ESG insights for private companies

Cybersecurity for private companies

Multiple authors
8 min read
2025-06-30
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.
1300422159

The views expressed are those of the authors at the time of writing. Other teams may hold different views and make different investment decisions. The value of your investment may become worth more or less than at the time of original investment. While any third-party data used is considered reliable, its accuracy is not guaranteed. For professional, institutional, or accredited investors only. 

Cyberattacks are among the world’s most pressing risks. In fact, they were rated as a top 10 risk in each of the World Economic Forum’s last four Global Risk reports.1 Though previously considered a technology issue, cybersecurity has become an increasingly material ESG concern for private companies, investors, regulators, and consumers alike. Critically, cyber threats are pervasive across industries and come in many forms (Figure 1).

Cybersecurity experts predict that the threat of ransomware attacks will continue to grow in 2024, and that cybercriminals will increasingly leverage AI and machine learning to fuel the efficacy of their attacks.2 They also believe that quantum computing advancements and expanding Internet of Things (IoT) vulnerabilities will require companies to enhance their existing security defense measures. Notably, one 2023 survey found that 68% of firms had experienced a cyberattack during the year.3 We think private companies that can nimbly adapt to this evolving landscape will be better positioned to address these risks.

In this piece, we highlight this rising problem, explore how it is particularly relevant for private companies, discuss key regulatory considerations, and share best practices for companies facing these threats.

Figure 1
cybersecurity-for-private-companies-fig1

Why cybersecurity is material for private companies

Cyberattacks are material issues for private and public companies as they can raise the risk of exposing confidential company information or sensitive customer data, halting operations that can consequently disrupt supply chains, increasing regulatory scrutiny, and/or causing reputational harm. The average cost of a data breach in 2023, for example, was ~US$4.45 million per incident, a 2.3% increase from 2022 and a new all-time high.4 Companies that extensively invested in security AI and automation were shown to report US$1.76 million lower data breach costs compared to organizations that didn’t use these cybersecurity technologies.5 Companies with marketable information on clients or intellectual property may face heightened financial risk due to the impact that data has on both their value and brand loyalty. In addition, firms that provide services to others or depend heavily on real-time operations can likely expect high per-minute costs of lost revenue and dissatisfied clients in the event of a denial-of-service or ransomware attack.

Thus, while a firm may incur no direct material loss from some attacks, these risks may affect a company’s valuation by impacting brand perception and operating costs. Private companies should consider these potential risks when evaluating cybersecurity investments as underspending could amplify long-term costs.

Figure 2
cybersecurity-for-private-companies-fig2

Private companies are most at risk right before IPO

While overall risks remain the same for both public and private companies, public companies are often better prepared as they have more consistent scrutiny on cyber risks due to their established oversight practices and engagement with public investors. In contrast, when investing in a private company at early stages, investors likely have more limited insight into the company’s cybersecurity risks and thus the same scrutiny is not applied. Furthermore, early-stage companies may be more focused on building a client base and generating revenue, with fewer resources allotted to cybersecurity risk management.

Importantly, we believe early-stage companies are at the highest risk of a cybersecurity attack right before they go public. This is because a public announcement may draw the attention of “black hat” hackers who are very aware of a company’s maturity stage and the critical importance of its reputation during an IPO. This can make the business an attractive target for extortion/ransom attacks. If thoughtful controls are not in place, the company may not be able to fend off the attack, potentially placing it in the position of having to pay a ransom, suffering a public data breach, or having its services shut down at a critical time. By addressing these risks early, private companies can better avoid issues at this crucial transition period.

Increasing regulatory considerations

Regulators across the globe are increasingly concerned about data security, privacy, and transparency. In July 2023, the US SEC adopted new rules of cybersecurity risk management and disclosure for public companies, with the goal of creating consistent and comparable information for investors. The new rules require companies to disclose cybersecurity incidents and impacts within four business days of the incident being determined to be material. Furthermore, companies must disclose material information about their cybersecurity risk management, strategy, and governance in annual reporting.6 This reporting must include the board and management’s role(s) in identifying, assessing, and reporting cybersecurity risks internally. Private companies — particularly those preparing for an IPO — should consider whether they have sufficient cyber expertise on their leadership teams to satisfy investor and/or regulatory expectations for oversight.

