Cybersecurity risk remains one of the most persistent and value-impacting challenges across private equity portfolios. As threat actors increasingly exploit smaller, less mature organizations as entry points into larger networks, sponsors are under growing pressure to understand where cyber risk truly resides, and which actions drive meaningful improvement.  

The ACA 2026 PortCo Cyber Risk Report delivers a data-driven view of cybersecurity risk across private equity portfolios, drawing on assessments of more than 300 portfolio companies across 18 industries and 12 countries. Using ACA’s proprietary RealRisk™ methodology, the report provides comparable, portfolio-wide insights that help sponsors prioritize oversight, investment, and remediation efforts with confidence. 

Industry-Specific Cyber Risk Trends Firms Need to Know

This report goes beyond high-level risk scores to examine how cyber risk manifests across industries, domains, and specific control areas, and how that risk evolves over time with sustained oversight.

 Specifically, the report explores:  

  • How cyber risk is distributed across portfolio companies in 2025, and why an even distribution can still mask material differences in exposure.
  • Which cybersecurity domains and areas consistently drive higher risk, including Penetration Testing, Third-Party Risk Management, and Application and Product Security ownership.
  • How industry context shapes risk profiles, with sector-specific challenges influencing where risk concentrates.
  • Why sustained engagement matters, demonstrating how portfolio companies with longer-term Vantage use shift toward lower risk score ranges, even within Elevated and High-risk categories.
  • Which controls are most closely associated with lower overall risk, highlighting the outsized impact of programmatic governance practices alongside technical controls.

Turning Cyber Risk Insights into Portfolio Action

Cybersecurity risk is no longer confined to IT teams; it is a material business risk that directly affects enterprise value, operational resilience, and exit readiness. Sponsors need more than point-in-time assessments; they need consistent, comparable insight across the portfolio to inform smarter decisions.

The benchmarking data shows that:

  • Portfolio-wide, ongoing assessment enables earlier identification of systemic risk drivers.
  • Foundational technical controls often deliver early gains, but programmatic controls, such as policy governance, board engagement, and incident preparedness, are more closely tied to sustained risk reduction.
  • Portfolio companies operate at varying levels of maturity, requiring sequenced, risk-based prioritization rather than one-size-fits-all expectations.

This report is designed to help sponsors align oversight efforts with where they will have the greatest impact.

Complete the form to receive your copy of the ACA 2026 PortCo Cyber Risk Report and explore the insights shaping cybersecurity oversight in private equity today.

 
