Axio, a platform for cybersecurity risk evaluation, today announced the closure of a $23 million Series B round led by Temasek’s ISTARI, with participation from investors NFP Ventures, IA Capital Group and former BP CEO Bob Dudley. Axio CEO Scott Kannry tells TechCrunch that the proceeds — which bring New York–based Axio’s total capital raised to $30 million — will be put toward product and engineering team development and supporting go-to-market functions and expanding across “key geographies.”
Axio was co-founded in 2016 by Kannry and Dave White, who say they were inspired by the difficulty companies often have making decisions around cybersecurity investments. Kannry led the cyber insurance team for several years at Aon, while Dave came from Carnegie Mellon and spent the bulk of his career architecting cybersecurity frameworks, including a model — C2M2 (Cybersecurity Capability Maturity Model) — adopted by the U.S. Department of Energy.
“We saw how CEOs and boards of directors struggled with even approaching discussions around cyber risk. At that time, the common view was that cyber was fundamentally a technical problem, solved through investments in IT by the people who run IT,” Kannry said in an email interview with TechCrunch. “Now, given the wave of high-profile breaches affecting virtually every sector, industry and size of organization, boards and CEOs recognize that cybersecurity is fundamentally a business problem, which literally requires the discussion of it in financial terms.”
Axio aims to help businesses answer questions like whether they should invest in cyber controls (e.g., endpoint security) versus cyber insurance and how much of a budget a security team needs to reduce the likelihood of a loss, Kannry said. The product produces reports that quantify cyber risk in financial terms without resorting to scores and technical jargon, allowing departments to input information to generate metrics showing how a company is — or isn’t — improving over time.
Startups like BitSight offer similar products that assess the likelihood an organization will be breached. But Kannry says that Axio differentiates through a focus on modeling the impact of cyber scenarios. In other words, Axio worries less about probabilities when evaluating risk and more about their severest effects.
Axio recently introduced dynamic scenarios that let companies model “what if” scenarios to help them understand how to prioritize their security controls. It also inked strategic partnerships with several large cyber insurers, which Kannry says leverage Axio’s platform as part of their cyber insurance underwriting processes.
“Our platform allows security leaders to baseline their existing security controls, quantify their cyber exposure in dollars and stress-test their insurance coverage to understand if they are sufficiently covered. [It moves] beyond legacy and compliance-driven approaches to cybersecurity to more risk-based models that [look] at cybersecurity holistically and in the context of spending,” Kannry said. “Over the past two years, we’ve seen significant uptick in security leaders leveraging our platform to assess and quantify their cyber risk. Many of our core customers in energy and critical infrastructure, despite spending in some cases millions of dollars per year in cybersecurity controls, began to critically evaluate their cyber programs in the wake of high-profile attacks like SolarWinds and the ransomware-related shutdown of Colonial Pipeline. At the same time, cyber insurers and reinsurers have asked us to provide deeper, quantified risk visibility to support their underwriting teams.”
It’s certainly true that there’s pressure on businesses, particularly public ones, to better manage cyber risk. Earlier this year, the U.S. Securities and Exchange Commission proposed new reporting rules that pertain to cybersecurity postures and policies for all publicly traded companies. While they haven’t been formally adopted, the suggested requirements include periodic updates about previously revealed cybersecurity incidents and disclosures of management’s role in mitigating risk and implementing cybersecurity procedures.
Meanwhile, certain forms of cyberattack are becoming common. According to cybersecurity firm Sophos’s 2022 report, 66% of organizations were hit with ransomware attacks last year, up from just 37% in 2020.
Spurred by these pressures, Gartner predicts that 40% of all public boards will have dedicated cybersecurity committees by 2025.
“Despite significant increases in cybersecurity spending in recent years, cyber threats continue to pose significant challenges for companies across every sector, especially for critical infrastructure operators, who have historically been at the heart of our customer base,” Kannry added. “The rise of state-sponsored cyberattacks, geopolitical instability and ‘ransomware-as-a-service’ have all demonstrated the critical infrastructure sector’s susceptibility to attacks … The pandemic [also] changed the cyber risk landscape for our customers, especially in the critical infrastructure sector. Companies were going remote, enabling remote access for employees and systems and introducing a range of new technologies and collaboration tools that were introducing additional attack vectors.”
The cybersecurity industry, once the VC darling, has been hammered by layoffs recently as macroeconomic factors take their toll. But Kannry says Axio has had no trouble at all securing clients, with a customer base that now totals over 350 companies, including utilities, oil and gas providers and energy grid trade associations.
While he declined to reveal financials, Kannry said that he was “very happy” with the round size and deal terms, which he expects will allow Axio to double the size of its 35-person team by the end of the year. “We have an aggressive product roadmap into 2023,” he said. “[We’ll] be using funds partly to accelerate investments in our AI, machine learning and data science teams to add deeper automation capabilities.”