2nd March 2026
Cybersecurity is not just an IT issue; it’s a mainstream risk with material implications for your business’ financing arrangements.
For portfolio company borrowers, cyber considerations in relation to financing arrangements should be treated with the same rigor as other critical risks. The questions for every finance transaction are simple: could a cyber event impair debt service, disrupt operations and erode asset value or goodwill?
While you can put plans in place to reduce harm, including business continuity and disaster recovery plans, it’s important to consider these risks and how they can arise and impact debt funding arrangements.
Proactive assessment is essential. Lenders are increasingly treating cyber as a core element of conditions precedent, with deliverables including an incident response plan, assurances from key third-party suppliers, and evidence of fit-for-purpose cyber insurance.
To support this, we’ve launched an interactive Cybersecurity Tool to guide you through three stages: protect and prepare, test and train, and react and rebuild. You can access the tool here.
Cyber risk is not merely an IT concern; directors must assess and manage these exposures as part of their statutory duties. Directors should maintain continuous, proactive oversight of cyber resilience, ensuring governance frameworks, risk registers and investment decisions properly reflect the organisation’s evolving threat landscape.
Boards should regularly challenge management on incident readiness, supply‑chain vulnerabilities, data governance and recovery capability, and ensure that testing, training and resourcing remain proportionate to operational and financial risk. Read our previous article to find out more about directors’ duties.
A cyberattack can depress revenue, elevate costs, and strain financial covenant headroom. Lenders will closely monitor cross-defaults, solvency triggers, and supply chain contagion, and portfolio company borrowers may need short-term liquidity and covenant flexibility.
Insurance is not a cure-all: scope often excludes lost profits, and proceeds are frequently required to be applied in prepayment, so the details of coverage should be assessed before placing insurance. Robust notification mechanics to lenders and regulators, periodic risk reporting and cyber-specific undertakings provide a more reliable toolkit than relying solely on material adverse effect clauses.
Recent cyberattacks show the financial consequences can be severe. Marks & Spencer has guided to an approximately £300 million operating profit impact from its 2025 cyberattack, with disruption lasting weeks. Jaguar Land Rover’s 2025 cyber incident led to factory shutdowns and significant losses while operations were restored. These episodes demonstrate why portfolio company borrowers should carefully consider cyber resilience alongside debt capacity.
As lenders sharpen their focus on cyber resilience, you should expect tighter requirements when raising debt and prepare early to streamline the process and protect valuations.
Our Finance and Cybersecurity & Data Protection teams work together, leveraging our interactive cybersecurity tool, to help you assess resilience, close gaps, and respond effectively when incidents occur.
