
The past year has seen big technology stories, themes and events that offer real learnings for private equity. These should all influence the way that the industry considers, approaches and manages cybersecurity risk. 

Artificial Intelligence 

The hype around AI, including the explosion of its use and accessibility across platforms, applications and society, has illustrated multiple potential use cases and possibilities for the technology. But the release of a paper by Anthropic late last year highlighted that threat actors are also using the technology and have so far been able to circumvent the organisation-wide guardrails that have been put in place.

A significant concern for PE should be the speed at which organisations can be scanned and attacked using freely available tooling. For portfolios seeking to execute buy and build, the careful management of attack surfaces, across both portfolio companies and investment targets, is an urgent necessity.

New regulations

From a regulatory perspective, the Digital Operational Resilience Act (DORA) came into force in early January 2025, placing a sharp focus on the financial services sector and on IT third parties that support critical business operations. 

Asset owners, as well as asset allocators, can fall within the scope of DORA and be subject to added regulatory oversight. Continued investment in the TMT sector by PE, including managed service providers, fintechs and SaaS, could see a growing number of PE-owned companies and targets also within the scope of the regulation. Concerns and considerations should cover the possible fines associated with non-compliance, the potential impact of mandatory exit clauses and exit plans within service contracts, and the possible loss of customers in the event of a significant cybersecurity incident.

High impact incidents

A series of attacks and incidents in the UK, starting with large retailers the Co-op, Selfridges, and M&S, culminated with the widely reported JLR incident, which affected a key manufacturing hub in the UK. Across the world, zero-day vulnerabilities in Oracle led to multiple victims in the EBS zero-day extortion campaign. There were also a series of outages across large well-known websites, caused by DNS issues in a critical third-party provider and, in separate incidents, physical tampering, and the destruction of undersea cables.

These events illustrated the fragility of the internet and the infrastructure that we all rely upon. They also offer lessons for private equity and demonstrate the need to underpin this technology and infrastructure with secure cybersecurity solutions. 

Expanding investments

The increased demand for energy, along with the additional datacentre infrastructure required to support the growth of AI, has resulted in many PE funds expanding as they seek new opportunities for investment. Expansion into new industries and sectors for PE investors changes the risk profile, with the need to incorporate considerations around operational technology (OT) and the corresponding threat actors that are likely to attack critical assets in the technology and infrastructure supply chain.

A growing trend for PE to pivot toward investing in the defence tech sector presents yet more risk for investments, as geopolitical instability, illustrated by events in the Middle East, highlights both the potential for lucrative rewards and the stark reality of attacks from nation state threat actors with highly capable and skilled individuals.

Looking forward

Looking further into 2026, there are already indications of systemic shifts in the underlying components of the technology stack. 

Quantum technology, and the computational power it promises, could shift the way businesses think about, use, and interact with their data, technology, and systems. This technology offers massive potential for growth and value creation. However, as AI has proven, threat actors will no doubt adopt the technology at speed and gain the benefits from it: the ability to conduct computations at speed could mean that the existing encryption algorithms that underpin modern communications, protect confidentiality, confirm the origins of messages, and check data for tampering will soon become ineffective.

The exact timeline for quantum and its adoption is not yet known, but it’s expected to be approximately five years from now. The challenge is that for the largest businesses, becoming quantum ready could take approximately seven years. No two businesses will be the same, but the risk of not becoming “quantum-ready” presents a clear and present risk to future returns. 

Despite this, most investors are not yet considering quantum within the realm of their due diligence efforts – and this lack of consideration is placing future growth and returns at risk. If businesses don’t take steps now to prepare for “Q Day”, they will be exposed to threat actors with a metaphorical “sledgehammer” (their own existing controls currently representing a woefully inadequate “nut”).

For other investors, there’s the possibility that their confidential data could already be held, waiting to be decrypted. With this in mind, the lifetime value of confidential data should also be a core consideration for investments expected to be held beyond the projected Q Day.


For more information on the hidden risks behind private credit, plus a broader view of the private equity outlook for 2026, please view the Thomas Murray white paper, Cyber Risk is Driving Portfolio Valuation in 2026.
