WOODLANDS ADVISORY
Strategy · 8 min

72 Percent. $3.4 Million. What Two International PE Reports Mean for DACH.

In November 2025, Russell Reynolds reported that 72 percent of the US and European PE firms it surveyed had suffered a serious cyber incident inside a portfolio company within the past three years, at an average of $3.4 million per incident. RSM, working from the consultant side, points to the underlying cause: a lack of visibility across the portfolio. For DACH operating partners, these are not US stories. They are an instruction for the next 24 months.

In November 2025, Russell Reynolds Associates published a piece titled Creating Value with Cyber Security: What Leading PE Firms Are Getting Right. In parallel, RSM US has been running a dedicated private equity cybersecurity service line, built around a platform called RSM Sentry — portfolio-wide dashboards, AI-assisted analytics, centralised visibility over the cyber posture of every portfolio company.

The two pieces were produced independently, but read against each other they make the same point: cyber inside the PE portfolio has become a value-creation question, and most firms are not operationally set up for that yet. For DACH PE, family offices and M&A advisors, the relevant question is not whether these findings travel — it is how much time remains to adapt without paying for the lesson in-house.

The Numbers Every Operating Partner Should Know

Russell Reynolds' survey of US and European PE firms gives the most defensible data we have on this question today:

  • 72 percent of the PE firms surveyed reported a serious cyber incident at one of their portfolio companies within the past three years. Average damage per incident: $3.4 million.
  • Around one third of portfolio-company leaders list cyber risk among their three biggest operational challenges. Almost the same share openly admit they are not equipped to manage it.
  • Only 38 percent of PE organisations proactively plan for technological change — the remaining 62 percent react.
  • 52 percent of leaders expect AI adoption to break existing cyber safeguards.
  • More than half of respondents from PE-backed companies see their organisation as insufficiently equipped to protect against "AI negligence" — careless AI use inside the workforce.

RSM puts the same picture in a single, precise diagnosis: "Limited visibility into a portfolio company's cybersecurity practices, combined with the challenge of defining effective cybersecurity standards, often hampers a fund's cybersecurity risk management efforts."

Put differently: the firms that actually know what their portfolio cyber posture looks like are a minority. The firms that proactively steer it are a smaller one still.

The Central Thesis: Value Protection Is Value Creation

The single most consequential line in the Russell Reynolds piece reads:

"Value protection is inseparable from value creation — but most firms still run them on separate tracks."

The historical split between "cyber as a compliance cost centre" and "cyber as a valuation factor" has started to dissolve in the US market over the past 18 months, driven by real incident frequency and by increasingly technical board-level attention. Russell Reynolds cites an operating partner to the effect that boards today ask tactical questions ("is MFA rolled out everywhere?") where two years ago they were still asking strategic ones. That is not progress in the strict sense; it is the recognition that the basics are often missing.

A second line from the piece captures the underlying dynamic: "Most firms find religion through pain." Translation: most PE firms only professionalise their cyber governance after an incident has damaged an asset, a valuation or an exit process. The 72 percent figure above is the quantitative form of that observation.

The Lifecycle the Reports Describe — and What It Means for DACH

Russell Reynolds outlines a model in which cyber is actively woven into five points across the investment cycle, instead of being inspected once at closing day:

  1. Due diligence — pricing risk through technical testing (penetration testing, cloud configuration review, identity and access review) rather than through self-assessment questionnaires.
  2. Value creation — a remediation roadmap directly linked to the value-creation plan; measured through metrics such as mean time to detect and mean time to respond.
  3. Exit protection — red-team exercises and compliance attestations whose explicit purpose is preserving valuation, not ticking an audit box.
  4. Operating model — moving from the reactive model (fragmented, consultant-dependent, project-driven) to the institutionalised one (data-driven, dashboard-supported, standardised).
  5. Leadership & governance — tying portfolio-management compensation to measurable cyber-maturity improvements.

What we see in DACH reality during M&A cyber due diligence is almost always the opposite: cyber DD, if it happens at all, is bought once at closing as a sidecar to legal and financial DD. After closing, the portfolio company carries the responsibility alone — usually without a CISO, without a reporting structure, without a defined maturity target.

The gap becomes visible across the hold period. With average PE hold periods now above six years (see McKinsey, covered in our previous piece), a portfolio company running without continuous cyber stewardship will have a different security posture at exit than at closing: usually a worse one, and almost always a more poorly documented one. That is why a finding surfaced by the buyer's advisers during exit diligence is the most expensive form a cyber finding can take.

Where International Findings Hit DACH Reality

Three friction points are relevant when transferring these international findings to DACH structures:

First, scale. RSM reports 2,900+ PE/VC client relationships and 4,500+ portfolio companies; at that size a platform such as RSM Sentry pays for itself technically and commercially. A DACH boutique with three active portfolio mandates will not run an equivalent tooling stack. What it needs instead is a reporting rhythm that produces the same visibility: a monthly posture update, a one-page operating-partner brief, a quarterly heat map. That is organisational discipline, not a software stack.

Second, the regulatory geometry. The US debate runs along SOC 2, HIPAA, the SEC cyber disclosure rule and the Texas SB 5 Data Privacy Act. The DACH situation has a different shape: NIS2 obligations with personal liability for managing directors (see our explainer), GDPR as an ongoing task, the DORA roll-out in financial services. A DACH PE firm that imports a US best-practice stack one-to-one imports the wrong regulatory model, and overlooks a real liability question that does not exist in the same form in the US.

Third, the AI risk angle. Russell Reynolds describes AI as a "democratising force", both for attackers and for untrained internal users. More than half of respondents see their own safeguards against AI negligence as insufficient. In DACH portfolio companies, an additional dimension shows up in roughly half of the diligence engagements we have run since Q4 2025: shadow-AI use with personal data. Employees feed customer data into consumer LLM services, in the absence of any enforced policy framework. Legally (GDPR Art. 28 on processors, Art. 32 on security of processing) and commercially (contractual penalties, B2B credibility), that is a position that did not appear in 2024 DD reports and that has to feature in any serious 2026 one.

What Operating Partners Can Do Differently Now

Four shifts emerge from the two reports that are immediately actionable for a DACH PE structure — without having to stand up an internal cyber team:

Cyber as a recurring standing item in the investment committee. Not a 30-second mention inside the risk block, but a one-page cyber section alongside trading, operations and pipeline. Without that, the firm does not know what it is managing.

Pre-deal cyber as a pricing input, not a confirmatory tick. Findings that arrive after the pricing decision rarely change the deal. Findings that arrive before it change the deal regularly. That is the entire ROI lever of the DD phase.

Cyber posture expressed in metrics an operating partner can read. Open critical CVEs older than 30 days, identities without MFA, EDR coverage across endpoints, time since the last successful restore test. Four numbers are enough for a first report. They replace the abstract "maturity score" discussion with comparable, portfolio-wide data.
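The four numbers above, and the quarterly heat map mentioned under the scale point, as an added worked example (not code from this article, from Russell Reynolds or from RSM): a Python script that computes them per portfolio company from constructed scanner, identity-provider, endpoint and backup exports and rolls them into a traffic-light row per company. Record layouts, field names and the rating thresholds are assumptions; the thresholds are where a firm would set its own targets.

```python
"""Four portfolio cyber metrics computed from constructed inventory exports.

Added example, not code from the article or from Russell Reynolds/RSM.
Record layouts, field names and traffic-light thresholds are assumptions;
every record below is constructed and describes no real company.
"""
from datetime import date

MAX_CRITICAL_AGE_DAYS = 30  # "critical CVEs older than 30 days", the article's first metric
AS_OF = date(2026, 3, 31)   # reporting date for the quarter

# Constructed sample portfolio (placeholder ids, fictitious hosts and users).
PORTFOLIO = {
    "Alpha GmbH": {
        "findings": [  # vulnerability scanner export
            {"id": "vuln-001", "severity": "critical", "first_seen": "2026-01-10", "fixed": None},
            {"id": "vuln-002", "severity": "critical", "first_seen": "2026-03-20", "fixed": None},
            {"id": "vuln-003", "severity": "high", "first_seen": "2025-12-01", "fixed": None},
            {"id": "vuln-004", "severity": "critical", "first_seen": "2025-11-05", "fixed": "2026-02-01"},
        ],
        "identities": [  # identity-provider user export
            {"user": "cfo", "mfa": True}, {"user": "it-admin", "mfa": True},
            {"user": "sales-01", "mfa": True}, {"user": "svc-backup", "mfa": False},
        ],
        "endpoints": [  # endpoint inventory joined with the EDR console
            {"host": "lap-01", "edr_agent": True}, {"host": "lap-02", "edr_agent": True},
            {"host": "srv-erp", "edr_agent": True}, {"host": "srv-file", "edr_agent": True},
            {"host": "srv-legacy", "edr_agent": False},
        ],
        "last_restore_test": "2025-11-15",  # backup log: last successful test restore
    },
    "Beta AG": {
        "findings": [{"id": "vuln-005", "severity": "critical", "first_seen": "2026-03-25", "fixed": None}],
        "identities": [{"user": "ceo", "mfa": True}, {"user": "ops", "mfa": True}, {"user": "dev", "mfa": True}],
        "endpoints": [{"host": "lap-11", "edr_agent": True}, {"host": "lap-12", "edr_agent": True},
                      {"host": "srv-web", "edr_agent": True}],
        "last_restore_test": "2026-03-01",
    },
    "Gamma SE": {
        "findings": [],
        "identities": [{"user": "md", "mfa": True}, {"user": "shared-office", "mfa": False}],
        "endpoints": [{"host": "pc-01", "edr_agent": True}, {"host": "pc-02", "edr_agent": False}],
        "last_restore_test": None,  # no restore test on record at all
    },
}


def _parse(iso):
    """ISO date string -> date; None passes through (no record)."""
    return date.fromisoformat(iso) if iso else None


def stale_critical_count(findings, as_of):
    """Open critical findings first seen more than MAX_CRITICAL_AGE_DAYS before as_of.
    A finding whose 'fixed' date is on or before as_of is closed and not counted."""
    count = 0
    for f in findings:
        fixed = _parse(f.get("fixed"))
        if f["severity"] != "critical" or (fixed and fixed <= as_of):
            continue
        if (as_of - _parse(f["first_seen"])).days > MAX_CRITICAL_AGE_DAYS:
            count += 1
    return count


def identities_without_mfa(identities):
    """Accounts with no MFA enrolled; a missing flag counts as no MFA."""
    return sum(1 for i in identities if not i.get("mfa", False))


def edr_coverage(endpoints):
    """Share of inventoried endpoints reporting an EDR agent; empty inventory -> 0.0."""
    if not endpoints:
        return 0.0
    return sum(1 for e in endpoints if e.get("edr_agent")) / len(endpoints)


def days_since_restore_test(last_test, as_of):
    """Days since the last successful restore test, or None if never tested."""
    last = _parse(last_test)
    return (as_of - last).days if last else None


RAG_ORDER = {"green": 0, "amber": 1, "red": 2}


def rate_company(company, as_of):
    """Raw values plus traffic-light ratings; thresholds are assumed, not from the article."""
    stale = stale_critical_count(company["findings"], as_of)
    gaps = identities_without_mfa(company["identities"])
    cov = edr_coverage(company["endpoints"])
    since = days_since_restore_test(company.get("last_restore_test"), as_of)
    gap_ratio = gaps / len(company["identities"]) if company["identities"] else 0.0
    ratings = {
        "stale_critical": "green" if stale == 0 else "amber" if stale <= 2 else "red",
        "mfa": "green" if gaps == 0 else "amber" if gap_ratio <= 0.05 else "red",
        "edr": "green" if cov >= 0.95 else "amber" if cov >= 0.80 else "red",
        "restore": ("red" if since is None else "green" if since <= 90
                    else "amber" if since <= 180 else "red"),
    }
    return {
        "values": {"stale_critical": stale, "mfa_gaps": gaps,
                   "edr_coverage": cov, "days_since_restore": since},
        "ratings": ratings,
        "overall": max(ratings.values(), key=RAG_ORDER.__getitem__),  # worst colour wins
    }


def portfolio_heatmap(portfolio, as_of):
    """One row per portfolio company: the quarterly heat map in tabular form."""
    return {name: rate_company(c, as_of) for name, c in portfolio.items()}


if __name__ == "__main__":
    for name, row in portfolio_heatmap(PORTFOLIO, AS_OF).items():
        v = row["values"]
        restore = "never" if v["days_since_restore"] is None else f"{v['days_since_restore']}d"
        print(f"{name:10} {row['overall']:5}  stale-critical={v['stale_critical']} "
              f"mfa-gaps={v['mfa_gaps']} edr={v['edr_coverage']:.0%} restore-test={restore}")
```

Run stand-alone, it prints one line per company; the worst colour across the four numbers is the company's rating, which is the form a one-page operating-partner brief can carry. The fixed-date check matters: a scanner export that still lists remediated findings would otherwise inflate the first metric. Swap the constructed records for the real exports and keep the thresholds versioned, so that quarter-on-quarter comparisons stay comparable.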

Exit readiness six to twelve months before sale, not in the data-room phase. The most expensive place for a cyber finding to surface is the buyer's DD report during a live exit. A dedicated exit-readiness review run at the right point in the process costs a fraction of the valuation discount it can prevent.

A standing vCISO mandate provides the organisational home for each of these four shifts. A Compliance Sprint closes the most likely audit or contractual gap inside a portfolio company. An M&A cyber due diligence turns cyber inside the deal flow into a pricing input rather than a comfort exercise around closing day.

One Honest Closing Note

Russell Reynolds ends its piece with a line we would sign at Woodlands as it stands:

"Cyber resilience starts as a control problem but ends as a leadership one."

The most durable cyber-posture improvements inside PE portfolios that we have helped run over the past few years never started with technology at the centre — they started with a clarification at the investor level on who owns cyber risk in the portfolio, who measures it, and to whom it is attributed. Only out of that clarification do MFA roll-outs, EDR coverage and vendor reviews ever take a sequence that fits the value of the asset.

Both reports are freely accessible and we recommend reading the originals. If a concrete portfolio, deal or exit question would benefit from a short conversation — operating partner to operating partner — that is the most useful starting point.
