Peter Thiel's Founders Fund prides itself on being a venture capital firm that operates as nimbly as the startups that it backs. Anyone at the firm can scout out interesting companies to invest in, and — as long as there's consensus — make a commitment to fund the startup.
That lets the Founders Fund move quickly when it sees the right opportunity. And on Tuesday, the Fund announced its first-ever investment in cybersecurity, in a deal that it says came together in the span of one week.
Together with Lightspeed Venture Partners, the Founders Fund is co-leading a $37 million funding round in Arceo.ai, a San Francisco startup that analyzes the cybersecurity risks that businesses face. The startup, founded by two cybersecurity industry veterans, recently came out of stealth mode.
"One of the things that makes Founders Fund unique is that we don't have a thesis," Founders Fund partner Trae Stephens, who led the Arceo.ai deal for Founders Fund, told Business Insider. "Once it becomes a thesis or a category, it's too late. We'd rather invest in an exceptional founder with a hard business rather than an average founder with a great business."
According to Stephens, Arceo.ai cofounders and co-CEOs Raj Shah and Vishaal Hariprasad fit the bill. The former U.S. Air Force pilots had started two prior companies together and were tackling the murky territory of enterprise cybersecurity risk analysis.
"They have lived and breathed the security mission in every aspect of their lives, having spent time at the defense innovation unit," Stephens said. "If you are a business, you know you should be spending to defend yourself, but it's not clear how. Insurance ends up being a really important piece of the puzzle, and in cyber that was never figured out. Raj and [Vishaal] both have a great sense of how that works and are the types of people you would expect to build a good company in this space."
The pair developed a risk model using public and private data from attacks on different businesses in various industries and shared their findings with insurance companies. They told Business Insider that Arceo.ai works with a range of insurance carriers to provide better enterprise cyber coverage based on their models.
An existential threat that all modern businesses are exposed to
Hariprasad told Business Insider that theft of usernames and passwords is a threat many businesses are just starting to wake up to. Multifactor authentication is a preventative measure that is fairly easy to implement but hasn't seen the broad adoption Hariprasad expected. He said that Arceo.ai educates Chief Information Security Officers about the benefits of multifactor authentication, and that the insurance provider could offer discounts to businesses that take action based on Arceo.ai's recommendations.
"The insurance industry helped mitigate fires as a business risk in the 1800s," Shah told Business Insider. "It was an existential threat to the business then, but now no one really worries about it. We aspire to enable that in the cyber world so businesses can sleep more soundly."
The $37 million in venture capital is the second round of funding for Arceo.ai, whose existing investors include Lightspeed and CRV. Both firms ultimately joined this funding round, as well.
As an early employee at Thiel's secretive data-mining company Palantir and former public sector cybersecurity employee, Stephens said he's seen insurance become a larger portion of the cybersecurity equation over the last 10 years. He said it's "irresponsible" for a business to forgo cyber insurance that could protect it from losses stemming from ransomware or spear-phishing attacks. He further said that since those policies are still in development, Arceo.ai could have a major role in shaping the entire industry.
"Ten years ago if you asked an enterprise CISO what their defensive posture was, there was a general idea that we could spend money and developer time to ensure networks are protected against threats and that was it," Stephens said. "What you hear now is there is no amount of money or time we could spend because it is nearly impossible to defend against all these threats, so we need a multifaceted approach that didn't exist a decade ago."
According to Stephens, Founders Fund is the only major venture firm that hasn't made a significant bet in cybersecurity, and he attributed that to an oversaturated market without a clear direction before Shah and Hariprasad entered the scene.
"Most of the cybersecurity industry is doing more of the same, so you get an idea pretty quickly that nobody actually knows what they're doing," Stephens said. "If they did, there would be like five companies, not 2,000 that all are selling the same thing. The glut of companies out there demonstrates that everyone disagrees about the right way to do it."