BitSight Technologies is restocking its war chest to try and win the emerging market for cybersecurity ratings.
Today the Cambridge, MA-based tech company announced it raised $60 million in a Series D funding round led by Warburg Pincus, the global private equity firm that has backed the likes of CrowdStrike in cybersecurity, DBRS in credit ratings, and Reorg Research in information services—three sectors that relate to BitSight’s business, CEO Tom Turner points out.
The Series D round included investments from previous BitSight backers Menlo Ventures, GGV Capital, and Singtel Innov8. The new funding brings BitSight’s total venture capital haul to $155 million, with almost $100 million of that cash still in the bank, Turner says.
“Our vision for BitSight is there needs to be a company like us delivering [security] ratings to the market that is strong, standalone, and independent,” Turner says in a phone interview. “Having this kind of capital behind us, with an investor like Warburg Pincus, helps us … continue to scale, which we have been doing rapidly, and also to be able to make the right kind of investments.”
Founded in 2011, BitSight was a pioneer in the field of security ratings, which provide independent assessments of the strength of companies’ and organizations’ cyber defenses. BitSight’s software culls publicly accessible data to produce a security rating, akin to a financial credit score, for around 125,000 companies and organizations, Turner says. The numerical score—which ranges from 250 to 900—can be used to vet potential acquisition targets; monitor the risk of a breach of data shared with vendors and partners; shape the terms of cybersecurity insurance policies; help with internal evaluations of security policies; and more.
BitSight has also created a software platform through which customers can monitor security risks among their network of suppliers and service providers (a payments processor, say)—and the risk profiles of the suppliers to their suppliers, Turner has said. The vendors can also go on the platform and provide more context about their security operations, even if they’re not a BitSight customer.
There are signs the security ratings industry is starting to mature. For one, competition is increasing.
BitSight’s rivals include New York-based SecurityScorecard, which got started five years ago and has raised at least $62.1 million from Moody’s, Intel Capital, Sequoia Capital, GV (Google’s venture capital arm), and other investors. There’s also three-year-old RiskRecon, which has offices in Salt Lake City, UT, and Boston, and has raised at least $15 million from Dell Technologies Capital, General Catalyst Partners, and F-Prime Capital Partners.
Other companies have added security assessments to expand their products and services. Proficio, a Carlsbad, CA-based cybersecurity company, entered the fray this month with a new risk-scoring system that assesses its customers’ network security controls. And San Jose, CA-based FICO—an industry leader in measuring and understanding consumer credit risk—added business security scores to its offerings with the acquisition of University of Michigan spinout QuadMetrics two years ago.
They’re all betting that a strong security rating will become as important to businesses as a healthy credit score. Outside observers agree: a 2017 report from Gartner, the research and advisory firm, projected security ratings will become a standard business tool by 2022.
Turner points to a few trends driving interest in such risk assessments. A barrage of data breaches and other cyber attacks on businesses in recent years has made cybersecurity an urgent discussion in board rooms, not just IT departments. That has helped spur another subsector of cybersecurity: cyber insurance policies, the terms of which can be enhanced with better data about security risk. Meanwhile, businesses are responding to new regulations around the world that pertain to cybersecurity, Turner says.
“The market is still relatively early-stage, but I think the total available market is going to be very, very big,” Turner says.
He declined to share BitSight’s revenue figures, but he says it has more than 1,200 paying customers worldwide. “We had 11 when I joined the company four years ago,” Turner says.
More than 60 percent of BitSight’s revenue comes from North America, and it has more than 250 customers in Europe and a “smaller customer footprint” in the Asia-Pacific region, Turner says. BitSight’s cash reserves will be used, in part, to continue expanding internationally, he says. The company will also grow its team from 350 employees to around 400 this year, he adds.
“We’re not trying to be profitable” at this stage, Turner says. “We’re certainly investing in the market and the growth of the company, but doing it in a capital-efficient way.”
Turner says the goal is to take BitSight public, and he thinks the latest venture capital infusion should be enough to fund the company until it’s ready for an initial public stock offering. “I’m not going to make the mistake … of setting timelines,” he says, before adding that an IPO won’t happen in the next two years.
“I think there’s no reason for us to think about an acquisition,” Turner continues. “It’s hard to imagine [an acquirer] that—while many companies will be interested in a ratings organization—that you’d still be able to maintain your independence and provide the key objectivity that companies want in the marketplace when they think about security performance.”
Translation, for any smart startup: If the price is right, BitSight would probably sell before going public. But we’ll see how things play out.