There are several frameworks that private companies can adopt as best practices to mitigate increasing risks and prepare for regulation. These include ISO 27000, the National Institute of Standards and Technology’s Cybersecurity Framework, or the Cybersecurity Maturity Model.7 However, we recommend that companies customize their standards to be most relevant to their business model and industry. This will help ensure that controls are sufficiently customized for the company’s risk profile.

Beyond cybersecurity, data privacy is another key area of focus for global regulators, with an increased emphasis on consumer welfare and control. In 2018, the European Union (EU) created a new set of rules — the General Data Protection Regulation (GDPR) — designed to give EU citizens more control over their personal data.8 Several other regions have since begun implementing similar policies, including those by the California Consumer Privacy Act (CCPA) and the California Privacy Protection Agency (CPPA) in the US. These policies promote lawfulness, fairness, accuracy, and transparency of data processing; limitations on data collection and storage; and robust processes for accountability and recourse.9 Companies are accordingly investing in their data privacy systems, increasingly moving from manual compliance to automated solutions to improve their compliance with CCPA and CPPA.10 As these regulations continue to increase, well-prepared private companies can differentiate themselves from their peers.

Cyber-hygiene best practices for private companies

In addition to the actual risks and regulations, private companies should prepare for greater scrutiny as investors increasingly include cybersecurity risk evaluations in their due diligence process prior to the closing of a deal. These could include network scanning, penetration testing, third-party cybersecurity assessments, and proof of eligibility for cybersecurity insurance.11 Additionally, while each cyberattack incident itself is important, a company’s response to an attack can be even more material to investors. Companies should aim to be highly transparent and disclose material incidents promptly to the affected stakeholders (such as customers or suppliers). Notably, we believe it is important to establish relationships with third-party breach response services to assist early on in response to a potentially material incident.

Investors are also focused on the amount of capital deployed to technological investments relating to cyber protection. A recent survey found that companies increased spending on cybersecurity by 70% from 2019 to 2023 and allocated a median of 8% of their technology budgets to cybersecurity (up from 5% in 2019).12 Higher-risk industries (such as tech and retail) and private companies/SMEs (due to maturity stage and vulnerability level) are generally expected to allocate an above-average amount to IT spending. This can include investments to securely maintain hardware and quickly patch software, to ensure multifactor authentication is in place and widely used, to adopt cybersecurity insurance, and to procure independent third-party assessments. Notably, insurance is often a good proxy for company cyber strength. While cyber insurance premiums have increased in recent years, one survey reported that 76% of issuers purchased specialized cyber insurance in 2023.13 

Importantly, companies should continuously and aggressively patch and evolve their security as attackers are constantly modifying their approaches. While smaller firms can outsource some security operations, we believe it is important, where financially feasible, to include a cybersecurity expert on the leadership team with the necessary expertise to formulate bespoke risk assessments and controls. To be effective, we believe cybersecurity needs to be proactively integrated into the operations of the firm.

Another area of focus for private companies relates to social engineering attempts by attackers via email, phone, or other means. Smaller companies with fewer resources can attract attackers for this very reason, with the likelihood of attacks increasing with press releases about funding rounds and new investors. We’ve observed email-related attacks on private companies, with attackers masquerading as executives from firms who are investors. One method attackers use is to establish “lookalike” (i.e., spoofed) email domains, similar to those of the new investment firms, and send emails in the hope of tricking an unwary member of the private firm such that the private firm is defrauded. Establishing a strong security culture and creating awareness can be an effective defense in combatting this and other social engineering methods. 

Of additional concern is overseeing cybersecurity in key third-party service providers and establishing processes to assess supplier risk and respond in the event they are subject to cyberattack. In fact, more than 80% of third-party vendor risks are discovered after the initial onboarding and due diligence process.14 In our view, companies that rely on third-party vendors for technical development services and solutions should implement strict due diligence standards to minimize risk.

Finally, we encourage companies to proactively provide high-level disclosure of the above precautions as well as details on governance structures and controls. These disclosures are generally viewed favorably by investors as positive indicators of a company’s cybersecurity preparedness. For data privacy, companies are encouraged to adhere to the GDPR, CPPA, and CCPA guidelines and to use clear, simple language in their privacy policies.

