Mergers and acquisition (M&A) activity and investments in cybersecurity picked up once again in the fourth quarter after dropping off somewhat sharply in Q3. The activity put the sector on track to close out the year in better shape than many had expected, with overall funding topping 2020's pace (even though it dipped compared to 2021).

"M&A and financing deal count and volume in 2022 are still above 2020 levels despite current economic uncertainty," says Eric McAlpine, managing partner at Momentum Cyber. "Cybersecurity is still a very active market relative to historical levels over the past decade."

McAlpine says Momentum tracked a total of 37 M&A deals in Q4 through November. That compares to 50 total acquisitions in Q4 2021.

"M&A activity in the cybersecurity services market continues to be higher than any other sector in the industry," he says. In fact, M&A volumes in 2021 and 2022 year-to-date in cybersecurity services top total volumes for the previous five years combined, he adds.

To boot, McAlpine predicts that M&A activity in cybersecurity will continue its momentum in 2023 as startups run into challenges with raising more capital, or run out of money, or adjust their valuation expectations downward. He predicts a "sea change in thinking by investors away from growth at all costs to funding profitable growth."

M&A Activity Regained Momentum After 3Q Slowdown

Two major cybersecurity acquisitions in October had an outsize impact on overall deal volumes in the last quarter of the year. One was Vista Equity Partners' $4.6 billion acquisition of KnowBe4 on Oct. 12. Like many other private equity (PE) firms, Vista plans to make the publicly traded KnowBe4 a private firm once the acquisition is complete.

The other major fourth-quarter deal was PE giant Thoma Bravo's all-cash purchase of ForgeRock for $2.3 billion on Oct. 11.

But that's not to say there weren't other significant deals during the quarter. As examples, McAlpine points to Palo Alto Networks' $195 million acquisition of Cider Security in November; Proofpoint's purchase of Illusive for an undisclosed sum in December; and 1Password's acquisition of Passage in November, for an unknown sum.

According to numbers that S&P Global Market Intelligence tracked, the first three weeks of October alone saw more M&A money move through the cybersecurity sector than the entire third quarter.

"Between Oct. 1 and Oct. 24, cybersecurity acquirers disclosed an aggregate $6.90 billion in deal values from nine announced transactions," the analyst firm said in a recent market report. In comparison, the aggregate deal values for all M&A transactions with disclosed values during the third quarter was just $3.06 billion — down more than 75% from the $13.77 billion during the same period in 2022, S&P Global Market Intelligence said.

A Flurry of Funding Activity

Meanwhile, the last quarter of 2022 also had its fair share of funding activity in the cybersecurity sector. Notable examples include Arctic Wolf's closing of a $401 million convertible notes offering in October; Drata's $200 million Series C funding round in December that valued the firm at $2 billion; and a BlackRock-led $120 million pre-IPO financing round in Versa Networks.

"Keeping in mind that the year is not over yet, there have been 396 funding rounds totaling $16.6 billion in new investments" in 2022, says Richard Stiennon, chief research analyst at IT-Harvest. "While this does not match last year's $24 billion, it exceeds the record funding of 2020 by 60%."

The numbers are not too shabby for a year for which disaster was predicted, Stiennon notes: "And the year is not over. I would not be surprised if we hit $17 billion."

By IT-Harvest's count, there were nearly two dozen cybersecurity funding rounds disclosed in the last three months of 2022. These included a $196.5 million series G funding round at Snyk that valued the firm at a $7.4 billion; NetSPI landing $410 million in growth funding; and Akeyless raising $65 million for its secrets management technology.

Data that Momentum tracked showed that through the end of November, the most active sectors for M&A deals were managed security service providers; risk and compliance; and security consulting and services segments. The most active segments for financing deals during the same period were risk and compliance; identity and access management; application security; and network and infrastructure security.

The Impact of Industry Activity on Enterprise Security Teams

Marc van Zadelhoff, CEO at Devo, expects that the cybersecurity market will weather any recession that might materialize, better than other sectors.

"In the second half of 2022, security was the last industry to observe a slowdown in spending, let alone IT spending," he says. "Before midway through 2023, I firmly believe that security will be the first industry to emerge out of the recession, given the explosion of data and threats and the need for a solid security posture."

However, security teams must show their capabilities and provide immediate ROI, van Zadelhoff says. "Now is the time to lay the groundwork for cybersecurity investment and for security decision-makers to learn the language of the CFO and practice their cyber pitch."

At the same time, some say a prolonged recession — or fears of one — could put a damper on security spending and trigger other changes in the industry over the next year and in the short term. They advocate that enterprise security team be aware of the potential implications of these changes and be prepared for them.

Security teams, for instance, need to be prepared to show measurable return on investments and do more with less in situations where their organizations might be looking to cut security spending, says Richard Caralli, senior cybersecurity advisor at Axio.

This is in anticipation of a slowdown in core spending in 2023 on technology acquisition, which could lead to some contraction in certain cybersecurity sectors and more potential consolidation and acquisition activity.

"At that point, you can expect to have to reevaluate any technologies that are caught up in these activities," Caralli says.

The fact that CISOs and people in charge of purchasing decisions are increasingly looking for more integrated platforms could be another driver for funding activity in the cybersecurity sector in 2023.

"The cybersecurity market is approaching bloated status," says Hank Thomas, CEO at Strategic Cyber Ventures. "There are far too many vendors chasing the same dollars with comparable technology. PE firms and other later-stage investors are looking to bring in larger players to serve as anchors for rollups and bolt-on acquisitions. This will create new more comprehensive, cost efficient, and effective security platforms."