Cybersecurity: A critical Due Diligence for Investors and Founders

In today’s digital-first economy, cybersecurity is no longer a back-office IT concern, well at least it shouldn't be, it’s a boardroom priority. For private equity firms, venture capitalists, and business owners alike, cyber resilience is now a defining factor in valuation, operational continuity, and long-term success.

Why Cybersecurity Can’t Be an Afterthought

Many investors still treat cybersecurity as post-deal clean up. But the reality is that cyber threats are now a material risk to deal value. According to Accenture, 68% of PE clients report a spike in cyber incidents during the month of deal closure. That’s not a coincidence. It’s a signal of how quickly these investments can change.

Cyber attackers are opportunistic and the changing of ownership or control is a indicator of opportunity. And mid-sized portfolio companies which can be seen as a target for PE have historically operated with lean security budgets and fragmented systems, which is often overlooked or undervalued from a due diligence perspective. 

What We’re Seeing in the Field

Having conducted a number of cybersecurity assessments across a number of industries. The findings are concerning:

• Up to 30% of cybersecurity tools are misconfigured or underutilised.
• Many portfolio companies lack multi-factor authentication (MFA) on admin accounts.
• There’s often no single source of truth for a portfolio’s security posture.

One case study revealed that 20% of endpoints lacked active protection, and Secure Web Gateway tools were deployed ineffectively. These aren’t just technical gaps, they’re operational and reputational risks waiting to happen.

What Investors can Do Differently

1. Make Cyber Due Diligence Non-Negotiable
   Cyber assessments should be embedded in the pre-deal process. Not just a tick-box exercise, but a genuine evaluation of risk exposure and remediation cost.

2. Standardise Security Across the Portfolio
   Define a minimum cybersecurity baseline. Ensure every investee company meets it. This isn’t about perfection but it’s about consistency and accountability.

3. Optimise Spend, Don’t Just Add Tools
   More tools do not equal more security. In fact, vendor sprawl often leads to confusion and gaps. Rationalise your stack and focus on effectiveness, not volume.

4. Monitor Continuously, Not Periodically
   Cyber risk is dynamic. A one-off audit won’t cut it. Implement ongoing monitoring and improvement cycles to stay ahead of evolving threats.

For Founders and Business Owners

If you’re raising capital or preparing for an exit, your cybersecurity posture is part of your valuation. Investors are increasingly asking:

• Can this company withstand a breach?
• Are there hidden risks that could derail integration or growth?
• Will we inherit a liability?

Being proactive about cybersecurity isn’t just about protection, it’s about positioning. It signals maturity, foresight, and operational ability.

Final Thoughts

Cybersecurity is now a strategic lever. For investors, it’s about protecting capital and unlocking value. For founders, it’s about building trust and resilience. And for all of us in tech leadership, it’s about embedding security into the DNA of how we build, scale, and invest.

It's important to understand the cost of cyber security and the cost of a lack of cyber security.