Axio, a platform for cybersecurity risk evaluation, today announced the closure of a $23 million Series B round led by Temasek’s ISTARI, with participation from investors NFP Ventures, IA Capital Group and former BP CEO Bob Dudley. Axio CEO Scott Kannry tells TechCrunch that the proceeds — which bring New York–based Axio’s total capital raised to $30 million — will be put toward product and engineering team development and supporting go-to-market functions and expanding across “key geographies.”
Axio was co-founded in 2016 by Kannry and Dave White, who say they were inspired by the difficulty companies often have making decisions around cybersecurity investments. Kannry led the cyber insurance team for several years at Aon, while Dave came from Carnegie Mellon and spent the bulk of his career architecting cybersecurity frameworks, including a model — C2M2 (Cybersecurity Capability Maturity Model) — adopted by the U.S. Department of Energy.
“We saw how CEOs and boards of directors struggled with even approaching discussions around cyber risk. At that time, the common view was that cyber was fundamentally a technical problem, solved through investments in IT by the people who run IT,” Kannry said in an email interview with TechCrunch. “Now, given the wave of high-profile breaches affecting virtually every sector, industry and size of organization, boards and CEOs recognize that cybersecurity is fundamentally a business problem, which literally requires the discussion of it in financial terms.”
Axio aims to help businesses answer questions like whether they should invest in cyber controls (e.g., endpoint security) versus cyber insurance and how much of a budget a security team needs to reduce the likelihood of a loss, Kannry said. The product produces reports that quantify cyber risk in financial terms without resorting to scores and technical jargon, allowing departments to input information to generate metrics showing how a company is — or isn’t — improving over time.
Startups like BitSight offer similar products that assess the likelihood an organization will be breached. But Kannry says that Axio differentiates through a focus on modeling the impact of cyber scenarios. In other words, Axio worries less about probabilities when evaluating risk and more about their severest effects.
Axio recently introduced dynamic scenarios that let companies model “what if” scenarios to help them understand how to prioritize their security controls. It also inked strategic partnerships with several large cyber insurers, which Kannry says leverage Axio’s platform as part of their cyber insurance underwriting processes.
“Our platform allows security leaders to baseline their existing security controls, quantify their cyber exposure in dollars and stress-test their insurance coverage to understand if they are sufficiently covered. [It moves] beyond legacy and compliance-driven approaches to cybersecurity to more risk-based models that [look] at cybersecurity holistically and in the context of spending,” Kannry said. “Over the past two years, we’ve seen significant uptick in security leaders leveraging our platform to assess and quantify their cyber risk. Many of our core customers in energy and critical infrastructure, despite spending in some cases millions of dollars per year in cybersecurity controls, began to critically evaluate their cyber programs in the wake of high-profile attacks like SolarWinds and the ransomware-related shutdown of Colonial Pipeline. At the same time, cyber insurers and reinsurers have asked us to provide deeper, quantified risk visibility to support their underwriting teams.”
It’s certainly true that there’s pressure on businesses, particularly public ones, to better manage cyber risk. Earlier this year, the U.S. Securities and Exchange Commission proposed new reporting rules that pertain to cybersecurity postures and policies for all publicly traded companies. While they haven’t been formally adopted, the suggested requirements include periodic updates about previously revealed cybersecurity incidents and disclosures of management’s role in mitigating risk and implementing cybersecurity procedures.