Figure 3

Five key cybersecurity measures private companies should prioritize

1. Require multifactor authentications for all remote access including email: This will enhance security by requiring users to identify themselves by more than a single username and password.

2. Patch all laptops, servers, and desktops aggressively to systematically monitor and enhance network security: Given that attackers reverse engineer patches to find exploitable bugs, continuous patching is a key preventative mechanism.

3. Ensure business information stays on business systems and off personal systems: Companies cannot protect information on systems that they don’t control.

4. Make cybersecurity part of your culture and model best practices from the top down: Create a mindset in employees that their daily actions impact cyber risk and encourage them to make thoughtful daily decisions that align with security policies.

5. Create incident response plans with clear lines of responsibility including the board: Review and test incident response plans annually and share them with the board. Directors should understand evolving data privacy and cybersecurity regulations, consider their potential impact on the company, and oversee/monitor compliance. Appoint a Chief Information Security Officer or Virtual CISO for dedicated oversight.15

Source: Wellington Management. | For illustrative purposes only.

Bottom line

Cybersecurity is a widespread and rapidly growing issue that can have significant material impacts on private companies. These risks are particularly relevant as private companies approach the public markets, where strong oversight controls are considered part of good corporate governance and attention from potential attackers may increase. In our view, it is critical for companies to have the necessary expertise and infrastructure to navigate these substantial risks and the corresponding increase in regulation and disclosure expectations.

Appendix: Top 10 cybersecurity questions for private companies

Governance, oversight, and controls
1.When did the C-suite and operations team last go through a rehearsal for ransomware (including a ransom Q&A)?
2. 

When was the last holistic cybersecurity assessment (i.e., beyond penetration testing)?

3.

How do you help your board members interpret cybersecurity reports?

4.   Is cybersecurity integrated into enterprise risk management programs and, if so, what are the company’s preventative, detective, and corrective controls?
Breach history and response
5.Have you had an internal data breach or an external cyberattack that has impacted your systems?
6.What are your company’s disclosure and response policies if an attack occurs?
7.

Are there clearly defined roles within your crisis management team to minimize confusion during attacks?

Business model and operations
8.Do you use Internet of Things products for your operations and, if so, have you analyzed how secure they are?
9.Are any of your competitors based in countries with state hackers?
10.Is there something specific about your business model that puts you at a higher risk of a cyberattack?

1Sources: World Economic Forum, “The Global Risks Report” 2021 to 2024. | 2Source: Forbes, “Navigating the cybersecurity landscape in 2024,” December 2023. | 3Source: Netwrix, “2023 Hybrid Security Trends” report. | 4Source: IBM, “Cost of a Data Breach 2023.” Figures include ransom payments and customer compensation. | 5Ibid. | 6Source: US Securities and Exchange Commission, “SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies,” 26 July 2023. | 7Source: IT Governance, “ISO 27001, the International Information Security Standard.” | 8Source: General Data Protection Regulation. | 9Sources: Perkins Coie and Cytrio. | 10Source: Cytrio, “6th State of CCPA & CPRA Privacy Rights Compliance Research Report – H1 2023,” August 2023. | 11Source: Wall Street Journal, “Private-Equity Firms Tighten Focus on Cyber Defenses at Portfolio Companies,” January 2023. | 12Source: Moody’s, “Cyber budgets increase, executive overview improves, but challenges lurk under the surface,” 26 September 2023. | 13Source: ibid. | 14Source: Gartner, “Third-Party Risk Management.” | 15Source: Wall Street Journal, “Private-Equity Firms Tighten Focus on Cyber Defenses at Portfolio Companies,” January 2023.

Experts

morales-andrew-7120
Associate Director of Value Creation, Private Investments

Related insights

Showing of Insights Posts
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.

Designing an executive compensation program: Five best practices for private companies

Continue reading
event
6 min
Article
2025-10-31
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.

Human capital management for private companies

Continue reading
event
7 min
Article
2025-08-28
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.

AI governance for private companies

Continue reading
event
8 min
Article
2025-07-30
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.

Five key ESG topics for private companies in 2024

Continue reading
event
Article
2024-12-31
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.

Why climate change matters in private markets

Continue reading
event
Article
2024-10-31
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.
A guide to ESG materiality assessments Continue reading
event
Article
2025-07-31
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.

Read next