A single ransomware incident at a mid-market portfolio company now costs $4.5-8.2M on average; IBM's 2024 Cost of a Data Breach Report pegs the global mean at $4.88M, with US figures at $9.36M. For a sponsor holding a portco at 12x EBITDA, an event that takes systems offline for 9-14 days (the median window from encryption to restored operations) typically wipes 8-15% off enterprise value at exit through customer churn, remediation costs, and multiple compression. Across a 40-company portfolio with one incident per 18 months, the unmanaged cyber risk drag on fund-level IRR runs 150-400 basis points. That math has pushed cybersecurity from a tier-three operational concern to a board-level value protection mandate at every serious sponsor.
The structural challenge is that portfolio companies — typically founder-led, sub-$500M revenue, acquired with technical debt — start far below the security baseline of the sponsor's own corporate environment. A typical mid-market acquisition target has 15-30% EDR coverage gaps, 200-1,200 unpatched critical CVEs at deal close, no documented incident response plan, and a fractional or non-existent security function. Bringing 40 such companies to a defensible posture requires a programmatic operating model — not 40 bespoke security programs.
The Posture Gap at Close
Cyber diligence has moved from a checkbox in Technology Due Diligence to a standalone workstream in 2024-2026 transactions. Marsh, Aon, and Kroll now run pre-LOI external attack surface scans on virtually every PE deal above $100M. The typical findings on a $300M revenue manufacturing or services target tell a consistent story: shadow IT spanning 40-80 unsanctioned SaaS apps, MFA coverage below 70% on privileged accounts, domain controllers still on Windows Server 2012 R2 (out of support since October 2023) or on 2016 (extended support ends January 2027), and no segmentation between OT and IT networks.
The implication for the 100-day plan is concrete: roughly 80% of acquisitions arrive at or below NIST CSF Tier 2 (Risk Informed), meaning risk-management practices that exist in places but are not organization-wide policy, no formal risk register, and no continuous monitoring. Moving a portco to Tier 3 (Repeatable), the defensible baseline for cyber insurance renewal at a sub-$500K premium, typically requires 9-14 months of structured remediation, $400K-$1.2M in tooling and integration spend, and a fractional CISO commitment of 20-40 hours per month.
The Fund-Level Operating Model
The sponsors that have institutionalized cyber risk management — KKR Capstone, Bain Capital's Portfolio Group, Carlyle's Global Technology & Solutions team, Vista Equity's Value Creation team, and Thoma Bravo's operating partners — converge on a four-pillar model. Each pillar has a defined owner, budget envelope, and reporting cadence to the Investment Committee.
The economics of this shared-service model are decisive. A standalone $300M revenue portco building equivalent capability would spend $2.8-4.5M annually on a full-time CISO, security engineers, EDR licensing, SIEM, and IR retainer. Drawn from the fund-level pool, the same coverage runs $600K-$1.1M — a 60-75% reduction that mirrors the economics described in shared service centers.
The Standardized Stack
Vendor consolidation is the single highest-leverage move in portfolio cyber operations. The portcos a sponsor inherits typically run a mix of legacy AV (Symantec, McAfee, Sophos), point vulnerability scanners, and on-prem SIEMs with no analyst coverage. Replacing this with a cloud-native stack achieves both cost takeout and posture improvement simultaneously.
| Layer | Primary Vendors | Typical Portfolio Discount | Coverage Target |
|---|---|---|---|
| Endpoint Detection (EDR/XDR) | CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint | 35-50% off list | 98%+ of endpoints in 90 days |
| Cloud Security Posture (CSPM/CNAPP) | Wiz, Palo Alto Prisma Cloud, Orca | 40-55% off list | 100% of AWS/Azure/GCP accounts |
| Identity & Access (IAM/SSO/MFA) | Okta, Microsoft Entra ID, JumpCloud | 30-45% off list | 100% workforce MFA in 60 days |
| Vulnerability Management | Tenable, Qualys, Rapid7 | 40-50% off list | Critical CVE patch SLA <14 days |
| Managed Detection & Response | Arctic Wolf, Expel, Red Canary, eSentire | 25-40% off list | 24/7 SOC coverage |
| Email Security | Abnormal Security, Proofpoint, Mimecast | 35-45% off list | 100% inbox coverage |
| Backup & Recovery | Rubrik, Cohesity, Veeam | 30-45% off list | Immutable backups, <4hr RTO |
Making the stack mandatory is a common mistake. Portco CEOs resist top-down vendor mandates, particularly when their existing tools work. The model that succeeds is opt-in pricing: portcos that adopt the standard stack get the negotiated rate, white-glove deployment, and access to the fund-level SOC. Portcos that don't can run their own tooling but pay full freight and lose access to the shared MDR. In practice, 75-85% of portcos opt in within 18 months because the economics are unambiguous.
Continuous Posture Telemetry
The reporting cadence to the Investment Committee runs on a small number of metrics — typically 8-12 — that combine external ratings, internal control coverage, and threat exposure. The objective is to identify the bottom-quartile portcos before they become the next 8-K filing.
External rating services — Bitsight, SecurityScorecard, UpGuard, Black Kite — provide a continuously updated outside-in view based on scanning DNS, certificates, leaked credentials, and patching cadence visible from the internet. The ratings correlate meaningfully with breach likelihood: Bitsight's published research shows companies rated below 600 are 4.6x more likely to experience a publicly disclosed breach than those above 750. The number is imperfect (it misses internal threats and insider risk) but it's the cheapest continuous signal available, typically $8-25K per portco per year.
Internal control telemetry comes from the standardized stack itself. CrowdStrike Falcon's hosts API lists every host with a sensor and when it last checked in; Wiz's GraphQL API exposes cloud misconfigurations and exposed secrets; Okta's user and factor APIs expose MFA enrollment per user, and its System Log exposes administrator activity. Two details decide whether the numbers are trusted. Coverage needs a denominator from an independent asset inventory (CMDB, Active Directory, cloud account listing), because an EDR console only knows about hosts that already report to it. And a sensor that has been silent for a week should count as a gap, not as coverage. A modest data pipeline, typically built in Snowflake or Databricks alongside the data lakehouse architecture the sponsor uses for other portfolio analytics, ingests these feeds nightly and surfaces them in a Tableau or Looker dashboard for the Portfolio CISO.
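A minimal version of that nightly computation, as an added illustration rather than the sponsor's or any vendor's pipeline code. It takes constructed records shaped loosely like a Falcon host listing, an Okta user/factor export and a scanner export (the field names and placeholder finding ids are assumptions, not the vendors' schemas), computes EDR coverage against an independent inventory, privileged MFA enrollment and critical-patch SLA attainment, and rolls them into a per-portco score to which the bottom-quartile cut can be applied.

```python
"""Nightly posture KPIs for one portco from stack telemetry.

Added illustration, not the sponsor's or any vendor's pipeline. The inputs are
constructed records shaped loosely like a Falcon host listing, an Okta
user/factor export and a scanner export; the field names are assumptions,
not the vendors' schemas.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed "tonight" so the numbers are reproducible
STALE_AFTER = timedelta(days=7)                   # a sensor silent this long is a gap, not coverage
CRITICAL_SLA = timedelta(days=14)                 # the stack's critical-CVE patch SLA
PHISHING_RESISTANT = {"webauthn"}                 # the only factor type counted as strong here


def _ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# The denominator comes from an independent inventory (CMDB/AD/cloud listing),
# never from the EDR console, which only knows hosts that already report to it.
INVENTORY = ["dc01", "dc02", "erp-app1", "erp-db1", "hr-laptop-17", "plant-hmi-3"]

FALCON_HOSTS = [  # constructed; one row per host the EDR console knows about
    {"hostname": "dc01", "last_seen": "2025-05-31T23:10:00"},
    {"hostname": "dc02", "last_seen": "2025-05-31T22:40:00"},
    {"hostname": "erp-app1", "last_seen": "2025-05-30T08:00:00"},
    {"hostname": "erp-db1", "last_seen": "2025-05-02T08:00:00"},    # installed, silent for 30 days
    {"hostname": "build-box", "last_seen": "2025-05-31T20:00:00"},  # reports in but is not inventoried
]

OKTA_USERS = [  # constructed; factor names follow Okta's factor types
    {"login": "admin.jane", "admin": True, "factors": ["webauthn", "push"]},
    {"login": "admin.bob", "admin": True, "factors": ["sms"]},
    {"login": "svc.backup", "admin": True, "factors": []},
    {"login": "alice", "admin": False, "factors": ["push"]},
    {"login": "carol", "admin": False, "factors": []},
]

VULN_FINDINGS = [  # constructed scanner export: one critical finding per row, placeholder ids
    {"host": "erp-app1", "id": "F-1", "first_seen": "2025-05-01", "fixed": "2025-05-09"},
    {"host": "dc01", "id": "F-2", "first_seen": "2025-04-01", "fixed": None},
    {"host": "erp-db1", "id": "F-3", "first_seen": "2025-05-25", "fixed": None},
]


def edr_coverage(inventory, falcon_hosts, now=NOW):
    """Covered = inventoried AND seen within STALE_AFTER; also lists shadow hosts."""
    seen = {h["hostname"]: _ts(h["last_seen"]) for h in falcon_hosts}
    covered, stale, missing = [], [], []
    for host in inventory:
        if host not in seen:
            missing.append(host)
        elif now - seen[host] > STALE_AFTER:
            stale.append(host)
        else:
            covered.append(host)
    return {"pct": round(100 * len(covered) / len(inventory), 1),
            "stale": stale, "missing": missing,
            "shadow": sorted(set(seen) - set(inventory))}


def privileged_mfa(users):
    """MFA enrollment among admins, split into any factor vs. phishing-resistant."""
    admins = [u for u in users if u["admin"]]
    enrolled = [u for u in admins if u["factors"]]
    strong = [u for u in admins if PHISHING_RESISTANT & set(u["factors"])]
    return {"pct_any_mfa": round(100 * len(enrolled) / len(admins), 1),
            "pct_phishing_resistant": round(100 * len(strong) / len(admins), 1),
            "unenrolled": [u["login"] for u in admins if not u["factors"]]}


def critical_patch_sla(findings, now=NOW):
    """Share of critical findings closed within SLA; open findings age against 'now'."""
    within, breached = 0, []
    for f in findings:
        opened = _ts(f["first_seen"])
        closed = _ts(f["fixed"]) if f["fixed"] else now
        if closed - opened <= CRITICAL_SLA:
            within += 1
        else:
            breached.append((f["host"], f["id"]))
    return {"pct_within_sla": round(100 * within / len(findings), 1), "breached": breached}


def scorecard(name, inventory, falcon_hosts, users, findings, now=NOW):
    """One dashboard row: mean of the three coverage figures plus the weakest control."""
    edr = edr_coverage(inventory, falcon_hosts, now)
    mfa = privileged_mfa(users)
    sla = critical_patch_sla(findings, now)
    parts = {"edr": edr["pct"], "mfa": mfa["pct_phishing_resistant"], "sla": sla["pct_within_sla"]}
    return {"portco": name, "score": round(sum(parts.values()) / len(parts), 1),
            "weakest": min(parts, key=parts.get), "edr": edr, "mfa": mfa, "sla": sla}


def bottom_quartile(cards):
    """Lowest-scoring quarter of the portfolio (at least one card) for the IC deck."""
    ordered = sorted(cards, key=lambda c: c["score"])
    return ordered[:max(1, len(ordered) // 4)]


if __name__ == "__main__":
    card = scorecard("portco-a", INVENTORY, FALCON_HOSTS, OKTA_USERS, VULN_FINDINGS)
    print(card["score"], card["weakest"], card["edr"], card["mfa"]["unenrolled"], card["sla"]["breached"])
```

On the constructed data the EDR console's own view would show four recently seen hosts out of the five it knows about, while coverage against the inventory is 50%: one sensor has been silent for 30 days, two inventoried hosts have no sensor at all, and one unlisted host is reporting. That gap between console self-report and inventory-based coverage, plus the admin service account with no MFA, is what the IC deck should surface.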
Incident Response: The Four-Day Clock
The most expensive failure mode in portfolio cyber is the unrehearsed incident. The 2023 MGM Resorts ransomware event — $100M EBITDA hit on $14B revenue — was a social engineering attack against the IT help desk that escalated because the IR playbook hadn't been tested. The 2024 Change Healthcare incident cost UnitedHealth Group $2.87B in direct response costs alone, with another $9B in advances to affected providers. PE portcos at $200-800M revenue can't absorb proportional impacts; they exit the market.
1. Escalation. MDR provider escalates confirmed incident to Portfolio CISO and portco CEO. Pre-cleared IR retainer (Mandiant, CrowdStrike Services, Kroll) activated under master engagement letter. Initial scoping call within 60 minutes.
2. Containment. EDR isolation of affected hosts. Privileged credentials rotated via Okta/Entra. Network segmentation activated. Communications counsel (Edelman, FGS Global, formerly Sard Verbinnen) briefed. Sponsor GP and LPAC chair informed under pre-agreed protocol.
3. Scoping. Forensics team determines scope of data exfiltration, system impact, and customer/employee notification obligations. Materiality memo prepared for SEC Item 1.05 evaluation if the portco is an SEC registrant or has registered debt; the rule requires that determination to be made without unreasonable delay after discovery. Regulator notifications (state AGs, HHS for HIPAA, NYDFS) staged.
4. Disclosure and recovery. If material, 8-K Item 1.05 filed within four business days of the materiality determination. Customer notifications begin. Backup restoration from immutable copies. Threat actor negotiation (if applicable) handled by retained negotiator under fund-level relationship.
Tabletop exercises, quarterly at the portco level and semi-annually at the fund level, are the highest-ROI activity in the program. A typical tabletop costs $35-75K (vendor-led) and surfaces 8-15 actionable gaps per session. The most common findings: undocumented decision authority for ransom payment, no pre-cleared communications counsel, backups not actually immutable (a Veeam repository configured without S3 Object Lock or a hardened Linux repository, so the same credentials that write backups can delete them), and EDR isolation actions that require admin approval the CEO can't grant at 2 AM on a Saturday.
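The "backups not actually immutable" finding is checkable before the tabletop. The following is an added example, not Veeam's or AWS's code: it evaluates an S3 backup target's Object Lock settings as boto3's `s3.get_object_lock_configuration(Bucket=...)` presents them (the response shape follows the AWS API; `None` stands in for the `ObjectLockConfigurationNotFoundError` the call raises when lock was never enabled). The three configurations and the 30-day recovery window are constructed assumptions.

```python
"""Is the backup bucket actually immutable?

Added example, not Veeam's or any vendor's code. Input is a dict shaped like
boto3's s3.get_object_lock_configuration(Bucket=...) response; None stands for
the ObjectLockConfigurationNotFoundError raised when lock was never enabled.
Sample configurations below are constructed.
"""

RECOVERY_WINDOW_DAYS = 30   # assumption: backups must survive at least this long untouched


def retention_days(rule):
    """A DefaultRetention rule carries either Days or Years, never both."""
    if "Days" in rule:
        return rule["Days"]
    return 365 * rule.get("Years", 0)


def assess_object_lock(lock_cfg, required_days=RECOVERY_WINDOW_DAYS):
    """Return findings; an empty list means the bucket meets the immutability bar."""
    if lock_cfg is None:
        return ["object lock never enabled: any principal with s3:DeleteObjectVersion can destroy backups"]
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["object lock not enabled on bucket"]
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        # Lock is possible, but nothing is locked unless the writer sets per-object retention.
        return ["verify: no bucket default retention; immutability depends entirely on the backup "
                "job setting per-object retention (check head_object on a recent backup object)"]
    findings = []
    if rule.get("Mode") != "COMPLIANCE":
        # GOVERNANCE can be bypassed by anyone holding s3:BypassGovernanceRetention,
        # which is exactly the permission a stolen admin key tends to carry.
        findings.append("GOVERNANCE mode: s3:BypassGovernanceRetention lets an operator or a "
                        "stolen admin key delete locked versions")
    days = retention_days(rule)
    if days < required_days:
        findings.append(f"default retention {days}d is shorter than the {required_days}d recovery window")
    return findings


# Constructed configurations, not taken from any real environment.
NEVER_ENABLED = None
WEAK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
HARDENED = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}

if __name__ == "__main__":
    for name, cfg in [("never-enabled", NEVER_ENABLED), ("weak", WEAK), ("hardened", HARDENED)]:
        print(name, assess_object_lock(cfg) or ["ok"])
```

The check only proves the bucket cannot have versions deleted within the window; a tabletop still has to prove a restore from those versions completes inside the 4-hour RTO, which no configuration dump can show.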
Cyber in Diligence and Exit
Cyber posture has become a value driver — not just a risk — at exit. Strategic buyers and secondary sponsors now run reverse diligence that mirrors the sell-side preparation discussed in Exit Preparation. A clean cyber file — SOC 2 Type II, ISO 27001, no material incidents in trailing 36 months, NIST CSF Tier 3+, current penetration test reports — is now a deal accelerator that compresses diligence timelines by 3-5 weeks and reduces escrow withholds by 50-150 basis points on enterprise value.
Conversely, a portco with an unresolved incident in the trailing 12 months faces a measurable exit penalty. Forrester's 2024 analysis of 47 PE-backed exits with disclosed incidents in the trailing 24 months showed a median multiple compression of 0.8-1.4x EBITDA versus comparable clean exits. For a portco exiting at $80M EBITDA at 10x, that's $64-112M of value destruction directly attributable to unresolved cyber posture.
We don't sell a company anymore without 18 months of clean SOC 2 evidence in the data room. The buyer's diligence team will find anything we don't disclose, and the discount they apply for surprise is 3x the discount they apply for disclosed-and-remediated.
— Managing Director, Mid-Market Buyout Fund
Cyber Insurance Economics
Cyber insurance pricing went through a structural reset in 2021-2023, with premiums up 100-300% and capacity withdrawn from non-compliant insureds. The market softened in 2024-2025 — Marsh's Q1 2025 Global Insurance Market Index showed cyber premiums down 6% year-over-year — but underwriting requirements stayed strict. Carriers now require MFA on all remote access, EDR on 95%+ of endpoints, immutable backups, and documented IR plans before binding coverage at any meaningful limit.
The portfolio-level approach to insurance produces measurable savings. A fund-level master cyber program — typically placed with AIG, Beazley, AXA XL, or Coalition through Marsh or Aon — covers all portcos under a single tower with shared retentions and aggregate limits. Per-portco premium runs 35-55% below standalone placement, with capacity that mid-market portcos couldn't access individually ($25-100M tower limits versus $5-15M standalone).
What Good Looks Like in 2026
The leading sponsors, those who have been at portfolio cyber for 4+ years, are now extending the model in three directions. First, AI-assisted security operations: LLM-based assistants (Microsoft Security Copilot, CrowdStrike Charlotte AI, Gemini in Google Security Operations, formerly Duet AI) that triage 60-80% of MDR alerts before human escalation, reducing tier-1 SOC cost per portco by 35-50%. Second, supply chain risk: continuous monitoring of fourth-party dependencies, particularly the software supply chain (SBOM ingestion, Snyk/Socket integration) after the 2024 XZ Utils backdoor (CVE-2024-3094) and the ongoing run of malicious-package incidents on npm and PyPI. Third, OT and IoT coverage in manufacturing portcos, where Claroty, Nozomi, and Dragos have replaced the assumption that air gaps still exist.
The talent dimension — covered in detail in the final article of this guide on fractional CTOs and tech reskilling — applies directly to cyber. The fractional CISO model, properly structured, gives a $200M revenue portco access to a $400-500K-level security leader at $80-120K of allocated cost. Across 40 portcos, that's the difference between a defensible portfolio cyber posture and a series of regulatory enforcement actions waiting to happen.
Cyber posture management is one of the few portfolio operations disciplines where the fund-level investment compounds across every hold period. The vendor master agreements, the IR retainers, the playbooks, the Bitsight feeds, the Portfolio CISO bench — they pay back on every new acquisition and every exit. Sponsors that built this capability in 2021-2023 are now harvesting the returns: faster diligence, cleaner exits, lower insurance costs, and — most importantly — no $100M ransomware event sitting in the trailing-12-month exit window.