Simplifying cyber, risk, and compliance for asset & portfolio managers

Dr. Heather Buker | May 3, 2024


Managing cybersecurity, risk, and compliance can be daunting for portfolio managers, especially when dealing with a diverse mix of businesses. They face unique challenges before and after mergers and acquisitions, given the varied geography, risk profiles, and compliance obligations of each entity.

The 6clicks Hub & Spoke solution is designed to streamline these complexities.

Who benefits most from this article?

This article is particularly beneficial for cybersecurity, risk and compliance leaders in these industries:

  • Asset management and investment funds
  • Private equity
  • Banks and financial institutions
  • Insurance companies
  • Pension funds
  • Sovereign wealth funds

Key challenges in portfolio management

By definition, portfolio managers typically oversee a variety of businesses, each with its own set of regulations and cybersecurity risks. The main challenges include:

  • Integration complexity: Merging different security protocols and compliance standards from each portfolio company into one coherent strategy.
  • Regulatory diversification: Each business may operate under different legal frameworks, making compliance a complex task.
  • Varied risk profiles: Different levels of cybersecurity maturity and risk exposure can compromise the overall security of the portfolio.

The 6clicks Hub & Spoke solution

The 6clicks Hub & Spoke model is crafted to address these challenges effectively, offering robust automation for managing risk and compliance throughout the M&A process.

  • The Hub: This central framework allows portfolio managers to define overarching cybersecurity guidelines and compliance standards. It serves as the baseline from which all entities operate, ensuring consistency and control across the portfolio.

  • The Spoke: Each entity within the portfolio acts as a spoke, implementing the hub’s standards in a way that suits its specific circumstances. This allows individual entities to adapt the overarching policies to their local compliance requirements and risk landscapes.

At the portfolio manager level, the 4 most common tasks are described below.

The job to be done, what's involved, and how 6clicks can help automate

Risk assessment and management


Conduct comprehensive risk assessments regularly to identify, analyze, and evaluate risks associated with cybersecurity threats and vulnerabilities across all entities in the portfolio. Develop and implement strategies to mitigate identified risks.

Explore cybersecurity audit and risk assessment.


Compliance monitoring and enforcement


Stay updated with compliance requirements and conduct regular audits to ensure that all portfolio entities comply with necessary laws, regulations, and standards, identifying compliance gaps and implementing corrective actions promptly.

Learn more about cybersecurity compliance management.

Vendor and third-party risk management



Conduct thorough security assessments before onboarding new vendors and periodically review the security and compliance postures of existing vendors to manage third-party risks effectively.

Learn more about VRM in 6clicks.

Effective governance with reporting and analytics


Utilize sophisticated reporting and analytics tools to provide comprehensive visibility into the risk and compliance status across all portfolio entities, enabling better decision-making and strategic alignment.

Learn more about 6clicks reporting and analytics.


A summary of benefits for portfolio managers

Portfolio managers can leverage significant benefits from the 'Hub & Spoke' approach to cybersecurity, risk, and compliance:

  • Process automation: Automating periodic audits from the Hub to the Spokes, along with related reporting, eliminates the need for spreadsheets, manual consolidation, and complex processes. This automation not only saves time but also enhances accuracy and reliability in compliance and risk management activities.

  • Strategic oversight: The Hub acts as a central control point for cybersecurity and compliance, setting the framework for standards, including assessment/audit templates, control sets, and libraries for risks and issues. It also allows for streamlined roll-up reporting from the 'Spokes'—the portfolio companies or entities.

  • Efficiency in asset integration: Establishing clear standards from the outset makes the integration of new assets smoother and quicker. This approach minimizes the risks and reduces the operational overhead associated with harmonizing operations after acquiring new assets.

  • Consistency across the board: The model ensures that all entities adhere to a baseline level of compliance and security. This uniformity is vital for mitigating risks and complying with regulatory standards globally.

  • Autonomy for Spokes: Each Spoke operates autonomously, which pushes accountability to the appropriate levels within each entity. This autonomy allows Spokes to manage their specific compliance and risk issues more effectively while adhering to the overarching standards set by the Hub.

Benefits for portfolio companies

For the companies within the portfolio, the benefits are equally compelling:

  • Customized implementation: Each entity can tailor the central policies to their specific needs, ensuring compliance and security measures are both effective and appropriate. This flexibility allows each Spoke to adapt the overarching frameworks to local conditions and requirements.

  • Autonomy with alignment: While the Spoke enjoys a degree of independence, the alignment with the Hub’s standards ensures that the entire portfolio adheres to a high standard of risk management and compliance. This balance helps maintain uniformity while allowing for localized decision-making.

  • Comprehensive cyber GRC platform: Each Spoke is equipped with a full cyber GRC platform provided on a turnkey basis and adaptable to global standards and regulations. This ensures that all entities, regardless of their geographic location, can meet international and local regulatory requirements with ease and efficiency.

Case study: Volaris Group, part of Constellation Software Inc.

Volaris Group, a division of Constellation Software Inc., effectively showcases the real-world implementation of the 6clicks Hub & Spoke solution. Specializing in acquiring vertical market software companies, Volaris navigates complex challenges in standardizing risk and compliance across its acquisitions. They have migrated off a legacy GRC platform to modernize and scale their risk management processes, enhancing cybersecurity and operational efficiency across a portfolio of over 250 entities that includes 7,000 employees and generates $3.4 billion in revenue. The centralized Hub manages corporate-mandated control assessments, policy management, and incident risk management, while some business units further adopt 6clicks for vendor risk management and compliance with other standards like ISO 27001, SOC 2, NIST CSF, and others.


For portfolio managers, navigating the complexities of cybersecurity, risk, and compliance across multiple businesses can be streamlined with the 6clicks Hub & Spoke solution. This architecture enhances control and consistency across investments and ensures efficient integration and management of new acquisitions, making it an indispensable tool for pre- and post-M&A activities.


Frequently asked questions

How does the 6clicks pricing work for portfolio managers?

The pricing of the 6clicks Hub & Spoke solution is designed to be scalable and cost-effective, making it suitable for private equity firms with multiple entities. Pricing is based on the number of spokes or entities managed, allowing for flexibility as firms scale up or down.

Written by Dr. Heather Buker

Heather has been a technical SME in the cybersecurity field her entire career, from developing cybersecurity software to consulting, service delivery, architecting, and product management across most industry verticals. An engineer by trade, Heather specializes in translating business needs and facilitating solutions to complex cyber and GRC use cases with technology. Heather has a Bachelor's in Computer Engineering, a Master's in Engineering Management, and a Doctorate in Information Technology with a specialization in information assurance and cybersecurity.