Cyber Risk Auditor Raises $20M Amid ‘Viral’ Customer Growth
CyberGRX believes it has solved a security problem that has long vexed many companies: How to ensure that third-party suppliers don’t provide a way for hackers to attack their networks? As Target can attest, these vendors—such as point-of-sale companies or caterers—can amount to a soft underbelly of a corporate network.
The solution is to create a clearinghouse for cyber-risk in which a third party, CyberGRX, vets the suppliers and confirms they are taking the right steps to keep hackers away. CyberGRX’s clearinghouse model, which is being used by the likes of private equity firm Blackstone and insurer Aetna, also saves chief security officers from spending hundreds of hours vetting individual vendors.
CyberGRX, which launched publicly in March, announced Tuesday it has raised a $20 million Series B round, led by Bessemer Venture Partners, and joined by other initial investors, including Aetna Ventures, Allegis Capital, ClearSky, GV (formerly Google Ventures), MassMutual Ventures, Rally Ventures, and TenEleven Ventures. The company has now raised $29 million in total.
“The adoption rate is very strong—in fact, it’s viral,” David Cowan of Bessemer told Fortune. “We have more customers than we can serve—there are already 10,000 vendors cached within our system.”
The way the approach works is that customers who wish to use the clearinghouse complete an initial questionnaire about their cyber risks. CyberGRX then maintains the risk profiles and updates them every quarter. Companies that require extra assurances in specific areas can request CyberGRX to conduct additional vetting, though Cowan says few have needed to do this so far.
Get Data Sheet, Fortune’s technology newsletter.
The process can spare chief security officers from the tedious task of auditing dozens or hundreds of vendors to ensure they follow proper cyber-hygiene. Meanwhile, it ensures vendors do not have to prove their security competence over and over to each new customer—they can simply show they have been vetted by CyberGRX.
“There was such a gross inefficiency in the market—simply doing an audit once and making it available to everyone yields huge benefits, especially in cost,” said Cowan. “Anytime you take a manual industry and digitize it, you get enormous benefits re analytics and information.”
It’s too soon to say, of course, whether CyberGRX will achieve the goal of its investors, who believe it will become akin to a ratings agency like S&P or Moody’s, but for cyber-risk. It’s possible many enterprises will be reluctant to rely on a third party for such critical risk assessment, while a failure by CyberGRX to properly vet a vendor could undermine confidence in the platform.
But so far, CyberGRX’s clearinghouse concept appears to be going strong, aided by its original design partners, who also included ADP and MassMutual, in addition to Blackstone and Aetna.
Finally, the service could get a boost thanks to a push by federal and state regulators for companies to tighten up their cyber-security game. In Colorado, for instance, financial regulators are getting ready to impose new cyber-security measures on broker-dealers and investment advisers.