CyberGRX Emerges With $9M to Set Standards for Security Risks

July 14, 2016 | Deborah Gage

One of the hardest places for companies to protect from cyberattacks is the holes opened by companies closest to them—their partners, customers and vendors.

The most famous case may be Target Corp., which lost data on 40 million debit and credit accounts along with personal information for as many as 70 million customers after hackers penetrated its network in 2013 by stealing the credentials of a Target refrigeration contractor.

Target’s chief executive and its chief information officer resigned, and a proxy adviser, Institutional Shareholder Services, urged that seven of Target’s 10 board members be ousted for failing to protect the company.

In an effort to avoid similar problems and to set an industry standard for assessing security risks, venture capitalists and several large companies—some named and some not—have banded together to form CyberGRX, a startup that has been in the works for more than 18 months. GRX stands for Global Risk Exchange.

The Denver-based company has raised $9 million in a Series A round led by Allegis Capital and includes numerous other investors and advisers.

Some of them—including Aetna Chief Information Security Officer Jim Routh, MassMutual Chief Information Risk Officer Sri Dronamraju and Blackstone Chief Information Security Officer Jay Leek—are helping CyberGRX design a software platform and business processes that will guide companies in assessing their own security risks and the risks of their partners.

“If you’re shopping for a home, you can go to Zillow and there are countless homes, but you’re probably going to hire a home inspector to look at the piping and make sure there are no foundational issues,” said Chief Executive Fred Kneip, who previously headed security for the investment management firm Bridgewater Associates. “So let’s understand how you think about the core components of a cybersecurity program and its levels of maturity and effectiveness.”

Allegis Capital founder Bob Ackerman said he has been thinking about the problem since at least 2014 and couldn’t find companies on the market with a comprehensive enough approach. A Blackstone portfolio company, Optiv Security LLC, is also working on CyberGRX because its customers are concerned about third-party security risks, Mr. Ackerman said.

The challenge with current cybersecurity assessments is that they are labor-intensive, expensive and prone to disagreements over what questions should be asked and how they should be phrased, according to CyberGRX’s founders.

Fortune 500 companies generally have thousands of partners and may only evaluate the most important ones, although “you don’t have to be a big partner to represent a significant cyberrisk,” Mr. Ackerman said.

Companies may be loath to admit they have risks. “If it’s self-reported, no one will say I don’t have [a password rotation policy],” said GV General Partner Karim Faris, an investor, although even asking the question can spark a company to get one.

Mr. Faris said CyberGRX’s success will depend on its ability to figure out the most effective set of questions that will work across a wide range of companies and balance those with on-site visits where inspectors know what to home in on.

Mr. Leek said CyberGRX relies on the strength of its relationships with chief information security officers at global companies who are collaborative, understand security risks and agree with CyberGRX’s approach.

CyberGRX expects to release a product in early 2017. Founders say a standard security assessment could provide a foundation for other industries, like cyber insurance.

Investors who participated in the funding include Blackstone, TenEleven Ventures, Rally Ventures, GV (formerly Google Ventures) and MassMutual Ventures along with several individuals and unnamed strategic investors.

Board members include Mr. Ackerman, Mr. Kneip, Mr. Leek, TenEleven Ventures founder Mark Hatfield, ClearSky Power & Technology Fund Managing Director Alex Weiss and Cylance CEO Stuart McClure.

Third-Party Cyber Risk Management Platform Company CyberGRX Closes $9M Series A Funding

July 14, 2016

Allegis Capital Leads Round with Participation from Major Cybersecurity Investors; Platform Being Developed in Close Collaboration with Early Adopters at Leading Institutions

DENVER – July 14, 2016 – CyberGRX, provider of the most comprehensive third-party cyber risk management platform, today announced that it closed $9M in Series A funding led by Allegis Capital, with participation from Blackstone, TenEleven Ventures, Rally Ventures, GV (formerly Google Ventures), MassMutual Ventures and several other strategic investors. The company will use the funding to deliver the CyberGRX platform to market. The platform is developed in partnership with its early adopters, which include chief security and risk officers from Aetna, Blackstone, MassMutual and several other leading institutions across business sectors.

As enterprises’ dependence on their partner ecosystems grows, so does their exposure to breaches from these key vendors, partners and customers. A recent Ponemon Institute report, “Data Risk in the Third-Party Ecosystem,” found that nearly half (49 percent) of all organizations had recently reported that they experienced a data breach caused by a vendor, and nearly three out of four (73 percent) enterprises expect third-party related incidents to increase. And the damage, both in terms of reputation and actual dollars and shareholder value lost, is real. A recent survey of 170 large enterprises by consulting firm Deloitte found that 28 percent of respondents had faced major business disruption due to third-party data breaches, and more than one in four (26 percent) organizations suffered reputational damage as a result. An astounding 87 percent of the enterprises surveyed admitted to “disruptive incidents” with third parties in the last 2-3 years. It is evident that boards, CEOs, business leaders, and risk and security managers need a better way to manage this exploding third-party cyber risk.

Despite this growing need, substantial inefficiencies continue to exist on both sides in the current approach. Enterprises focus the vast majority of their time collecting data, rather than performing risk management and mitigation processes to reduce the residual security risk third parties represent. At the same time, vendors and partners spend too much time, energy and money completing questionnaires and hosting on-site security assessments.

“CyberGRX is built by security practitioners who bring a risk-based perspective to security control assessment,” said Fred Kneip, CEO of CyberGRX. “CyberGRX helps enterprises not only automate and standardize the collection of information, but also prioritize, evaluate and remediate risk. Instead of incrementally improving what people do today, CyberGRX fundamentally changes the way organizations address cyber risk in an increasingly interdependent world.”

Commercially available in early 2017, CyberGRX provides the most comprehensive third-party cyber risk management platform, addressing existing inefficiencies and creating benefit for both enterprises and for their partners and vendors. Through its innovative design, automation and advanced analytics, the CyberGRX platform enables enterprises to cost-effectively and collaboratively identify, assess, mitigate and monitor an enterprise’s cyber risk exposure across its entire vendor, partner and customer ecosystem.

About CyberGRX

CyberGRX provides the most comprehensive third-party cyber risk management platform to cost-effectively identify, assess, mitigate and monitor an enterprise’s risk exposure across its entire partner ecosystem. Through automation and advanced analytics, the CyberGRX solution enables enterprises to collaboratively mitigate threats presented from their increasing interdependency on vendors, partners and customers. CyberGRX is based in Denver, CO with offices in McLean, VA. For more information, visit www.cybergrx.com or follow @CyberGRX1 on Twitter.

Contact:
Ted Weismann
fama PR for CyberGRX
(617) 986-5009
CyberGRX@famapr.com