
Cybersecurity for PE-Backed Companies: What Investors and Insurers Are Actually Asking

Tags: private equity, cybersecurity, due diligence, cyber insurance, risk management

Private equity due diligence has changed. Five years ago, cybersecurity questions in the diligence process were largely checkbox items — do you have antivirus, do you patch regularly, have you had any incidents? Today, the questions are materially harder, the insurer requirements are more demanding, and the consequence of a weak security posture is no longer limited to a note in the risk register.

For portfolio companies — particularly those in the mid-market and lower-middle-market — this creates a real operational challenge. The security expectations being applied to them are closer to enterprise standards. The internal resources available to meet those expectations are not.


What Has Changed in PE Due Diligence

The increase in due diligence scrutiny reflects a combination of factors that have converged in recent years.

Ransomware losses at portfolio companies have been significant. PE firms have experienced direct financial losses from portfolio company incidents — operational downtime, ransom payments, recovery costs, and deal valuation impacts. The losses are no longer hypothetical.

Cyber insurance underwriting has tightened substantially. Insurers began demanding technical controls as prerequisites for coverage starting around 2021. MFA, EDR, backup isolation, and incident response planning are now baseline requirements for most commercial cyber insurance policies. Organizations that cannot demonstrate these controls are either declined, quoted at rates that reflect the risk, or offered coverage with exclusions that materially limit the policy's value.

Regulators and counterparties are asking. Enterprise customers increasingly include cybersecurity requirements in vendor agreements. Regulated industries have extended security expectations through supply chains. A portfolio company that handles data for a large customer will often face contractual security obligations that were not present three years ago.

Cyber is now a material risk factor in valuations. PE firms have begun incorporating cybersecurity risk into deal pricing and post-close value creation plans. A target with a weak security posture represents both operational risk and integration complexity.


The Standard Due Diligence Questions

The specific questions vary by firm and deal size, but the core areas now assessed in most PE security due diligence include:

Identity and access management. Is MFA enforced across all systems — email, cloud platforms, VPN, financial applications? Who has administrator-level access and is that list current? Is there a joiner-mover-leaver process?

Endpoint security. What endpoint detection and response tools are deployed? Are they managed and monitored, or installed and ignored? Are personal devices used to access business systems and if so, how are they managed?

Vulnerability management. What is the patch cadence? Is there a defined process for prioritizing critical patches? Has the organization performed a vulnerability scan recently?

Data inventory and protection. Where does sensitive data (customer data, financial records, IP) live? Is it encrypted at rest and in transit? Who has access to it and how is that access controlled?

Third-party risk. Who are the critical vendors with access to systems or data? Have vendor security reviews been performed? Are there contractual security requirements in place with key vendors?

Incident history. What security incidents has the company experienced in the past three years? How were they handled? What was disclosed and to whom?

Cyber insurance. What coverage exists, at what limits, and what exclusions apply? What controls did the underwriter require?

Incident response planning. Does a documented plan exist? Has it been tested?


The Gap Most Portfolio Companies Have

The most common finding in PE-context security assessments is not that companies are completely unprotected. Most have basic controls in place. The gap is typically in the supporting structure that makes controls defensible and auditable.

An organization may have MFA deployed for Office 365 but not enforced for cloud storage, financial systems, or remote access. The control exists; the coverage is incomplete.

They may have an endpoint security product installed but no evidence that it is actively managed, alerts are reviewed, or detections are acted on. The product exists; the program does not.

They may have cyber insurance but have not verified that their current controls meet the policy requirements — a situation that frequently results in claim denials.

The documentation gap is also significant. Both situations create problems in diligence: policies and procedures that describe controls that do not exist in practice, and the reverse, controls that exist but are not documented anywhere.


What Investors Are Looking For Specifically

At the initial screening phase, most PE firms want to understand three things:

Has the company had incidents, and how were they handled? Incidents are not automatically disqualifying. How the organization responded — whether it was contained quickly, whether leadership was informed, whether appropriate notifications were made — says more about program maturity than the incident itself.

Are baseline controls in place? The specific list varies, but MFA, patching, EDR, backup isolation, and documented access controls are typically the items that will trigger concern if absent.

Is there someone accountable for security? In small companies this is often the IT director or a fractional resource. The question is whether there is a defined owner who can speak to the security program with specifics, not just say "we have an IT vendor."

At the deep diligence phase, the questions become more specific and the supporting evidence (policy documents, vendor contracts, insurance certificates, scan reports) is reviewed in detail.


Preparing for a Transaction

If you are anticipating a transaction, a proactive security posture review, typically six to twelve months before the process begins, provides meaningful advantages. The interventions that most often move the needle in diligence assessments are:

Document what exists. Many organizations have security controls in practice that are not documented anywhere. Policies, procedures, and evidence of controls (configuration documentation, access reviews, vendor contracts) are the materials diligence reviewers examine.

Close the obvious gaps. MFA gaps, unmanaged endpoints, and absence of a cyber insurance policy are the items most likely to produce deal friction. These are also the items with the most straightforward remediation paths.

Prepare an incident history narrative. If there have been incidents, having a clear factual account of what happened and how it was handled is more useful in diligence than hoping the question does not come up.

Establish a security owner. Whether that is an internal resource or a fractional CISO, having someone who can speak credibly to the security program and respond to detailed diligence questions significantly reduces friction in the process.

A fractional CISO engagement in the six to twelve months before a transaction provides the program development, documentation, and oversight that moves a company from "potential issue" to "defensible posture" in diligence.


Post-Close Integration

For PE firms integrating portfolio companies into a fund-level security program, or for portfolio companies undergoing operational improvements post-close, the priorities are typically:

  • Establishing baseline visibility: asset inventory, access controls, and logging across the portfolio company's environment
  • Implementing the controls required by the fund's cyber insurance carrier
  • Aligning with any compliance obligations introduced by the acquisition (particularly relevant if the portfolio company operates in a regulated industry or has government customers)
  • Integrating incident response coordination between the portfolio company and the fund

The post-close security work is most effective when there is a defined point of accountability at the portfolio company level — someone who owns the security program and is accountable for progress against defined objectives.


The Bottom Line

PE-backed companies are operating in a due diligence environment where cybersecurity is evaluated with more rigor than it was two years ago, and that trend is continuing. Organizations that address their security program proactively, rather than in response to a diligence finding or an incident, are in a meaningfully better position both at the transaction and post-close.

The goal is not to achieve a perfect security program. It is to have a defensible one: documented, demonstrably operational, and supported by controls that match the risk profile of the business.