After the mother of all IT meltdowns this past summer, CrowdStrike and Microsoft (Nasdaq: MSFT) were quick to point out that the incident – impacting at least 8.5 million computers/devices – was a software glitch and not the work of nefarious hackers.

Adobe Stock 3D rendering cybersecurity

That so many users (including countless government agencies and airlines) around the globe could easily get knocked offline had sobering reverberations.

How could this happen?

Where were the redundancies?

Could this mean the start of an M&A supercycle within the cybersecurity space?

No Shortage of Break-up Targets

Certainly, U.S. lawmakers and regulators could be poised to fixate on the enormity of certain too-big-to-fail IT infrastructure/security players, including Microsoft and CrowdStrike, as well as Cisco Systems (Nasdaq: CSCO), Palo Alto (Nasdaq: PANW) and several other firms of consequence.

Elisabeth Rudman, a Morningstar DBRS managing director, says in a research note that the incident could raise regulatory questions about the oligopolistic nature of critical IT infrastructure.

“There could be some regulatory fallout resulting from this,” adds Toronto-based Timothy O’Brien, managing director, corporate ratings/diversified industries at Morningstar.

Indeed, the scarily far-reaching July 19 incident went way beyond the inconveniences for airline passengers, insists Thoma Bravo‘s Chip Virnig, a Miami-based partner.

“It was a huge wake-up call in terms of our overall reliance on the digital world and the need to make it secure,” he says.

Virnig made reference to his sense that there will be, in c-suites everywhere, fresh rounds of conversations pertaining to upgrades and redundancies.

“Which bodes well for the cybersecurity space,” he points out.

The Tech Giants are Coming

Despite Google’s failed attempt to buy start-up Wiz this past summer when the AI-driven cybersecurity firm opted to go public instead, the mere overture itself suggests it’s game-on for cloud players seeking to get into the sector, according to Thomas Smale, CEO of FE International, a tech M&A advisory firm.

“Given the recent CrowdStrike outages, the tech giants want to be players in the space, and see acquisitions as a way to grow and catch up,” Smale explains. “I wouldn’t be surprised if Google makes another offer on a company similar to Wiz.”

Microsoft is already a major player in the industry, deriving tens of billions in revenue from cybersecurity.

Because Google’s audacious offer for Wiz – a historic $23 billion – will reset valuation expectations, it’ll mean other players likely could come to market sooner than planned, Smale adds.

Trends to Watch

Around the time cybersecurity was making splashy headlines, several firms were busy closing cybersecurity deals.

Insight Partners, Apax Partners and Silver Lake reportedly are among the firms most visibly hitching portfolios to cybersecurity.

Thoma Bravo, perhaps the busiest of all of the financial buyers, spent last year completing its deal to acquire ForgeRock and combining it with Ping Idenity, which it acquired in 2022. Most recently, it sold cybersecurity firm Venafi to publicly traded CyberArk (Nasdaq: CYBR) for $1.5 billion.”

Connecting these various deals is a common theme – identity/access management – with this latter deal pointing to an under-the-radar trend that will drive deals in the future.

Digital transformation and on-going cloud migration have led to an exponential increase in the number of machine identities, Virnig explains. “We’re talking about things such as workloads, code, applications, IoT devices and containers [for code],” he says.

According to CyberArk, the number of machines is rapidly outpacing the growth in their human counterparts, with more than 40 machine identities for every human identity. Left unprotected, they serve as a lucrative hunting ground for cybercriminals, the company says.

Another less-discussed data security topic (relative to “risks/opportunities surrounding AI”) is cybersecurity insurance.

Morningstar reports that cybersecurity insurance is the fastest-growing subsector in insurance M&A – and is expected to remain so for the rest of the decade.

The identity/access management subsector, or IAM, routinely sticks out as the busiest sub-category of total cybersecurity M&A transactions, according to Garrett Bekker, research analyst, S&P Global Market Intelligence.

A decade or so ago, PE was less than five percent of total cybersecurity M&A, but in recent years it has soared to as much as 40 percent. Bekker says there are 15 subsectors for cybersecurity companies (there are more than 4,000), and IAM (there are hundreds of companies in this bucket) is usually among the top three in terms of number of announced deals. Last year saw more than 200 such deals.

“Every IAM company has an AI angle these days,” Bekker says.

Cybercriminals do as well. The black hats are leveraging fast-evolving generative AI programs to come up with ever more devious ways to access corporations’ data. Ransomware and other hacker attacks increased 50 percent in 2023 versus 2022, per Datto Security.

Most notably, the recent attack on a widely used network for car dealerships wreaked havoc in this sector.

Meanwhile, less talked-about forms of AI technology – such as machine learning, behavioral AI and causal AI, the bedrock of cybersecurity for more than a decade – are advancing.

Security providers are able to ramp up automated techniques for threat detection and mitigation.

Wiz demonstrated remarkable growth over the past few years, scaling through acquisitions such as Gem and Lacework.

“In today’s regulatory climate, things are tense when the tech giants are involved,” Smale says.

Wiz may not have wanted to risk the time and energy of an acquisition that could have been in the public eye and destined for extra hurdles. But, rivals and other upstarts could seek to expand by acquisition as the largest players meet with regulatory constraints.

Industry members point out that the demand for cybersecurity will come from companies with the deepest pockets and able to prioritize cybersecurity and invest in it. Full-stack automation solutions will be in demand as companies take a 40,000 foot view of all of the common software vulnerabilities across the entire scope of what they do, not just from an anti-hacker perspective, but the whole picture, one middle-market technology banker told Mergers & Acquisitions.

Not only is AI a huge tailwind for a new cycle of innovation in cybersecurity, it’s something that these types of companies already have been harnessing for a long time.

“Obviously, we think cybersecurity is a great sector in which to invest,” Virnig says. “Digital transformation has created high demand for advanced and adaptable cybersecurity solutions that can combat increasingly sophisticated threats and attacks, including attack vectors that are driven by AI, which is at the forefront of every cybersecurity conversation.”