What 2025 Revealed About Cyber Risk in PE Portfolios

New ACA Vantage benchmarking reveals where risk concentrates, and how firms can move the needle faster.

In 2025, ACA Vantage for Cyber assessed cybersecurity posture across more than 300 portfolio companies (PortCos) spanning 18 industries and 12 countries, providing granular insight into where risk concentrates and which actions correlate with meaningful reduction.

Three themes stood out:

1. The distribution is even, but the improvement is not.

Across the landscape, PortCos split roughly evenly between lower- and higher-risk categories. That balance is by design: RealRisk™ (our 1–100 scoring model across seven domains and 46 areas) expects most companies to land in the middle. But when we segment by tenure in Vantage, differences emerge. PortCos with more than a year of sustained oversight cluster toward the lower end of elevated and high ranges, while newer entrants tilt higher. Translation: continuous assessment plus targeted action moves companies in the right direction, sooner.

2. Risk is not created equal by industry.

A 15-point swing separates the industries with the lowest and highest average risk. Sector dynamics matter: Producer Manufacturing and Industrial Services often rely on extensive third-party ecosystems, so gaps in Third-Party Risk Management are more consequential. In Health Services, Penetration Testing surfaced as a frequent high-scoring (i.e., higher risk) area given the sensitivity of data and the operational stakes.

3. Governance accelerates progress.

Yes, early technical wins (like Email Security and Endpoint Protection) are common and important. But our strongest associations with lower overall risk came from programmatic controls: annually reviewed policies; formal policy communication and acknowledgement; engaged executive/board oversight; and incident response and business continuity plans that are documented and updated regularly. PortCos with more than one year on Vantage were significantly more likely to have these fundamentals in place.

What Firms Can Do Now

  • Start with visibility, then sequence the work. Baseline where risk lives (by domain and area), close foundational technical gaps, and prioritize programmatic controls early.
  • Contextualize by sector. Adjust oversight expectations and investment based on inherent industry exposure, especially where third-party dependencies dominate.
  • Sustain the cadence. The difference a year makes is measurable. Quarterly reviews against the RealRisk model keep remediation focused and momentum high.

The full ACA 2026 PortCo Cyber Risk Report breaks down industry‑level trends, area‑level benchmarks, and the control patterns most associated with lower risk. It also shows how risk migration plays out within categories over time.

Ready to see how your portfolio compares?
Download the report for the complete benchmarking, methodology, and recommendations.