Mastercard jumps into the risk-assessment race with RiskRecon acquisition

Mastercard is getting into the security assessment business.

The credit giant announced Monday it has agreed to acquire RiskRecon, a Salt Lake City-based startup that grades companies based on their ability to withstand cyberattacks and protect personally identifiable information. The companies did not disclose the terms of the deal.

RiskRecon is one of several firms that collect publicly available data — such as what kind of web servers companies use and whether their protected information turns up on the dark web — to make cybersecurity assessments. Mastercard has an obvious financial interest in understanding which companies are more likely to be breached.

CEO Ajay Banga has pushed for awareness that most data breaches start at small and medium-sized businesses (SMBs) and then spread to larger ones. Banga is a member of the Cyber Readiness Institute, a Washington nonprofit that distributes cybersecurity advice to SMBs.

“Mastercard has been one of the brands that has stood out as a true innovator, focusing on the real problems of real business,” RiskRecon co-founder Kelly White said in a statement. “By becoming a part of their team, we have an opportunity to scale our solution and help companies in new industries and geographies take steps to better manage their cybersecurity risk.”

RiskRecon previously had raised $40 million from investors including General Catalyst, Accel and F-Prime Capital. The latest funding round occurred in August 2018. Competitors like SecurityScorecard and BitSight have raised $112 million and $151 million, respectively.

Mastercard previously acquired NuData, which specializes in securing connecting devices, and Ethoca, an anti-fraud firm.

The RiskRecon deal is expected to close in the first quarter of 2020.