Axio, a cybersecurity risk assessment platform, today announced the close of a $23 million Series B led by Temasek’s ISTARI, with participation from investors NFP Ventures, IA Capital Group and former BP CEO Bob Dudley. Axio CEO Scott Kannry tells TechCrunch that the proceeds, which bring New York-based Axio’s total capital raised to $30 million, will go toward product development and engineering teams, supporting go-to-market efforts and expanding into “key geographies.”
Axio was co-founded in 2016 by Kannry and Dave White, who say they were inspired by the difficulties companies often face when making decisions about cybersecurity investments. Kannry led the cyber insurance team for several years at Aon, while White came from Carnegie Mellon and spent most of his career designing cybersecurity frameworks, including a model, C2M2 (Cybersecurity Capability Maturity Model), adopted by the U.S. Department of Energy.
“We’ve seen CEOs and boards of directors struggle with even the looming discussions around cyber risk. At the time, the general view was that cyberspace was fundamentally a technical problem, solved through investment in IT by the people who run IT,” Kannry said in an email interview with TechCrunch. “Now, given the spate of high-profile breaches affecting nearly every sector, industry and size of organization, boards and CEOs are recognizing that cybersecurity is fundamentally a business issue that literally demands to be discussed in financial terms.”
Axio aims to help businesses answer questions such as whether they should invest in cyber controls (e.g. endpoint security) versus cyber insurance, and how much of the budget the security team needs to reduce the likelihood of loss, Kannry said. The product produces reports that quantify cyber risk in financial terms without resorting to scores and technical jargon, allowing departments to input information to generate metrics that show whether a company is improving over time.
Startups like BitSight offer similar products that assess the likelihood of an organization being breached. But Kannry says Axio differentiates itself through a focus on modeling the impact of cyber scenarios. In other words, when assessing risk, Axio is less concerned with probabilities and more with the most severe effects of those scenarios.
Axio recently introduced dynamic scenarios that allow companies to model what-if scenarios to help them understand how to prioritize their security controls. It has also signed strategic partnerships with several major cyber insurers, which Kannry says use Axio’s platform as part of their cyber underwriting processes.
“Our platform allows security leaders to determine their existing security controls, quantify their cyber exposure in dollar terms and stress test their insurance coverage to see if they are adequately covered. [It moves] beyond legacy and compliance-based approaches to cybersecurity to more risk-based models that [look] at cyber security holistically and in the context of costs,” Kannry said. “Over the past two years, we have seen significant growth in security leaders using our platform to assess and quantify their cyber risk. Many of our major energy and critical infrastructure customers, despite spending in some cases millions of dollars annually on cybersecurity controls, have begun to critically evaluate their cyber programs as a result of high-profile attacks such as SolarWinds and the ransomware-related shutdown of Colonial Pipeline. At the same time, cyber insurers and reinsurers have asked us to provide deeper, quantified risk visibility to support their underwriting teams.”
It is certainly true that there is pressure on businesses, especially public ones, to better manage cyber risk. Earlier this year, the US Securities and Exchange Commission proposed new reporting rules that address cybersecurity positions and policies for all publicly traded companies. Although not formally adopted, the proposed requirements include periodic updates on previously disclosed cybersecurity incidents and disclosure of management’s role in mitigating risk and implementing cybersecurity procedures.
Meanwhile, certain forms of cyberattacks are becoming common. According to cybersecurity firm Sophos’ 2022 report, 66% of organizations were affected by ransomware attacks last year, up from just 37% in 2020.
Driven by this pressure, Gartner predicts that 40% of all public boards will have dedicated cybersecurity committees by 2025.
“Despite significant increases in cyber security spending in recent years, cyber threats continue to pose significant challenges for companies in every sector, particularly for critical infrastructure operators who have historically been at the heart of our customer base,” added Kannry. “The rise of state-sponsored cyberattacks, geopolitical instability and ‘ransomware-as-a-service’ have demonstrated the vulnerability of the critical infrastructure sector to attacks… The pandemic [also] has changed the cyber risk landscape for our clients, particularly in the critical infrastructure sector. Companies moved away, enabling remote access for employees and systems, and introducing a range of new technologies and collaboration tools that introduced additional attack vectors.”
The cybersecurity industry, once a VC darling, has been hit by cutbacks lately, as macroeconomic factors take their toll. But Kannry says Axio has had no trouble securing customers at all, with a customer base that now numbers more than 350 companies, including utilities, oil and gas providers and energy grid trade associations.
Although he declined to disclose financials, Kannry said he was “very pleased” with the round size and terms of the deal, which he expects will allow Axio to double the size of its 35-person team by the end of the year. “We have an aggressive product roadmap through 2023,” he said. “[We’ll] use funds in part to accelerate investments in our artificial intelligence, machine learning and data science teams to add deeper automation capabilities.”