UPDATED: The recent denial-of-service attacks on Internet tech provider Dyn that caused outages at many popular websites follow a string of cybersecurity breaches that have affected Yahoo Inc. (Nasdaq: YHOO), Hillary Clinton’s campaign, Colin Powell, the U.S. National Security Agency, and election systems in Arizona and Illinois. The hackings all demonstrate that nobody is safe from the threat of cybercrime — not government agencies, presidential candidates, corporations, or other individuals.
A significant majority of dealmakers (82 percent) report that acquirers are putting increased emphasis during their due diligence processes on the cybersecurity policies and practices of target companies, according to a recent survey conducted by global law firm Morrison & Foerster.
The growing threats have increased the value of companies that provide protection, and private equity firms are quickly investing in the sector. Technology deals reached record-setting levels in 2015. In the first half of 2016, they led global M&A activity for the first time, with $294.8 billion worth of deals, according to Dealogic. Cybersecurity is one of the primary drivers of growth in M&A in the technology sector. (See related chart of select cybersecurity deals).
For corporate America, the massive 2014 security breach at Target Corp. (NYSE: TGT), which led to the resignation of the company’s president, sounded a loud alarm. “The Target breach was a turning point. A CEO lost his job over it and all the boards of big companies really woke up. Now we are seeing PE firms take aggressive action to manage cyber risk in their investments,” says Jason Kaufman, a managing principal and the head of M&A with The Chertoff Group, whose investment banking subsidiary Chertoff Capital specializes in cybersecurity deals. The Washington D.C.- based firm was founded by former Secretary of the U.S. Department of Homeland Security Michael Chertoff.
M&A activity in the cybersecurity sector is expected to continue. “Cybersecurity is a fragmented industry with lots of growth. This is enticing to dealmakers. There are always new threats companies need to defend against,” says Kaufman. “Unfortunately, the bad guys seem to find a way to be a step ahead so there will always be the need to develop new tools to address these problems.”
There are 1.5 million cyberattacks each year, which is about 4,000 attacks per day, according to IBM (NYSE:IBM). Businesses are attacked 16,856 times a year. (See related chart of notable cyberattacks). Although the vast majority of these attacks don’t get past corporation’s defenses, an average 1.7 per week succeed. Juniper Research has predicted that the cost of data breaches will reach $2.1 trillion globally by 2019.
Kaufman reported that he recently saw a deal go on hold because the PE investor discovered a cyber breach in the target. “Cyber has become standard due diligence, on par with legal and accounting.”
The cyber industry is a fragmented industry today, with more than 3,000 cybersecurity vendors. Cybersecurity companies have proliferated as the threat of cyberattacks has increased, and they have had little trouble, if any, securing venture funding. In the last five years, venture capitalists have poured $12 billion into 1,200 cybersecurity companies, according to the Chertoff Group.
Need for consolidation
Not all cybersecurity technologies overlap, because many different layers of protection are needed to keep individuals and businesses safe online. But there is a need for consolidation in the cybersecurity sector, which is driving M&A activity.
“You have a very fragmented industry that needs to consolidate,” says Scott Stevens, a managing director with William Blair. “Larger players in the market are trying to provide customers with broader offerings and make it less confusing for customers to buy what they need to secure their organizations.”
Companies, individuals and the government are buying up these products. Total worldwide spending on cybersecurity from 2017 through 2021 is expected to eclipse $1 trillion, according to Cybersecurity Market Report, published by Cybersecurity Ventures. Spending on cybersecurity is now about $74 billion a year.
M&A activity in the cybersecurity sector has also been fueled by a slower initial public offering market and deflated stock prices. Many cybersecurity companies that have reached scale and that would have found liquidity in an IPO market in the past have instead decided not to go public. “There’s been a 25 percent pull back in valuations,” says Chertoff Group’s Kaufman. “This has made it more attractive for cyber companies to pursue an M&A transaction and it’s made it more attractive for public cybersecurity companies to go private. There isn’t a private equity firm that’s focused on tech that doesn’t have a cybersecurity investment thesis to take advantage of these conditions.”
Thoma Bravo has been on the forefront of taking public companies private. Not only are they able to do so at good prices, but they are able to help companies grow more easily out of the public eye. “A lot of companies that went public weren’t set up for profitable growth,” says Seth Boro, a managing partner with Thoma Bravo. “We take these companies private and can help them set up their businesses to sustain profitable growth. If public companies miss a quarter of revenue it can take years to recover from that. Private companies have a lot more flexibility to achieve growth and implement business model transitions.”
The list of companies that delisted or chose to sell to a strategic or private equity firm instead of going public continues to grow. In July, Imprivata (NYSE: IMPR) agreed to be taken private by Thoma Bravo for about $544 million, or $19.25 a share. The company, which helps healthcare providers protect patient information, went public in 2014 at $15 per share.
In June, Blue Coat Systems Inc., which was owned by Bain Capital, filed to go public in an offering that would have raised $500 million. However, instead of going public, Bain agreed to sell the cybersecurity firm to Symantec (Nasdaq: SYMC), a global cybersecurity provider, for $4.65 billion in cash. Bain had acquired the Sunnyvale, California-based company from Thomas Bravo for $2.4 billion in 2015. Silver Lake Partners and Bain Capital remain investors in the company. Also in June, security giant Avast agreed to acquire fellow cybersecurity company AVG (NYSE: AVG) in a take-private deal for $1.3 billion. Boston-based TA Associates has a stake in Avast.
