Cybersecurity M&A Activity Shows No Signs of Slowdown

But valuations have dropped — and investors are paying closer attention to revenues and profitability, industry analysts say.

5 Min Read
Closeup of finger on computer key with the words mergers and acquisitions
Source: kenary820 via Shutterstock

Cloud security vendor Lacework's recent announcement that it will reduce head count as part of a restructuring plan — just months after it secured $1.3 billion in a record-setting funding round — may have shocked the high-flying cybersecurity sector, but industry analysts say the layoffs do not signal any broad, imminent industry slowdown.

General economic conditions appear to have made investors a bit more cautious, however: Private equity (PE) investments — which accounted for nearly 40% of merger and acquisition activity last year — are down compared with the same period in 2021, as are company valuations overall.

Even so, M&A and venture capital activity in the cybersecurity industry remains robust and shows little sign of a major slowdown. Just in the last few days, for instance, ReliaQuest announced plans to purchase Digital Shadows for $160 million; Netskope acquired WootCloud for an undisclosed sum; and Lookout acquired SaferPass. In late May, Broadcom announced its intent to buy VMware for $61 billion in a deal that, if approved, will bring VMware's Carbon Black security under Broadcom's roof.

Multiple Drivers

"There are multiple dynamics at play for M&A" activity in the cybersecurity space, says Fernando Montenegro, an analyst with Omdia. "The established vendor being acquired for their cash flow. The adjacent technology being acquired by a security vendor to enter a market. The technology tuck-in and/or 'acqui-hire' into an existing vendor," he adds. Expect VCs, private equity, and corporate development teams to be a little more cautious, but still active, he notes.

"The industry has had a strong pace of acquisitions and fundings over the years, and we expect that to continue," Montenegro says. "What is changing is that there appears to be much more focus on demonstrating actual capabilities and momentum while being mindful of run rate."

There's also the understanding that too-large funding rounds raise expectations on delivery that may be more difficult to attain in a tightening economic environment, he notes.

Richard Stiennon, chief research analyst at IT-Harvest, says Lacework's decision to downsize and restructure may, in a way, be the result of its own success. The company experienced hypergrowth of some 272% last year and went on a hiring spree. After that, the company might have thought it wise to pause and consolidate while it catches up with expectations on sales growth, Stiennon explains. "There is categorically no broad consolidation in cybersecurity and there will not be until threat actors give up and go home," he says. "We will always need new ways to counter new threats."

That said, the antivirus space for the first time is now truly consolidating, according to Stiennon. Thanks to Microsoft giving away good-enough security with Windows Defender and the availability of stronger endpoint protection capabilities from vendors such as CrowdStrike and SentinelOne, the traditional AV vendors are fading away, he says.

Fast and Furious Pace

Data that S&P Global Market Intelligence compiled earlier this year showed there were 42 cybersecurity transactions through March 18, 2022, with a median deal value of some $97 million. Google's $5.4 billion purchase of Mandiant was easily the biggest of those deals and accounted for most of the $6.77 billion in total transaction value of announced deals in the cybersecurity industry through that date. In comparison, there were 36 transactions over the same period in 2021, with a median deal value of $185 million. In all, in the first quarter of 2022 there were 59 deals compared with 49 last year. But total deal value at $9.3 billion was significantly smaller than last year's $17.6 billion, according to S&P Global Market Intelligence.

Rising interest rates, inflation, and concerns over potential economic headwinds appear to have driven down security vendor valuations compared with last year, says Garrett Bekker, an analyst with S&P Global Market Intelligence. Even so, investors appear willing to pay hefty multiples to acquire security firms and the appetite for buying them does not appear to have diminished significantly, he says. That's because most existing drivers remain in place, such as cloud adoption, the move to zero-trust access models, and the proliferation of ransomware and other malware.

One potential red flag is the slowdown in private equity investments so far this year, Bekker says. For the past two decades, there has been a steady increase in PE-funded mergers and acquisitions — from 40 in 2002 to 80 in 2010, and 209 in 2021 — or 37% of all transactions in the space, he says. There has been a near 20% drop-off in PE transactions in 2022 compared with the same period last year, Bekker says. 

"It's a fairly large drop-off," he notes. "We'll be looking to see whether that persists or is an aberration."

Closer Scrutiny

Speculation about potential recession and recent turmoil with tech equities is causing venture investors to scrutinize funding more carefully, says Joseph Blankenship, an analyst with Forrester Research. Many investors are also advising the firms they've invested in to slow their burn rate and concentrate on building revenue, with an eye toward profitability. "I do predict that the increased scrutiny, reduced risk appetite, and decreased funding will lead to fewer startups entering the cybersecurity market." It will also push existing firms to find faster exits.

"What we’re seeing now is a continuation of the M&A activity," Blankenship says, At the same time, he adds, buyers are looking to consolidate vendors and the technology portfolios from major cybersecurity vendors are more attractive than they've been previously.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights