The Top 10 Things PortCos Should Be Doing Now
In most portfolios, the issue isn’t cyber awareness. It’s a shared baseline for what “defensible” actually looks like at the portfolio company level.
PE has built operating discipline around every other function in the portfolio — procurement playbooks, FP&A close calendars, talent scorecards, value creation plans. Each began as a few firms doing the work better than everyone else, then became the standard the industry runs. Cybersecurity is the function that hasn’t yet been institutionalized in the same way.
Most portfolios still treat security as a PortCo IT problem to be handed off to whoever has bandwidth, with whatever tools the budget allowed, against whatever the threat landscape happened to look like that quarter. The result is the same posture problem repeating across 15 PortCos with 15 different answers, none of them defensible to an insurer, an LP, or a buyer.
The conditions that made that approach tolerable have changed. The SEC now actively enforces a four-business-day incident disclosure rule. Reg S-P amendments mandating written incident response programs land for smaller registered advisers in June 2026. Two years ago, cybersecurity was a due diligence checkbox. Today it is a standing agenda item in portfolio reviews, a pricing factor in exits, and a condition that determines whether insurance coverage holds when it matters most.
The following ten controls are the operating baseline, drawn from Abacus’ work across 800+ financial services clients, the majority of which are alternative investment managers and their portfolio companies.
The 1-5 / 6-10 Split
The first five controls are 90-day non-negotiables — what we call the Minimum Viable Security (MVS) baseline. They represent the minimum required to satisfy most cyber insurance underwriters, survive buy-side diligence, and materially reduce the likelihood of a disruptive incident. The remaining five build the durable program: the discipline that turns point-in-time controls into a sustainable program, and turns security posture into a measurable value-creation asset.
1. MFA Everywhere. Enforce multi-factor authentication on all users, administrators, VPN, and critical SaaS applications. Tune conditional access policies for high-risk sign-ins.
2. EDR on 100% of Endpoints. Deploy endpoint detection and response (EDR) on every endpoint and server, connected to managed detection and response (MDR) for 24/7 monitoring. Enable disk encryption on all workstations.
3. Harden Email and Domains. Implement advanced phishing and impersonation protection covering owned, vendor, board, and management company domains.
4. Publish and Enforce the Governance Pack. Finalize and distribute the written information security program (WISP), incident response plan (IRP), Incident Report Form, Breach Notification Template, business continuity and disaster recovery (BCDR) plan, and acceptable use policy (AUP) with signatures and training attestations.
5. Activate an IR Retainer. Secure an incident response retainer, ideally written into the cyber insurance policy, and run an annual tabletop test with realistic scenarios. Coalition’s 2026 data shows 86% of businesses now refuse ransomware payment, up sharply from prior years.
6. Right-Sized Third-Party Risk Management (TPRM). Tier critical vendors, require minimum controls from high-risk suppliers, verify offboarding and key escrow, and monitor concentration risk.
7. Backups and Recovery That Actually Work. Maintain immutable or offline backups for critical systems. Run quarterly restore tests. Align BCDR to business impact.
8. Living Risk Register and Quarterly Risk Committee. Track risks with owners, due dates, residual risk scores, and compensating controls. Report to the board quarterly.
9. Align Early With Cyber Insurance. Map controls to insurer requirements. Maintain evidence continuously. Use renewal cycles to drive uplift.
10. Measure What Matters. Track leading indicators: MFA and EDR coverage, time-to-patch, privileged access hygiene, phishing fail rate, and restore success rate. Roll them into a board-ready scorecard with business impact context.
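As an added illustration of control 10 (not code from the playbook or from Abacus), the script below turns the leading indicators named above into a per-PortCo scorecard and a portfolio roll-up. The portfolio data is constructed, and the thresholds are assumptions chosen for the example, not insurer or Abacus figures. One deliberate design choice: a company with no evidence for a metric (no restore test run, no patch data) fails that metric, because an indicator that cannot be evidenced is not defensible to an underwriter or a buyer.

```python
"""Portfolio cyber scorecard (example code, not the playbook's own tooling).

Computes the leading indicators from control 10 for each portfolio company,
flags any indicator outside an assumed threshold, and rolls the results up
to a portfolio view. All data below is constructed for the example.
"""
from dataclasses import dataclass, field
from statistics import median


@dataclass
class PortCoEvidence:
    """Evidence a PortCo would supply each quarter (constructed fields)."""
    name: str
    users_total: int
    users_mfa: int                 # users with MFA enforced
    endpoints_total: int
    endpoints_edr: int             # endpoints/servers reporting to EDR
    patch_days: list = field(default_factory=list)  # days to deploy each critical patch
    admin_accounts: int = 0
    admin_accounts_managed: int = 0  # admins under PAM / no standing privilege
    phish_sent: int = 0
    phish_clicked: int = 0
    restores_attempted: int = 0
    restores_succeeded: int = 0


# Assumed thresholds: ("min", x) means the metric must be >= x,
# ("max", x) means it must be <= x. These are example values only.
THRESHOLDS = {
    "mfa_coverage": ("min", 1.0),
    "edr_coverage": ("min", 1.0),
    "median_patch_days": ("max", 14),
    "privileged_hygiene": ("min", 0.9),
    "phish_fail_rate": ("max", 0.05),
    "restore_success": ("min", 1.0),
}


def ratio(num, den):
    """Coverage ratio; a zero denominator means no evidence, scored as 0."""
    return num / den if den else 0.0


def compute_metrics(pc):
    """The six leading indicators for one PortCo."""
    return {
        "mfa_coverage": ratio(pc.users_mfa, pc.users_total),
        "edr_coverage": ratio(pc.endpoints_edr, pc.endpoints_total),
        # No patch data at all is treated as infinitely slow (fails "max").
        "median_patch_days": median(pc.patch_days) if pc.patch_days else float("inf"),
        "privileged_hygiene": ratio(pc.admin_accounts_managed, pc.admin_accounts),
        # Phishing: clicks over sends; no campaign run scores 0 clicks but is
        # still visible to the board as a 0/0 in the evidence record.
        "phish_fail_rate": ratio(pc.phish_clicked, pc.phish_sent),
        "restore_success": ratio(pc.restores_succeeded, pc.restores_attempted),
    }


def failing_metrics(metrics):
    """Names of the indicators outside their threshold, in THRESHOLDS order."""
    failing = []
    for name, (kind, limit) in THRESHOLDS.items():
        value = metrics[name]
        if (kind == "min" and value < limit) or (kind == "max" and value > limit):
            failing.append(name)
    return failing


def scorecard(portfolio):
    """One row per PortCo: metrics plus the list of failing indicators."""
    rows = []
    for pc in portfolio:
        m = compute_metrics(pc)
        rows.append({"name": pc.name, "metrics": m, "failing": failing_metrics(m)})
    return rows


def portfolio_summary(rows):
    """Board-level roll-up: how many PortCos clear the baseline, and which
    indicators are the most common gaps across the portfolio."""
    gaps = {name: 0 for name in THRESHOLDS}
    for row in rows:
        for name in row["failing"]:
            gaps[name] += 1
    return {
        "portcos": len(rows),
        "baseline_met": sum(1 for r in rows if not r["failing"]),
        "gaps_by_metric": gaps,
    }


# Constructed sample portfolio: one company that clears the baseline and one
# that has the classic gaps (partial MFA/EDR, slow patching, standing admin
# access, high phish click rate, a failed restore test).
SAMPLE_PORTFOLIO = [
    PortCoEvidence("Alpha Holdings", 200, 200, 150, 150, [3, 5, 9, 12], 10, 10, 200, 6, 4, 4),
    PortCoEvidence("Beta Services", 120, 108, 80, 72, [10, 21, 30], 8, 4, 100, 9, 2, 1),
]

if __name__ == "__main__":
    rows = scorecard(SAMPLE_PORTFOLIO)
    for row in rows:
        status = "OK" if not row["failing"] else "GAPS: " + ", ".join(row["failing"])
        print(f"{row['name']:<16} {status}")
    print(portfolio_summary(rows))
```

In practice the `PortCoEvidence` records would be populated from the identity provider, the EDR console, the patch tool and the backup system rather than typed in, and the thresholds would be set to match the insurer's renewal questionnaire so that the scorecard doubles as the continuously maintained evidence control 9 asks for.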
The Operating Discipline Behind the List
Together, these ten controls form the operating baseline, the floor every portfolio company is now expected to clear, to insurers, buyers, and boards alike. The first five close the most acute gaps in 90 days. The next five build the durable program that holds up through the full hold period.
The firms that institutionalize them, through standardization, shared tooling, and the portfolio operating model that scales across PortCos, turn cyber from a recurring fire drill into a measurable value-creation discipline. The firms that don’t continue to absorb the variance: a higher likelihood of incident, longer recovery cycles, harder renewals, and the occasional strategic surprise during diligence that no one wants in an IC memo.
This list is the starting point. Download the full resource, built to be read in a sitting and forwarded to PortCo leadership.
For a deeper dive, check out the Portfolio Company Cyber Playbook, which includes the operating model, two portfolio case studies, and the framework behind the ten controls above.
