14 Jul WSJ | CyberGRX Emerges With $9M to Set Standards for Security Risks
By Deborah Gage | July 14, 2016 7:30 a.m. ET
One of the hardest places for companies to protect from cyberattacks is the holes opened by companies closest to them—their partners, customers and vendors.
The most famous case may be Target Corp., which lost data on 40 million debit and credit accounts along with personal information for as many as 70 million customers after hackers penetrated its network in 2013 by stealing the credentials of a Target refrigeration contractor.
Target’s chief executive and its chief information officer resigned, and a proxy adviser, Institutional Shareholder Services, urged that seven of Target’s 10 board members be ousted for failing to protect the company.
In an effort to avoid similar problems and to set an industry standard for assessing security risks, venture capitalists and several large companies—some named and some not—have banded together to form CyberGRX, a startup that has been in the works for more than 18 months. GRX stands for Global Risk Exchange.
The Denver-based company has raised $9 million in a Series A round led by Allegis Capital and includes numerous other investors and advisers.
Some of them—including Aetna Chief Information Security Officer Jim Routh, MassMutual Chief Information Risk Officer Sri Dronamraju and Blackstone Chief Information Security Officer Jay Leek—are helping CyberGRX design a software platform and business processes that will guide companies in assessing their own security risks and the risks of their partners.
“If you’re shopping for a home, you can go to Zillow and there are countless homes, but you’re probably going to hire a home inspector to look at the piping and make sure there are no foundational issues,” said Chief Executive Fred Kneip, who previously headed security for the investment management firm Bridgewater Associates. “So let’s understand how you think about the core components of a cybersecurity program and its levels of maturity and effectiveness.”
Allegis Capital founder Bob Ackerman said he has been thinking about the problem since at least 2014 and couldn’t find companies on the market with a comprehensive enough approach. A Blackstone portfolio company, Optiv Security LLC, is also working on CyberGRX because its customers are concerned about third-party security risks, Mr. Ackerman said.
The challenge with current cybersecurity assessments is that they are labor-intensive, expensive and prone to disagreements over what questions should be asked and how they should be phrased, according to CyberGRX’s founders.
Photo: CyberGRX’s Fred Kneip.
Fortune 500 companies generally have thousands of partners and may only evaluate the most important ones, although “you don’t have to be a big partner to represent a significant cyberrisk,” Mr. Ackerman said.
Companies may be loath to admit they have risks. “If it’s self-reported, no one will say I don’t have [a password rotation policy],” said GV General Partner Karim Faris, an investor, although even asking the question can spark a company to get one.
Mr. Faris said CyberGRX’s success will depend on its ability to figure out the most effective set of questions that will work across a wide range of companies and balance those with on-site visits where inspectors know what to home in on.
Mr. Leek said CyberGRX relies on the strength of its relationships with chief information security officers at global companies who are collaborative, understand security risks and agree with CyberGRX’s approach.
CyberGRX expects to release a product in early 2017. Founders say a standard security assessment could provide a foundation for other industries, like cyber insurance.
Investors who participated in the funding include Blackstone, TenEleven Ventures, Rally Ventures, GV (formerly Google Ventures) and MassMutual Ventures along with several individuals and unnamed strategic investors.
Board members include Mr. Ackerman, Mr. Kneip, Mr. Leek, TenEleven Ventures founder Mark Hatfield, ClearSky Power & Technology Fund Managing Director Alex Weiss and Cylance CEO Stuart McClure.
Find more @