The Asset You Didn’t Audit: Cyber Due Diligence and the Risk Hiding in the Deal
The Sekhmet Scribe | Team Sekhmet
EVERY PORTFOLIO HAS A NUMBER NOBODY UNDERWROTE
You modeled the EBITDA. You stress-tested the customer concentration. You walked the warehouse and read the management accounts twice.
And somewhere in that target’s environment, a domain admin password from 2019 is still valid, an unpatched server is facing the internet, and nobody in the room priced any of it.
This edition of The Sekhmet Scribe is about cyber due diligence, why the risk you don’t audit becomes the risk you inherit, and why the smartest money in the room is starting to ask harder questions before the wire goes out.
Protect • Empower • Evolve
WHAT’S HOT 🔥
Cyber Risk Is Now a Valuation Input
For years, cyber sat outside the deal model, a technical footnote handled “post-close, eventually.” That era is ending.
A breach discovered after completion does not respect the cap table. Remediation costs, regulatory exposure, lost customers and reputational damage land on the new owner, not the seller who quietly knew.
The average cost of a data breach now sits at roughly $4.4 million globally , and materially higher in regulated sectors. That is no longer a number you absorb as a surprise. It is a number you diligence for.
Increasingly, acquirers are treating a clean, demonstrable security posture the way they treat clean accounts: as a precondition, not a bonus.
WHAT’S HOT 🔥
The Portfolio Is Only as Strong as Its Weakest Company
Private equity creates a particular kind of exposure. A single firm may hold a dozen portfolio companies, sharing investors, board members, reporting lines and sometimes infrastructure.
To an attacker, that is not a collection of separate businesses. It is a map. Compromise one, and the lateral path to the others is often disappointingly short.
The firms that manage this well do not treat each company as an island. They set a portfolio-wide baseline: MFA, endpoint detection, tested backups, Cyber Essentials as a floor not a ceiling, and they measure against it. Consistently.
Resilience does not scale by accident. It scales by standard.
WHAT’S HOT 🔥
Due Diligence Is a Window, Not a Verdict
A cyber assessment at deal stage tells you where a business stands on one specific day. It is invaluable, and it is not the end of the work.
The real value is created in the hold period: closing the gaps the diligence surfaced, building the discipline the seller never had, and turning a liability into a measurable improvement that an exit buyer will pay for.
Security done well during the hold is not a cost center. It is value creation with an audit trail.
WHAT’S NOT ❄️
Treating cyber as a post-close clean-up job. Assuming a target’s “we’ve never had an incident” means they’ve never had one, rather than never noticed one. Diligence that checks for a policy document but never tests whether anyone follows it. Leaving each portfolio company to fend for itself and calling it autonomy.
These are not strategies. They are deferred invoices.
THE SEKHMET STANCE
Cyber due diligence is not about killing deals. It is about pricing them honestly and protecting the value you’re acquiring.
At Sekhmet, we work with private equity firms and their portfolio companies to assess real-world exposure before completion, build a defensible baseline across the portfolio, and turn the hold period into the moment resilience is built rather than the moment it’s discovered missing.
The lioness knows the territory before she claims it. She does not learn the ground after the hunt has started.
Diligence what you’re buying. Strengthen what you hold. Exit on what you can prove.
Protect • Empower • Evolve
Team Sekhmet