Key takeaways
  • Cybersecurity remains a critical part of a private funds CFO’s due diligence.
  • Security breaches and transfer fraud continue to pose reputational, personal, and regulatory risks.
  • Artificial intelligence supports both more sophisticated attacks and defenses.
  • Privacy policies represent an emerging area of risk for funds.

Cyber risk—the potential for financial loss, operational disruption or reputational damage resulting from failures in information technology systems or cybersecurity controls—is a critical priority for private funds CFOs in 2026. For private equity and venture capital fund CFOs, cybersecurity due diligence must be an ongoing practice—not a one-time assessment.

Although cyber risk is an evergreen concern, the specifics are always changing. While technology and training can help make firms more resilient, what works today may not do as well in the future.

Imagine this: A bad actor compromises a trusted vendor’s email account and uses an existing email thread about invoices to request updated wire instructions due to a banking change. If the organization simply processes the payment without independent verification, it sends the funds directly to the attacker’s account. By the time the vendor follows up about a missing payment, it could easily be too late to recover the money.

In this dynamic landscape, private equity and venture capital firms investing in portfolio companies need to constantly identify current threats and deploy critical cybersecurity controls. Thorough due diligence that extends to cybersecurity risks should be a priority before your fund management team closes an investment in a new portfolio company. Constant vigilance and ongoing review after you close are critical as well. As you undertake those reviews, remember that cyber risk isn’t confined solely to fraud. Regulatory and legal compliance issues can become a funds CFO’s problem, too, especially when it comes to protecting data privacy.

Here are five questions private funds CFOs should be asking about their cybersecurity practices in 2026.

1. Are our transactions as secure as they should be?

Business email compromise (BEC) attacks remain among the most common and costly threats all CFOs face. According to the Federal Bureau of Investigation, BEC schemes produced nearly $2.8 billion[1] in losses during 2024. Misdirecting a transaction can be very lucrative for a criminal—and devastating for an organization that finds itself with little recourse to recover the money. And that’s before considering the host of reputational, legal and regulatory problems that can follow.

Maintain strict email security controls to stay ahead of phishing attempts and other common vectors for social engineering attacks. To strengthen protection against funds transfer fraud, consider:

  • Requiring layered verification for all financial requests.
  • Validating all banking/payment changes using a known, previously confirmed phone number.
  • Maintaining strict email security to prevent phishing and social engineering attacks.
  • Implementing strong vendor-management processes.
  • Encouraging a “pause and validate” culture that encourages team members to slow down and ask questions, especially if they feel rushed or manipulated.
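As an added example (not from the article), the controls above expressed as one gate that a payment-instruction change must pass before accounts payable acts on it. The vendor master file, the requests, the approver names and the callback result are all constructed; `review_bank_change` is a hypothetical helper, not a product feature.

```python
# Added example, not from the original article: a gate that applies the
# controls above to a request to change a vendor's payment instructions.
# The vendor master file, the requests and the callback result are constructed.

VENDORS = {  # phone number confirmed out-of-band when the vendor was onboarded
    "Acme Supplies": {"phone": "+1-555-0100", "account": "ACCT-111"},
}


def review_bank_change(request, vendors, callback_confirms, approvers):
    """Decide whether a change of payment instructions may be processed.

    request           dict: vendor, new_account, contact_phone (whatever the
                      email claims; never used for verification), requester
    callback_confirms callable(phone) -> bool, True only when a person phoned
                      the number ON FILE and the vendor confirmed the change
    approvers         names of staff who independently approved the request
    Returns {"approved": bool, "blockers": [...], "warnings": [...]}.
    """
    blockers, warnings = [], []
    vendor = vendors.get(request["vendor"])
    if vendor is None:
        return {"approved": False, "warnings": [],
                "blockers": ["vendor not in master file; onboard it via vendor management first"]}
    # Red flag typical of the invoice-thread scenario: the email supplies its
    # own "new" contact number. It is recorded for the reviewer, never dialled.
    if request["contact_phone"] != vendor["phone"]:
        warnings.append("email quotes a phone number that differs from the one on file")
    # Control 1: validate the change by calling the previously confirmed number.
    if not callback_confirms(vendor["phone"]):
        blockers.append("callback to the number on file did not confirm the change")
    # Control 2: layered verification, two approvers other than the requester.
    if len(set(approvers) - {request["requester"]}) < 2:
        blockers.append("requires two approvers other than the requester")
    # Control 3: a "change" to the account already on file needs no processing.
    if request["new_account"] == vendor["account"]:
        blockers.append("requested account is already the one on file")
    return {"approved": not blockers, "blockers": blockers, "warnings": warnings}


def scenario_from_article():
    """The invoice-thread attack: new account plus an attacker-controlled phone."""
    fraudulent = {"vendor": "Acme Supplies", "new_account": "ACCT-999",
                  "contact_phone": "+1-555-0199", "requester": "ap.clerk"}
    # Dialling the number on file reaches the real vendor, who denies any change.
    return review_bank_change(fraudulent, VENDORS, lambda phone: False,
                              ["ap.clerk", "controller"])
```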

2. How is AI changing the face of cybersecurity risk?

AI tools are making it easier than ever[2] for criminals to launch sophisticated attacks, from deepfakes of executives’ voices[3] over the phone to dynamically generated malware scripts[4], with relatively little effort. In other words, evergreen threat types are becoming more sophisticated and more frequent. Because these tools tend to automate common patterns of activity used to perpetrate fraud, however, AI tools are also well suited to monitoring for and guarding against these attacks.

Managed detection and response (MDR) solutions that combine 24/7 monitoring with AI-driven analytics can often detect and contain threats designed to bypass traditional controls. Bear in mind that while AI scanning for malicious patterns of activity can give you a pulse of what may be lurking within the network, it’s not foolproof. A good internal network scan and solid internal controls remain critical.

3. Are third parties obscuring your view of critical risk?

Your portfolio companies aren’t the only potential source of cyber risk. Your vendors’ cybersecurity lapses could ultimately be your problem, too. When you outsource functions to cloud providers and other vendors, you don’t necessarily outsource your liability. In fact, 35.5% of breaches[5] in 2024 were attributable to third-party vendors.

Understanding what tools your vendors have in place is another important layer of protection. Find out what their security controls checklist looks like and make sure it’s appropriate. And just as your own controls checklist gets stale over time, so do your vendors’. For private equity cybersecurity programs, third-party risk management should be a core component of ongoing oversight. Submit your vendors to periodic reviews at least as often as you review your own controls.

4. Are your tracking technologies creating hidden compliance risks?

Criminals don’t have to steal sensitive information to create a major problem for your firm. Even the default cookies your portfolio companies use to enhance user experiences on websites could expose user information that violates your privacy policy. What’s worse, those cookies act as a permanent record that you’re in violation.

With open-source tools making it easy for law firms to scan for these sorts of violations, you could wind up in trouble you didn’t even know existed. And that trouble could be substantial: the average claim for wrongful collection of data has reached $1.5 million[6]. It’s worth coordinating across legal, IT, marketing and compliance teams to identify places your organizations use tracking technologies and ensure they align with your stated policies.
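As an added example (not from the article), a small audit that compares the cookies actually observed on a portfolio company’s site with what its published privacy policy discloses, the kind of check the cross-team review above would run. The policy, the site domain and the cookie inventory are constructed, and `audit_cookies` is a hypothetical helper.

```python
# Added example, not from the original article: reconcile observed tracking
# cookies against the commitments in a published privacy policy.
# The policy summary and the scan results below are constructed sample data.

POLICY = {  # what the privacy policy actually promises (constructed)
    "disclosed_categories": {"essential", "analytics"},
    "disclosed_third_parties": {"analytics.example"},
    "consent_required_for": {"analytics", "advertising"},
}

OBSERVED = [  # constructed results of loading the home page with no consent given
    {"name": "session_id", "domain": "portco.example", "category": "essential", "before_consent": True},
    {"name": "_ga_x", "domain": "analytics.example", "category": "analytics", "before_consent": True},
    {"name": "ad_uid", "domain": "ads.example", "category": "advertising", "before_consent": True},
]


def audit_cookies(observed, policy, site_domain):
    """Return (cookie name, finding) pairs where practice diverges from policy."""
    findings = []
    for c in observed:
        first_party = c["domain"] == site_domain or c["domain"].endswith("." + site_domain)
        # Finding 1: a category the policy never mentions.
        if c["category"] not in policy["disclosed_categories"]:
            findings.append((c["name"], f"category '{c['category']}' not disclosed in policy"))
        # Finding 2: data flowing to a third party the policy does not name.
        if not first_party and c["domain"] not in policy["disclosed_third_parties"]:
            findings.append((c["name"], f"third-party domain {c['domain']} not listed in policy"))
        # Finding 3: set before consent although the policy says consent comes first.
        if c["category"] in policy["consent_required_for"] and c["before_consent"]:
            findings.append((c["name"], "set before consent although policy requires consent"))
    return findings


def affected_cookies(observed, policy, site_domain):
    """Cookie names with at least one finding, for the legal/IT/marketing review."""
    return sorted({name for name, _ in audit_cookies(observed, policy, site_domain)})
```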

5. How do I balance cost and protection?

You don’t have unlimited resources to identify and deal with cybersecurity and privacy issues. Controls need to be as effective as possible, but they also need to be as cost effective as possible. Understanding what your risks look like given your universe of vendors, portfolio companies and technologies is the first step toward matching your resources with your needs. You can then look at the areas most likely to produce high-risk scenarios—such as transactions—and focus your resources on your areas of critical need first.

Keep up to date

Assembling an appropriate set of controls isn’t the end of the job, either. You still need to test your resilience, shore up any additional areas of weakness that you find and review both your needs and your controls periodically to keep them up to date.

Conducting in-depth reviews of areas of need throughout the year can also help uncover and address potential issues. By consistently revisiting these cyber risk questions, funds CFOs can strengthen their cybersecurity due diligence and stay ahead of evolving threats. This article is the first in a series on cyber risks. In our next articles, we’ll go into greater depth on these key trends, as well as efforts you can take to stay in front of them.

FAQs

1. What are the most common cybersecurity threats facing private equity firms?

Business email compromise remains one of the most prevalent cybersecurity threats private equity firms face, opening the door to hijacked transactions, data breaches and ransomware attacks, among others. Issues with third-party vendors can also slide under the radar.

2. How can CFOs protect against business email compromise attacks?

Maintain strict email security controls to stay ahead of phishing attempts and other common vectors for social engineering attacks. 

3. What should CFOs look for in vendor cybersecurity assessments?

Find out what your vendors’ security controls checklist looks like and subject those controls to reviews alongside your own to make sure they’re appropriate. 

4. How is artificial intelligence changing cybersecurity for private funds?

AI tools are making it easier for criminals to launch more frequent and more sophisticated attacks. But the technology also is making it easier for private funds to recognize and respond to patterns of suspicious activity.

5. What data privacy risks should private equity CFOs monitor in 2026?

CFOs should coordinate across legal, IT, marketing and compliance teams to identify places their organizations use tracking technologies and ensure they align with stated policies.