Cybersecurity is rapidly climbing the agenda for both public utilities and private equity firms, as two major developments this February underscore the growing risks and financial consequences of cyberattacks across critical infrastructure and the investment landscape. While the Monroe County Water Authority in New York is set to receive nearly $1.1 million in federal funding to bolster its cyber defenses, a new report from Kroll reveals that private equity (PE) firms are facing mounting losses and operational headaches from increasingly sophisticated cyber incidents. Together, these stories highlight a world where digital vulnerabilities threaten not just data, but the very foundations of business and community life.
On February 12, 2026, the Monroe County Water Authority announced it had secured close to $1.1 million in federal funding, thanks to the efforts of Senators Chuck Schumer and Kirsten Gillibrand, along with Representative Joe Morelle. The funding, included in the appropriations bill signed into law in January, is earmarked for a sweeping upgrade of the authority’s cybersecurity infrastructure. According to the authority, the money will be used to secure data storage servers, implement infrastructure security upgrades, install new backup systems, and deploy advanced threat detection software—all with the aim of protecting the region’s drinking water operations from evolving cyber threats.
Senator Schumer emphasized the critical nature of this investment, stating that the funding plays a vital role in “ensuring Rochester-Finger Lakes residents have access to clean drinking water.” Representative Morelle echoed this sentiment, saying, “This is exactly how the federal government is supposed to function, by providing direct support to companies, organizations, and local communities.” Their remarks reflect a growing recognition that cyberattacks on utilities are not a distant possibility—they are a clear and present danger, with potentially devastating consequences for public health and safety.
While public utilities like Monroe County Water Authority are shoring up their defenses, the private sector is grappling with the financial and operational fallout of cyber incidents on a massive scale. On the same day as the water authority’s announcement, Kroll released a report based on a survey of 325 private equity firm executives, revealing that cyber incidents have become a “material transaction risk,” causing significant value destruction throughout the deal lifecycle. The average financial impact per cyber incident? An eye-watering $2.1 million.
Dave Burg, global group head of cyber and data resilience at Kroll, warned that this figure is “just the tip of the iceberg,” pointing to additional costs that emerge in regulatory investigations, delayed deal timelines, and the triggering of continuation vehicles due to post-incident governance gaps. The numbers are sobering: Kroll’s analysis indicates there is a 53% probability that a PE firm will lose more than $500,000 in any given attack, and a 13% chance that losses will exceed $5 million. In total, a staggering 94% of surveyed firms reported some form of financial impact due to cybersecurity risk.
The damage isn’t limited to balance sheets. The report found that just over a quarter of firms saw reduced valuations or exit prices following cyber incidents, while nearly two-thirds faced increased ongoing compliance or cybersecurity training costs. Almost half had to contend with indirect remediation or consultancy bills. And the pain doesn’t stop there: Eight in ten PE firms experienced disruption due to cyberattacks while holding a portfolio company, with about a third of those incidents resulting in outright business disruption or downtime. Additional headaches included unexpected remediation costs for 44% of firms, compliance- or regulatory-related litigation for 29%, and IT system integration challenges for 30%.
Why are these incidents hitting so hard during the so-called “hold period”—the time when PE firms are integrating and transforming portfolio companies? According to Kroll, attackers are getting smarter, often synchronizing their strikes to coincide with these vulnerable phases. Burg noted, “It’s not a coincidence” that nearly 70% of respondents had experienced cyber incidents during the hold period. He pointed to the use of generative AI by attackers to amplify the impact and effectiveness of their actions, making it harder for firms to keep up.
One of the more striking findings from the Kroll report is the widening gap in cyber readiness between the big players and their smaller counterparts. Among firms managing more than $25 billion in assets, 55% governed cybersecurity risk through a formal mandate to portfolio company managers, compared to just 12% of smaller sponsors. Similarly, 81% of large firms said cybersecurity due diligence was standard for transactions, while only 29% of smaller firms did so routinely. When it comes to tools, 58% of large firms used dedicated risk management platforms, versus just 9% among smaller firms. And more than half of the biggest PE managers had a dedicated cyber risk leader, compared to only 15% of smaller shops.
Eric Hasty, managing director of cyber and data resilience at Kroll, stressed that cybersecurity incidents can have significant impacts on PE portfolios of all sizes. He added that the study showed PE firms that implemented a concise set of required cybersecurity controls, used dedicated platforms to monitor risk, conducted standardized due diligence, and established clear accountability were far more effective at protecting value against cyber exposure in a cost-efficient way.
Looking ahead, the pressure is only expected to mount. Kroll’s report found that 96% of PE firms expect the importance of portfolio cybersecurity to increase over the next 12 months. Just over half believe the financial impact of cyberattacks will grow in the coming year, and 54% expect cyber incidents to become more challenging to manage. For insurers, brokers, and cyber risk advisers working with PE-backed companies, these findings point to sustained demand for higher cyber limits, more integrated advisory support, and tighter integration of cyber risk assessment into M&A and portfolio management—especially among the smaller and mid-market sponsors that have yet to build the governance and tooling seen at the largest firms.
The convergence of these stories—federal investment in public utility cybersecurity and the private sector’s struggle to contain cyber risks—paints a picture of a society racing to keep up with digital threats. Whether it’s ensuring clean water for thousands or safeguarding billions in investment value, the stakes could hardly be higher. As attackers grow more sophisticated and the financial consequences mount, both public and private sectors are being forced to rethink what it means to be truly secure in a connected world.