Axio raises $23M to help companies quantify cyber risk – Meczyki.Net

Axio, a platform for cybersecurity risk assessment, today announced the close of a $23 million Series B round led by Temasek’s ISTARI, with participation from investors NFP Ventures, IA Capital Group and former BP CEO Bob Dudley. Axio CEO Scott Kannery told Meczyki.Net that the proceeds, which raise New York-based Axio’s total capital to $30 million, will be used to support product and engineering team development and go-to-market operations, and to expand into “key geographies.”

Axio was co-founded in 2016 by Kannery and Dave White, who say they were inspired by the difficulty companies often have making decisions around cybersecurity investments. Kannery led the cyber insurance team at Aon for several years, while White came from Carnegie Mellon and spent a big chunk of his career building cybersecurity frameworks, including the C2M2 (Cybersecurity Capability Maturity Model), the model adopted by the US Department of Energy.

“We saw how CEOs and boards of directors struggled to even discuss cyber risk. At the time, the general opinion was that cyber was fundamentally a technical problem, which should be addressed by the people who run IT through investments in IT. Now, given the wave of high-profile breaches affecting nearly every sector, industry and size of organization, the board and CEO believe that cyber security is fundamentally a business problem that requires discussion of it financially.”

Axio aims to help businesses answer questions such as whether they should invest in cyber controls (e.g., endpoint security) versus cyber insurance and how much a security team should budget to reduce the potential for loss, Kannery said. The product produces reports that score and quantify cyber risk in financial terms without resorting to technical jargon, allowing departments to input information to generate metrics about how a company is, or is not, improving over time.

Startups like BitSight offer similar products that assess the likelihood of an organization being dissolved. But Kannery says Axio sets itself apart by focusing on modeling the impact of cyber scenarios. In other words, Axio worries less about possibilities and more about their dire implications when evaluating risk.

Axio recently introduced Dynamic Scenarios that let companies model “what if” scenarios to help them understand how to prioritize their security controls. It also forged strategic partnerships with several large cyber insurers who, Kannery says, leverage Axio’s platform as part of their cyber insurance underwriting processes.

“Our platform allows security leaders to stress-test their insurance coverage, to baseline their existing security controls, to quantify their cyber risk in dollars, and to understand whether they are adequately covered. [It moves toward] a more risk-based model for cybersecurity that goes beyond legacy and compliance-driven approaches [to look at] cybersecurity as a whole and in terms of spending,” said Kannery. “Over the past two years, we have seen a significant increase in security leaders leveraging our platform to assess and quantify their cyber risk. Many of our core customers in energy and critical infrastructure, despite spending millions of dollars per year in some cases in cybersecurity controls, have begun to critically evaluate their cyber programs in the wake of high-profile attacks like SolarWinds and Colonial Pipeline’s ransomware-related shutdown. Also, cyber insurers and reinsurers have asked us to provide in-depth, quantifiable risk visibility to support their underwriting teams.”

It is certainly true that there is pressure on businesses, especially public ones, to better manage cyber risk. Earlier this year, the US Securities and Exchange Commission proposed new reporting rules that relate to cybersecurity currencies and policies for all publicly traded companies. Although they have not been formally adopted, the suggested requirements include periodic updates about cyber security incidents that have already occurred and disclosures of management’s role in mitigating risks and implementing cyber security procedures.

Meanwhile, some forms of cyberattacks are becoming more common. According to a 2022 report by cybersecurity firm Sophos, 66% of organizations were affected by ransomware attacks last year, up from just 37% in 2020.

Inspired by these pressures, Gartner forecasts that by 2025, 40% of all public boards will have dedicated cyber security committees.

“Despite significant increases in cybersecurity spending in recent years, cyber threats continue to pose significant challenges for companies in every sector, particularly for critical infrastructure operators, who have historically been the center of our customer base,” Kannery said. “State-sponsored cyberattacks, geopolitical instability and the rise of ‘ransomware-as-a-service’ have all demonstrated the vulnerability of critical infrastructure sector attacks… [also] transformed the cyber risk landscape for our clients, especially in the critical infrastructure sector. Companies were moving away, enabling remote access for employees and systems and introducing a range of new technologies and collaboration tools that were introducing additional attack vectors.”

The cybersecurity industry, once a VC darling, has been hit by layoffs recently as macroeconomic factors take their toll. But Kannery says Axio has had no trouble keeping customers safe, with a customer base that now totals more than 350 companies, including utilities, oil and gas providers and energy grid trade associations.

Although he declined to disclose financial information, Kannery said he was “very pleased” with the round size and the terms of the deal, which he expects will allow Axio to double the size of its 35-person team by the end of the year. “We have an aggressive product roadmap in 2023,” he said. “[We’ll be] using the funding partly to accelerate investments in our AI, machine learning and data science teams to add deeper automation capabilities.”