Located in California, a private equity firm manages a portfolio of ten companies in the lower middle market specializing in technology, industrials, and business services. The firm actively manages its portfolio companies with a goal of improving financial performance and increasing value.
Like most private equity investors, the firm weighs several factors to guide its investment decisions and overall approach to business. In addition to financial returns, operational excellence, and a long-term perspective, cyber risk management has emerged as a growing pain point for the firm.
If a cyber-attack occurred, the firm knew its internal objectives and portfolio companies would be severely hampered. A successful breach could result in financial loss, stalled operations, or significant damage to a portfolio company’s reputation. While it would be difficult for the portfolio company to recover from a breach, it would also diminish the value of the firm’s investment.
In addition, the firm realized that its weakest link was its biggest vulnerability. If security is not consistent throughout the portfolio, a successful breach of one portfolio company could provide access to other companies in the portfolio or the firm itself.
The firm realized a major challenge to aligning security posture across its portfolio was that companies had different controls and protocols in place, making it difficult for the private-equity firm to gain a unified view of the overall cyber risk posture of the portfolio. The firm also lacked a centralized way to assess and monitor controls across its entire portfolio. This made it difficult to prioritize and manage cyber risk across the portfolio.
Another challenge was that the private-equity firm does not have the internal resources to conduct in-depth security assessments on each portfolio company. While some companies in the portfolio did have their own small IT departments, most had limited security allocations prior to acquisition. With limited personnel, the firm struggled to stay on top of the ever-changing threat landscape and understand the implications of new and emerging threats for ten unique businesses, plus their own.
Risk Insight and Vulnerability Management Across Investment Portfolio
The firm identified value in third-party risk management tools for their portfolio risk management needs. The firm sought out myCYPR to manage cyber risk within its investment portfolio, assessing each portfolio member as a third-party partner.
myCYPR provided a comprehensive view of each company’s cyber risk posture by assessing key security controls against NIST and CIS Cybersecurity Frameworks. Each portfolio company received access to myCYPR’s dashboard so it could identify areas where controls were missing and view recommendations. This ensured all portfolio companies aligned to the same controls and protocols. myCYPR also provided a centralized way to assess and monitor controls across the entire portfolio. Once all companies aligned to the same controls and procedures, the private-equity firm could accurately assess common areas in need of improvement.
Additionally, myCYPR helped the firm maximize resources for effective risk management. While the firm previously lacked resources to conduct in-depth security assessments on each portfolio company, myCYPR gave the private-equity firm flexibility to utilize multiple risk assessments to assess its portfolio. The firm was able to conduct an in-depth security assessment or combine assessments to gain a highly detailed, real-time view of each company’s risk profile.
Mutual Risk Reduction, Maximum Improvement
A subsequent benefit to the private-equity firm was improved internal risk standing and an efficient way to view the influence of portfolio companies’ risk standing on their own.
The firm’s own score reflected the changes and improved as high-risk portfolio companies made remediations and improved their overall risk scores. The firm gained real-time insight to the influence its portfolio’s overall security has on its own risk standing, and now has continuous access to up-to-date risk data.
“myCYPR has helped us manage our investment portfolio tremendously. Not only can we easily identify our highest-risk portfolio members, but we can actually give them a tool that helps them improve without additional cost. That’s huge, especially when trying to keep costs low and increase a company’s value.” –Vice President, Operations
Communicating with Investors
Additionally, by implementing myCYPR, the firm gained a tool that helps it communicate effectively with investors. Amid mounting concerns about the potential of cyber-attacks impacting their investments, investors were increasingly hesitant to invest without more reassurance than in the past.
The firm used myCYPR’s reports and dashboards to regularly present the potential risks associated with a particular investment and guide investors through informed decisions. The firm has also leveraged myCYPR to demonstrate its internal commitment to risk management, showing it is taking appropriate measures to minimize the impact of a breach and protect the assets it manages.
With myCYPR, the private-equity firm has proactively managed cyber risk within its portfolio, safeguarding its investments and securing its portfolio for long-term success. The platform provided the firm with a centralized view of cyber risk across its portfolio, helping to quickly identify high-risk areas and take proactive steps to remediate vulnerabilities. With portfolio companies able to align their security controls and processes, all members are better protected against cyber-attack.
Overall, myCYPR helped the private-equity firm achieve greater visibility into its portfolio companies’ cyber risk posture, enabling them to proactively manage cyber risk and ultimately protect their investments. By leveraging myCYPR’s risk assessments and detailed recommendations, the private-equity firm was able to efficiently and effectively manage cyber risk across their portfolio, even with limited internal resources.