When investors evaluate a company, they consider P/E ratio, market share and products in the pipeline. But now there's a new measure of a company's worth: cybersecurity risk.
The risk of a devastating attack has become such a threat that the famed private equity firm KKR has instituted a new cybersecurity evaluation of its portfolio companies—and is prodding the most at-risk firms it controls to beef up their protections. It's something of a sign of the times that the firm most famous for its corporate raider status of the 1980s is now worried about another kind of raider: cyberattackers.
In an effort that began late last year, KKR has started looking at 70 companies that it owns, dividing them into red, yellow and green categories based on the amount of cyberrisk they have.
Losses from cybercrime and cyberespionage may be as high as $100 billion annually in the U.S., security firm McAfee estimates.
"We really believe that cyber is a critical part of the entire ecosystem for a company and whether that's because you're in the credit card business or the retail business, the health-care business, the financial services businesses, all of them are touched by cyber and we want to be in a proactive position," said Edward Brandman, KKR's chief information officer.
KKR engaged two firms to help make the evaluations: BitSight Technologies, which analyzed the companies' security performance using publicly available Internet data, and the security company Stroz Friedberg, which helped KKR prioritize the risk to its portfolio companies.
"KKR owns companies like First Data and HCA. Those companies have a high degree of risk associated with cyber, given the nature of their data," Brandman said. "They also happen to be the companies, fortunately, that got the highest scores from a positive standpoint, so that was encouraging. But I think a finance or health-care company has a much higher degree of risk than an industrial company that is making wellheads."
Not every investor has the resources of a KKR to throw at the problem, but Brandman said all investors need to factor cyberrisk into their decisions. And he touts BitSight's scores of company risk as a good place to start.
"To the extent that a model like that gets traction, and people could go and look just like they look at a Moody's score, S&P ratings or what a research analyst might say on a company, I think that that has the potential to provide a benchmark that people can use," Brandman said.
—By CNBC's Eamon Javers.