A global real estate investment firm (headquartered in the U.S.) identified a need to assess their portfolio of 150+ companies in order to evaluate and manage cybersecurity risks. Through that process, the firm also requested that the cybersecurity (“cyber”) review be performed bi-annually across their portfolio and as part of the due diligence efforts for any new and existing partners.
Baker Tilly’s Cyber Health Check program supplies a consistent, ongoing, scalable approach and provides visibility to the people, processes, technology and governance across each portfolio company’s information technology (IT) environment. Intentionally designed to be a lighter and more manageable version of a cybersecurity audit, our clients receive useful insight into the cyber practices and risks of their portfolio in a shorter timeframe. Using the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) as the backbone, the cyber health check keys in on 30 controls spanning the identify, protect, detect, respond and recover functional areas.
In this engagement, the 30 controls were formatted into a survey template and submitted to each portfolio company for initial completion. Upon completion, each portfolio company submitted the survey to Baker Tilly and a 1-hour interview session was scheduled to discuss the submission and gather additional details and supporting documentation, as needed. Baker Tilly drafted the final report following this interview session and, pending any outstanding questions, this concluded the portfolio company’s commitment to the effort.
Baker Tilly provided the results of our assessment to the investment firm first, which involved an assigned implementation status, observation, maturity rating, risk rating and actionable recommendation for each control. Further, a summary scorecard was developed using the maturity ratings, including the average maturity across each of the five functional areas and overall. With client approval, the results of the assessment were provided directly to each portfolio company. Our results helped the client understand their cybersecurity risk exposure and ultimately set a risk tolerance threshold with insights from the maturity scorecards.
Short-term cyber reassessments for the identified higher-risk portfolio companies
For the companies that scored below the threshold floor, the investment firm engaged Baker Tilly to perform short-term (i.e., 60 day) reassessments. The short-term reassessment timeline began immediately following delivery of the initial cyber health check final report. Baker Tilly supplied the portfolio company with a tactical plan that prioritized the findings based on risk and maturity. The tactical plan was built to exceed the risk threshold floor set by the client. A 30-minute briefing was set up to discuss the results of the cyber health check as well as the tactical plan, offering the company an opportunity to ask questions and discuss the recommendations provided. The short-term reassessment engagement was then an internal effort by the portfolio company. Evidence of remediation—whether through policies and procedures, screenshots or commentary—was submitted directly to the Baker Tilly point of contact.
Upon submission of evidence by the portfolio company, Baker Tilly documented the improvements made within a final report that mirrored the format of the initial cyber health check. Where merited, controls received an updated implementation status, observation, maturity rating, risk rating, and if needed, recommendation, as well as a new maturity scorecard. These reassessments had a directed focus on enhancing cybersecurity maturity and remediating the riskier findings from the initial cyber health check.