RSM helps private equity group proactively manage cybersecurity risks
CASE STUDY |
The Compass Group manages Compass Diversified Holdings, a publicly traded private equity firm. Headquartered in Westport, Connecticut, Compass was founded in 1998, and currently has eight middle market portfolio companies, with a focus on the consumer branded and niche industrial verticals. The Compass Group is actively involved in its portfolio companies, partnering with their strong management teams to help grow their enterprise value and cash flows for investors.
The Compass Group takes a proactive approach to risk management and corporate governance, with a dedicated risk identification culture at the parent level and within its portfolio companies. Through conversations with board members and the RSM US LLP team, as well as continued education and training, Compass executives understood potential cybersecurity risks and the challenges for private equity groups and public companies.
Compass decided to take action, and put an emphasis on cybersecurity to protect investments both at the parent level and within its portfolio companies. Therefore, the organization sought an advisor to conduct a cybersecurity assessment to proactively add enterprise value, save money and time in the long run, and defend Compass’ investments and reputation.
While the initiative was driven from the parent level, Compass’ portfolio companies also recognized the importance of a dynamic cybersecurity strategy. Subsidiaries were very receptive, open and committed to enhancing security measures.
RSM has built a strong relationship with The Compass Group through a history of providing services, addressing needs in multiple facets of the business. Following a cybersecurity presentation by the RSM team and a demonstrated knowledge the risks for private equity companies, Compass chose RSM to conduct a cybersecurity gap assessment for the parent and its portfolio companies.
“After the RSM cybersecurity risk team presented their skill sets, it became quickly evident that this would be a great partnership,” said Ryan Faulkingham, chief financial officer at Compass Diversified Holdings.
The Compass Group has a variety of portfolio companies, from small enterprises to recognized brands. The RSM team performed a risk evaluation for the parent and for each company, analyzing governance and policies and procedures, determining each entity’s cyberattack vulnerability and ranking how attractive each would be to cybercriminals.
In addition to some of its higher-profile portfolio companies, RSM determined that some of Compass’ smaller companies that often would not typically be considered as attractive for a cyberattack could be potential targets. With private equity groups, hackers often don’t initially target the parent level or larger portfolio companies. Those larger entities typically have stronger security measures; therefore, criminals attempt to infiltrate smaller organizations and then social engineer themselves through other portfolio companies and then into the fund.
RSM helped The Compass Group understand how the fund could be a conduit for potential attackers. Everyone in the company has a hand in the effectiveness of a cybersecurity strategy, and with Compass’ proactive risk culture, the message of increased awareness from top to bottom resonated and was embraced throughout the organization.
Following the assessment, the RSM team presented key findings to The Compass Group’s key executives, its board of directors, as well as the management teams of its portfolio companies to help enhance their cybersecurity posture and protect the company’s investments. The top cybersecurity risks and potential emerging concerns were ranked and detailed, as well as suggested policy improvements, including defining authorized roles and security processes for third-party vendors.
“I appreciated that it was a candid discussion with our board of directors. Our chairman had expected the discussion to be an exercise of doom and gloom, which can happen with a consultant,” commented Faulkingham. “The RSM team provided a clear analysis, detailing our high and medium risks, what we should keep an eye on and how even our high risks are manageable. It was well-presented, and specifically, our chairman commented that it had exceeded his expectations and he appreciated that it wasn’t what he expected it to be.”
In addition, Compass leveraged RSM’s cybersecurity risk assessment to facilitate stronger SOX compliance efforts. The company’s internal auditors utilized the findings to identify key risk areas.
“We do not have the IT skill set, nor do many companies, to assist in identifying and evaluating all of our internal and external cybersecurity risks. We just don’t have the capacity,” said Faulkingham. “RSM helped our companies understand what our weaknesses are, and also gave my internal audit team more exposure to risk areas that we need to focus on.”
RSM’s cybersecurity gap assessment helped The Compass Group develop an effective cybersecurity program at the parent level and within each portfolio company. With its strong risk culture, Compass identified RSM as a key resource to proactively address and mitigate emerging threats. The RSM team understood the risks for private equity groups, and analyzed the organization, presenting clear findings of potential risks within the organization and suggestions to address vulnerabilities and protect investments.
Key benefits of RSM’s cybersecurity gap assessment for The Compass Group included:
- Increased cybersecurity awareness from the parent level to individual portfolio companies
- Stronger insights into the risks at smaller portfolio companies and how hackers can infiltrate private equity groups
- Targeted insights into key risks and potential process and policy improvements
- Enhanced internal audit exposure to key risk areas for SOX compliance efforts
They said it
“With my relationship with the CFOs of our portfolio companies, I need to have faith in who I am sending to perform work on their behalf. I need to have confidence in their style and that they can manage different personalities and situations. Given our relationship with RSM, as well as the presentations that they gave me, I had faith that this project would be well-managed. And it was.”
- Ryan Faulkingham, Chief Financial Officer, The Compass Group