BitSight, a provider of security ratings, raises $60M at a valuation of around $600M

As the tech world continues to grapple with how best to deal with the growing issue of malicious hacking and other security breaches, a startup that has developed a ratings system to track how well businesses are faring has raised a large growth round to expand its business. BitSight, which provides an ongoing, changing “risk security posture” of some 1,200 organizations, has raised $60 million in a Series D round led by Warburg Pincus, funding that it will use to expand its risk management solutions — specifically in areas like analytics — and overall business development.

This brings the total raised by BitSight to $155 million. Tom Turner, BitSight’s CEO, said the company was not disclosing its valuation with this round, but he hinted that it was ten times more than the company’s valuation at its Series A. That round, according to figures from PitchBook, was at $60 million post-money, meaning that the company is now valued at around $600 million.

Others in this round include Menlo Ventures, GGV Capital and Singtel Innov8, all previous investors.

Security ratings, if you are relatively unfamiliar with them, are just what they sound like: “an objective, continuous, external measure of an organization’s overall cyber security posture,” in the words of Turner.

At a time when businesses have to integrate with third parties and different divisions in their own operations on a regular basis, these ratings give a security officer the ability to track the relative security of different aspects of the overall operation. “The ratings platform provides them with agility, enabling them to focus their scarce resources to address the biggest risks and conduct data-driven conversations with vendors to enable them to remediate issues quickly, reducing overall risk to the organization,” says Turner. Typical customers include large to mid-sized organizations, and while BitSight doesn’t provide specific names it says the list includes seven of the top 10 cyber insurers, 20 percent of Fortune 500 companies, and three of the top five investment banks, an impressive list.

Others that use these ratings are cyber insurance companies, when devising what kind of rates to charge customers, and also to monitor those customers after they are insured. And they are also used by companies, Turner says, to assess acquisition targets when a company is going through due diligence; or before making investments. The bigger picture is not just to identify security flaws or risks, but to use the data provided by BitSight to work on fixing the problems as well: there are some 100,000 third parties’ services and operations mapped and tracked in its “risk ecosystem.”

It’s a relatively new area of business insight that BitSight credits itself with having devised in 2011 — so in a way it’s not too much of a surprise that it’s the leader in its field. However, there are other competitors that have emerged, such as Security Scorecard, RiskRecon and FICO. 

If you think that “security ratings” sound a little like “credit ratings”, you are not wrong. They are devised, Turner said, “using an approach similar to credit ratings for financial risk,” with external data, user behavior and public disclosures all going into the mix. Scores are calculated on a scale of 250-900, with a higher rating indicating better security performance.

Ironically the fall of the latter has helped the rise of the former, with a security rating now helping to form the overall financial profile of a company, given the high costs of fixing a breach — and the impact that can have on a company’s overall valuation (just ask Verizon and Yahoo). “Following the Equifax breach, 95% of the ratings reports sent to a large financial organization were BitSight’s,” Turner said. Those who are BitSight customers can share their vendors’ security rating free of charge and can invite the vendor into the platform to see the prioritized issues to remediate. “As breaches happen, we see an uptick of vendor access reports.”

It’s the increased risk of security breaches and how BitSight might be able to help manage that, or at least make the risk more apparent to the company and those it works with, that attracted investors in this round.

“With ever-increasing security threats, cybersecurity ratings are becoming an important part of leading companies’ cyber-defense. BitSight created the category and is the leader in the security ratings market, with a proven approach and platform to help customers continuously and effectively monitor cyber risk in their business ecosystem,” said Cary Davis, MD of Warburg Pincus, in a statement. “We believe there is tremendous opportunity for BitSight globally, and we look forward to working with Tom and the rest of the talented management team in the company’s next phase of growth.”

Davis will join BitSight’s board of directors with this round.