Cybersecurity investment activity surged in 2021, taking in more than $51 billion over 593 transactions in the first half of the year and surpassing all of 2020 in just six month.
Industry consolidation has driven much of the surge in mergers and acquisition with nearly as many deals this year as in 2020 — 163 versus 178 — but the value of this year's deals have been much greater — $39.5 billion versus $20.5 billion for all of 2020, according to new data from investment advisory firm Momentum Cyber.
Meanwhile, venture capitalists and investment firms financed cybersecurity companies to the tune of $11.5 billion in 430 deals, which includes venture funding, the company states in its "Cybersecurity Market Review."
While total financing has not surpassed 2020 yet, the pace of venture capital investment guarantees that it will, says Eric McAlpine, co-founder and managing partner at Momentum Cyber.
"We have never seen a space grow up so fast," he says. "For the last five years, I have been calling the peaks, saying, 'OK, we [the industry] have done 180 deals this year — we are not going to get any better than that.' But it's been like the Olympics, where athletes were breaking multiple world records every day."
The soaring fortunes of cybersecurity companies come as cybercriminals have had their own banner year. From major ransomware attacks, such as the attacks on petroleum transport network Colonial Pipeline and meat packer JBS USA, to supply chain attacks on remote management firms SolarWinds and Kaseya, cybercriminals have raked in tens of millions in payments from firms whose cybersecurity has failed.
Trends both favoring and hindering security are in play, says Jeff Pollard, vice president and principal analyst at Forrester Research.
"I think security is better off than it has ever been. That is not a high bar, but security practitioners and CISOs are better than they ever have been," he says. "Yet look at the other side: The environments are more complex than they have ever been, and the cybergangs are more organized than they have been."
Ransomware and the threat of a failure in operations, in particular, have made companies focus their efforts on better security and visibility. In addition, the pandemic-prompted move to remote work and greater reliance on cloud infrastructure has forced companies to take another look at their security preparations and technologies.
The fact that the stock market is booming helps as well, says McAlpine. The average security company traded between five and six times revenue last year, and now that ratio is eight to nine times on average, he says.
"Whenever you see a healthy and robust equity market, you will have a very healthy and robust acquisition market," he says. "Boards are feeling confident and are looking for places to put their money."
Some of the major private deals include the purchase of Proofpoint by private equity firm Thoma Bravo for $12.3 billion in April, doubling the previous largest private-equity deal in the cybersecurity market. Among top funding deals, Transmit Security raked in $543 million in a series A round and Lacework grabbed $525 million in a series D funding round.
Another factor: The rise of special purpose acquisition companies (SPACs), which are companies created to hold funds for later investments. Three of the top-10 deals in cybersecurity in the first six months of this year have happened through companies merging with SPACs, up from zero deals last year, McAlpine says. Whether that tactic pays off for investors in the company remains to be seen, he says.
"There are only a few companies that can really grow 60, 70, 100% every year at scale," McApline says.
SPACs have the ability to add predictions of future returns in their investment documents, suggesting that investors are already taking future returns into account. "The investors are basing their valuations off of forward numbers," he adds.
Yet more entrepreneurs have actual security operations experience, meaning that often companies are created to pursue products or services that CISOs and security engineers have created, says Forrester's Pollard.
"There are certain vendors out there that are approaching problems in new and unique ways — they are client-centric and customer-obsessed," he says. "Many of them are CISOs and security engineers, for example, that are creating products that actually solve problems that they had run into when they worked at companies."
Cybersecurity has also become less insular and focused on enabling businesses, which means their products are less disruptive to operations and more supportive, he says.
Whether the industry is in a bubble is hard to answer, McAlpine says. Next year will be a strong year, but it may not top 2021.
"It is hard to believe that we have already surpassed last year, and we will leap past that next year," he says. "I do think that this momentum is absolutely going to continue and 2022 will be a great year. People are bullish on cybersecurity."