Privitar Acquires Regulatory Intelligence Provider KormoonKormoon and Privitar Will Team Up to Reduce the Cost and Risk Related to Compliance
A growing thicket of privacy laws presents a challenge for companies that straddle jurisdictions: What's an acceptable use in one territory might be prohibited in another.
British firm Privitar says its acquisition of regulatory intelligence provider Kormoon - they're both located in central London - presents a way to help customers comply with the complex and evolving array of rules, regulations and laws that govern data usage in different parts of the world.
The company plans to use Kormoon's codified repository of data privacy rules across 46 jurisdictions globally to inform and automate policies on Privitar's data provisioning platform, says co-founder and CEO Jason du Preez. Customers are constantly demanding more automation on Privitar's platform, and building what Kormoon already has would have taken years, he says.
"We wanted to essentially own the strategic asset," du Preez tells Information Security Media Group. "Kormoon will be a strategic piece and a core part of our value proposition."
This is the first of what du Preez expects to be many deals as the data intelligence space consolidates.
A Six-Figure Burden
It typically costs organizations between $5,000 and $10,000 to understand and comply with the different data usage requirements in each jurisdiction, meaning that an organization in 10 jurisdictions could end up spending as much as $100,000 on data compliance, says Kormoon founder Paul McCormack.
Terms of the acquisition, which closed last week, weren't disclosed. All of Kormoon's nearly 20 employees will join Privitar, with McCormack continuing to lead the team and drive collaboration between the two business units. Both Privitar and Kormoon serve primarily European and North American enterprises in highly regulated industries such as financial services, healthcare and insurance.
"We could see that there was a bigger picture and a bigger story that we were able to integrate into," McCormack tells ISMG. "For us, it was seeing the broader vision of enabling customers to use data safely, ethically, in a compliant manner, and going faster with using data."
Du Preez expects by April to be taking Kormoon's regulatory intelligence and using it to automatically drive the creation of data use policies within Privitar's data provisioning platform. This means that regulatory changes across dozens of jurisdictions globally will be captured, alerted and automatically flow through to relevant policies within the Privitar platform, according to du Preez.
McCormack plans to spend the next several months working to ensure that what Kormoon's product is telling customers they need to do to adhere to data compliance requirements is actually reflected in Privitar's policies. The integration process will also address the mechanics of how the different products look and feel from a user experience standpoint as well as the taxonomies used to describe data.
What the Deal Means for CISOs
In the meantime, du Preez plans to make Kormoon's regulatory intelligence available to people in the Privitar platform so that it's more seamless for them to incorporate Kormoon's intelligence into their decision-making process. Du Preez expects this initial step will take place before the end of 2022. He isn't sure whether Kormoon's product will continue to be sold on a stand-alone basis in the long run.
Having intelligence automatically flow through to the actual data provisioning process will reduce costs significantly for use cases, projects or plans that require CISO signoff, du Preez says. The joint offering will also provide a full audit trail and complete transparency around how the rules and regulations were interpreted and applied for every single use case and data set that flows through Privitar, du Preez says.
CISOs are key stakeholders in the governance, risk and compliance framework and need to have policies and procedures in place that safeguard information and infrastructure assets, McCormack says. The combined Privitar-Kormoon offering can also help CISOs understand how to more effectively leverage data within their own organizations as well as what they can and cannot do with that data, he says.
From a metrics standpoint, du Preez says he plans to monitor the integration timeline as well as sales that can be attributed to the Kormoon value proposition. Du Preez is hoping Kormoon will help facilitate "land and expand" strategies in which customer opportunities are opened up through the sale of their intelligence product and eventually also encompass Privitar's data provisioning technology.
"The broader, bigger picture was that integration between the two worlds of Kormoon providing the intelligence, the rules, and Privitar automating those rules in terms of enabling usage of data," McCormack says. So for us, it was really seeing that broader value proposition and seeing that we can go faster and more effectively together than separately."