Case Study: Building a Cybersecurity Portfolio Company Oversight Program

Client: Ara Partners
Client Type: Private Equity
Portfolio Size: 27 companies across Europe and North America, including food, agriculture, chemicals and materials

Background

Ara Partners (Ara) is a significant player in the industrial decarbonization space with an investment strategy that focuses on serving as a “builder firm” to support companies in all stages of their growth.

To support its strategy, Ara set out to bolster its portfolio management process so it could support the build out of its portfolio companies in its traditional areas of expertise, along with aspects of the portfolio companies’ operations – like cybersecurity risk management – where deeper subject matter expertise was required.

Challenge

Like many private equity firms, Ara’s portfolio is made up of companies with unique cybersecurity risks and opportunities, and a diversity of cybersecurity expertise and resources.

With Ara’s investments in firms that are in growth stages, it had originally focused on helping companies establish critical cybersecurity controls during an initial 100-day post-investment planning process. However, maintaining ongoing cybersecurity oversight and guiding these companies in multiple geographies was becoming a tedious, albeit necessary task.

Steve Cherington, Head of Operations at Ara Partners notes, “At Ara, we have a sort of ‘Builder DNA’ which extends to project building with our portfolio companies and allows us to be intensely involved when building out these platforms from the outset.”

The firm realized it needed to bring in outside expertise to help with managing the portfolio companies on an ongoing basis. A major factor was directing these companies on how to manage their cybersecurity issues. Having the flexibility to minimize intensive on-site effort and using a similar framework across the portfolio was something that Ara believed would be very helpful in the long term.

Solution

ACA’s Vantage for Cyber is designed to help operating partners and sponsors in private equity, venture capital, and real estate firms build a comprehensive cybersecurity portfolio oversight program that allows the firm to better manage cybersecurity risk and drive value across the portfolio.

According to Steve Cherington, “The Vantage program design vocalized to us in the early stages really impressed us since it had a process and timeline and was designed to be applicable to all of our portfolio companies across multiple geographies.”

ACA offered Ara ACA Vantage, a solution that provides:

• Ongoing evaluation of cybersecurity risks across Ara’s portfolio of companies.
• A consistent framework to assess and understand cybersecurity gaps and areas of potential improvement.
• Access to an online tool that allows Ara and all its portfolio companies to view and evaluate assessment results.
• Guidance and resources that can be provided to all portfolio companies to allow them to close identified gaps.

Steve Cherington commented, “ACA was able to come in and continue to drive things, making sure deadlines were met without making it too taxing on our team or making it seem like some things are slipping through the cracks. As one of the managing partners and senior leaders, I was involved from the outset and continued to remain involved, not on a day-to-day or week-to-week basis, but as someone who was able to drive the importance of this initiative home.”

Results

Since implementing ACA Vantage for Cyber, Ara, has seen improvements in the ways its portfolio companies manage their cybersecurity issues.

Beyond the enhanced oversight and visibility into the cybersecurity risks and opportunities across the portfolio, the firm has seen several other benefits in its time using ACA Vantage, including:

• Insurance Assurances for Portfolio Companies: With Ara regularly requiring its portfolio companies to invest both time and dollars into improving their cybersecurity posture, seeing real-world cost savings and benefits on the insurance side has been a boon for these organizations. With regular guidance from ACA regarding security improvements, ACA Vantage has helped provide accurate and reliable recommendations to boost the insurance coverage of the portfolio companies.
• Hassle-free Onboarding & Execution: A major concern within Ara was if this program would require massive efforts from its team and the portfolio companies. However, with minimal involvement needed from both the holding organization and the portfolio companies, these doubts were resolved almost immediately. There was little to no on-site work required from Ara, and having already worked with ACA in the compliance sector, there were no doubts about the level of subject matter expertise or the depth of detail from ACA Aponix. The ACA Vantage framework became applicable to all of its portfolio companies, reducing the efforts needed to customize surveys on an org-to-org basis.
• Increased Clarity with Partners & Investors: Since enrolling in the ACA Vantage program, Ara has been able to shed more light on its working relationships with its portfolio companies to its investors and partners, helping them understand how Ara is driving the best practices in the area. With tangible results to highlight, the timelines on how to further improve these portfolio companies is easier to create, and it will help Ara push these targets out to the portfolio companies for a much more streamlined portfolio management program.

Having industry leaders like ACA at the helm has not only helped Ara Partners achieve continuous improvement of their portfolio management, but also helped set expectations for the companies within its portfolio (e.g., conducting audits of third parties, use of multi-factor authentication penetration testing, etc.).

Steve Cherington added, “With a baseline plan in motion, we plan to get ACA involved in earlier stages of our investments to further smoothen the process and try and push our targets out to the portfolio companies moving forward.”

Practitioner Tips

Set the right tone at the top

ACA Vantage is designed to provide firms with greater visibility and oversight of the cybersecurity risks across their portfolio. For the product to work, the portfolio companies must complete an assessment of their cybersecurity program. Since this is an additional request of the portfolio companies, Ara’s leadership knew it was important to reinforce the importance of the ACA Vantage initiative.

As Steve Cherington explains, “A key element of instituting a program like this is that you need to have someone at the top who’s driving it at the right times and in the right way.”

To do this, Steve and one of Ara’s managing partners were heavily involved in communicating the ACA Vantage launch to the portfolio companies, discussing the value and importance of the program.

After that, they continued to maintain open lines of communication with the portfolio companies, checking in every four to six weeks with portfolio companies to hear what was working, gather feedback about the program, and check in on progress being made by the portfolio companies. This allowed Ara to gain buy-in from portfolio companies more efficiently as they demonstrated their commitment to the importance and value of ACA Vantage.

How we help

Our new portfolio oversight solution, ACA Vantage for Cyber, is the only cybersecurity product designed specifically for private equity, venture capital, and private debt portfolio oversight. With this solution, you get expert support to build an oversight program that is formally governed, applied consistently, and designed to grow valuations.

ACA Vantage for Cyber can provide ongoing visibility to monitor and oversee your portfolio companies’ cyber health, giving you control to navigate risk, add value, and gain a competitive advantage. Powered by ACA Aponix^®, this solution combines our renowned advisory service with our award-winning regulatory technology, ComplianceAlpha^®, and our exclusive "RealRisk" risk assessment methodology. 

ACA Vantage for Cyber will help you to:

• Align your cybersecurity oversight program to investor needs by leveraging best practices developed working with over 100 firms on oversight 
• Save time with instant access to assessment results and the status of related remediation efforts 
• Keep stakeholders informed and direct resources where they are needed most 
• Uncover your firm’s risk from your investments from the fund level all the way down to individual cyber capabilities at individual portfolio companies. 

Complete this cybersecurity assessment survey to receive a free report detailing your cyber program's top deficiencies and strengths as well as the opportunity to discuss the findings with one of our account managers. Or contact us to find out how we can help you protect your portfolio. 

Contact us