According to an ACA Group report, healthcare and manufacturing firms show higher exposure, while penetration testing and third-party risk remain persistent challenges
Half of private equity (PE) portfolio companies face elevated or high cybersecurity risk, according to the ACA Vantage Benchmarking Report released by ACA Group (ACA), the leading governance, risk, and compliance (GRC) advisor in financial services. The report draws on cybersecurity risk assessments from more than 300 portfolio companies across 18 industries and 12 countries, offering one of the most comprehensive looks to date at cyber risk exposure across PE-backed firms.
The findings underscore the scale and complexity of cybersecurity risk within portfolio companies, particularly as smaller firms continue to be targeted as entry points into larger enterprise networks. The report also highlights significant variation in risk by industry and identifies specific control areas where companies consistently struggle to reduce exposure.
The report is based on ACA’s RealRisk methodology, a structured cybersecurity assessment framework that evaluates portfolio companies across seven cybersecurity domains and 46 distinct control areas. Scores are calculated on a scale of 1 (lowest risk) to 100 (highest risk), allowing PE sponsors to benchmark companies across industries and geographies. The analysis covers assessment data collected from summer 2023 through December 2025, enabling trend comparisons between initial and most recent assessments.
Other key findings include:
- Cyber risk varies significantly by industry, with a 15-point gap between the sector with the highest average risk score, Health Services (56), and the lowest, Communications (41). Producer Manufacturing (55) ranked as the second-highest risk sector in 2025, reflecting heightened exposure associated with supply chain complexity and operational technology environments.
- Third-Party Risk Management remains one of the highest-risk control areas (average score: 71), reaching 81 in producer manufacturing and 75 in industrial services, highlighting the ongoing difficulty of managing expanding vendor ecosystems and supply chain exposure.
- Penetration Testing continues to rank among the riskiest areas (average score: 76 overall), with health services and transportation both averaging 82, indicating persistent gaps in external vulnerability identification and remediation.
- Programmatic governance controls correlate with stronger outcomes. Regularly updated policies, executive and board involvement, and tested incident response and business continuity plans are most closely associated with lower overall risk scores.
Beyond technical safeguards, the benchmarking data demonstrates that foundational governance measures, such as regularly updated policies, defined ownership structures, and board-level engagement, are closely associated with lower overall risk scores. Portfolio companies with mature oversight structures are better positioned to manage both current and emerging cyber threats.
“The data shows that cybersecurity risk is not evenly distributed and cannot be evaluated in isolation,” said Greg Slayton, Managing Director and Portfolio Oversight Practice Lead at ACA Aponix. “Industry dynamics, operational complexity, and governance maturity all play a role. What’s particularly notable is that portfolio companies engaged in a sustained, programmatic approach to cybersecurity oversight show materially different outcomes over time. Companies participating in structured monitoring for more than a year are more than twice as likely to fall into low or very low risk categories compared to first-year participants. That longitudinal trend reinforces the importance of consistent measurement and oversight.”
“The report highlights that third-party risk management remains a complex and evolving challenge,” said Christine Tetherly-Lewis, Partner and Global Head of ACA’s Cybersecurity and Technology Risk Solutions. “Organizations are relying on broader vendor ecosystems and newer technologies, which expand the potential attack surface. Addressing these risks requires not only technical controls, but strong governance, due diligence, and ongoing monitoring.”
The results will be discussed during a webcast on Tuesday, March 17, 2026, at 11:00 a.m. ET, and the full 2026 ACA Vantage Benchmarking Report will be released on Wednesday, March 18, 2026. For more information and to register for the webcast, visit https://www.acaglobal.com/events/key-findings-from-the-2025-vantage-benchmarking-data/.
About ACA
ACA is the leading governance, risk, and compliance (GRC) advisor in financial services. For over 20 years, ACA has empowered clients to launch, grow, and protect their businesses. Its global team of 1,400 professionals includes former regulators and industry practitioners. ACA’s innovative approach integrates advisory, managed services, distribution solutions, and analytics with its ComplianceAlpha® technology platform. For more information, visit www.acaglobal.com.
View source version on businesswire.com: https://www.businesswire.com/news/home/20260303412010/en/
Contacts
Media Contacts
ACA Group
Gregory
aca@gregoryagency.com
