
    Kroll: Cyber attacks emerged as “material transaction risk” for PE

    New survey showed the multi-million dollar impact of each cyber incident and yet, a Kroll executive believes it is “just the tip of the iceberg”

    Kroll has released a report warning that cyber incidents have become a “material transaction risk” for private equity (PE), causing significant value destruction across the deal lifecycle and rising in frequency. 

    The report, based on a survey of 325 PE firm executives, found that cyber risk was directly affecting valuations, exits and deal execution, particularly during the portfolio hold period.

    Multi-million dollar cyber hits 

    On average, surveyed firms reported a financial impact of $2.1 million per cyber incident. Dave Burg, global group head of cyber and data resilience at Kroll, said this was “just the tip of the iceberg,” with the true cost emerging in regulatory investigations, delayed deal timelines and continuation vehicles triggered by post-incident governance gaps.

    Kroll’s analysis indicated there was a 53% probability that a PE firm would lose more than $500,000 in any given attack and a 13% chance that losses would exceed $5 million.

    In total, 94% of respondents said they had suffered some form of financial impact due to cybersecurity risk. This included reduced valuation or exit price following cyber incidents in just over a quarter of cases, increased ongoing compliance or cybersecurity training costs for nearly two-thirds of firms, and indirect remediation or consultancy bills for almost half of respondents.

    Hold period becomes prime target for attackers

    Kroll also noted that the pressure was most acute during the hold period. Eight in 10 PE firms experienced disruption due to cyberattacks while holding a portfolio company, and almost a third of those incidents resulted in outright business disruption or downtime.

    Additional impacts included unexpected remediation costs for 44% of firms, compliance- or regulatory-related litigation for 29%, and IT system integration challenges for 30%, the report said.

    Meanwhile, nearly 70% of PE firms said cyber incidents were increasing during the hold period, suggesting that attackers were targeting companies in the midst of integration and transformation.

    Burg said it was “not a coincidence” that nearly 70% of respondents had experienced cyber incidents during the hold period and pointed to attackers “synchronizing when they strike” and using generative AI to amplify the impact and effectiveness of their actions.

    Big PE vs mid-market: a widening cyber readiness gap

    The research also highlighted a pronounced gap between larger PE firms, with more than $25 billion in assets under management, and smaller sponsors managing less than $25 billion.

    A majority of larger firms, 55%, reported that they governed cybersecurity risk through a formal mandate to portfolio company managers, compared to only 12% of smaller firms. Similarly, 81% of larger firms said cybersecurity due diligence was a standard part of transaction due diligence, whereas just 29% of smaller firms did so as a matter of course.

    Larger managers were also far more likely to use dedicated risk management platforms, with 58% doing so versus only 9% among smaller firms, and more than half of large firms, 52%, had a dedicated cyber risk leader, compared to 15% of their smaller counterparts.

    Eric Hasty, managing director of cyber and data resilience at Kroll, said cybersecurity incidents could have significant impacts on PE portfolios of all sizes. He added that the study showed that PE firms which implemented a concise set of required cybersecurity controls, used dedicated platforms to monitor risk, conducted standardized due diligence and established clear accountability were far more effective at protecting value against cyber exposure in a cost-efficient way.

    2026 expectations: more cyber pressure, tougher incidents

    Looking to 2026, Kroll reported that 96% of PE firms expect the importance of portfolio cybersecurity to increase over the following 12 months. Just over half believed the financial impact of cyberattacks would grow in the coming year, and 54% expected cyber incidents to become more challenging to manage.

    For insurers, brokers and cyber risk advisers working with PE-backed companies, the findings point to sustained demand for higher cyber limits, more integrated advisory support and tighter integration of cyber risk assessment into M&A and portfolio management, particularly among smaller and mid-market sponsors that have yet to build the governance and tooling seen at the largest firms.
