Move cyber due diligence upstream in your M&A process

How overlooking portfolio-level cyber risk can erode valuation – and what to do after the deal closes

By Ester Larkin | Vice President, Private Equity Cyber & E&O, QBE North America

According to a new whitepaper by QBE North America, 60% of private equity (PE) firms report that prior to making an investment, fewer than half of target companies had cyber insurance in place. Notably, more than half of firms say that up to 25% of their portfolio companies experienced a cyber incident in the past 12 months.

This leaves a critical gap. Threat actors deliberately target smaller portfolio companies which often lack mature cybersecurity programs. A breach at the portfolio level is frequently designed to access the deeper pockets of the PE parent company. Enhancing the security posture of portfolio companies is a diligent way to manage exposure across the investment portfolio.

The QBE whitepaper is based on a survey of 300 risk managers and Chief Information Security Officers (or equivalent roles) at private equity firms with $1 billion to $50 billion in assets under management. The most common cyber risks impacting PE firms and their portfolio companies include software/IT vulnerabilities (42%), cloud security vulnerabilities (40%), data breaches (35%), business email compromise (32%) and ransomware attacks (32%). These threats are escalating in both complexity and frequency, making them no longer just an IT concern but a core investment risk. As a result, cyber due diligence must be treated as an upstream priority in the M&A process.

The cost of fixing cyber vulnerabilities post-close can be substantial, and in some cases, a weak security posture may derail a deal entirely. A thorough review helps surface hidden exposures, estimate remediation costs and determine whether the target company aligns with the firm’s risk tolerance. It also lays the groundwork for future improvements, highlighting where additional investment may be needed. Once the deal closes, the responsibility – and opportunity – to strengthen cybersecurity shifts to the buyer.

Due diligence priorities that signal cyber resilience

Cyber due diligence goes beyond scanning for past incidents and technical gaps. It requires a deeper look at how a target company operates, who is responsible for cybersecurity, and how well-prepared it is for emerging risks. To support both valuation and long-term success, PE firms should prioritize these key areas during due diligence:

  1. Regulatory compliance: PE firms rank regulatory compliance as their top cyber priority — however, only 49% currently conduct regulatory compliance assessments as part of their due diligence practices. A target’s ability to comply with data privacy laws and industry-specific regulations (such as HIPAA or GDPR) can significantly affect both current risk and future liability. Inadequate compliance can trigger fines, lawsuits and reputational fallout.

  2. Third-party and supply-chain cybersecurity: Even fewer PE firms (46%) are conducting third-party and supply-chain cybersecurity assessments. A company's cybersecurity posture is only as strong as its weakest partner. A breach through a vendor or service provider can expose sensitive data and disrupt operations across the portfolio.

  3. Cybersecurity policies and procedures: It’s not enough for a company to claim it “takes security seriously.” While 96% of PE firms require portfolio companies to implement consistent governance frameworks, firms should look during due diligence for clear, documented policies covering incident response, data protection, system access and internal controls.

  4. Employee training and awareness: Human error remains among the leading causes of breaches — including ransomware and business email compromise, which 32% of PE firms cite as a top cyber threat. These attacks often begin with something as simple as a weak password or a convincing phishing email. Examine the company’s approach to cyber education and training: Is it conducted regularly? Tailored to real-world threats? A strong culture of awareness is one of the most powerful, low-cost defenses a company can have.

  5. Key personnel and roles: Who owns cybersecurity within the organization? Is there a capable, accountable team in place? Some PE firms replace security personnel post-acquisition, but having the right people and structure at the outset can reduce exposure and minimize transition costs.

Improvement is the real value driver

While due diligence sets the foundation, building cyber resilience happens after the deal closes. According to the QBE whitepaper, nearly all PE firms now require their portfolio companies to implement baseline security controls, incident reporting protocols, and governance policies. Many firms are also taking an active role in helping portfolio companies enhance their capabilities – from funding improvements and providing training to evaluating incident response readiness.

For example, 43% of respondents said that 51%–75% of their portfolio companies have made cyber improvements based on their recommendations. This level of involvement signals a shift in mindset: cybersecurity is no longer siloed within IT – it’s embedded in value creation.

Insurance picks up where diligence leaves off

Even with a thorough evaluation and the right controls in place, risk doesn’t disappear – it shifts. No cybersecurity program is bulletproof, especially during the transition of a new acquisition. Threat actors are opportunistic, and even mature companies can fall victim to a well-orchestrated attack.

Cyber insurance isn’t just for worst-case scenarios. When integrated into the investment strategy and extended to portfolio companies, it allows PE firms to:

  • Evaluate whether each portfolio company has the maturity to justify higher limits or whether foundational improvements are needed first.

  • Reinforce operational improvements such as stronger controls, updated policies and training to meet coverage requirements.

  • Ensure that a single incident doesn’t derail the value creation strategy of an otherwise promising portfolio company.

  • Gain immediate access to breach response experts after an incident, who can guide the affected company through next steps, assess the impact and help contain losses quickly.

Survey respondents report that 53% of their PE firms have cyber insurance, and 60% plan to increase coverage limits in the next 12 months. As more PE firms purchase cyber insurance, there is an opportunity for them to educate their portfolio companies on the value of cyber insurance.

Ultimately, embedding cyber resilience into post-close operations – not just due diligence – is where private equity firms can make the biggest impact. From protecting firm reputation and investor capital to positioning companies for growth and future exits, cybersecurity is a long-term value lever.

QBE North America is a global insurance leader focused on helping businesses solve unique risks. With a strong track record in cyber risk, QBE partners with private equity firms and portfolio companies to strengthen resilience across the investment lifecycle. To learn more, visit qbe.com/us/cyber and read the full whitepaper here.

Ester Larkin, Vice President, Private Equity Cyber & E&O, QBE North America

QBE makes no warranty, representation, or guarantee regarding the information herein or the suitability of these suggestions or information for any particular purpose. QBE hereby disclaims any and all liability concerning the information contained herein and the suggestions herein made. Moreover, it cannot be assumed that every acceptable risk transfer procedure is contained herein or that unusual or abnormal circumstances may not warrant or require further or additional risk transfer policies and/or procedures. The use of any of the information or suggestions described herein does not amend, modify, or supplement any insurance policy. Consult the actual policy or your agent for details about your coverage. QBE and the links logo are registered service marks of QBE Insurance Group Limited. © 2025 QBE Holdings, Inc.
