
BreachRx Gets $6.5 Million to Automate Security Incident Response


A six-year-old company that is building a platform and portfolio of tools aimed at automating organizations’ responses to data breaches and protecting executives from personal liability is getting $6.5 million in seed money and bringing on as an adviser the former chief security officer for Uber, who last year became the face of the legal consequences those in that position can face.

Venture capital firm SYN Ventures, along with seed-stage investor Overline, is putting up the money for the San Francisco company. Tim McKnight, a partner at SYN Ventures and now a board member at BreachRx, said in a statement that implementing the company’s technology “protects companies, shareholders and customers while meeting the increasingly complex and quickly changing needs of regulators globally.”

The company, which has more than 70 customers, plans to use the money to grow its engineering and go-to-market teams.

According to BreachRx, its technology automatically generates incident response plans for cyberattacks and delivers guidance to executives to carry them through every step of the process, including their communications with regulators. Its software-as-a-service (SaaS) platform includes Cyber RegScout, a product released last year that automates the analysis of regulations regarding cybersecurity, privacy, and data protection.

“Integrated privileged communication channels and audit trails ensure compliance with rapidly evolving standards and proactively protect CISOs and executive leadership from personal liability,” BreachRx says on its website.

Protecting the CISO

Such protection is becoming increasingly important to company executives in the wake of the 2022 conviction of former Uber CSO Joe Sullivan for obstructing the Federal Trade Commission (FTC), failing to report a wrongdoing, and participating in what Justice Department prosecutors called a coverup of a 2016 hack into systems of the ride-sharing company, with the bad actors threatening to expose the data of 50 million Uber customers. He was sentenced to three years of probation last year and fined $50,000.

In October, the U.S. Securities and Exchange Commission (SEC) charged software maker SolarWinds and CISO Timothy Brown with fraud and internal control failures in connection with the massive hack in 2020 by a Russia-linked threat group that exposed government and enterprise networks and put a focus on the growing threat of software supply-chain attacks.

The cases and the federal government’s increasing pressure to shift the responsibility for data breaches from users to organizations have sent a chill through executive office suites at a time when the number and sophistication of cyberattacks are increasing.

Doing the Right Thing

“CISOs now find themselves in the spotlight,” cybersecurity firm HolistiCyber wrote last year. “The call to ‘show receipts’ becomes louder, and CISOs need to maintain solid proof of the reasoning for decisions made during a breach. Even when facing pressure from the company or reluctance to disclose, CISOs need to bear in mind that taking steps to cover up cyber attacks, or providing false information to investigators could land them in the hot seat.”

In a February blog post, BreachRx detailed several reasons why business incident response is a key concern for CISOs this year: new regulations, including the SEC’s controversial breach disclosure rules; the personal responsibility being laid on CISOs for breaches, as evidenced by the cases involving Sullivan and Brown; and the expectation of rapid incident reporting not only from regulators but also from cyber-insurance companies, partners, and customers.

“Recent high-profile breaches, new regulations, and the ever-evolving threat landscape lead to an extraordinary eight incidents per day globally in 2023, and have put immense pressure on CISOs to strengthen their security postures,” the company wrote. “Incident response is a key area that clearly should be a major priority for CISOs this year. CISOs, however, need to shift their mindset from the legacy incident response approach to the emerging business incident response paradigm.”

Learning from Experience

Since being sentenced to probation, Sullivan has been speaking at events, doing interviews with media outlets, and consulting with companies and their executives. In an interview with Axios, he said hooking on with BreachRx falls in line with the work he’s been doing. He spoke about a cybersecurity industry where CISOs work in environments that don’t give them the people or money they need to do their jobs, and where they now have to worry about legal actions against them.

“We’re in a broken place,” Sullivan told the news site. “The people who are the most intelligent about how to navigate us out of this are handcuffed by fear because they think the regulators are going to come after them.”

That said, the situation isn’t going to change anytime soon.

“I don’t think the SEC has gone rogue,” he said. “This is an inevitable change that’s happening, and until the (cybersecurity) problems start to diminish to a manageable level, (government’s) expectations are going to rise.”
