When UnitedHealth Group’s subsidiary Change Healthcare was hit by ransomware in February 2024, the damage wasn’t confined to one business unit. Attackers used compromised credentials to access a server without multi-factor authentication, exfiltrating up to 6 TB of data and exposing an estimated 190 million individuals. The total cost has exceeded $2.5 billion, according to UnitedHealth’s Q3 2024 earnings report, and the fallout shut down claims processing at 94% of U.S. hospitals.

The lesson for every diversified organization is straightforward: a single subsidiary’s security gap can cascade across an entire portfolio. Yet most cybersecurity tools are built for individual companies — not for the holding companies, private equity firms, and multi-subsidiary enterprises that need consolidated visibility across dozens of entities at once. ARC is Resilience’s answer to that problem.

The visibility gap in complex organizations

For organizations managing enterprise-scale cyber risk, the challenge goes well beyond deploying firewalls and endpoint detection at each subsidiary. The real problem is structural: group security teams are accountable for the posture of entities they often cannot directly monitor. Each subsidiary may run its own IT stack, maintain its own vendor relationships, and operate at a different level of security maturity. The parent organization, meanwhile, needs a consolidated view of where the greatest financial exposure sits.

Static, spreadsheet-based risk assessments compound the problem. They offer snapshots, not ongoing visibility. By the time a parent company’s risk manager aggregates manual questionnaire responses from every subsidiary, the data is already stale — and the gaps between assessments leave room for threats to evolve undetected. One multi-sector holding company in Resilience’s portfolio described this dynamic precisely: each subsidiary managed risk independently, making it nearly impossible to compare exposures or align priorities across the portfolio.

That’s the gap Arc was built to close. Resilience’s multi-entity risk assessment solution gives each subsidiary its own risk profile with localized visibility into controls, vulnerabilities, and financial exposure, while rolling all of that data into a unified portfolio view for parent-level decision-makers. Ongoing monitoring replaces point-in-time audits, and quantified loss modeling expresses risk in dollars rather than color-coded heat maps.

Why single-entity tools fall short

Most cybersecurity platforms are designed around a single organizational boundary. They assess one company’s controls, model one company’s risk, and generate one company’s reports. That works fine for standalone businesses. But for a private equity firm overseeing 15 portfolio companies, or a global manufacturer with regional operations on four continents, single-entity tooling creates three persistent problems.

There’s no aggregated view. Parent-level leaders — CFOs, risk managers, board members — can’t see which entities carry the most financial exposure without manually stitching together data from disparate sources. Manual assessments are too slow: by the time a spreadsheet-based review is complete, operational demands have already forced the organization to absorb unknown risks. And security teams lack the ability to quantify risk in financial terms that translate across subsidiaries, making it difficult to justify investments or communicate meaningfully to leadership.

What portfolio-level multi-entity cyber risk management looks like

The practical impact of Arc shows up in the numbers. A multi-sector holding company with over $300 million in revenue used Arc to reduce potential extreme loss by more than $10.4 million in 2025 by enacting controls across three portfolio companies based on Cyber Action Plan recommendations. The company maintained 97–100% risk profile completion across the portfolio, giving the parent risk manager consistent, data-driven visibility for the first time.

A global manufacturing firm with more than $2 billion in revenue saw similar results. After a ransomware incident exposed the limitations of annual MSSP audits, the company adopted Arc to unify assessment across its regional operations. The result was a 50% reduction in annual security planning time and $3 million in mitigated potential extreme loss through targeted controls, including enhanced MFA and malware scanning for backup systems.

The operational case for ongoing assessment

Beyond risk reduction, continuous multi-entity assessment addresses a problem that security leaders at complex organizations know well: the sheer amount of time consumed by manual processes. Arc saves an average of 130 or more hours per entity on security control assessments and reduces time spent aggregating roll-up data for board reports by 75%. For organizations with even a modest number of subsidiaries, that adds up to an average cost savings of $900,000 per year on portfolio risk assessment alone.

That efficiency matters for more than the security team’s calendar. When assessment data is continuously updated and expressed in financial terms, security leaders can have a fundamentally different conversation with the C-suite. Instead of presenting technical vulnerability counts, they can walk into the boardroom and explain what the CFO actually cares about: which entities pose the greatest financial threat, where security spend will produce the largest measurable risk reduction, and how the portfolio’s overall exposure is trending over time.

The takeaway for multi-entity leaders

The Change Healthcare breach demonstrated that subsidiary risk is parent risk. For holding companies, PE firms, and diversified enterprises, the ability to see, compare, and act on cyber risk across every entity isn’t a nice-to-have — it is the difference between proactive governance and waiting for a crisis to reveal what you didn’t know. Multi-entity cyber risk management starts with continuous visibility and ends with decisions measured in dollars.