From Visibility to Insight

Black Creek Cyber’s PortCo ShieldTM was designed to give private equity firms a clear, practical view of cybersecurity across their portfolio. Built around BCC’s Top 7 Cyber Poverty Line, it focuses on what actually needs to be done, and tracks it over time.

But beyond visibility, the platform is now surfacing something just as valuable: real-world incident data. While not yet statistically significant, the patterns emerging across portfolios are already directionally clear and highly relevant for deal teams, operating partners, and PortCo leadership.

What the Data Is Telling Us

One trend stands out immediately: human error dominates root causes, by a mile. Around 75% of incidents trace back to people, whether through misjudgment, process gaps, or simple mistakes. System-related issues account for roughly 15%, with third-party provider (3PP) issues making up the remaining 10%.

Root Causes skew heavily toward human error, highlighting where most risk actually sits.

 

Looking at how incidents originate, Business Email Compromise (BEC) is overwhelmingly the leading threat vector, responsible for approximately three quarters of all cases.

Threat Vectors: BEC dominates as the primary entry point across portfolios.

 

On the surface, this aligns with industry expectations, but seeing it consistently across portfolios, in a structured way, reinforces just how concentrated the risk really is.

What This Means in Practice

Despite the volume of incidents, most are not catastrophic. In fact, around 90% result in no or only minor impact, particularly when a company is operating above the Cyber Poverty Line.

Impact Types: The majority of incidents have limited impact — but still consume time and attention.
(None, 1-Low, 2-Moderate, 3-High)

 

That doesn’t mean they’re harmless. BECs, in particular, are a persistent and unnecessary distraction. They pull CEOs and leadership teams away from growth initiatives and into reactive problem-solving, often for issues that could have been prevented with relatively simple controls.

When third-party issues do arise, they tend to be more complex and harder to control. And importantly, incidents are rarely the result of a single failure. More often, they are multi-causal; small gaps compounding each other. Weak configurations or incomplete MFA setups, for example, often sit quietly in the background, amplifying risk until something triggers an incident.

The Circle of Learning: Turning Incidents into Progress

What sets BCC’s approach apart is what happens next. Every incident feeds into what we call the “Circle of Learning.”

Rather than treating incidents as isolated events, they are logged, reviewed, and shared (where appropriate and with all due confidentiality) across the portfolio. The goal isn’t just resolution, it’s improvement. Lessons learned, firsthand from within the group, inform process changes, strengthen controls, and raise the baseline across all PortCos. This is a priceless outcome that some of the bigger incident response firms cannot deliver. 

Most importantly, having first-hand insight into real incident threat vectors, root causes, and impacts (within specific entities where size and inherent business risk are well understood) makes it significantly easier to persuade other, similar portfolio companies of the need to strengthen their people, processes, and technology.

Over time, this fosters a culture of shared, continuous improvement, where every incident, no matter how small, contributes to building a stronger and more resilient portfolio.

Three Practical Takeaways for Private Equity

  1. Focus on human risk and cultural change first.
    The data is clear: most issues originate with people. Training, clear processes, well implemented controls and simple safeguards will outperform overly complex technical solutions every time. By sharing compromises from within and across the portfolio, help build a culture of continuous improvement.
  2. Treat BEC as a business risk, not just an IT issue.
    Reducing exposure here isn’t just about security and brand reputation, it’s about protecting leadership time and maintaining focus on growth.
  3. Standardize and track the basics across the portfolio.
    Consistency beats complexity. A clear baseline, measured over time, drives far better outcomes than fragmented, company-by-company efforts.

Clarity Over Complexity

PortCo ShieldTM doesn’t just provide visibility, it provides clarity and actionable insights. It shows what’s actually happening across portfolios, where risks are concentrated, and how companies are progressing over time.

For BCC clients, that translates into fewer surprises, better decisions, and a cybersecurity strategy grounded in reality, not theory.

If you’re looking to bring structure, accountability, and practical insight to cybersecurity across your portfolio, it’s worth a closer look. 

If you’ve had an incident and need a confidential, no-obligation review, get in touch and we’ll be happy to help.