They Got Breached Too.

What Mid-Market Sellers Don’t Understand About the Other Side of the Table
I had dinner last month with a partner at a PE firm. Mid-market deals, mostly manufacturing and services. Halfway through the meal, he told me something that reframed how I think about every deal conversation I have had this year.

“We got hit last year,” he said. Not one of his portfolio companies. His firm. The actual fund infrastructure. Credential theft. Someone walked in through a compromised login and had access for weeks before anyone noticed.

I asked him what changed after that.

He set his fork down. “Everything. Every deal we look at now, the first thing my team does is tear apart the target’s cyber. Not because we got religious about security. Because we know what it costs when nobody checks.”

That partner is the exception. And that is what makes this moment so interesting for sellers.

The Smartest Risk Managers in the Room — Except Here

PE firms are, by any measure, among the most disciplined risk managers in business. They would never close a deal without a quality earnings report. They would never let a seller’s accountant be the only voice on the financials. They would never skip an independent legal review.

Then they get to cyber, and the whole discipline disappears.

On cyber, the deal team checks a box. The MSP says things are handled. Or the internal IT team delivers the five words every CEO should freeze on: “We’ve got it covered, boss.”

That sentence should send shockwaves through you. Not because your IT team is lying. They are not. They know what they know. But they do not know whether you are actually secure. They cannot tell you the financial impact to the business if you get hit. They cannot quantify what a cyber event does to your valuation, your deal timeline, or your insurance coverage. They are checking their own work, and nobody in the room has the independence or the financial lens to say whether any of it would survive scrutiny.

That would be one thing if cyber risk were small. It is not.

Kroll’s 2026 study of 325 PE executives found that cyberattacks now cause an average of $2.1 million in financial impact per incident. More than half reported losses exceeding $500,000. And eSentire’s 2025 threat data showed the VC and PE sub-industry recorded an 86 percent intrusion ratio — meaning the vast majority of attempted breaches succeeded. Private equity is one of the most targeted and most penetrated sectors in financial services.

Read that again. The firms buying your company are getting breached at an 86 percent rate. Losing millions per incident. And their deal teams are still treating cyber in the companies they acquire as an IT checklist.

Imagine applying that logic to accounting. “Our controller says the numbers are clean, so we skipped the quality of earnings.” No PE professional on earth would say that out loud. But on cyber, they are living it every day.

When I ask PE professionals why, the answer is usually: the losses can be spread across the portfolio. Cost of doing business.

That math works until it does not. Twenty-six percent of PE firms have already reported that cyber incidents resulted in a reduced valuation or exit price. A breach at one portfolio company can serve as a gateway into the broader PE network, turning a single incident into a portfolio-wide exposure.

So I asked a PE partner a simple question. At what point do the losses become significant enough to change how deal teams treat cyber?

He did not have an answer. But the data is building one for him.

The Confidence Problem on Your Side of the Table

If the buyers are asleep at the wheel on cyber, sellers are not doing much better.

ESET’s 2026 SMB Cyber Readiness Index found that 87 percent of U.S. businesses feel confident in their cyber resilience. That sounds encouraging until you see the next number. Companies that had been breached multiple times reported higher confidence than companies that had not been breached at all. That is not resilience. That is scar tissue being mistaken for armor.

It is like a driver who has been in three fender benders saying, “I’ve got this. I know what an accident feels like.” That is not skill. That is a pattern your insurance company would like to discuss.

Meanwhile, the numbers on the seller’s side tell their own story. Seventy-two percent of small businesses were hit by fraud, scams, or ransomware last year. In the mid-market, 54 percent experienced a cyber incident in the past twelve months. Those are not outliers. Those are the odds.

And here is why this matters for sellers. Most PE deal teams are not scrutinizing cyber the way they will be in two or three years. That feels like safety. It is not. It is a window. When the buyer side wakes up — and the losses say they will — every seller who used that window to build proof will be in a different position than the ones who spent it feeling comfortable.

Why This Is a Window, Not a Permanent Condition

In twenty-five years of independent assessments, I have never found a clean environment. Not one. The seller almost never knows that before the deal. And the reason is structural.

The MSP or the internal IT team built the environment and says it is solid. The insurer required controls, and whoever built the system confirmed they are in place. The compliance framework documented what was reported. Everyone is referencing everyone else. Nobody is standing outside asking whether any of it actually works.

That is not security. That is a hall of mirrors. Every reflection looks real. None of them are independent.

Right now, most PE deal teams are not looking behind those mirrors. That feels like safety for sellers. It is not. It is a window. And that window closes the moment enough partners connect the losses at their own firms to the diligence process on their next deal.

When that happens, cyber stops being a checkbox. And the mid-market seller walking in with a compliance audit and a handshake from their IT provider is going to face a very different conversation.

Remember what is actually at stake. For most mid-market owners, 80 to 90 percent of their retirement is locked inside the business. That deal is not a transaction. It is decades of work converted into the financial security of their family. When a cyber finding moves the price by five or ten percent, that is not an abstract haircut. That is someone’s retirement changing. That is a conversation at a kitchen table that did not have to happen.

The question for sellers is whether you use this window or waste it.

Uncertainty benefits the buyer. Clarity benefits the seller. The difference between the two is proof that exists before anyone asks for it.

Not a last-minute scan. Not a vendor’s assurance. Not an insurance renewal letter. Independent, validated, documented proof that someone outside your system checked the math.

The buyers are getting hit. They have not all changed their behavior yet. But the ones who have are the ones you do not want to meet unprepared.

Mike Fitzpatrick

Founder & CEO, NCX Group

Distinguished Fellow, Ponemon Institute

www.ncxgroup.com

P.S. If you are preparing for a sale and the only people who have validated your cyber posture are the same people who built it, you do not have validation. You have a second opinion from the surgeon who performed the operation. That might be comforting, but it is not the same as an independent review — and every buyer on the planet knows the difference.

Repost from LinkedIn – https://www.linkedin.com/pulse/got-breached-too-mike-fitzpatrick-hge7c/