In The News

OT Risk Management Firm DeNexus Raises $17.5 Million

Industrial cyber risk management firm DeNexus has raised $17.5 million in a Series A funding round led by Punja Global Ventures with participation from AXA XL, Prosegur Tech Ventures and HCS Capital.

Rimmo Jolly, co-founder of Punja, will join the board of directors, while Libby Benet, global chief underwriter officer at AXA XL, will join as a board observer. The funds will be used to expand the firm’s go-to-market team, and to enhance its product offerings.

Increasing cyber threats and government regulations on critical industries complicate the process of selecting the most cost-efficient and security-effective way to build resilience into industry. DeNexus offers a risk management platform, called DeRisk, that focuses on discovering and quantifying OT risk – allowing and assisting critical industry customers to choose the most effective risk management approach (accept, avoid, mitigate or transfer) for individual OT risks.

DeRisk is an AI and ML-driven data analytics platform that focuses on managing the cyber risk to the underserved operational technology of critical industries – the OT networks. DeNexus’ CEO Jose Seara explains the basic principle behind DeRisk. “Our platform learns about threats, threat actors and exploits from the external databases, such as MITRE, that publish threat details. Internally we analyze the OT networks of our customers, including the individual components, to discover any known vulnerabilities; and we also add details of any existing security controls used by the company.”

All these factors are brought together to discover risk-bearing vulnerabilities. “The fact that a device is vulnerable and can be exploited doesn’t necessarily mean that it drives risk if there is a control that isolates that vulnerability from the attackers,” adds Seara. DeRisk then runs a simulation to discover whether, and at what cost, an attacker could combine the threat, the vulnerability and the lack of existing mitigating controls in an attack against the customer’s own OT network.

It is this data that can be used for risk management decisions: accept the risk, avoid it, mitigate it with new or additional security controls, or transfer it to cyber insurance. Seara gave a more detailed example involving risk transfer. The customer, who owns the risk, might decide transfer is the best solution. But without the DeRisk analysis, neither the customer nor the insurer really understands the cost of that specific risk.

“For both parties,” he says, “it’s about properly pricing the risk that is transferred. Understanding this could lead to a reduced premium, or even an increased – but more accurate – premium. Currently, many insurance companies are buying more risk than they know, and are probably mispricing that risk.”

Risk management is not about ignoring risk; it is about understanding the risk and the cost of the risk, and responding in the most efficient manner. For cyber insurance, overpricing risk could lead to the loss of customers, while underpricing it could threaten the viability of the insurance industry. The same principle applies within OT networks: you need to know the risk, understand the cost of that risk, and then respond accordingly. Without effective risk management, firms are likely to spend more than necessary on misplaced security controls or remain insecure and more likely to be breached.

Read more on Security Week >