Executive Summary
$30B Investment Portfolio: One View of All Cyber Risks
Riverstone Holdings is a leading private markets asset management firm. They play a global role in supporting organizational growth in energy, power, and infrastructure. With a reputation as a change-agent for both social and economic issues, Riverstone continues to prioritize the necessary transformation for a better digital and physical world. Their current investment initiatives focus on climate change and decarbonization. The firm manages over $30B in capital, spread across various investment vehicles, including major equity positions in over 50 portfolio companies.
Riverstone chose the Axio360 platform to measure and monitor cybersecurity across their equity investment portfolio. Within several months of platform usage, deficiencies were identified, and a holistic representation of cyber posture was available in a single view. The result was noticeable. Investors and operators could sleep well at night knowing necessary financial and technological controls were identified, and plans were put in motion to mitigate and manage security events before they transpire.
The Problem
A Standardized View of Cybersecurity
Riverstone’s relationship with Axio began in 2018, when Riverstone decided to take proactive measures to address what they saw as a growing risk to their portfolio companies. At the time, they were dealing with several security breaches at their portfolio companies. These incidents emphasized an immediate need to view cybersecurity posture across their entire portfolio. They desired a single solution to serve as a command center to continuously assess cyber risk. Requirements included:
- Establishing a baseline for a cybersecurity posture using a standard assessment framework
- Documenting cybersecurity expectations for portfolio companies over a given period
- Incentivizing portfolio companies to continuously perform assessments
- Tracking improvements to portfolio company cybersecurity programs
- Benchmarking portfolio companies’ cybersecurity posture against each other
- Setting an objective foundation for optimal cybersecurity investment decisions
The Axio360 solution was able to fulfill all of Riverstone’s immediate needs as well as scale to support more advanced cybersecurity program requirements in the future.
The Solution
Cybersecurity Improvement: New Efficiencies Unlocked
Riverstone’s portfolio companies were familiar with various compliance frameworks needed to satisfy regulations, both domestically and overseas. Many operators were performing various assessments in spreadsheets and found a cloud-based solution to improve their cybersecurity both rewarding and exciting. Onboarding of the Axio360 platform was seamless due to the easy-to-follow graphical user interface and logical navigation of assessment questions. Portfolio companies were eager to understand the current state of their IT and OT controls, and how they could improve their cybersecurity posture.
A Personal Touch
Every Axio360 platform license includes service hours with workshops from Axio’s professional services (PS) team. Each member of the Axio PS team has been hand-selected for their unique knowledge. They have built cybersecurity programs for Fortune 500 organizations and large federal entities. Many have been involved behind the scenes of the world’s most high-profile security incidents and are adept at rapid knowledge transfer personalized to customer needs.
Limited Learning Curve
Within two days of workshops, Riverstone portfolio companies were able to familiarize themselves with the powerful functionality of the Axio360 solution and were armed to be self-sufficient on their assessment journey.
“We needed efficiency to do our job correctly and for Riverstone to grow and be protected from new and unforeseen cyber risks. The Axio360 platform was a quick and efficient way for us to help our companies improve in specific cybersecurity areas. It’s important to protect capital for our investors and make sure our companies perform— the results were evident quickly.”
– Eliot Cotton, Principal and Assistant General Counsel of Riverstone.
Frameworks Designed for Protecting Critical Infrastructure
Riverstone selected the C2M2 (Cybersecurity Capability Maturity Model) as their assessment framework, which is pre-loaded in the Axio360 platform along with other popular cybersecurity frameworks such as NIST CSF, CIS 20 and CMMC. The Axio360 platform was designed to motivate users to complete assessments. The unique benchmarking feature allows users to see how their organization is performing both internally (in relation to individual business operating units) and in relation to industry competitors.
“Axio was very involved in making sure the assessments were providing value for our portfolio companies. They even added financial controls to the questionnaire, and I appreciate Axio’s ability to enable bespoke functionality where we could add those questions to the assessment.”
– Eliot Cotton, Principal and Assistant General Counsel of Riverstone.
The Result
Motivation through Incentivization
Riverstone places a lot of trust in the companies in which they invest and works hard not to interfere unnecessarily with day-to-day operational affairs. The Axio360 platform was able to fit seamlessly into the existing workflow without causing extra burden on personnel or processes. At the same time, the platform was widely adopted due to its one-of-a-kind peer benchmarking feature.
“We found the benchmarking feature a very powerful incentive for our portfolio companies to complete assessments. There’s a certain pride in being at the very top of the data set, as well as motivation for improvement for performers at the lower end of the scale.”
– Eliot Cotton, Principal and Assistant General Counsel
Building a Resilient Future
Over 30 of Riverstone’s portfolio companies have been onboarded into the Axio360 platform. In one aggregate dashboard, the current state of cybersecurity posture is visible for rapid analysis. As programs mature at their portfolio companies, Riverstone envisions building on the assessment foundation to leverage Axio360’s full feature set of quantification, insurance analysis, and control initiatives.
The Axio360 platform’s assessment capability is only the beginning of the journey to improve cybersecurity in the most financially prudent way. Users can take advantage of world-class risk modeling to map their cyber risks to dollar loss values and choose the most appropriate controls for their unique needs.
“We found the concept of Risk Quantification very appealing. Being able to look at scenarios and match them up to insurance policies is something that we are excited about in the future. It’s very powerful to have a scenario to show portfolio companies so they can adjust how they function and operate,” Cotton said. “Axio has given us a lot of calm in the chaotic world of cybersecurity. In the investment world, everything comes down to the dollar. The ability to look at insurance policies within portfolio companies and compare them to the most likely risks, quantifying impact becomes a very powerful exercise.”
– Eliot Cotton, Principal and Assistant General Counsel of Riverstone.
The Axio360 platform’s AI and machine learning capabilities give you the ability to address gaps in cyber insurance coverage.
Finding Calm During the Storm
Cybersecurity is really an exercise in educating people, Eliot Cotton said. “Not only do you have to understand the technical controls but have to ensure your people operate and function in a responsible way. You can have all the policies in place, but it’s still up to the people to adhere to them. The Axio360 platform makes it easy for people and technology to work well together for a safer world.”