Axio, a cybersecurity risk assessment platform, today announced the close of a $23 million Series B round led by Temasek’s ISTARI, with participation from investors NFP Ventures, IA Capital Group and former BP CEO Bob Dudley. Scott Kannry, CEO of Axio, tells MovieUpdates that the proceeds, which bring New York-based Axio’s total capital to $30 million, will be spent developing product and engineering teams and supporting go-to-market functions and expansion into ‘key regions’.
Axio was co-founded in 2016 by Kannry and Dave White, who say they were inspired by the difficulty companies often face when making cybersecurity investment decisions. Kannry led the cyber insurance team at Aon for several years, while White came from Carnegie Mellon and spent most of his career designing cybersecurity frameworks, including a model, C2M2 (Cybersecurity Capability Maturity Model), adopted by the U.S. Department of Energy.
“We saw how CEOs and boards of directors struggled with even approximate discussions of cyber risk. At the time, the common view was that cyber was essentially a technical problem solved by investment in IT by the people who run IT,” Kannry said in an email interview with MovieUpdates. “Now, given the wave of high-profile breaches affecting virtually every sector, industry, and size of organizations, boards and CEOs are recognizing that cybersecurity is essentially a business issue that needs to be literally discussed in financial terms.”
Axio aims to help companies answer questions such as whether they should invest in cyber controls (for example, endpoint security) versus cyber insurance and how much budget a security team needs to reduce the likelihood of loss, Kannry said. The product produces reports that quantify cyber risk in financial terms without resorting to scores and technical jargon, allowing departments to input information to generate metrics showing how a company is improving, or not, over time.
Startups like BitSight offer similar products that estimate the likelihood of an organization being breached. But Kannry says Axio is distinguished by a focus on modeling the impact of cyber scenarios. In other words, Axio is less concerned about probabilities when evaluating risk and more about its most serious effects.
Axio recently introduced dynamic scenarios that allow companies to model “what if” scenarios to help them understand how to prioritize their security controls. It has also signed strategic partnerships with several major cyber insurers, which Kannry says use Axio’s platform as part of their cyber insurance underwriting processes.
“Our platform enables security leaders to baseline their existing security controls, quantify their cyber exposure in dollars, and stress test their insurance coverage to understand if they are adequately covered. [It moves] from legacy and compliance-driven approaches to cybersecurity to more risk-based models that [look] at cybersecurity holistically and in the context of spending,” Kannry said. “Over the past two years, we have seen a significant increase in security leaders using our platform to assess and quantify their cyber risk. Many of our core customers in energy and critical infrastructure, despite spending in some cases millions of dollars a year on cybersecurity audits, began to critically evaluate their cyber programs in the wake of high-profile attacks such as SolarWinds and the ransomware-related shutdown of Colonial Pipeline. At the same time, cyber insurers and reinsurers have asked us to provide deeper, quantified risk visibility to support their underwriting teams.”
It is certainly true that there is pressure on companies, especially public ones, to better manage cyber risks. Earlier this year, the US Securities and Exchange Commission proposed new reporting rules that cover cybersecurity attitudes and policies for all publicly traded companies. While not yet formally adopted, the proposed requirements include periodic updates on previously disclosed cybersecurity incidents and disclosure of management’s role in mitigating risk and implementing cybersecurity procedures.
Meanwhile, certain forms of cyber-attacks are becoming more common. According to cybersecurity firm Sophos’ 2022 report, 66% of organizations were affected by ransomware attacks last year, up from just 37% in 2020.
Spurred on by this pressure, Gartner predicts that 40% of all public administrations will have dedicated cybersecurity committees by 2025.
“Despite the significant increase in cybersecurity spending in recent years, cyber threats continue to pose a major challenge to businesses in every industry, especially critical infrastructure operators, which have traditionally been the heart of our customer base,” added Kannry. “The rise of state-sponsored cyber-attacks, geopolitical instability and ‘ransomware-as-a-service’ have all shown that the critical infrastructure sector is susceptible to attack… The pandemic [also] changed the cyber risk landscape for our clients, especially in the critical infrastructure sector. Companies went remote, enabling remote access for employees and systems, and introduced a range of new technologies and collaboration tools that introduced additional attack vectors.”
The cybersecurity industry, once a VC darling, has been plagued with layoffs lately as macroeconomic factors take their toll. But Kannry says Axio has had no trouble winning customers, with a customer base now of more than 350 companies, including utilities, oil and gas suppliers and energy network industry associations.
Though he declined to disclose financial details, Kannry said he was “very happy” with the round size and deal terms, which he expects will let Axio double the size of its 35-person team by the end of the year. “We have an aggressive product roadmap to 2023,” he said. “[We’ll be] using funds in part to accelerate investments in our AI, machine learning and data science teams to add deeper automation capabilities.”