In line with prior expectations, financing deals, and mergers and acquisition (M&A) activity in the cybersecurity sector appears to have dipped in the second quarter. However, analysts tracking the market have a more upbeat assessment for the rest of 2023 — compared to three months ago — with most now expecting a modest recovery on both fronts by the end of the year.
A lot of the optimism has to do with enterprises continuing to invest heavily in cybersecurity, despite a slowdown in other expenditures. Market research firm IDC expects that organizations will spend some $219 billion this year on security products and services — or some 13% more than they did in 2022 — to address threats, to support hybrid work environments, and to meet compliance requirements. The areas that will receive the most spending are managed security services, endpoint security, network security, and identity and access management.
"While the theme of conservatism and expectations for continued headwinds have remained throughout the first half of the year, we do expect to see strategic activity slowly begin to rebound in the second half of 2023 and into 2024," says Eric McAlpine, founder and managing partner of analyst firm Momentum Cyber. Financing and M&A activity will both eventually pick up as companies that were able to make do financially so far begin to feel the need for fresh capital to fuel their business, he says.
Data from Pinpoint Search Group shows that cybersecurity companies raised a total of some $1.9 billion in 97 funding rounds in Q2. That was 35% lower than last quarter's $2.9 billion, and some 55% lower than the funding that cybersecurity firms raised in the year-ago quarter.
"As interest rates cooled multiples and the exit market, cybersecurity-focused venture capital (VC) certainly slowed down, particularly in comparison to 2021 and 2022," says Alex Doll, partner at cybersecurity investment firm Ten Eleven Ventures. "Valuations got tighter and the demands of investors to see clear signs of demand and traction were elevated," he says. Hiring by VC-backed companies too slowed considerably as companies re-forecast expectations and planned for longer runway times, Doll says.
A Handful of Big Investments in Cyber in Q2
There were several significant investments that venture capital firms and others made in cybersecurity companies last quarter. Easily the biggest among them was the $190 million that managed detection and response (MDR) vendor BlackPoint Cyber raised in a growth investment round led by Bain Capital, with participation from Accel and several other investors. BlackPoint will use the funds to fuel further development of the company's MDR, managed application control, cloud response, and logging and compliance technologies.
Another big transaction was the $132 million that online identity verification vendor ID.me secured in April in a Series D funding round led by Viking Global Investors with participation from Morgan Stanley Counterpoint, CapitalG, FTV Capital, and others. The investment brought to $275 million the total amount the McLean, Va.-based company has raised from investors since its 2010 launch.
Two other funding transactions hit the $100 million mark. One was a $100 million investment in Cybereason that Softbank and other investors made in April to support the company's growth plans in the XDR and EDR market. So far, Cybereason has raised over $850 million from various investors, including Google. The latest cash infusion came just six months after the company laid off 17% of its workforce last October and highlighted the continued confidence investors have in Cybereason.
Meanwhile, a Series B funding round of $100 million that Cyera raised in June highlighted investor interest in the emerging market for "data security posture management" technologies.
"While investment in Q2 has been down overall, high-performing companies with solid fundamentals are continuing to receive large rounds of financing, even in a challenging economic environment," McAlpine notes.
Strategic Mergers & Acquisitions Continue
Pinpoint said it counted 18 M&A transactions in the cybersecurity sector in Q2 — a significant drop from the 31 similar transactions it counted in the first quarter of the year.
The biggest of the lot — from a strategic standpoint — was F-Secure's $223 million acquisition of Lookout's mobile consumer security business. McAlpine says F-Secure has described the purchase as allowing it to nearly triple its market presence in the US and strengthen its position in the communication service provider segment.
Rik Turner, an analyst with Omdia, identified Cisco's purchase of Lightspin in March and Armorblox in May — both for an undisclosed amount — are two other acquisitions to watch. Cisco's purchase of Lightspin gives it a presence in the cloud security posture market, though it is still some way behind the likes of Palo Alto Networks in that space, Turner says.
"It will be interesting to see whether it combines that technology with what it got two months later when it bought Armorblox," Turner notes.
IBM's purchase of Polar, again for an undisclosed sum, bears watching as well, Turner says. "We've been watching DSPM, which, until this acquisition, was a sector made up almost entirely by start-ups," he notes. IBM's entry into the space could trigger a landgrab in the market by other major vendors, Turner notes.
New Opportunities for Private Equity Firms
Meanwhile, falling valuations continued to create new investment opportunities for private equity (PE) firms as they did in Q1. Among the more notable PE transactions in 2023 was Crosspoint Capital's acquisition of Vancouver-based endpoint-security vendor Absolute Software for $657 million in May and Cinven's purchase of governance, risk, and compliance software vendor Archer for an estimated $1.3 billion in April.
Crosspoint's purchase price represented an approximately 34% premium over Absolute's share price of $8.58 on May 10, 2023. When the acquisition is complete, Absolute's shareholders will receive $11.50 in cash per common share.
"One thing to watch is how Crosspoint is amassing a veritable stable of cyber firms," Turner says. The firm already owns or has stakes in Forescout, ExtraHop, ReversingLabs, Digicert, RSAC, McAfee, Cyware, and others, Turner notes, adding that it's possible that Crosspoint could do some "corporate engineering" and bring different bits of these companies together at some point. Or the PE firm could "simply inject some capital into all of them with a view to spinning them back out when the time is right," he says.
Meanwhile, Cinven did not disclose the financial details of its purchase of Archer from RSA Security in April. However, data that Momentum Cyber compiled from various industry sources for its second-quarter financial roundup, estimated the transaction value at $1.3 billion.
Sectors that have received significant funding throughout 2023 include identity and access management, data security posture management (DSPM), and data detection & response (DDR), McAlpine says. He adds, "We're also seeing increased attention from investors on startups helping companies use emerging forms of AI — large language models and generative AI — securely."
Going forward, Doll from Ten Eleven Ventures says that while VC funding has slowed overall, compared to other sectors, cybersecurity continues to present an attractive opportunity for investors. "For the right companies, capital is definitely available," Doll says. Cybersecurity also continues to be a priority for enterprise organizations, and there are signs of new investments in areas such as AI: "We think investing in the sector will accelerate again in the next 12 to 18 months," Doll notes. "There's a lot of growth ahead, as attacks persist — in fact, enabled by AI — and new attack vectors, such as AI itself become more apparent."