The biggest cyber risk in PE deals isn’t technology—it’s translation

MMBI Cybersecurity Special Report industry snapshot

May 13, 2026

Key takeaways

Cyber risk escalates in PE when technical findings aren’t translated into deal costs and value impact.

Unpriced cybersecurity gaps often surface post-close, creating surprise remediation costs that erode value.

Leading PE firms treat cybersecurity as a financial variable tied to insurance, growth and exits.

Private equity firms do not have a cybersecurity problem. They have a translation problem. According to Anthony Catalano, a principal and private equity cybersecurity leader at RSM US LLP, the problem is not a lack of tools or frameworks; it is a persistent translation gap between cyber risk and financial decision making.

“Cybersecurity is not appropriately accounted for in a deal or in a post-close strategy,” Catalano says. “Deal teams are still asking ‘Is cybersecurity adequate?’ instead of understanding what it will actually cost if it’s not there.”


The translation problem in PE deals

Catalano describes a recurring pattern in PE transactions: limited access during diligence, no defined cybersecurity thesis and an inability to quantify gaps in financial terms. As a result, cyber issues surface late, often after close, creating unplanned costs that directly erode value.

In one recent example he shared, a portfolio company inherited an estimated $1.5 million in cybersecurity remediation costs that were not identified during diligence.

“Now they have an asset they’ve taken on with a $1.5 million surge cost for cybersecurity that no one ever accounted for,” he says. “That impacts valuation because they have to eat that cost, and it compounds as the company grows.”

This disconnect reflects a broader issue: Security findings are still presented in technical language—frameworks, controls, maturity models—while PE investors focus on internal rate of return, multiple on invested capital and exit readiness.

Why this is a growing challenge for PE sponsors

Several structural dynamics are compounding the exposure and risk:

  • Compressed diligence timelines limit the ability to fully assess cybersecurity posture.
  • Post‑close transformations expand digital footprints and attack surfaces.
  • Public deal announcements often trigger targeted cyberattacks during transition periods.
  • Cyber insurance scrutiny is increasing, with claim denials tied to misalignment between controls and applications.

“As soon as deals are announced, attackers go after the organization,” Catalano notes. “It’s a 90‑day window where everything is in flux and attention is not on security as it might need to be.” 


How PE firms can better address cyber risk

Rather than treating cybersecurity as a checklist item, Catalano encourages PE firms to reframe it as a financial and operational discipline. Key actions include:

  • Ask financially grounded diligence questions, not just technical ones.
  • Quantify cybersecurity gaps in dollars, not severity ratings.
  • Align cybersecurity programs with cyber insurance requirements.
  • Rightsize security leadership for portfolio company scale.

If PE firms focus on one priority in the near term, Catalano says, “make sure you’re aligned at a baseline with your cyber liability insurance policy. That’s your primary risk transference strategy—and a signal of whether you’re doing the basics.” 

The takeaway

Cyber risk is not a technology problem that PE firms fund and move on from. It is a recurring financial variable that shows up in diligence, post-close operations, exit readiness and insurance pricing. The firms getting this right are not the ones with the most sophisticated frameworks. They are the firms that stopped asking whether cybersecurity is adequate and started asking what it would cost if it is not.

For deeper insights on this topic, read the RSM US Middle Market Business Index Special Report: Cybersecurity 2026.

RSM contributors

  • Anthony Catalano
    Principal
