Financial activity in the cybersecurity industry declined sharply in the first quarter of 2023 compared to the same period in 2022, and analysts tracking the sector expect little improvement until at least the second half of the year.
Even that expectation is tinged with some uncertainty over how the market will respond — in the short and long term — to Silicon Valley Bank's (SVB) stunning collapse in mid March and the resulting impact on venture capital funding in the sector.
And meanwhile, next quarter in fact might be the slowest for cybersecurity startup funding in years, at least one researcher predicts.
Continued Financial Headwinds for Cyber
"Conservatism and expectations for continued headwinds throughout 2023 were the recurring themes across the public cybersecurity company annual earnings calls held throughout the first quarter," says Eric McAlpine, founder and managing partner at Momentum Cyber. "[Strategic decision makers] are approaching the rest of the year with great caution and that has downstream impact for everyone else in the ecosystem."
The cautionary tone comes amid lingering fears of a broad economic recession, falling stock prices and huge layoffs at technology giants such as Amazon, Meta, Microsoft, and Tesla. Though analyst firms such as IDC expect cybersecurity spending to increase 12.1% in 2023 to $219 billion, there are some fears that inflation and rising technology costs could dent the gains organizations are hoping to get from the increased spending.
McAlpine says that through Feb. 28, Momentum Cyber has tracked 32 cybersecurity M&A deals totaling $2.6 billion in disclosed deal value and 102 financing deals totaling $2.5 billion in value. That is down sharply from the M&A deal volume of $13.8 billion across 79 deals that Momentum Cyber tracked in the year-ago quarter. In Q2 last year, that number surged to a record $89.8 billon before dipping sharply in the last half of the year.
"Both M&A and financing deal count and dollar value are down considerably from the same period in 2022 as we continue to deal with turbulent markets," he says.
Market research firm Omdia reported a similar slowdown in the first quarter of 2023 with analyst Ketaki Borade describing the volume of M&A transactions so far this year as just over half of last year's volume in the same period: 44 versus 97 in 2022.
Notable M&A examples in the first quarter of 2023 include Thoma Bravo’s $1.1 billion acquisition of Magnet Forensics, Francisco Partners' purchase of Sumo Logic for $1.7 billion, and SailPoint's acquisition of SecZetta for an undisclosed sum in January.
Broad Investment Slowdown, Including in VC
It was not just M&A activity that slowed in the first three months of 2023. Venture capital and other investment activity in cybersecurity companies declined as well says Richard Stiennon, chief research analyst at market research firm IT-Harvest.
Stiennon says IT-Harvest tracked a total of 41 investments totaling some $1.35 billion in cybersecurity companies through March: "That is at an annual rate of only $8 billion [which is] considerably down from 2022, which saw investments of $17 billion, and 2021, which set an all-time high of $24 billion."
Of the 41 investments, there were seven rounds of $50 million or more which accounted for $893 million of the total $1.35 billion, Stiennon says. There have been no initial public offerings (IPOs) so far this year.
Despite the general slowdown in cybersecurity M&A and investment activity, the first three months of 2023 had its share of major transactions. Easily the standout among them was Israeli cloud security vendor Wiz' capital raise of $300 million in a Series D financing round in February that valued the company at an astounding $10 billion, Stiennon says. That made Wiz the highest valued private cybersecurity firm ever.
Stiennon points to a $205 million growth funding round that identity management vendor Saviynt secured from AB Private Credit Investors and $180 million in equity investments and strategic financing that MDR vendor Deepwatch raised in February, as two other major deals in 2023's first quarter. Yet another was a $500 million capital raise by Alphabet spinoff Sandbox AQ in February.
As has always been the case, some segments within the cybersecurity industry received more love from investors than other segments. Rik Turner, an analyst with Omdia, identified the segments that have received the largest amounts of funding so far in 2023 as network security, security management, and SecOps. These sectors have perennially been attractive to investors, he says.
"Others such as cloud, application, and data security are now also mainstays within the overall totals," Turner says. "[The trend] speaks to the growing amount of cloudification of app infrastructures, which was already underway before the pandemic, but was undoubtedly turbocharged by it."
Several of the technologies that investors are betting on are also — unsurprisingly — the areas where enterprise organizations are spending most of their security dollars on as well. In a recent Dark Reading virtual event, Chenxi Wang, founder and general partner of Rain Capital, identified cloud security, network security, identity and access management, SecOps, and application security as some of the top spending priorities for organizations currently.
In comments to Dark Reading, Wang says based on her observation, overall deal volumes and the velocity of strategic deals decreased in the first three months of 2023. "We observed the same thing on the venture side. Less companies are getting funded compared to last year."
A Cautious Cyber-Investment Outlook for the Rest of 2023
Wang and other industry analysts have a somewhat cautious outlook on M&A and investment activity in the cybersecurity sector for the rest of the year.
One major issue is how SVB's demise will playout over the rest of the year. Wang believes — like many others — that the SVB collapse will make it harder for startups and early-stage companies — especially those with a high-risk appetite — to get funding.
"In the long run, it means less companies will cross the chasm to scale up and become a sustainable business," she says.
McAlpine is less concerned about the short-term implications of SVB's implosion. The immediate slowdown in financial activity that the bank's collapse triggered has already begun reversing itself. But the longer-term impact may not be evident for years.
"Going forward, we're advising companies to avoid putting all their eggs in one basket," he says. "Working with multiple banks, for example, [such as] one global bank and one regional bank, can help to avoid business interruptions during this period of volatility in the banking system."
He expects that things will start to loosen up sooner rather than later. Financing and M&A activity can't remain in a state of limbo forever, he says. Many companies will still need capital to reach the next stage of their business, even if they're able to adjust and extend their runway near term. "We also expect to see more companies take a parallel approach where they pursue financing and M&A at the same time," he says. "This gives them optionality if one or the other doesn't materialize at a valuation that's acceptable to founders and investors."
Steinnon, who expected a lot of funding that didn't happen last year to be pushed into 2023, says he is underwhelmed by what he has seen so far this year. But he predicts investment and M&A activity will begin ticking upward starting in the third quarter and will at least match 2020's total of $10 billion.
He predicts that the second quarter of 2023 will be the slowest investment quarter in years in the cybersecurity industry.
"Fallout from SVB's failure is going to have a negative impact on all funding, including in cybersecurity," he says. "I fully expect private equity to take advantage of decreased valuations [and] to snap up deals from the public and private sectors."