A recent report by the Identity Theft Resource Center (ITRC) highlighted something Private Equity firms should sit up and take notice of: two-fifths of small businesses have raised prices after suffering a cyber incident. Not because they wanted to. Because they had to.
For PE Groups overseeing 20–30 portfolio companies, this matters. A cyber incident isn’t just an “IT problem” – it’s a margin problem, a growth problem, and can eventually become an exit problem.
The numbers in the report are sobering: 81% of small businesses suffered a security or data breach in the past year. Of those, 41% blamed AI-powered attacks, while 43% pointed to external threat actors and 42% to malicious insiders. (Yes, the numbers overlap — attackers don’t stick to just one trick.)
AI Isn’t the Future Threat, It’s the Current One
The Identity Theft Resource Center (ITRC) warned that AI is now being used to create:
- Hyper-realistic phishing emails
- Deepfake audio and video for business email compromise (BEC)
- Adaptive malware that changes behaviour on the fly
- Automated reconnaissance that maps out targets faster than any human could
Translated into normal language: attackers are getting faster, cheaper, and harder to spot, especially for PortCos without in-house cyber expertise.
This is exactly where PE-backed businesses are vulnerable. They’re often lean, moving fast, and focused on growth. Security maturity rarely keeps pace with ambition.
The Confidence Gap PE Firms Shouldn’t Ignore
One of the most worrying findings in the report is what it calls a “dangerous disconnect”. Many small business leaders are confident in their cyber resilience, yet haven’t adopted basic security controls.
This false confidence is risky for PE firms. It means boards may be reassured, dashboards may look green, but the underlying reality is far less comfortable. And when a breach happens, the costs show up quickly: downtime, incident response, legal fees, reputational damage, and yes, price increases passed on to customers.
That’s not a great story to explain during an exit.
Where Black Creek Cybersecurity Fits In
This is where Black Creek Cybersecurity takes a different approach.
Having come from the PE world, Black Creek understands the real relationship between PE Groups and their PortCos – the balance between oversight and autonomy, the pressure to perform, and the reality of limited internal capability.
Instead of selling shiny tools and bloated programmes, Black Creek focuses on the essentials across people, process and technology:
- People: Helping PortCo leadership and staff understand risk in plain English. No jargon. No scare tactics. Just clear conversations about what attackers actually do and how to avoid making their job easy.
- Process: Putting sensible, proportionate controls in place that scale across multiple PortCos — without grinding operations to a halt.
- Technology: Making sure the right basics are in place and working properly — and just as importantly, calling out what isn’t needed.
Black Creek acts as an independent “truth teller” for PE firms — helping them see where the real risks sit, where confidence may be misplaced, and what actually needs fixing.
Because in today’s environment, cyber risk isn’t just a technical issue. It’s a value preservation protection issue. And ignoring it won’t make it cheaper — as many small businesses are now finding out the hard way.
If cyber is on your agenda for the new year, let’s schedule an obligation-free conversation about what needs to be in your planning.