Half of Private Equity-Backed Firms Have High Cyber Risk, New Report Finds

ACA Group Report Reveals 50% of PE Portfolio Companies Exhibit Elevated or High Cybersecurity Risk

INFORMATIONAL
March 4, 2026
5m read
Policy and Compliance, Threat Intelligence

Related Entities

Other: ACA Group, Health Services, Producer Manufacturing, Communications, Transportation
Executive Summary

A benchmarking report released by ACA Group on March 3, 2026, has found that 50% of private equity (PE) portfolio companies demonstrate 'elevated' or 'high' cybersecurity risk. The ACA Vantage Benchmarking Report analyzed detailed risk assessments from over 300 companies across 12 countries and 18 industries, painting a stark picture of systemic weaknesses. The report identifies the Health Services and Producer Manufacturing sectors as having the highest risk profiles. Two critical control domains—Third-Party Risk Management and Penetration Testing—were consistently identified as major deficiencies. These findings indicate that many PE-backed firms are not only struggling with their own security posture but are also failing to manage risks originating from their vendors, making them attractive targets for supply chain attacks.


Report Overview

The ACA Vantage Benchmarking Report provides a data-driven analysis of cyber risk within the private equity sector, highlighting systemic issues that require attention from investors and company leadership.

  • Source: ACA Group, a governance, risk, and compliance (GRC) advisory firm.
  • Dataset: Detailed cybersecurity risk assessments of over 300 PE portfolio companies.
  • Scope: 18 industries and 12 countries.
  • Key Finding: 50% of all companies assessed have an 'elevated' or 'high' cyber risk score.
  • Methodology: ACA's Real Risk methodology, scoring companies on a scale of 1-100 (higher score = higher risk) across 7 domains and 46 control areas.

Key Findings

Industry Risk Variation

The report shows that cyber risk is not uniform across industries.

  • Highest Risk: Health Services (average score: 56)
  • Second-Highest Risk: Producer Manufacturing (average score: 55)
  • Lowest Risk: Communications (average score: 41)

The high score for health services likely reflects the value of protected health information (PHI) to attackers and the sector's reliance on legacy systems; the manufacturing score is pushed up by complex supply chains and exposed Operational Technology (OT). Both explanations are interpretation, not findings the report is quoted as stating.

Major Control Weaknesses

Two areas stood out as consistent, high-risk problems across all sectors:

  1. Third-Party Risk Management (TPRM): This domain had one of the highest overall risk scores, indicating that companies are not adequately vetting the security of their vendors, partners, and suppliers. A weak TPRM programme means a compromised vendor is a ready path into the company.
  2. Penetration Testing: This control area had an average risk score of 76 on the 1-100 scale (higher is worse), with Health Services and Transportation scoring even worse (82). This suggests firms are not regularly and effectively testing their defenses to find and fix vulnerabilities before an attacker does.

Impact Assessment

The high-risk posture of these firms has several negative consequences:

  • Increased Attack Surface: PE-backed companies are often seen by attackers as a soft target and a stepping stone to compromise their larger enterprise customers or the PE firms themselves.
  • Devaluation of Assets: A significant cybersecurity incident can severely damage a portfolio company's value, impacting the return on investment for the PE firm.
  • Systemic Risk: The interconnectedness of these companies through supply chains means that a vulnerability in one can lead to a cascade of breaches across an entire sector.
  • Regulatory & Compliance Failures: Weaknesses in areas like TPRM and penetration testing often correlate with non-compliance with regulations like GDPR, HIPAA, and others, leading to potential fines.

Detection & Response Recommendations

For PE firms and their portfolio companies, detection and response must become more programmatic.

  1. Mandate Regular Penetration Testing: PE firms should mandate that all portfolio companies undergo annual, independent penetration tests. Results should be tracked centrally so that critical and high-risk findings are remediated within a defined SLA, and re-tested to confirm the fix. This aligns with D3FEND's Vulnerability Scanning.
  2. Centralize TPRM: Establish a centralized Third-Party Risk Management program at the PE firm level or require a robust one at each company. The program should include security questionnaires, evidence review, and risk-based tiering of all vendors, with assessment depth driven by the tier.
  3. Implement Continuous Monitoring: Use tools that provide continuous visibility into the external attack surface of all portfolio companies, identifying exposed services, misconfigurations, and vulnerabilities in near real time rather than only at the annual test.

Mitigation Guidance

The report suggests that stronger governance is key to reducing risk.

  • Establish a Cybersecurity Program: Ensure every portfolio company has a formal, documented cybersecurity program with clear policies, standards, and procedures. This should be a condition of investment. This aligns with Security Policy Management.
  • Develop and Test Incident Response Plans: Mandate that all companies have a tested Incident Response (IR) plan. PE firms can provide a template and require annual tabletop exercises to ensure readiness. This is a core component of Incident Response Plan development.
  • Invest in Foundational Controls: Focus on implementing foundational cybersecurity controls as outlined in frameworks like the CIS Critical Security Controls. This includes asset management, access control, and vulnerability management (Software Update - D3-SU).
  • Board-Level Oversight: Ensure that cybersecurity risk is a regular agenda item at the board level for each portfolio company, with clear metrics and reporting from management.

Timeline of Events

  1. March 3, 2026: ACA Group releases its Vantage Benchmarking Report on cybersecurity risk in private equity.
  2. March 4, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Corresponds to addressing findings from penetration tests and regular vulnerability scanning.

Mapped D3FEND Techniques:

  • Directly addresses the weakness in penetration testing by formalizing the process of identifying vulnerabilities.
  • Directly addresses the weakness in Third-Party Risk Management by implementing processes to vet and monitor vendors.

D3FEND Defensive Countermeasures

To address the identified weakness in penetration testing, PE firms should mandate a baseline of regular, automated vulnerability scanning for all portfolio companies, supplemented by annual, independent penetration tests. A centralized platform can aggregate scan and test results from across the portfolio, giving the PE firm visibility into systemic risks and tracking remediation against the agreed SLA per severity. This programmatic approach turns vulnerability identification from an ad-hoc activity into a continuous process and shortens the window in which known, exploitable flaws stay unpatched.
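The remediation-SLA tracking described here and in the recommendation above (annual tests, results tracked centrally, critical and high findings fixed within a defined SLA) is simple enough to show end to end. The following is an added example and is not ACA Group's tooling or code from the article; the per-severity SLA days, the company names and the finding rows are constructed for illustration, and a real programme would load the rows from each company's scanner or pentest tracker export.

```python
"""Portfolio-wide remediation SLA tracking for vulnerability findings.

Added example, not ACA Group's tooling or the article's own code. The SLA
days, company names and finding rows below are all constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation SLA per severity, in days from first observation.
# A real programme takes these from the PE firm's security standard.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    company: str                    # portfolio company that was assessed
    finding_id: str                 # scanner or pentest ticket reference
    severity: str                   # critical | high | medium | low
    first_seen: date                # date the finding was first reported
    closed_on: date | None = None   # None while the finding is still open

    def due(self) -> date:
        return self.first_seen + timedelta(days=SLA_DAYS[self.severity])

    def is_open(self, as_of: date) -> bool:
        return self.closed_on is None or self.closed_on > as_of

    def days_overdue(self, as_of: date) -> int:
        """Positive if the finding is (or, if closed, was) past its SLA."""
        end = as_of if self.is_open(as_of) else self.closed_on
        return (end - self.due()).days


def parse_findings(rows: list[dict]) -> list[Finding]:
    """Normalise aggregated rows; reject severities the SLA table has no entry for."""
    out = []
    for r in rows:
        sev = r["severity"].strip().lower()
        if sev not in SLA_DAYS:
            raise ValueError(f"unknown severity {r['severity']!r} in {r['id']}")
        closed = r.get("closed_on")
        out.append(Finding(
            company=r["company"],
            finding_id=r["id"],
            severity=sev,
            first_seen=date.fromisoformat(r["first_seen"]),
            closed_on=date.fromisoformat(closed) if closed else None,
        ))
    return out


def overdue(findings: list[Finding], as_of: date) -> list[Finding]:
    """Open findings past their SLA, most overdue first."""
    late = [f for f in findings if f.is_open(as_of) and f.days_overdue(as_of) > 0]
    return sorted(late, key=lambda f: (-f.days_overdue(as_of), f.company))


def portfolio_summary(findings: list[Finding], as_of: date) -> dict:
    """Per-company roll-up: open findings by severity, overdue count,
    and the share of closed findings that were fixed inside their SLA."""
    summary = defaultdict(lambda: {"open": 0, "open_by_sev": defaultdict(int),
                                   "overdue": 0, "sla_met_pct": None})
    closed_total, closed_in_sla = defaultdict(int), defaultdict(int)
    for f in findings:
        s = summary[f.company]
        if f.is_open(as_of):
            s["open"] += 1
            s["open_by_sev"][f.severity] += 1
            if f.days_overdue(as_of) > 0:
                s["overdue"] += 1
        else:
            closed_total[f.company] += 1
            if f.days_overdue(as_of) <= 0:
                closed_in_sla[f.company] += 1
    for c, s in summary.items():
        if closed_total[c]:
            s["sla_met_pct"] = round(100 * closed_in_sla[c] / closed_total[c])
        s["open_by_sev"] = dict(s["open_by_sev"])
    return dict(summary)


# Constructed sample export: two hypothetical portfolio companies.
SAMPLE_ROWS = [
    {"company": "Acme Health", "id": "AH-101", "severity": "Critical", "first_seen": "2026-02-01"},
    {"company": "Acme Health", "id": "AH-102", "severity": "High", "first_seen": "2026-02-20"},
    {"company": "Acme Health", "id": "AH-103", "severity": "Critical", "first_seen": "2026-01-05",
     "closed_on": "2026-01-20"},
    {"company": "Beta Manufacturing", "id": "BM-7", "severity": "High", "first_seen": "2026-02-25"},
    {"company": "Beta Manufacturing", "id": "BM-8", "severity": "Medium", "first_seen": "2025-11-01"},
    {"company": "Beta Manufacturing", "id": "BM-9", "severity": "Low", "first_seen": "2026-01-10",
     "closed_on": "2026-02-01"},
]
AS_OF = date(2026, 3, 4)

if __name__ == "__main__":
    findings = parse_findings(SAMPLE_ROWS)
    for f in overdue(findings, AS_OF):
        print(f"{f.company}: {f.finding_id} ({f.severity}) {f.days_overdue(AS_OF)} days past SLA")
    for company, s in portfolio_summary(findings, AS_OF).items():
        print(company, s)
```

The point of the `sla_met_pct` column is that a company can look clean today while having closed every critical finding late; tracking closure against the due date, not just the open count, is what makes the metric meaningful at board level. Findings whose severity is not in the SLA table are rejected on import rather than silently dropped, so a company cannot fall out of the report by inventing a "moderate" rating.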

To counter the high risk from poor Third-Party Risk Management, PE firms should establish a standardized TPRM framework for their portfolio companies. This framework should require companies to inventory all third-party vendors, classify them based on data access and criticality, and conduct risk assessments accordingly. For high-risk vendors, this must include reviewing their security certifications (e.g., SOC 2), issuing security questionnaires, and contractually obligating them to meet specific security standards. This structured approach replaces informal vetting with a defensible process to manage supply chain risk.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

private equity, cyber risk, compliance, GRC, third-party risk, penetration testing
