Investors drop $20M on startup CyberGRX’s platform for auditing supply-chain cyber risks
Silicon Valley venture capitalists are betting $20 million on a cybersecurity startup that launched in March and is staffed with former NSA and CIA talent.
Denver-based CyberGRX on Tuesday announced it had successfully raised funding to help develop and expand its main product, a software tool that is used to gauge security risks associated with a wide array of different third-party vendors.
“As enterprises’ dependence on their partner ecosystems grows, so does their exposure to breaches from these key vendors, partners and customers,” explained CyberGRX CEO Fred Kneip, “the combination of outsourcing, globalization and the digitization of business has created new security and resiliency risks that many businesses are just starting to address [and understand].”
Founded by former Blackstone executives, CyberGRX describes its platform — called the “third party global cyber risk exchange” — as a sort of rating agency like Standard & Poor’s or Moody’s.
CyberGRX has now raised $29 million total. Investors include Bessemer Venture Partners, Aetna Ventures, Allegis Capital, ClearSky, Google Ventures, MassMutual Ventures, Rally Ventures and TenEleven Ventures.
Security vulnerabilities in software and hardware products sold by third-party vendors have allowed hackers to execute some of the most infamous data breaches in recent years, including incidents at Target and Home Depot. Examples of third-party vendors include point-of-sale companies, which are commonly integrated into a business’ larger internet network.
“Our main competitor is a company’s cobbled together processes of shared spreadsheets, services and GRC tools. We do not compete with companies that provide scanning tools to derive a security score from the outside, as the CyberGRX platform provides an inside-out view,” said Kneip.
In broad strokes, CyberGRX offers a sort of “Consumer Reports” type service to clients — by working closely with third-party vendors to evaluate and collect intelligence about a range of different products in order to identify potential user concerns.
Dossiers of threat intelligence are built using information from “design partners,” a collage of business partnerships established by CyberGRX’s executive team, and a series of open-source feeds, such as news reports from Thomson Reuters. In this model, most of the assessment data is voluntarily shared by either third-party vendors or via a myriad of CyberGRX member companies.
“The Risk-Assessment-as-a-Service model streamlines and automates processes as a ‘one-stop shop’ for third-party cyber risk management,” described Kneip, “for third parties, the CyberGRX Exchange serves as an easy communication platform, allowing them to be assessed once and use the results across multiple customers and frameworks.”
In 2008, Goldman Sachs attempted to create a similar cyber risk-based assessment framework with Moody’s but the platform never took off.
Security assessment reports for more than 10,000 vendors are available through CyberGRX’s shared database, today, which customers access by paid subscriptions. The database itself is continuously updated as new information is collected and analyzed by an internal team.