CyberGRX, the world’s largest third-party cyber risk exchange, announced today that it raised $40 million, bringing its total financing to more than $100 million.
Third-party data breaches have been making headlines for years. In 2013, the debit and credit card information of more than 70 million Target customers was stolen when a third-party vendor’s login credentials were hacked, resulting in an $18.5 million multi-state settlement — the largest ever for a data breach. More recently, Marriott International was hacked through the IT company that managed its Starwood guest reservation database. As many as half a billion people’s addresses, credit card details and passport numbers were stolen.
Fred Kneip, the CEO of CyberGRX, explained that these kinds of attacks are so common because large companies like Target and Marriott are usually pretty secure, so hackers will go through less protected third parties to get the information they want.
CyberGRX was created to help these companies make educated decisions about which third parties they want to work with.
“We focus really on helping people understand that ecosystem of third parties. What are the ones they should be paying attention to? What’s the risk associated with them and how do they manage that over time?” Kneip said. “It’s really a platform to help people address that exposure and make informed, risk-based decisions around who they partner with.”
The exchange automates and centralizes what Kneip describes as a “ridiculously repetitive and outdated process.” Before CyberGRX, companies would send third parties an Excel spreadsheet with anywhere from 10 to 1,000 questions about their security policies. Someone at that third party would have to answer essentially the same questions every time someone asked about their company.
“The example I often use is ADP, the payroll company. Their security was assessed 4,500 times last year, which means someone had to respond to 4,500 independent requests for review of their program,” Kneip said. “That’s a massive waste.”
CyberGRX streamlines this process by collecting the necessary info about these third parties and housing that data on its exchange, where it is visible to its customers. So, instead of sharing the same information 4,500 times, a third party can simply refer a company to the information CyberGRX has gathered.
Kneip says the typical Fortune 500 company works with 10,000 third parties — that’s 10,000 windows potential hackers can climb through to gather some of our most sensitive data. And these vulnerabilities aren’t going away any time soon. Risk Based Security published a report earlier this year finding that the number of reported breaches has increased by 54 percent and the number of exposed records was up by 52 percent, deeming 2019 the “worst year on record for breach activity.”
That means companies like CyberGRX will be even more important going forward. Kneip says this recent funding means the company can expand its sales, product development and engineering teams to better meet the demands of its customers.
The Denver-based company is also using the money to help grow its presence both in its home city and beyond. Kneip says they are in the midst of building offices in the United Kingdom and Australia.
Through this growth, Kneip hopes CyberGRX can continue enabling its customers to grow securely.
“If you are a company that has any kind of sensitive information, you need to be aware of your third parties,” Kneip said. “We’re really empowering companies to manage that ecosystem for the first time.”