10% year-on-year increase.

It is also driven by PE firms’ focus on high-growth sectors, where the importance of data protection is further highlighted. PE funding for healthcare, insurance and technology businesses is surging. But these are also prime targets for threat actors, considering how pivotal their data is to their success.

As a result, cyber security is no longer treated as a mere compliance requirement, but is embedded throughout the investment lifecycle, from pre-acquisition due diligence to ongoing portfolio management. Strong cyber defences are now a powerful differentiator in the competitive marketplace.

Ready to assess your portfolio’s cyber risk?

Thomas Murray supports private equity firms by combining cyber expertise with leading technologies to provide continuous, proactive monitoring of cyber risks across their portfolio. Investors adopt our cyber managed services throughout the investment lifecycle to assess, monitor and respond to cyber threats before they impact investment performance. With decades working with and providing cyber security services to PE, our approach focuses on delivering value and exceeds the expectations of both PE firms and their investments. As assets generate value, extensive investment in new technology, such as the rapid adoption of artificial intelligence, can leave organisations exposed without planning and structure. Thomas Murray’s approach and experience balance the competing demands of security and business priorities to maximise returns and manage compliance and cyber security risk.

Cyber Risk

Cyber attacks are becoming more intelligent than ever and private equity firms require security partners who understand the complete investment lifecycle and can protect business value. Our experience working with 8 of the 10 largest Private Equity funds by AUM positions us as a trusted advisor delivering strategic cyber security services across portfolio companies and investment stages.
