With cybercrime projected to cost the world a staggering $23 trillion by 2027 and a new vulnerability identified every 17 minutes, according to IBM’s Cost of Data Breach 2024(Opens a new window), it's clear that both fund-level and portfolio company security cannot be overlooked. Embracing a comprehensive cybersecurity journey – from initial assessments and employee training to advanced penetration testing and continuous monitoring – helps enable both fund-level entities and portfolio companies to be well-equipped to handle the challenges of today's digital threat landscape.

Other recent data from IBM’s report paints a sobering picture:

• Data breaches: There has been a 205% increase in data breaches between 2015 and 2024.
• Breach origins: Approximately 55% of data breaches are caused by malicious actors – hackers intentionally breaching systems – while the remaining 45% result from human error (for example, sending a sensitive spreadsheet to the wrong email address).
• Dwell time and incident costs: One of the most critical challenges is the delay in detecting and containing breaches. On average, a threat actor remains undetected in an environment for 194 days. Once detected, it takes approximately 64 days to contain the breach. This lengthy dwell time amplifies the cost and highlights the need for robust monitoring and rapid response capabilities.

These figures emphasize the immense financial and operational risks associated with cybersecurity failures. In the United States alone, the average data breach cost is about $9.36 million, compared to a global average of roughly $4.88 million, IBM’s Cost of a Data Breach 2024 found. When you break it down, a breach costs around $143 per record, an increase of $17 from last year. Such numbers illustrate the high stakes and the disproportionate impact in markets with abundant sensitive data and a litigious environment. 

Regulatory Influences and Compliance Considerations

Compliance commitments now play a central role in shaping cybersecurity practices:

• GLBA revisions: Originally targeted at financial and lending institutions in the mid-1990s, the Gramm-Leach-Bliley Act (GLBA) was revised last year to encompass all lending institutions. This means that if your organization is involved in any form of lending, you must now comply with these expanded regulations.
• SEC requirements: In addition to GLBA, public companies must increasingly disclose their cybersecurity practices through filings such as 10-Ks and 8-Ks. This transparency is essential for building investor confidence and ensuring cybersecurity is considered a critical aspect of corporate governance.

For organizations that manage consumer and private data, these regulatory changes underscore the importance of aligning cybersecurity policies with legal requirements and industry best practices.

Three approaches to mitigate cyber risks

1) Cybersecurity due diligence in transactions

For many private equity firms, the cybersecurity journey begins at the transaction level:

• Pre-transaction assessments: Conducting high-level risk assessments and technical tests – such as Microsoft 365 security reviews – provides critical insights into an organization's cybersecurity posture.
• Post-transaction follow-up: After the deal, firms can set expectations for remediation efforts and allocate resources (such as escrow funds) to address identified vulnerabilities.

In many cases, funds that have experienced breaches at the portfolio level have subsequently mandated comprehensive cybersecurity due diligence across all investments. This layered approach protects the portfolio companies and safeguards the fund's overall reputation and financial health.

2) Penetration testing and baseline assessments

Penetration testing – engaging ethical hackers to identify weaknesses – can be an effective tool, but it must be approached correctly:

• Assess first, test later: Organizations just beginning their cybersecurity journey should conduct an initial baseline assessment to understand their current state. This includes evaluating basic policies, IT operations, and user practices before moving on to more advanced testing like penetration tests.
• Social engineering: Simulated phishing campaigns and other social engineering tests have revealed that, in some cases, up to 70% of employees may click on suspicious links , underlining the need for ongoing training and awareness.

3) Cyber insurance considerations

Cyber insurance remains a vital part of the overall risk management strategy but comes with nuances:

• First-party vs. third-party coverage: First-party coverage addresses direct losses from an attack (such as system downtime or data loss), whereas third-party coverage protects against claims from customers or partners affected by a breach.
• Service provider risks: When relying on third-party IT providers, it's crucial to maintain robust cybersecurity practices and carry adequate insurance, as a breach at the MSP level can compromise the entire organization.

Building resilience

For SBICs and financial sponsors, managing cybersecurity protocols requires a balanced approach combining proactive risk management and rigorous compliance. From understanding the staggering statistics and cost implications to implementing assessments and robust governance frameworks, firms must view cybersecurity not as an expense but as a critical investment in their future stability. By aligning cybersecurity practices with regulatory mandates such as the revised GLBA and SEC requirements and by addressing both human and technical vulnerabilities, organizations can build resilient defenses that protect not only their sensitive data but also the confidence of investors and stakeholders.