Private Equity Firm Drives Cybersecurity Maturity in its Portfolio

Published by Axio

Axio360 is deployed to deliver ongoing visibility into cybersecurity risk and enable portfolio companies to maintain target performance levels.

Private equity firms succeed by identifying attractive investment opportunities, instilling operational and management discipline, and subsequently realizing multiples of their initial investment upon exit. The middle element of that PE strategy is where value gets created, and a host of modern methodologies enable PE principals to manage their portfolio effectively. Financial management and reporting is a great example because the balance sheet and income statement are understood by all and provide the gateway for the Private Equity firm to maintain visibility into how its investments are performing.

Cybersecurity, on the other hand, is still largely in the wild west era. Private Equity Firms increasingly contemplate cybersecurity during investment due diligence, but those exercises typically take the form of technical assessments or vulnerability scans. That approach is better than not doing anything, but the assessments often vary based on the consulting firm and are typically point-in-time snapshots that can only be used as an oversight tool for a finite period of time. More concerning is that technical assessments rarely, if ever, provide an understanding of the underlying risk at hand – meaning a picture of the types and financial impacts of cyber events that could be experienced by the company. As a result of the current approach, Private Equity Firms have minimal visibility into the underlying cyber risk of their portfolios and lack the ability to manage it consistently and effectively on an ongoing basis.

Axio360 for Private Equity Portfolio Management

A Private Equity Firm with tens of billions of dollars under management and dozens of portfolio companies desired a dynamic cybersecurity solution in order to better protect the value of its investments and give its investors the confidence that it was treating the risk effectively. It sought a methodology and platform that would allow it to manage the cyber risk of its portfolio similar to how it managed the financials of its portfolio – consistently, comparatively, and in a language that the individual company management team, PE principals and investors could all understand. The specific components of the solution needed to include:

  • Risk Understanding: A view of the risk of each individual company and the portfolio as a whole. What are the types of cyber events that could be experienced and the financial impact of those events?
  • Risk Management Maturity: Are the portfolio companies making effective cybersecurity management decisions, and doing so via a methodology that can evidence continual progress?
  • Risk Recovery: Do the portfolio companies possess the financial means to successfully recover from the types of cyber events relevant to them? Is the insurance portfolio appropriately matched to the risk?
  • Benchmarking and Portfolio Insight: Can each of the three aforementioned elements be benchmarked across the portfolio and aggregated into a PE and Investor dashboard?

In order to meet the Private Equity Firm’s needs, Axio first deployed a lightweight version of its Axio360 platform to gain a baseline understanding of the cybersecurity maturity of all companies within the portfolio. Axio’s data science team then collaborated with the Private Equity Firm’s management to develop a target maturity profile that each portfolio company would be expected to continually adhere to.

Subsequently, Axio and the Private Equity Firm released the enterprise version of Axio360 to the entire portfolio, providing additional capabilities for individual companies to continually adhere to the target profile and make appropriate changes when their risk profile changed. In some instances, Axio’s cyber risk engineering team helped create improvement roadmaps for individual companies, and in other instances, Axio360 output was handed off to existing partners to implement new technologies, controls or modifications to the insurance portfolio. Throughout the continual journey, Axio and the Private Equity Firm collaborated to create and deploy enablement content and awareness materials for the portfolio companies and their management teams.

Collaboration is ongoing, and ultimately Axio has been able to help the Private Equity Firm gain confidence that it is managing the cyber risk of its portfolio effectively. With the Axio360 platform deployed to the portfolio, companies are able to continually evidence how they are individually managing their cybersecurity and adherence to the target profile. The Private Equity Firm now understands the underlying risk picture and how it is evolving over time. Best of all, the Private Equity Firm possesses a means to easily convey this information to existing and potential investors.