Cybersecurity as an investment risk in tech transactions – a PE partner’s perspective
In technology transactions, we no longer ask whether a cybersecurity incident will occur. The questions that matter are when, at what scale, and who will bear the cost.
According to the Kroll “Private Equity and Cybersecurity” (2024) report, the average financial impact of a significant cyber incident at a PE portfolio company is approximately $2.1 million [1]. That is a mean value, and one that often excludes the full tail of valuation degradation, customer churn, exit delays and a higher cost of capital. In practice, the impact on IRR can be several times higher.
For Managing Partners at PE funds, cybersecurity has shifted from an IT or compliance issue to a critical pillar of investment value protection – both during the transaction and throughout the hold period.
1. Impact on valuation and deal structure
Financial models rarely include a “cyber risk adjustment” line item, which is a strategic oversight. A lack of maturity in this area materializes in three specific ways:
- Underestimated Cost Base: under-budgeted security expenditures (CAPEX/OPEX) artificially inflate EBITDA. Bringing infrastructure up to market standards post-acquisition often requires significant catch-up investments that were not factored into the original model.
- Limited Scalability: in B2B SaaS and fintech, the absence of recognised certifications or attestations (ISO 27001, SOC 2) or of proper production-environment segregation is a barrier to selling into the enterprise segment, which directly bottlenecks revenue growth.
- Hidden Liabilities: an undisclosed incident occurring before closing can lead to claims and regulatory fines under the new owner’s watch.
According to the IBM “Cost of a Data Breach Report 2025,” the global average cost of a data breach is $4.44 million [2]. The global average fell slightly, which the report attributes to faster detection and containment aided by AI and automation, but the US average reached a record $10.22 million. For a company with EBITDA of $5–10 million, a breach at the global average consumes a large share of a year’s operating profit, and one at the US average can exceed it. That reality calls for mechanisms such as repricing during due diligence, escrow holdbacks or broader use of warranty and indemnity (W&I) insurance.
2. Systemic risk at the portfolio level
Cybersecurity in PE is not just an asset-specific risk; it is a systemic one. Data suggests that a significant portion of funds have experienced an incident in at least one portfolio company within the last 24 months.
Many tech companies scale their commercial operations faster than their security architecture. Common pathologies identified during our audits include:
- MFA (Multi-Factor Authentication) not enforced across the whole organisation.
- Backup and Disaster Recovery (DR) procedures that have never been exercised with a real restore.
- Poorly segmented access to production environments.
- Absence of formal Incident Response plans.
- Weak or default passwords and configurations.
For the fund, this means reputational exposure to LPs (Limited Partners) that is correlated across the portfolio, plus the risk of breaching reporting obligations, especially under newer regimes such as NIS2 in the EU or the SEC’s cybersecurity disclosure rules in the US.
3. Exit: the maturity discount
During the exit process, buyers, particularly strategic ones, conduct increasingly rigorous IT/Cyber Due Diligence. Discovering gaps at this stage has tangible consequences:
- Deal fatigue: delays caused by remediation plans that must be completed before closing.
- Price pressure: buyers use security gaps as leverage to discount the multiple.
- Expanded warranties: broadening the scope of the seller’s liability.
Any operational uncertainty in the valuation model translates into a discount. Cybersecurity is now a measurable factor influencing the EV/EBITDA multiple.
Action plan: active risk management
If cybersecurity is not on the Investment Committee’s agenda, there is a management gap. We recommend four operational steps:
- Expanded due diligence scope: beyond compliance checklists, include penetration testing, architecture review and a process maturity assessment (for example against the NIST CSF).
- Minimum cyber baseline: mandate a common set of controls (MFA, tested backups, access segmentation) across all portfolio companies, regardless of size.
- Fund-level governance: establish regular cyber risk reporting directly to partners and define crisis response scenarios.
- Value creation integration: improving security should be treated as an investment that enables market expansion and shortens sales cycles for enterprise clients.
The role of the operating partner
Cybersecurity is not merely a technical problem; it is a core element of risk management strategy. Funds that treat security as a value-creation lever, rather than just a cost center, gain a real competitive advantage at exit.
At 3HT Partners, we support Private Equity funds in:
- Conducting operational and technological due diligence.
- Designing and supervising post-acquisition remediation plans.
- Integrating cybersecurity into value creation programs.
- Preparing companies for exit through operational maturity audits.
Managing cyber risk is a choice between proactive mitigation and accepting losses when they materialize.
Sources:
[1] Kroll, Private Equity and Cybersecurity: A Significant Risk to Deals with $2.1M Financial Impact on Average (2024).
[2] IBM Security, Cost of a Data Breach Report 2025.
