Incident Response for Private Equity
When it happens, you need someone who has done this before

A serious cyber incident may hit your portfolio once in your tenure. Black Creek handles them week in, week out.


That experience is now available to you.

The Reality of Your Role

If you’re the Cyber Lead for a mid-market PE firm, you know the position well. You’re responsible for security posture across the portfolio, but cyber sits alongside a dozen other operational priorities. You’ve built a reasonable program. Your PortCos have the basics in place.

But there is one scenario that keeps you honest: the call that comes at 6am. Ransomware. A business email compromise. A PortCo locked out of its systems the week before a board meeting.

Most Cyber Leads in private equity will likely face a serious incident only a few times in their career. The problem is that incident response is a skill you build through experience, but the time to build it isn’t during the incident itself.

The Stakes

Incidents in PE-backed companies are not rare.

Mid-market businesses are a primary target for ransomware actors. They hold valuable data, often have leaner IT teams, and can face real operational disruption from even a brief shutdown. Private Equity involvement raises the stakes further. The timeline pressures of a hold period mean that a poorly-managed incident can have lasting impact on valuation and exit readiness, and can de-focus efforts on other more strategic efforts.

SOURCE: STATE OF RANSOMWARE REPORT 2026, SOPHOS

why black creek

Incident response built for private equity-
not retrofitted to it

Most incident response firms work across industries. They are competent, but don’t know how your board communicates. They don’t know the dynamics of a management team under PE pressure. They likely haven’t done this inside dozens of portfolio companies across multiple funds.

we know the stakeholders

Board communications, LP disclosure, insurer notification, legal counsel coordination – we’ve navigated all of it, inside PE-backed businesses, under real pressure.

we move immediately

The first 72 hours define the outcome. Our process is designed to keep you in the driving seat but to provide clear ownership and decisive action from the first call – no ramp-up time, no vendor evaluation under pressure.

We share the learning

Every incident produces insights that matter across your portfolio. Root cause countermeasures are assessed and can be deployed wherever relevant across your PortCos. At every step we’re on your side of the table, independently advising with no axe to grind or sales quota to meet.

During live incidents, they take clear ownership of incident response, leading us with confidence and clarity when it matters most.

Mike Newbold, , Thompson Street Capital Partners

Vice President, Portfolio Support Group, Thompson Street Capital Partners

Our Process

What happens when you make the call

A clear, practiced process, so the one variable in any incident is the incident itself, not the response.

Step 1 — initial triage and containment

We establish the scope of the incident quickly and recommend immediate steps to limit further exposure. Clear, calm communication to your team from the first hour.

 Step 2 — stakeholder coordination

We help you manage communications to your board, deal team, legal counsel, and cyber insurer – with the appropriate detail and none of the panic or confusion that can make incidents worse.  

Step 3 — forensics and remediation

We engage and coordinate vetted specialist firms (who typically respond within 30 minutes), or coordinate between teams you already have on contract – forensics providers, legal teams, technical responders. We manage the process so you don’t have to.

Step 4 — root cause and portfolio review

Once the immediate incident is resolved, we conduct a structured post-incident review and assess whether countermeasures should be extended across your broader portfolio.

think of it as insurance

The one service you hope to never need

You carry cyber insurance. You have legal counsel on retainer. You have an operating team for when deals get complex.

Black Creek’s incident response capability is the same principle applied to the moment a PortCo is under active attack. It’s not a vendor relationship you activate after searching. It’s a team that already knows you, your portfolio, your processes, and your stakeholders, ready to move when you need them.

For a cyber lead who may face two or three serious incidents in their tenure, this is the most efficient investment in the program.

What’s included

incident investigation leadership - quarterbacking the process

Immediate triage and scoping when an incident is declared

Forensics firm coordination and management

Stakeholder communication leadership - board, counsel, insurers

Portfolio-wide learning and remediation assessment

Post-incident review and root cause countermeasures

NB. Third Party Services e.g. legal, forensics and possibly media relations are often used in incident response management and are paid for directly by the client with no markup by Black Creek.

Start with a free IR Readiness Review

A 30-minute structured assessment of your current incident response capability. We’ll review what’s in place, where the gaps are, and what you should prioritise. No pitch. No obligation. We share the scorecard with you whether we work together or not.

  • 30 minutes, by video or phone

  • Structured scorecard shared afterward
  • PE-specific framework
  • No sales pitch

Not ready to book? Let’s talk first

If you’re thinking through your portfolio-wide cyber security posture and want a conversation,  not a review, Brad is happy to connect. No agenda, no sales deck.