
The 100-day cybersecurity plan for a newly acquired portfolio company

A practical 100-day cybersecurity playbook for PE operating partners and portfolio-company CFOs, covering the assess, stabilize and execute phases of post-close.

Atticus Rowan

The 100-day plan is a PE tradition for a reason. The operating partner has a fresh mandate, the portfolio company has a cleared runway and the LBO capital structure makes every month of post-close delay expensive. The cybersecurity workstream inside that 100-day plan used to be a line item. In 2026 it is a top-five priority for most sponsors, because cyber insurance is tighter, questionnaire pressure from enterprise customers is higher and a post-close incident inside a levered portfolio company is uniquely painful.

What follows is the practical playbook we use when we are brought in at close. It assumes a mid-market portfolio company of 50 to 500 employees, a seller that ran IT informally, and a sponsor that needs a defensible cybersecurity posture in under 4 months.

Days 1 to 30, assess

The first 30 days are about establishing ground truth. Sellers frequently describe IT and cybersecurity in aspirational language, and the first week of ownership is when the real picture appears.

Priorities:

  • Asset inventory. What endpoints, servers, network devices and cloud tenants actually exist, and which are unmanaged. Shadow IT shows up fast.
  • Identity inventory. Every user account, every service account, every shared credential, every vendor with access. Dormant accounts, typically former employees, expired contractors and vendors whose engagement ended, are usually the single largest pool of unmanaged risk, because each one is a working credential nobody is watching.
  • Backup posture review. What is being backed up, where, how often, whether it is immutable and when the last successful restore was tested. “Tested” means a restore was executed and the restored data was verified, not that a backup job reported success.
  • Cyber insurance review. Current policy, last renewal application, any open claims, the carrier’s list of required controls and whether those controls are actually in place.
  • Incident history review. Any incidents in the last 3 years, their scope, remediation status and whether any unresolved indicators of compromise remain in the environment.
  • Regulatory posture. Any industry-specific regimes that apply. HIPAA, PCI, NIST 800-171, SEC examination expectations, state privacy law.
  • Vendor footprint. SaaS and infrastructure vendors with material access to company or customer data.
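The identity inventory is the one item on this list that produces a list of findings rather than a narrative, and it is worth scripting so it can be re-run at day 60 and day 100. The block below is an added example, not code from the original post. It assumes the MSP has already exported directory accounts (Active Directory or Entra ID) into rows with the fields shown; the sample rows, the 90-day dormancy threshold and the severity rules are assumptions to be tuned to the deal.

```python
"""Triage a directory export into a prioritized identity-risk list.

Added example. The Account fields, the sample rows and the 90-day threshold
are assumptions; in practice the rows come from an AD or Entra ID export.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DORMANT_DAYS = 90                      # assumption: tune to the carrier's expectations
AS_OF = datetime(2026, 3, 1)           # date the export was pulled (constructed)


@dataclass
class Account:
    name: str
    enabled: bool
    last_logon: Optional[datetime]     # None = never logged on
    password_never_expires: bool
    privileged: bool                   # member of any admin role or group
    kind: str                          # "user", "service", "shared" or "vendor"


# Constructed sample export; not real accounts.
SAMPLE = [
    Account("cfo", True, datetime(2026, 2, 27), False, False, "user"),
    Account("svc-backup", True, datetime(2026, 2, 28), True, True, "service"),
    Account("jsmith-old", True, datetime(2025, 6, 1), False, False, "user"),
    Account("vendor-erp", True, datetime(2025, 9, 15), False, False, "vendor"),
    Account("adm-contractor", True, None, False, True, "user"),
    Account("reception", True, datetime(2026, 2, 20), False, False, "shared"),
    Account("tmp-intern", False, datetime(2025, 1, 10), False, False, "user"),
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def triage(accounts, as_of=AS_OF, dormant_days=DORMANT_DAYS):
    """Return (account, finding, severity) tuples, highest severity first."""
    cutoff = as_of - timedelta(days=dormant_days)
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts are a hygiene item, not an exposure
        if a.last_logon is None:
            # An enabled account that has never been used is either forgotten
            # provisioning or a backdoor; privileged ones are urgent.
            findings.append((a.name, "enabled but never logged on",
                             "high" if a.privileged else "medium"))
        elif a.last_logon < cutoff:
            # Dormant vendor/shared/privileged accounts are the ones that get
            # reused without anyone noticing.
            sev = "high" if (a.privileged or a.kind in ("vendor", "shared")) else "medium"
            findings.append((a.name, f"dormant for more than {dormant_days} days", sev))
        if a.kind == "service" and a.privileged and a.password_never_expires:
            findings.append((a.name, "privileged service account with non-expiring password", "high"))
        if a.kind == "shared":
            findings.append((a.name, "shared credential, no individual accountability", "medium"))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[2]], f[0]))
    return findings


def count_by_severity(findings):
    """Roll-up for the CFO-facing gap inventory."""
    counts = {}
    for _, _, sev in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for name, issue, sev in triage(SAMPLE):
        print(f"{sev:6}  {name:15}  {issue}")
    print(count_by_severity(triage(SAMPLE)))
```

The output feeds the day-30 gap inventory directly: each row is an account, a reason and a severity the CFO can read without knowing what a service principal is. Re-running the same script at day 60 is the evidence behind the "dormant accounts removed" line in the attestation.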

Day-30 deliverable: a prioritized gap inventory with severity, business impact and remediation estimate. The deliverable should be legible to the CFO and to the sponsor’s operating partner, not just to IT.

Days 31 to 60, stabilize

The second 30 days are about eliminating the highest-severity gaps and building the operating discipline that the rest of the plan requires.

The non-negotiables in this window:

  • Phishing-resistant MFA on privileged and executive accounts. Not SMS. FIDO2 security keys or passkeys are phishing-resistant. An authenticator app with number matching is a reasonable interim step for the broader workforce, but it is not phishing-resistant: an adversary-in-the-middle phishing page still relays the prompt and captures the session. Full workforce rollout follows later; the executive and admin population happens now.
  • Endpoint detection and response on 100% of endpoints, with any unmanaged devices found in the day-30 inventory either enrolled or taken off the network. Replace or augment any legacy antivirus that cannot meet this bar. Modern EDR with a managed response layer closes the single largest gap in most mid-market environments.
  • Immutable offsite backup with a tested restore. This is often the biggest single lift of the 100 days, and it is non-negotiable. A ransomware event without a tested immutable backup is the scenario that ends careers.
  • Admin-rights cleanup. Remove local admin from standard user accounts. Move privileged actions to scoped, logged admin accounts with just-in-time elevation where feasible.
  • Executive account hardening. Conditional access policies, session length restrictions, disablement of legacy authentication (basic-auth IMAP, POP and SMTP, which bypass MFA entirely), and an audit of mailbox-level forwarding and inbox rules, the two places a compromised executive mailbox is usually persisted.
  • Cyber insurance control attestation. Any controls the carrier assumed exist per the renewal application either exist or are being brought into compliance on a dated plan shared with the carrier.
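The mailbox forwarding audit in the executive-hardening item is worth showing concretely, because the two places an attacker persists in a compromised mailbox (mailbox-level forwarding and inbox rules that forward, redirect or hide mail) are easy to miss if you only look at one of them. The block below is an added example, not code from the original post. It assumes the mailbox and inbox-rule data has already been exported from the mail platform into the dictionaries shown; the field names, the company domain list, the hide-folder list and the sample records are all assumptions.

```python
"""Audit exported mailbox settings and inbox rules for persistence.

Added example. Field names mirror what an Exchange Online export typically
carries (forwarding SMTP address with an "smtp:" prefix, rule actions), but
the records, the company domains and the keyword list are constructed
assumptions for this illustration.
"""

COMPANY_DOMAINS = {"example.com"}                      # assumption
HIDE_FOLDERS = {"RSS Feeds", "Deleted Items", "Junk Email", "Archive"}
SENSITIVE_WORDS = ("invoice", "payment", "wire", "password", "mfa", "verification")

# Constructed sample export; not real mailboxes or rules.
MAILBOXES = [
    {"upn": "ceo@example.com", "forwarding_smtp_address": None, "deliver_and_forward": False},
    {"upn": "cfo@example.com", "forwarding_smtp_address": "smtp:cfo.personal@outlook.com",
     "deliver_and_forward": True},
]
RULES = [
    {"mailbox": "ceo@example.com", "name": "Out of office archive", "enabled": True,
     "move_to_folder": "Archive", "subject_contains": ["OOO"]},
    {"mailbox": "ceo@example.com", "name": ".", "enabled": True,
     "redirect_to": ["ceo.backup@gmail.com"]},
    {"mailbox": "cfo@example.com", "name": "Invoices", "enabled": True,
     "move_to_folder": "RSS Feeds", "subject_contains": ["invoice", "wire"]},
    {"mailbox": "controller@example.com", "name": "Travel", "enabled": True,
     "forward_to": ["assistant@example.com"]},
]


def normalize(addr):
    """Strip the 'smtp:' prefix Exchange puts on forwarding addresses."""
    addr = addr.strip().lower()
    return addr[5:] if addr.startswith("smtp:") else addr


def is_external(addr, company_domains=COMPANY_DOMAINS):
    return normalize(addr).rsplit("@", 1)[-1] not in company_domains


def audit(mailboxes, rules, company_domains=COMPANY_DOMAINS):
    """Return (mailbox, finding, detail, severity) tuples."""
    findings = []
    for mb in mailboxes:
        fwd = mb.get("forwarding_smtp_address")
        if fwd and is_external(fwd, company_domains):
            # deliver_and_forward=True keeps a copy locally, so the owner
            # never notices mail is leaving; flag it either way.
            findings.append((mb["upn"], "mailbox-level forwarding to external address",
                             normalize(fwd), "high"))
    for r in rules:
        if not r.get("enabled", True):
            continue
        targets = (r.get("forward_to", []) + r.get("redirect_to", [])
                   + r.get("forward_as_attachment_to", []))
        external = [normalize(t) for t in targets if is_external(t, company_domains)]
        if external:
            findings.append((r["mailbox"], f"inbox rule '{r['name']}' forwards externally",
                             ", ".join(external), "high"))
        hides = r.get("delete_message") or r.get("move_to_folder") in HIDE_FOLDERS
        words = [w for w in r.get("subject_contains", []) if w.lower() in SENSITIVE_WORDS]
        if hides and words:
            # Classic BEC pattern: hide replies about invoices/wires so the
            # real owner never sees the conversation the attacker is running.
            findings.append((r["mailbox"], f"inbox rule '{r['name']}' hides sensitive mail",
                             ", ".join(words), "high"))
        if len(r["name"].strip()) <= 2:
            # Attackers name rules ".", ",", or a single space to hide them in the UI.
            findings.append((r["mailbox"], "inbox rule with trivial name", repr(r["name"]), "medium"))
    return findings


if __name__ == "__main__":
    for upn, issue, detail, sev in audit(MAILBOXES, RULES):
        print(f"{sev:6}  {upn:24}  {issue}  [{detail}]")
```

The point of running both checks together is that each closes a gap in the other: a forwarding address set on the mailbox does not show up in the inbox-rule list, and a hide-and-forward rule does not show up in the mailbox's forwarding properties. Every high finding here is a question for the incident-history review, not just a setting to reset.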

Day-60 deliverable: a signed attestation that the critical controls are in place, with evidence, and a clean or acknowledged list of open items with dated owners.

Days 61 to 100, execute

The final 40 days convert the stabilized environment into a documented, defensible program that the sponsor and the cyber insurance carrier can both point to.

Workstreams:

  • Framework alignment. Usually NIST Cybersecurity Framework 2.0 for the general case. SOC 2 readiness if the portfolio company sells into enterprise customers. NIST 800-171 if there is federal-contract flow-down. The point is not certification in 100 days. The point is documented alignment with a framework the sponsor can reference in the LP letter.
  • Policy baseline. A written information security policy, acceptable use policy, access control policy, incident response plan, vendor management policy and business continuity plan. Six documents, each kept short enough that the named owners will actually read them.
  • Tabletop exercise. A 90-minute ransomware tabletop with the executive team, IT, the MSP and ideally the cyber insurance broker. The artifacts produced (decision log, call tree, regulatory notification list) become operating assets.
  • Vendor risk baseline. A documented inventory of vendors with access to company data, a tier classification (critical, material, incidental) and a due-diligence record for the top tier.
  • Quarterly reporting cadence. A sponsor-facing cybersecurity dashboard that reports on a consistent set of metrics. Coverage rates, incident count, open findings, remediation status.

Day-100 deliverable: a board-ready cybersecurity program document, the framework alignment summary, the tabletop output and the first quarterly dashboard.

What a sponsor should expect in cost terms

Budget varies with scope. For a 150-person lower-middle-market portfolio company with average pre-close IT hygiene, the 100-day budget typically falls in the $75,000 to $200,000 range, inclusive of MSP engagement fees, licensing for any tooling newly required and the labor to execute remediation. Companies with material pre-close gaps or federal contract obligations run higher.

That spend is usually cheaper than the insurance premium increase, the diligence friction at exit or the enterprise deal cycle cost of being unprepared.

Where we fit

We support a lower-middle-market PE portfolio company that we carved out from its publicly traded industrial-services parent, building the standalone IT and cybersecurity environment, operating as the post-close MSP and producing the reporting cadence sponsors expect. That engagement directly shaped the playbook above.

For sponsors entering a new platform investment or executing an add-on acquisition, the 100-day cybersecurity workstream is usually the fastest way to reduce operating risk inside the hold period. Starting in week 1 is the difference between a defensible program at day 100 and a remediation project that competes with operating priorities for the rest of year 1.

If you are a sponsor, operating partner or portfolio-company CFO planning the 100-day cybersecurity workstream for a new acquisition, schedule a discovery call. We can scope the engagement against the specific deal, the sector and the timeline you are working with.