Portfolio Cyber Services
Cydea’s Portfolio Cyber Services help private equity and venture capital firms to improve the security posture of their portfolios, generate greater returns and satisfy investor concerns. We partner with you to protect current and future value generation rather than conducting one-off audits.
Cyber security is often reported as being a ‘board level’ topic, and while the proportion of businesses saying that they never update senior managers on cyber security has steadily declined over time, this remains at 17%.
The same survey of 1,419 UK businesses conducted by DCMS, found almost one-in-two had not taken any activity to identify what cyber risk they faced.
That means that across a typical private equity portfolio of 40 businesses, seven may not have ever discussed cyber security at board meetings, and over nineteen may be unsighted on their cyber risk exposure.
Cyber security due diligence is increasingly conducted as part of the deal process, however, on-going hygiene and an investor’s exposure to cyber risk is not routinely measured. With the possibility of extreme unplanned costs and earnings volatility it’s no wonder that investors are seeking greater assurances before committing to new fundraising rounds.
Managing portfolio cyber risk
Cydea’s Portfolio Cyber Services is centred around a lightweight annual ‘cyber return’ from portfolio companies that’s based on our proven Cyber Scorecard, combined with optional quarterly check-in sessions with leadership to support their progression. This allows us benchmark posture, prioritise pragmatic recommendations and track progress so that you can demonstrate the positive impact you’re having on your investments.
"It was really important to us that this was a true partnership and we found someone that we could work with and work alongside, as opposed to outsourcing."
Where necessary, we identify ‘deep dives’ for individual companies to understand specific issues in greater detail. These may take the form of non-cyber activities (such as technology architecture or operating model exercises) and we work with existing preferred suppliers to scope out the engagements or can support their execution directly.
Portfolio companies can also take advantage of short, ad-hoc consulting sessions included within the service to answer quick questions, help improve board cyber understanding and reporting and advise on security considerations for business decisions.
We also help to educate you and your portfolio companies on cyber security through exec-friendly cyber risk advisories for newsworthy events and webinars tailored to relevant macro-level topics.
Our service can make use of existing due diligence or environmental, social and corporate governance (ESG) data and we collaborate with other existing cyber vendors that you may have engaged.
Accelerating value
Cydea partnered with the value acceleration team at Inflexion Private Equity to help protect their portfolio of over 40 companies. In this video case study Robin Oldham from Cydea, Neil Randon from Xtrac and Inflexion’s Alex Mathers discuss their experience working together.
Principles
Our approach is built around the following principles:
- focus on maturity of cyber security capability (not just a controls gap assessment)
- adaptable assessment profiles suitable for different sizes of business or regulated activity
- low friction and easy for security teams to complete on a regular basis
- show historical performance to support any future sale or divestment
- repeatable and scalable as you make future acquisitions
- grounded in measurable data
- relevant for both the portfolio company’s management team, and private equity firm
- communicate the cyber security posture at the ‘board level’
- cost-effective and commensurate for companies with a £2M-£500M EBITDA.
Benefits
Cydea’s Portfolio Cyber Services deliver value to general and limited partners, and the portfolio companies in which they invest:
- Risk evasion within the portfolio - improving governance and risk management to minimise the potential for unplanned, in-year costs
- Security cost optimisation - typically 10% of IT budgets are spent on cyber security and so it’s important this is prioritised and aligned with the organisations risk and objectives
- Protection of value realisation - streamline divestment planning and demonstrate lifetime improvement to buyers in a compelling value story
- Scorecards for your team’s portfolio companies to guide board conversations
- Portfolio-level dashboard highlighting macro issues and aggregate exposure to certain risk scenarios
- Shortlist of proposed ‘deep dive’ candidates where greater assurance is required
- Performance monitoring through investment period that integrates into existing portfolio monitoring activities
- Risk to investments are being managed in a controlled manner
- Less variability / more consistency in value
- Improved governance and risk management correlates with higher EBITDA growth
- Cyber Scorecard, similar in nature to an annual ‘MOT’ assessing and benchmarking the effectiveness of long-term cyber governance and ability to respond to short-term issues
- Quarterly clinics, giving leadership teams independent, trusted advice on their security programmes and coaching on strategies
- Q&A Service, throughout the year portfolio companies benefit from ad-hoc support to their day-to-day cyber queries
- Regular ‘risk advisories,’ suitable for board briefings, on significant topical events
- Discounts on Cydea’s cyber services
Cydea are professional service members of the British Private Equity & Venture Capital Association.
Studies have proven that there is evidence of a strong correlation between mature enterprise risk management and EBITDA growth and reduced earnings volatility. Federation of European Risk Management Associations (FERMA) found in 2012 that those with the advanced ERM practices on average had 12% greater EBITDA growth than those with emerging practices, while a multi-year study by FM Global and Oxford Metrica in 2010 showed the earnings volatility of those with strong ERM practices was over one-third less than those with weak practices.