Navigating cybersecurity and privacy threats for SBICs
Robust cybersecurity measures and regulatory compliance are critically important for SBICs. We provide three approaches to mitigating cyber risks including cybersecurity due diligence, penetration testing, and cyber insurance.
With cybercrime projected to cost the world a staggering $23 trillion by 2027 and a new vulnerability identified every 17 minutes, it's clear that both fund-level and portfolio company security cannot be overlooked. Embracing a comprehensive cybersecurity journey – from initial assessments and employee training to advanced penetration testing and continuous monitoring – helps enable both fund-level entities and portfolio companies to be well-equipped to handle the challenges of today's digital threat landscape.
Other recent data paints a sobering picture:
- Data breaches: There has been a 205% increase in data breaches between 2015 and 2024.
- Breach origins: Approximately 55% of data breaches are caused by malicious actors – hackers intentionally breaching systems – while the remaining 45% result from human error (for example, sending a sensitive spreadsheet to the wrong email address).
- Dwell time and incident costs: One of the most critical challenges is the delay in detecting and containing breaches. On average, a threat actor remains undetected in an environment for 194 days. Once detected, it takes approximately 64 days to contain the breach. This lengthy dwell time amplifies the cost and highlights the need for robust monitoring and rapid response capabilities.
These figures emphasize the immense financial and operational risks associated with cybersecurity failures. In the United States alone, the average data breach cost is about $9.36 million, compared to a global average of roughly $4.88 million. When you break it down, a breach costs around $143 per record, an increase of $17 from last year. Such numbers illustrate the high stakes and the disproportionate impact in markets with abundant sensitive data and a litigious environment.
Regulatory Influences and Compliance Considerations
Compliance commitments now play a central role in shaping cybersecurity practices:
- GLBA revisions: Originally targeted at financial and lending institutions in the mid-1990s, the Gramm-Leach-Bliley Act (GLBA) was revised last year to encompass all lending institutions. This means that if your organization is involved in any form of lending, you must now comply with these expanded regulations.
- SEC requirements: In addition to GLBA, public companies must increasingly disclose their cybersecurity practices through filings such as 10-Ks and 8-Ks. This transparency is essential for building investor confidence and ensuring cybersecurity is considered a critical aspect of corporate governance.
For organizations that manage consumer and private data, these regulatory changes underscore the importance of aligning cybersecurity policies with legal requirements and industry best practices.
Three approaches to mitigate cyber risks
1) Cybersecurity due diligence in transactions
For many private equity firms, the cybersecurity journey begins at the transaction level:
- Pre-transaction assessments: Conducting high-level risk assessments and technical tests – such as Microsoft 365 security reviews (typically costing between $7,000 and $8,000) – provides critical insights into an organization's cybersecurity posture.
- Post-transaction follow-up: After the deal, firms can set expectations for remediation efforts and allocate resources (such as escrow funds) to address identified vulnerabilities.
In many cases, funds that have experienced breaches at the portfolio level have subsequently mandated comprehensive cybersecurity due diligence across all investments. This layered approach protects the portfolio companies and safeguards the fund's overall reputation and financial health.
2) Penetration testing and baseline assessments
Penetration testing – engaging ethical hackers to identify weaknesses – can be an effective tool, but it must be approached correctly:
- Assess first, test later: Organizations just beginning their cybersecurity journey should conduct an initial baseline assessment to understand their current state. This includes evaluating basic policies, IT operations, and user practices before moving on to more advanced testing like penetration tests.
- Social engineering: Simulated phishing campaigns and other social engineering tests have revealed that, in some cases, up to 70% of employees may click on suspicious links, underlining the need for ongoing training and awareness.
3) Cyber insurance considerations
Cyber insurance remains a vital part of the overall risk management strategy but comes with nuances:
- First-party vs. third-party coverage: First-party coverage addresses direct losses from an attack (such as system downtime or data loss), whereas third-party coverage protects against claims from customers or partners affected by a breach.
- Service provider risks: When relying on third-party IT providers, it's crucial to maintain robust cybersecurity practices and carry adequate insurance, as a breach at the MSP level can compromise the entire organization.
Building resilience
For SBICs and financial sponsors, managing cybersecurity protocols requires a balanced approach combining proactive risk management and rigorous compliance. From understanding the staggering statistics and cost implications to implementing assessments and robust governance frameworks, firms must view cybersecurity not as an expense but as a critical investment in their future stability. By aligning cybersecurity practices with regulatory mandates such as the revised GLBA and SEC requirements and by addressing both human and technical vulnerabilities, organizations can build resilient defenses that protect not only their sensitive data but also the confidence of investors and stakeholders.

Ali Khraibani