How important is cybersecurity to investors? The private equity firm KKR (KKR) just provided its own answer to that, adding a cyber-risk score to its assessment of the companies in its portfolio.
About a year ago, KKR officials decided they needed to find a way to understand the current state of security at the companies they were invested in, as Chief Information Office Ed Brandman tells it. That goal might sound simple, but how to get there wasn’t obvious for a diverse set of 90 companies across a range of industries and regions.
“Given the sheer breadth and scope of the companies we own, you can’t get intrusive and get under the cover with 90 different companies,” says Brandman.
KKR worked with BitSight Technologies to come up with what amounts to a credit score for cyber risk.
BitSight, based in Cambridge, Mass., collects Internet traffic flowing to and from tens of thousands of companies. Its staff members analyze risky behavior, such as communications with spam networks or servers known to be controlled by hackers and cybercriminals, to come up with a score for cyber risk on a scale from 250 (worst) to 900 (best). Subscribers to the service use it to help assess the security at third parties with whom they may share sensitive data and to benchmark their own performance, says Stephen Boyer, chief technology officer at BitSight.
Bitsight did the same for 70 of KKR’s private equity holdings—excluding some in the portfolio that KKR was about to sell or had just bought.
Only three of the companies scored in the “red category” of very high cyber risk, says Brandman. KKR didn’t release any specific companies’ scores. It gave the data and ratings to all the companies and to the KKR team that manages each and said, “collectively, we need to work on this together,” Brandman says.
The metric gives KKR the ability to track and assess cybersecurity, without forcing companies to use scarce resources to do the monitoring. Brandman plans to follow the scores over time, perhaps quarterly, and go back for a more in depth assessment annually.
“It’s a very innovative model to get data that’s not intrusive but that is very useful in doing high-level analytics and saying do we have an issue or don’t we at a company,” he says. ”When you’ve got the leadership of KKR saying ‘hey, this analysis that came back, this matters to us and it needs to matter to you,’ that provides clout.”
KKR got its own cyber-risk score as well, which Brandman says he was “happy” with. Looking at the data for his own company validated BitSight’s approach for Brandman; KKR’s score dropped at times that Brandman correlated to actual attacks on its network, he said.