Freshly Funded Startup Grades Fortune 500 on Cyber Risk ‘Credit Scores’

August 11, 2016, 3:47 PM UTC

When insurers are determining whether to cover a house, they typically require an inspector to come do a walkthrough. The checkup helps underwriters assess what level of risk they’re taking on, and to draft policies accordingly.

UpGuard (née ScriptRock), a startup based in Mountain View, Calif., offers the digital equivalent of such evaluations for the cybersecurity market. The company’s tech has two components: One that crawls the public web and appraises an organization’s external digital risk factors (currently free of charge), and a second that searches inside a company to rate the quality of its internal system configurations and software (paid).

The firm then spits out reports and FICO-like “credit scores”—on a scale from zero to 950—representing snapshots of a client’s cyber risk.

UpGuard will announce a $17 million Series B fundraising round on Thursday, Fortune has learned. The round is co-led by new investor Pelion Venture Partners and existing investor Square Peg Capital with participation from Insurance Australia Group and existing investors, including Valar Ventures and August Capital.

“We give people a simple overarching score to communicate risk in a consistent fashion,” says Mike Baukes, co-founder and co-CEO. Baukes started the company with his co-founder, Alan Sharp-Paul, in 2012 after the two had spent years in the financial services industry—predominantly involving compliance governance around M&A activity with large banks—in Australia and the United Kingdom.

“We went to a lot of really bad meetings together and got angry together,” Sharp-Paul puts it bluntly. As the world grew more connected and the breaches became more frequent, “it became progressively harder for companies to trust what they have,” he says. So the pair got to work building a solution.

UpGuard has about 100 customers to date, including ADP, Home Depot (HD), Williams-Sonoma (WSM), Cisco (CSCO), Rackspace (RAX), Allianz, and the New York Stock Exchange. About 15 of those customers have signed up for the company’s “cybersecurity threat assessment reports” in addition to its regular internal assessments.

Christophe Attias, director of operations at Amadeus, a Spanish IT provider for the airline industry, tells Fortune that his company began using UpGuard to help manage and monitor IT system configuration issues in 2014. (The need for such supervision is underscored by Delta’s (DAL) recent days of flight delays and cancellations.) Amadeus is now in talks to start receiving UpGuard’s security-scanning reports.

Garrett Koehn, president at CRC Insurance, one of the largest wholesale insurance brokers in the United States, tells Fortune that he uses the product to get a glimpse of prospective customers’ security postures. “I can ping, like a hacker does, and effectively look for vulnerabilities to webpages,” he says. At a glance, “that allows us to quickly and easily score companies,” he adds.

The cyber insurance market is heating up. Analysts expect it to hit $7.5 billion by 2020, according to PwC. UpGuard’s competitors include BitSight and SecurityScorecard on the security assessment side, and Evolven on the IT configuration side.

Fortune asked UpGuard to crunch some numbers on the companies topping this year’s Fortune 500 list. Here’s what external assessments look like for the leaderboard. (Cyber risk score—from zero to 950—in parentheses; higher is better.)

  1. Wal-Mart (WMT) (783)
  2. Exxon Mobil (XOM) (523)
  3. Apple (AAPL) (877)
  4. Berkshire Hathaway (BRK-A) (228)
  5. McKesson (MCK) (304)
  6. UnitedHealth Group (UNH) (362)
  7. CVS Health (CVS) (339)
  8. General Motors (GM) (439)
  9. Ford Motor (F) (430)
  10. AT&T (T) (689)


The data breach risk scores above are based on about 2,000 publicly available data points, according to a document explaining UpGuard’s methodology, shared with Fortune. These include things like making sure the company encrypts traffic with strong ciphers, uses up-to-date software, has valid certificate authorities, applies phishing protections, and keeps employees happy (as determined through sentiment analysis).

The companies with the best scores on the Fortune 500 are Alphabet (GOOG) (931), UPS (UPS) (929), USAA (USAA) (908), Commercial Metals (CMC) (884), S&P Global (884), and J.P. Morgan Chase (JPM) (881).

UpGuard’s founders stress, unsurprisingly, that the company’s paid internal scans provide an even better indication of a company’s resilience to electronic thievery. The point, says Baukes, is to “understand, discover, and control what you have.”

“And more importantly to fortify it,” he adds.