Private vs. public
Other cybersecurity companies—such as Sailpoint Technology, Ping Identity and Tripwire—raised venture money and were on the path to go public, but were instead bought out by private equity firms. Sailpoint, which was bought by Thoma Bravo in 2014 instead of entering the public markets, may try its luck with an IPO in 2017. Boro says the company has been one of its greatest growth stories: “The secure identity market is becoming increasingly important and there is a lot of spending on it. Sailpoint is the highest growth company in our portfolio. It has done incredibly well.”
Ping Identity, a firm that manages employee digital identities, had expected to go public, but Vista Equity Partners bought it in June. Ping, based in Denver, raised about $128 million, according to CrunchBase data. In 2011, Tripwire abandoned its hopes of going public and sold to Thoma Bravo. In 2015, Thoma Bravo sold Tripwire to Belden Inc. for $710 million, making five times its investment in four years.
Dell Inc. (Nasdaq: DELL) is also building out its product suite. At the end of 2015, Dell announced plans for the largest technology acquisition ever by acquiring EMC Corp (NYSE: EMC) for $67 billion. EMC sells data storage, information security and other products that enable businesses to store, manage and protect their data.
In 2015, the IPO market was busy, but in 2016, there were no initial public offerings in the first quarter and only four in the second, points out Wayne Corini, a partner with Grant Thornton. But with valuations down and companies still seeking liquidity, M&A activity has increased, and Corini says the trend is likely to continue.
Both strategic buyers and private equity firms have been active in the slew of take-private deals in the cybersecurity space, although they tend to buy different types of assets. Strategic buyers like IBM, Dell and Cisco Systems (Nasdaq: CSCO) look for more emerging technologies at companies that have yet to make money. “Large strategic buyers such as IBM and Cisco remain very active acquirers as they look to build out their suites. The challenge for sellers is that there are only a select number of strategic buyers who can pay truly outlier prices,” says Stevens of William Blair.
In June, Cisco bought CloudLock for $293 million. CloudLock raised $30 million in venture funding and posted revenue of just $13.2 million in 2015. At the end of 2015, Cisco agreed to acquire cybersecurity firm Lancope for $452 million. Lancope had received venture capital from Canaan Partners, Council Capital and HIG Partners. In 2015, Cisco also bought cybersecurity firms Portcullis Computer Security, OpenDNS and Pawaa Software.
Middle-market strategic buyers are also making deals. In April, Cryptosoft, a data security company, acquired DeviceAuthority Inc., which provides authentication technology for Internet-of-things devices. In March, SuperCom (Nasdaq: SPCB), which sells secure-identity and secure payment solutions, acquired data theft protection software maker Safend Ltd. In January, FireEye Inc. (Nasdaq: FEYE), a cybersecurity firm, purchased competitor iSight Partners, which tracks cyber threats. In August, KBR Inc. (NYSE: JBR) agreed to buy Honeywell International Inc.’s (NYSE: HON) cybersecurity division.
“Strategic buyers account for two-thirds of the deal flow and they all want to build their technology capabilities,” says Chertoff Group’s Kaufman. “They see opportunities to consolidate smaller players. One way to do that is by taking companies that are struggling private.” The M&A market slowed at the beginning of 2016 because of the credit markets, but it has since recovered, while the IPO market has not.
Seeking mature targets
Private equity firms have a different strategy than strategic buyers, but they have also been very busy. The private equity firms are frequently looking for more mature companies to buy out. Private equity firms have been willing to pay more for security companies that combine growth with profitability. “The ideal cybersecurity businesses that are targets for aggressive private equity buyers are growing over 10 percent and have 10 percent to 30 percent Ebitda margins. This combination is extremely attractive,” says Stevens.
In July, the Chertoff Group’s portfolio company Delta Risk LLC agreed to acquire security consultant Allied InfoSecurity. In 2015, the group acquired a majority stake in Delta Risk and, in a separate deal in partnership with the Carlyle Group LP (Nasdaq: CG), it acquired a majority stake in Coalfire Systems Inc. Recently, Delta Risk acquired Allied Info, which specializes in managed security services, mostly in the healthcare market. Chertoff has no committed fund, but family offices willing to back deals where capital is needed.
Companies that prepare boards and senior executives to manage complex cyber risks are of interest as well. “Most cyber breaches happen because someone does something that they aren’t supposed to do; they give away a password or open something they shouldn’t,” says Kaufman. “Basic training can help stop a majority of low-level threats.”
In addition to the traditional strategic buyers and private equity firms, some non-traditional buyers want to move into the sector. In July, Belcan LLC—provider of data analytics and software consulting services to aerospace, power generation and industrial companies-- acquired cybersecurity company Intercom Consulting & Federal Systems. In June, Accenture plc (NYSE: CAN) acquired Maglan, a cybersecurity company.
Thoma Bravo has been an active seller and Boro says all kinds of strategic buyers are knocking on Thoma Bravo’s door today. “The buyer universe has expanded dramatically. We are seeing interest in our portfolio from non-traditional software buyers and the typical buyers. There’s no one type of buyer anymore,” says Boro. “It’s a huge market with attractive growth, which is hard to find in many other sectors of the economy today, and that’s why it’s attracting so much interest.”
The great news for dealmakers interested in remaining active in the space: Dealmaking should continue, driven by the market’s fast product cycles. “Without truly strong technical differentiation, what was cutting edge can become commoditized quickly,” Stevens says. “Buyers always take a hard look at the stickiness of the offering, the differentiation in the market and how extensible the solution can be in the future. The fast evolution of the market often necessitates that companies combine organic plans with M&A to maintain leading market positions.”