I. Introduction: Why Private Equity Should Start Cyber Diligence with the Portfolio – Not the Target
Cyber risk management in private equity shouldn’t start with a target – it should start with the portfolio. That’s why the first step in our methodology is Portfolio Risk Benchmarking: a consistent and economical way to assess cyber risk across all holdings. It cuts through the noise of one-off vendor reports and mismatched frameworks, giving sponsors a clear view of where things stand… and what actually needs attention.
This article breaks down how Portfolio Risk Benchmarking works, what you get from it, and why we treat it as the foundation for everything that follows – from diligence to post-close to exit planning.
📉 Summary: for when there’s no time to read the full memo 📉
Portfolio Risk Benchmarking is the starting point for managing cyber risk the way private equity actually works… fast, repeatable, and grounded in real context. It gives sponsors a clear view across holdings and makes every new diligence effort easier to scope, faster to execute, and harder to second-guess. This article details our methodology for making this a reality at an affordable cost.
II. The Status Quo: Fragmentation, Friction, and Inflated Costs
Most private equity portfolios weren’t built with cyber oversight in mind. Each company runs its own systems, works with its own vendors, and defines “secure” however it wants. One might follow NIST standards, another leans on its MSP’s quarterly report, and a few just cross their fingers and hope for the best.
This fragmentation creates three problems for PE firms.
First is the most obvious challenge. There’s no clean way to compare cyber maturity across the portfolio. Managing cybersecurity for a single company is hard enough… so trying to get consistent data across ten or twenty businesses with different systems, security tools, and reporting formats? That’s a different level of complexity. Risk committees end up sorting through clashing formats and conflicting “scores.”
If you’ve tried to address the first challenge, then you’ve likely run into the second problem. Portfolio-wide assessments are typically priced and built for the wrong market. Traditional firms quote $20,000 to $40,000 per portco, then show up with frameworks made for Fortune 500s. That might be fine for the mega funds, but most sponsors know the ROI just isn’t there.
And third, every new diligence effort kicks off without any real context. Without a benchmark in place, every target gets assessed in a vacuum and deal teams are stuck redefining what “good enough” looks like every time. It adds friction, stretches timelines, and makes it harder to compare risk across deals. Setting a consistent internal standard changes that… it gives sponsors a way to evaluate new targets in context.
III. What Is Portfolio Risk Benchmarking?
Portfolio Risk Benchmarking is an assessment of cybersecurity maturity and risk across all portcos – built specifically for the way private equity firms operate. It gives sponsors a clear and consistent way to understand how each company stacks up, where the gaps are, and what those risks actually mean in financial terms.
At the core of this process is the financial quantification of risk, modeled using FAIR (Factor Analysis of Information Risk), to translate cyber exposure into estimated loss ranges across all portfolio companies. It helps sponsors understand not just where the gaps are, but which ones actually matter. Rather than flagging every technical issue simply by severity… the focus is on providing a financial perspective that helps sponsors prioritize based on business impact – not just technical noise.
But benchmarking isn’t just about sizing up individual companies. It’s about building a common reference point across the portfolio. Every company is assessed using the same lens so that the outputs are directly comparable. That standard becomes stronger with each assessment – giving sponsors a way to track progress, spot outliers, and evaluate new targets with context instead of guesswork.
IV. How Benchmarking Turns Cyber Diligence into a Repeatable Advantage
Without a portfolio benchmark, every new deal starts from zero. There’s no shared baseline, no consistent risk tolerance, and no easy way to put a new target’s cyber posture in context. That makes it hard to tell whether an acquisition is high risk, and it forces the team to work that out from scratch each time. It slows down diligence, adds friction to negotiations, and forces deal teams to make judgment calls without much to go on outside of the diligence report.
All of that gets easier with a benchmark in place. Deal teams walk in knowing what “good enough” looks like in the context of the portfolio. Assessments can be scoped faster, findings make more sense, and there’s a clearer line between risk that matters and risk that doesn’t. Integration planning can start earlier and there’s less guesswork around how to get a new company to meet the minimum thresholds you’d like to see across your portfolio.
And it’s not just helpful during diligence. Once the benchmark is in place, it becomes a reference point for everything else – insurance questions, board and investor updates, and year-over-year tracking. It gives firms a way to manage cyber risk across the portfolio while making every new diligence effort faster and more informed. And when it’s time to sell, that same benchmark becomes proof – showing a track record of maturity, progress, and control that helps buyers get comfortable faster.
V. Engagement Scope: Comprehensive Yet Right-Sized
Portfolio Risk Benchmarking isn’t about boiling the ocean or running a 200-point audit on every company. It’s designed to give PE firms the visibility they need without overwhelming the operations teams. That means keeping the scope focused, consistent, and practical. Each portfolio company gets its own assessment, but they all follow the same playbook – which means sponsors don’t have to reinterpret findings or reset expectations every time. The goal isn’t a stack of disconnected reports. It’s a clear and consistent way to understand cyber risk across the portfolio and to zoom in wherever more detail is needed.
Cyber Controls Assessment
Each company is evaluated across 15 core cyber maturity domains. These aren’t just borrowed from enterprise frameworks – they’re built for the realities of mid-market companies: lean IT staff, outsourced infrastructure, and inconsistent security tools. We focus on the controls that underwriters care about most – the ones whose absence drives claims and losses. Using a mix of commercial and proprietary tools, we build an initial snapshot of each company’s controls and configurations. From there, we review key documentation like cybersecurity policies, incident response plans, and cyber insurance coverage to validate plans and processes. And then we like to schedule one to three stakeholder meetings to clarify execution, confirm assumptions, and understand how decisions are being made in practice. We understand that scheduled time with operations teams is valuable, so we’re flexible in what this looks like. This layered approach helps flag the true gaps – whether it’s inconsistent implementation or risk decisions that don’t match the firm’s appetite.
Cyber Risk Exposure Modeling
Alongside the controls assessment, we quantify cyber risk using the FAIR model (Factor Analysis of Information Risk, standardized by The Open Group as Open FAIR). FAIR accounts for the strength of existing controls, but it also estimates how often loss events are likely to occur and how much each one would cost – giving sponsors a clearer picture of actual exposure, not just surface-level risk. For each portco, we model three common scenarios:
• Ransomware
• Data breach
• Business interruption
This isn’t just a cyber exercise. It’s a way to put dollar values behind cyber risk and treat it like any other factor in your investment model. From a portfolio view it makes cyber risk consistent and comparable. One company might have weak controls but very little actual exposure. Another’s controls might look fine on paper but carry a financial downside large enough to justify investing in stronger controls. Without modeling exposure, most firms would focus on the company with weak controls and overlook the one with the greater financial risk… the decision would come down to gut feeling.
On the diligence side, quantifying cyber risk sharpens deal terms, supports integration planning, and translates technical findings into board-level language. It gives sponsors the data they need to prioritize what actually matters – not just what looks alarming on a heatmap. And just as importantly, it helps clarify when a perceived red flag isn’t a real blocker. We had a PE firm's head of security insist on resolving a control gap before closing… but because we had benchmarking data across the portfolio, we could point to two other portcos with the exact same gap – and significantly higher risk exposure. That context made it clear the risk was already within their tolerance and helped move the deal forward without added friction.
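To make the “weak controls, low exposure” versus “good controls, high exposure” comparison concrete, here is an added worked example that is not part of the original article and is not the firm’s proprietary model. It is a reduced-form FAIR calculation: loss event frequency is modeled as threat event frequency times vulnerability (the probability an attempt becomes a loss event, which is where control strength enters), per-event loss magnitude is drawn from a lognormal calibrated to an assumed 90% range, and a Monte Carlo run produces an annualized loss exposure (ALE) distribution for the three scenarios named above. Every number in the two constructed portfolio companies is an assumption chosen for illustration.

```python
# Reduced-form FAIR Monte Carlo for portfolio cyber risk benchmarking.
# Added illustration: the two portcos and all their parameters are constructed
# assumptions, and this is a simplified FAIR, not the firm's own implementation.
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    """One FAIR loss scenario (ransomware, data breach, business interruption)."""
    name: str
    tef_per_year: float   # Threat Event Frequency: attempts per year (assumed)
    vulnerability: float  # P(attempt becomes a loss event); stronger controls lower it
    loss_low: float       # 5th percentile of per-event loss magnitude, USD (assumed)
    loss_high: float      # 95th percentile of per-event loss magnitude, USD (assumed)


def loss_event_frequency(s: Scenario) -> float:
    """FAIR: Loss Event Frequency = Threat Event Frequency x Vulnerability."""
    return s.tef_per_year * s.vulnerability


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; fine for the small annual rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def sample_loss_magnitude(rng: random.Random, s: Scenario) -> float:
    """Lognormal per-event loss with [loss_low, loss_high] as its 90% interval."""
    mu = (math.log(s.loss_low) + math.log(s.loss_high)) / 2
    sigma = (math.log(s.loss_high) - math.log(s.loss_low)) / (2 * 1.6449)
    return rng.lognormvariate(mu, sigma)


def percentile(sorted_values, q: float) -> float:
    """Nearest-rank percentile on an already sorted list."""
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def simulate_ale(scenarios, iterations: int = 20000, seed: int = 7) -> dict:
    """Annualized Loss Exposure distribution summed across a company's scenarios."""
    rng = random.Random(seed)
    annual_totals = []
    for _ in range(iterations):
        total = 0.0
        for s in scenarios:
            for _ in range(sample_poisson(rng, loss_event_frequency(s))):
                total += sample_loss_magnitude(rng, s)
        annual_totals.append(total)
    annual_totals.sort()
    return {
        "mean": mean(annual_totals),
        "p50": percentile(annual_totals, 0.50),
        "p90": percentile(annual_totals, 0.90),
        "p_any_loss": sum(1 for t in annual_totals if t > 0) / iterations,
    }


def rank_portfolio(portfolio: dict, metric: str = "p90") -> list:
    """Rank portcos by an ALE statistic, highest exposure first."""
    results = {name: simulate_ale(scn) for name, scn in portfolio.items()}
    return sorted(results.items(), key=lambda kv: kv[1][metric], reverse=True)


# Constructed example: A has weak controls (high vulnerability) but little to lose;
# B has better controls but far larger loss magnitudes per event.
PORTFOLIO = {
    "PortCo A (weak controls, low exposure)": [
        Scenario("ransomware", 2.0, 0.60, 20_000, 300_000),
        Scenario("data breach", 1.0, 0.50, 10_000, 150_000),
        Scenario("business interruption", 1.0, 0.40, 5_000, 100_000),
    ],
    "PortCo B (good controls, high exposure)": [
        Scenario("ransomware", 2.0, 0.15, 500_000, 15_000_000),
        Scenario("data breach", 1.0, 0.10, 1_000_000, 25_000_000),
        Scenario("business interruption", 1.0, 0.10, 250_000, 8_000_000),
    ],
}

if __name__ == "__main__":
    for name, stats in rank_portfolio(PORTFOLIO):
        print(f"{name}: mean ${stats['mean']:,.0f}  p50 ${stats['p50']:,.0f}  "
              f"p90 ${stats['p90']:,.0f}  P(any loss)={stats['p_any_loss']:.0%}")
```

Run as written, PortCo A suffers a loss event in most years while PortCo B ranks higher on both mean and 90th-percentile ALE. Two practical caveats fall out of the model: when a company’s combined loss event frequency is below one per year, its median annual loss is often zero, so comparing portcos on the median hides the tail and the mean or a high percentile is the better benchmark; and lowering a scenario’s vulnerability (the effect of a stronger control) is how a remediation item can be priced as a reduction in ALE rather than argued by severity alone.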
External Threat & Breach Intelligence
Because most real-world threats start outside the company, we also perform targeted dark web research and threat intelligence. We look at dark web forums and marketplaces, breach databases, and signs of executive impersonation, domain spoofing, and fraudulent brand / IP usage. These are the signals that can truly impact a holding period or a new acquisition, and you won’t find them by following an enterprise framework. This external view rounds out the picture… hopefully confirming there’s nothing in play, but highlighting any sign that a portfolio company may already be in the crosshairs.
With a clear view of control maturity, quantified exposure, and external threat activity across the board… sponsors gain something rare in cybersecurity: consistency. The result is faster decisions, smarter prioritization, and a portfolio strategy that’s built on data instead of guesswork. And it all starts with the right outputs.
VI. Outputs That Actually Drive Decisions
The value of Portfolio Risk Benchmarking isn’t just in the process – it’s in what you can do with the results. Every assessment feeds into a common set of outputs that give sponsors both the high-level view and the ability to drill into specific risks when needed.
- A custom reporting portal that gives sponsors a dynamic view of their entire portfolio – including company-level dashboards with prioritized remediation guidance, controls and quantification benchmarking against the portfolio, and the ability to zoom in or out as needed. Access can also be extended to operating partners or individual portcos, depending on how firms want to manage visibility.
- A static report in PDF format, including the scorecard, critical findings, and prioritized recommendations.
- An attestation report in PDF format, delivered to the sponsor as a reference for audit documentation, LP updates, or divestiture preparation.
- Optional individual portfolio company reports in PDF format – useful for targeted remediation follow-up or internal reporting.
Together these deliverables give sponsors a clear, scalable way to manage cyber risk across the portfolio. More than static documentation, they provide a repeatable structure for tracking improvements, identifying outliers, and grounding every new diligence project in a benchmark that actually reflects how the firm operates. This isn’t about producing another binder for the shelf. It’s about arming deal teams and operating partners with intelligence they can actually use… quickly and consistently. Whether you're reviewing a target, updating your risk committee, or prepping for a sale… the answers are already in front of you.
VII. Conclusion: Benchmarking Is Strategic Leverage
This isn’t about policing portfolio companies or checking a compliance box. Benchmarking cyber risk across a portfolio should be the foundation for managing cybersecurity at a private equity firm. Without a benchmark across the portfolio… every diligence process is a reset, every post-closing plan starts blind, and every conversation about cyber risk lacks context. With one in place, you have a consistent lens across holdings and transactions… one that informs decision-making, helps with prioritization, and removes the need to guess what good enough looks like.
That’s why it’s the starting point of our firm’s methodology. We don’t dabble in M&A cyber – it’s all we do. We’ve built this process specifically for sponsors who need clarity across their portfolios and speed in their deals. And we know from experience… getting the first step right changes everything that comes after.