BitSight Buys Startup VisibleRisk, Gets $250M From Moody’s

‘We believe Moody’s decision to partner with BitSight is a clear validation of our ratings and data, our successful business model, and our trustworthiness as a business partner,’ says BitSight CEO Steve Harvey.

BitSight has purchased cyber risk assessment startup VisibleRisk and received a $250 million investment from credit ratings giant Moody’s to help customers identify and quantify risk.

Boston-based cybersecurity ratings firm BitSight said it plans to create a Risk Solutions division led by VisibleRisk Co-Founder and CEO Derek Vadala to help chief risk officers, CISOs, c-suite executives and boards of directors financially quantify risk. The Moody’s investment values BitSight at $2.4 billion and makes Moody’s the largest shareholder in the company, albeit with a minority stake, the company said.

“Creating transparency and enabling trust is at the core of Moody’s mission,” Moody’s President and CEO Rob Fauber said in a statement. “BitSight is the leader in the cybersecurity ratings space, and together we will help market participants across disciplines better understand, measure, and manage their cyber risks and translate that to the risk of cyber loss.”

[Related: SolarWinds Hack Could Cost Cyber Insurance Firms $90 Million]

Moody’s stock was up $3.46 (0.90 percent) to $385.99 per share just after trading opened Monday morning. The credit ratings giant said it plans to leverage BitSight’s extensive cyber risk data and research across its growing suite of integrated risk assessment product offerings. BitSight executives weren’t immediately available for additional comment.

BitSight was founded in 2011, has raised $150.6 million in outside funding, and employs 478 people, up 6 percent from 450 workers a year earlier, according to Crunchbase and LinkedIn. VisibleRisk was founded in 2019, has raised $25 million in outside funding, and employs 46 people, up 121 percent from 21 workers a year earlier. VisibleRisk was established as a joint venture by Moody’s and Team8.

“We believe Moody’s decision to partner with BitSight is a clear validation of our ratings and data, our successful business model, and our trustworthiness as a business partner,” BitSight President and CEO Steve Harvey wrote in a blog post Monday. “[Our] position…will grow larger as BitSight data becomes more deeply integrated in financial, credit and pricing decisions.”

Harvey said BitSight’s partnership with Moody’s will expand the delivery of the company’s Security Ratings solution and data-driven insights across the global marketplace and to new executive audiences. The two organizations will integrate security, risk, and financial data sets to empower the marketplace to make better, risk-informed decisions, according to Harvey.

“As CISOs continue to navigate the C-suite and boardroom, they will be asked to make critical strategic decisions regarding risk, quantify their organization’s financial exposure, prioritize security initiatives, justify budget allocation and resources, and effectively report on their program effectiveness to internal and external stakeholders,” Harvey wrote in the blog post.

Meanwhile, VisibleRisk’s data collection capabilities – including its proprietary, automated technical collection tools that gather internal data – complement BitSight’s external observations to deliver an enhanced view of organizational security performance, he said. The deal will allow BitSight to expand its Financial Quantification tool to analyze and calculate an organization’s financial exposure to cyber risk.

“I’m excited to welcome the entire VisibleRisk team to BitSight,” Harvey wrote in the blog post. “VisibleRisk is composed of exceptional executives, technical teams, and subject matter experts with experience in cyber risk quantification, financial quantification, cyber insurance, credit ratings, and penetration testing.”

This is the second acquisition in BitSight’s decade-long history, coming nearly seven years after the company purchased Portuguese threat intelligence vendor AnubisNetworks. Moody’s said it began incorporating cyber risk into credit analysis in October 2015, nearly four years before the credit ratings giant joined forces with Team8 to create a global cyber risk standard, which would become VisibleRisk.