Cybersecurity Has Moved To Your LP’s Front Office

By William Haney, CEO, Drawbridge

Published: 04 March 2025

Cybersecurity continues to grow as a concern amongst alternative asset managers. Investors allocating to these managers now place cyber readiness at the top of their agendas when engaging with managers, especially given the recent rise in public news and private disclosures about breaches.

The year 2024 proved a turning point for large, sophisticated limited partners (LPs). It became clear that the inexorable rise in incidents was symptomatic of a broader structural weakness across the alternative asset management sector, requiring a fundamental shift in how LPs view cyber risk and a growing need for leading investors to mitigate these risks more directly.

What’s driving the high-risk level for LPs and alternative managers?

A shift in mindset among LPs has occurred in response to the persistent increase in both the frequency and severity of incidents amongst alternative managers and their related entities, including private equity-sponsored portfolio companies. Broadly speaking, financial services is now the second most attacked industry (behind manufacturing) and represents 20% of all recorded cyber incidents.[1]

However, we have witnessed a higher prevalence of incidents among alternative managers for a few key reasons:

1. Smaller managers are likely more vulnerable.

Cyber actors rightly or wrongly assume that the majority of alternative managers are not run at the scale of larger firms like Carlyle or KKR, and do not have the resources, either in-house or with their outsourced IT teams, to manage persistent threats across an ever-expanding attack surface. Thirty-five percent of all attacks are on companies with fewer than 100 people.[2]

2. Alternative managers are in the public eye.

Fundraising and private investments are often publicly announced, if not outright press events. To make matters worse, press releases and articles propagated across news bots cite fund and investment sizes, as well as the use of funds by PE-sponsored portfolio companies. This information makes bad actors smarter and helps sharpen their approach to exploit specific vulnerabilities.

3. GPs are ideal personas to impersonate.

GPs are fast-moving and time-starved, ideal traits for using phone and text to convince a lower-level employee to act quickly in initiating a wire transfer, one of the most common forms of successful cyber attack. Recently a large and well-managed PE firm suffered a “sophisticated social engineering attack” with damage yet to be fully understood. In the interim, the firm found it prudent to make a public statement.

4. Portfolio companies of PE firms are attractive targets.

Portfolio companies can be operationally immature and vulnerable. If attacked, these companies often prove eager to settle for higher ransoms in an effort to move on from the incident quietly. Seventy-five percent of all attacks are on companies with fewer than 1,000 employees, and these attacks increased seventy percent in the past year.[3]

How have increased attacks impacted alternative management?

As the frequency and severity of incidents have increased, so has the average size of financial impact, be it direct loss from wire fraud and ransom, or indirect effects on manager operations and the ability of a portfolio company to conduct its business.

Insurance data notes that financial services firms are purchasing insurance limits two times greater than other industries at similar revenue sizes.[4] Cyber threats to PE-sponsored portfolio companies are ubiquitous, with over 80% of Drawbridge’s PE clients reporting a moderate-to-severe cyber incident at one of their portfolio companies.[5]

The impact of an incident is not just financial, either. It impacts corporate reputation and “availability to trade,” regardless of whether that trade is a marketable or private security. Top investors want very much to maintain their image and reputation as investing in quality managers, making the existence of worrisome cyber vulnerabilities amongst their pool of managers difficult to accept.

Certainly, GPs have been well aware of how cyber attacks affect firm operations and financial statements for some time. PE firms have typically conducted operational and technology due diligence on prospective investments. Yet, the number of events has reached a critical level, and the attack vectors used by state-sponsored or other bad actors have widened considerably.

For most limited partners (LPs), the reality has hit that cyber breaches have become a costly problem for the managers to whom they allocate. This threatens returns for both the investor and the manager, placing the issue squarely in the front office.

Addressing the evolving problem of cyber attacks in 2025

It is true that cyber maturity and readiness are core components of the due diligence (DD) performed by investors on prospective managers. In the prior decade, investors leaned more toward a “check the box” exercise. If a manager lacked proper awareness and execution, an investor patiently allowed that manager to improve over time, especially if the manager had an enviable record of above-average performance at their current or prior firm, and if the investor was anxious to allocate. Flash forward to today, and cyber has become a top three issue in manager diligence, with a manager’s specific cyber control state as an investor relations priority.

Recognition of the problem has focused on two fronts: building a comprehensive and independent cyber program to govern and monitor threats, and purchasing cyber insurance to partially or wholly mitigate financial loss. Managers are also taking more ownership of the risks posed by their key software and services vendors. PE firms are doing the same to ensure that their portfolio company investments are resilient to attacks.

With cyber incidents reaching a tipping point in the alternative investment management sector, discussions between GPs and their top investors have become more frequent and intense, and LPs are expressing their intent to improve their understanding of and ability to lower the cyber risk profile of their allocations.[6]

Investors are changing their cybersecurity evaluations of alternative managers in three important ways:

  1. Evaluate risk across the life cycle of an allocation.
    Relying on a pre-investment DD report is no longer sufficient for an investor’s investment committee. They want cybersecurity to be treated more like the traditional factors that affect portfolio risks and returns, which means more frequent inputs with a combination of post-allocation cyber diligence and ongoing manager transparency and communication.
  2. Quantify risks across managers on an apples-to-apples basis.
    Quantifying cyber risks is now critical. Investors have always spoken the language of portfolio analytics in defining and setting return targets, deciding asset allocation strategies, and selecting managers and securities. Chief risk officers and chief investment officers are partnering to create consistent and clear ways of rating or scoring a manager’s cyber defenses, which will directly impact allocation decisions and target return modifications.
  3. Actively reduce cyber risk.
    Greater transparency on how managers are treating fundamental cyber controls is a more common ask. Basic cyber hygiene is now a “tell” on a manager’s overall program approach. In addition, LPs want a window into how high-severity cyber risks are being addressed and remediated as close to real time as possible. At minimum, investors are engaging managers in frequent updates on cyber readiness and asking managers to proactively update them on changes to critical controls, with the explicit goal of lowering the investor’s return risk.

In this new world where criminals favor targeting alternative managers and their investments, LPs have raised the stakes on how they evaluate their allocations.

The first shift is moving from a diligence mindset to one where cyber risks represent a threat to portfolio returns. This will be manifested through changes to ongoing risk management, measurement and risk mitigation. At minimum, LP investment committees will de-risk their portfolios by declining to allocate to managers with poor scores, or those unable to demonstrate clear intent and progress in bolstering worrisome cybersecurity controls.

The upshot of these trends is that investors are no longer willing to be patient and work with managers to build defenses; they view cyber as a risk they are unwilling to own at the portfolio level and will materially mark down performance projections to reflect the expected value loss of sub-par cyber readiness. Investors now view cyber as a portfolio return input that compels them and managers to take steps not only to de-risk current allocations but to filter in those managers that will be with them for the long haul.

[1] IBM X-Force Threat Intelligence Index 2024.

[2] Data from Coveware, as reported by Bloomberg on Dec 6, 2024, “Ransomware Gangs’ Merciless Attacks Bleed Small Companies Dry”.

[3] Coveware and SANS Institute, respectively, as reported by Bloomberg on Dec 6, 2024, “Ransomware Gangs’ Merciless Attacks Bleed Small Companies Dry”.

[4] Brown & Brown, 2024.

[5] Drawbridge, 2024.

[6] Private Funds CFO Insights 2025, December 2024/January 2025 edition.