Axio, a cybersecurity risk assessment platform, today announced the closing of a $23 million Series B round led by Temasek’s ISTARIS, with participation from investors NFP Ventures, IA Capital Group and former BP CEO Bob Dudley. Axio CEO Scott Kannry tells TechCrunch that the proceeds — bringing New York-based Axio’s total capital to $30 million — will be used to develop products and engineering teams, support go-to-market capabilities and expand into “key regions.”
Axio was co-founded in 2016 by Kannry and Dave White, who say they were inspired by the difficulties companies often face when making cybersecurity investment decisions. Kannry led the cyber insurance team at Aon for several years, while White came from Carnegie Mellon and has spent the majority of his career developing cybersecurity frameworks, including a model – C2M2 (Cybersecurity Capability Maturity Model) – promoted by the US Department of Energy.
“We’ve seen CEOs and boards struggle to even address discussions about cyber risk. At the time, the general view was that cyber was fundamentally a technical problem that would be solved by investing in IT by the people running IT,” Kannry said in an email interview with TechCrunch. “With the wave of high-profile breaches affecting virtually every sector, industry and size of company, boards and CEOs are realizing that cybersecurity is fundamentally a business issue that literally needs to be discussed in financial terms.”
Axio aims to help companies answer questions such as whether they should invest in cyber controls (e.g. endpoint security) or in cyber insurance, and how much budget a security team needs to reduce the likelihood of a loss, Kannry said. The product generates reports that quantify cyber risk in financial terms, without resorting to ratings and technical jargon, allowing departments to input information to generate metrics that show how an organization is improving – or not – over time.
Startups like BitSight offer similar products that assess the likelihood of an organization being hurt. But Kannry says Axio differentiates itself with a focus on modeling the impact of cyber scenarios. In other words, when assessing risk, Axio cares less about probabilities and more about their worst impacts.
Axio recently introduced dynamic scenarios that enable organizations to model “what if” scenarios to understand how to prioritize their security controls. It has also formed strategic partnerships with several major cyber insurers, who use the Axio platform as part of their cyber insurance underwriting processes, according to Kannry.
“Our platform allows security leaders to review their existing security controls, quantify their cyber risk in dollars, and stress test their insurance coverage to understand if they have adequate coverage. [It moves] beyond legacy and compliance-driven approaches to cybersecurity to more risk-based models [that look] at cybersecurity holistically and in the context of spend,” Kannry said. “Over the past two years, we have seen a significant increase in the number of security leaders using our platform to assess and quantify their cyber risk. Many of our core customers in the energy sector and critical infrastructure, while in some cases spending millions of dollars a year on cybersecurity controls, began critically examining their cyber programs after high-profile attacks such as SolarWinds and the ransomware-driven shutdown of Colonial Pipeline. At the same time, cyber insurers and reinsurers have asked us to provide deeper, quantified risk visibility to support their underwriting teams.”
It is certainly true that companies, especially public companies, are under pressure to better manage cyber risk. Earlier this year, the U.S. Securities and Exchange Commission proposed new reporting rules related to cybersecurity postures and policies for all publicly traded companies. While not yet formally adopted, the proposed requirements include regular updates about previously discovered cybersecurity incidents and disclosure of management’s role in mitigating risk and implementing cybersecurity procedures.
Certain forms of cyber attacks are now becoming more common. According to cybersecurity firm Sophos’ 2022 report, 66% of organizations were hit by ransomware attacks in the past year, up from just 37% in 2020.
Spurred on by these pressures, Gartner predicts that by 2025, 40% of all public boards will have dedicated cybersecurity committees.
“Despite significant increases in cybersecurity spending in recent years, cyber threats continue to pose significant challenges for organizations across all industries, particularly for critical infrastructure operators who have historically been the heart of our customer base,” added Kannry. “The rise in state-sponsored cyberattacks, geopolitical instability and ransomware-as-a-service have all demonstrated the vulnerability of the critical infrastructure sector to attack… The pandemic [also] changed the cyber risk landscape for our customers, particularly in the critical infrastructure space. Organizations went remote, enabling remote access for employees and systems, and introduced a range of new collaboration technologies and tools that introduced additional attack vectors.”
The cybersecurity industry, once the VC darling, has recently been hit with layoffs as macroeconomic factors take their toll. But Kannry says Axio has had no trouble attracting customers at all, with a customer base that now totals over 350 companies, including utilities, oil and gas companies, and energy grid trade associations.
While he declined to disclose the financials, Kannry said he was “very pleased” with the round size and contract terms, which he expects will see Axio double the size of its 35-person team by the end of the year. “We have an aggressive product roadmap through 2023,” he said. “[We’ll] use some of the funds to accelerate investments in our AI, machine learning and data science teams to add deeper automation capabilities.”
https://techcrunch.com/2022/08/04/axio-lands-23m-to-help-companies-quantify-cyber-risk/ Axio lands $23M to help companies quantify cyber risk – TechCrunch