Axio receives $23M to aid businesses in calculating their cyber risk.
Cybersecurity risk assessment platform Axio has announced the completion of a $23 million Series B investment, which was led by Temasek’s ISTARI and included investors NFP Ventures, IA Capital Group, and former BP CEO Bob Dudley. Axio CEO Scott Kannry tells TechCrunch that the funds would be used to develop the company’s product and engineering staff, support go-to-market operations, and expand across “important geographies,” bringing the total amount of funding obtained by the New York-based company to $30 million.
Kannry and Dave White, co-founders of Axio, claim they were motivated by the frequent challenges businesses encounter when making judgments about cybersecurity investments. While Dave came from Carnegie Mellon and spent the most of his career architecting cybersecurity frameworks, including a model — C2M2 (Cybersecurity Capability Maturity Model) — accepted by the U.S. Department of Energy, Kannry managed the cyber insurance team at Aon for several years.
“We observed how difficult it was for CEOs and boards of directors to begin talking about cyber risk. In those days, it was widely believed that cybercrime was primarily a technological issue that could be resolved by investments made in IT by those in charge of running IT, according to Kannry, who spoke with TechCrunch through email. “Boards and CEOs now acknowledge that cybersecurity is fundamentally a business problem, which literally needs the discussion of it in financial terms,” according to the article. “This is due to the flood of high-profile breaches affecting practically every sector, industry, and size of organisation.”
According to Kannry, Axio wants to assist businesses in deciding whether to invest in cyber controls (such as endpoint security) as opposed to cyber insurance and how much of a budget a security team needs to limit the possibility of a loss. With the help of departments entering data, the programme generates reports that measure cyber risk in financial terms without the use of scores or technical language. These reports demonstrate whether or not a firm is improving over time.
Similar products that determine the likelihood that an organisation may be compromised are offered by startups like BitSight. Kannry claims that Axio distinguishes itself by concentrating on modelling the effects of cyber situations. In other words, when assessing risk, Axio is more concerned with the worst possible outcomes than with probability.
Dynamic scenarios, which Axio just developed, allow businesses to simulate “what if” scenarios to better understand how to prioritise their security policies. Additionally, it entered into strategic alliances with a number of sizable cyber insurers, which, according to Kannry, use Axio’s platform in the course of their cyber insurance underwriting procedures.
“With the help of our platform, security leaders can benchmark their current security measures, evaluate their financial cyber exposure, and stress-test their insurance coverage to see whether they are adequately protected. When compared to more risk-based models that “look at cybersecurity holistically and in the context of spending,” Kannry added, it “moves beyond traditional and compliance-driven approaches to cybersecurity.” “In the past two years, there has been a noticeable increase in the number of security leaders using our platform to evaluate and quantify their cyber risk. In spite of spending in some cases millions of dollars annually on cybersecurity controls, many of our key clients in the energy and critical infrastructure sector started to critically assess their cyber programmes in the wake of high-profile attacks like SolarWinds and the Colonial Pipeline shutdown caused by ransomware.
There is definitely pressure on companies, especially public ones, to properly manage cyber risk. The U.S. Securities and Exchange Commission earlier this year recommended new reporting guidelines for all publicly traded corporations that deal with cybersecurity postures and policies. The suggested measures, which have not yet been legally implemented, include regular updates about previously disclosed cybersecurity incidents and disclosures of management’s involvement in risk mitigation and cybersecurity process implementation.
