By Sheana O’Sullivan
With the slowdown in fundraising and M&A in cybersecurity, I was curious to look into the space as the global concern over cybersecurity has never been higher. F5 CEO François Locoh-Donou calls cybersecurity “not just as a threat to business, but… a threat to human lives; not just as a business priority, but as a moral imperative’.
At a time when organizations need to reinforce their cyberdefences, what are the trends in investment and M&A activity? What is the outlook for the future?
I communicated with contacts at some of the leading cyber companies in the US and Europe to see what they are thinking and what’s important right now. Here’s what I learned.
All the corporates highlighted the risks from the proliferation of remote workers and the need to address the security and networking needs of a hybrid work force as users, devices, applications, services, and data rapidly shift outside the enterprise data centre. As endpoint devices have multiplied, the perimeters providing access to the network have started to blur, and threats have increased.
An acquisition that highlights this ‘borderless’ theme and the latest security trend Secure Access Service Edge (SASE) which connects and secures users, devices, and locations as they work to access applications from anywhere was demonstrated by Netskope, the leader in Security Service Edge (SSE) and Zero Trust. In August 2022, Netskope acquired Infiot to enable the application of “uniform security and quality of experience policies to the widest range of hybrid work needs, from employees at home or on-the-go, to branch offices, ad-hoc point-of-sale systems, and multi-cloud environments.”
In a nod to the uncertain economic climate with the drop in valuations of public tech companies, higher inflation and a tightening monetary policy, the Corporates talked about the tougher environment to raise money today compared to 2021. Here are some of the comments I heard which capture the dynamic in fundraising:
“If companies didn’t raise within the last 10-12 months, they are not getting the funding they need now”
“It’s a crowded space looking for funding now, we see huge down rounds”
“Definitely seeing more distressed businesses with high burn that can’t raise more equity so will run out of cash in 1-2 months”
“There is a spectrum; there are also some high growth companies coming across my desk who are commanding higher valuations”
This sentiment is also highlighted in the fundraising data. Deal flow has declined for the past four consecutive quarters, dropping from 452 deals in Q1 2022 to 238 in Q2 2023 and are now close to levels last seen in 2019.
In value terms, the fundraising data also shows a decline in the amount of dollars invested in cybersecurity startups, from $9.7BN in Q4 2021 to $1.8BN in Q2 2023. While the amount of dollars invested has declined sharply and is well below the highs of the past few years, and also back to the levels last seen in late 2018. It seems reasonable to say we are seeing a return to a more normal level of activity prior to the surge in fundraising activity as the markets soared in 2021 when VCs and PE were deploying copious amounts of dry powder reserves.
Cybersecurity fundraising returns to pre-pandemic levels
All the Corporates I contacted mentioned they have been more cautious with acquisitions over the last few quarters as they keep an eye on interest rate increases and the possibility of a recession. Despite having adopted a more disciplined approach toward inorganic moves in this environment, they are still actively looking for companies to acquire and they are starting to see more deal flow in Q3.
Here are some of the comments from Corporates highlighting the changing dynamic in M&A:
“Seeing more inbounds on smaller side, less than $500K in revenue, mostly under $5M in revenues which are having a rough time raising money”
“Tech talent opportunities are abundant”
“A good time to focus on tech-focused smaller acquisitions with focus on roadmap”
“Seeing several acquihires for companies where investors were willing to take a fraction of dollars invested and were looking for a soft landing for the team”
“Companies that got frothy valuations last year, now over 30-40% of these companies are coming across my desk”
“Valuations for mediocre companies will continue to drop more”
This more cautious sentiment is certainly reflected in the data. M&A deal count through strategic acquisitions has dropped from the highs of 2021, when we saw 99 deals in Q4 2021, with a sharp decline to 45 deals in Q2 2023. Capital invested tells a similar story, we see a decline from Q2 2021 with $6.4BN invested to $890.5M in Q2 2023.
M&A volume and value through strategic acquisitions
In terms of M&A volume through PE acquisitions, we are seeing private equity buyers ramping up their take-private activities. Although this trend is expected to wind down in 2023 due to favorable market conditions, we have seen a run of cybersecurity acquisitions by PE firms.
- In February 2023, Vista Equity Partners completed its acquisition of KnowBe4, security awareness training and simulated phishing platform KnowBe4 for $24.90 per share in cash, valuing the company at about $4.6BN
- In August 2022, U.S. private equity giant Thoma Bravo announced it had completed the acquisition of SailPoint, identity security company for $6.9BN.
- In April 2022, KKR, a leading global investment firm, announced its purchase of Barracuda Networks Inc, a provider of cloud-first security solutions, from Thoma Bravo, a leading software investment firm.
M&A volume and value through PE acquisitions
I did also hear some positive comments from Corporates that point to their increased motivation to acquire in Q3 and hint at a possible uptick in fundraising and M&A in 2023:
“We are seeing a lot more deal flow now compared to earlier this year”
“Volume of inbounds since last month has been hot, security is particularly hot”
“Valuations have definitely fallen but stronger companies with lots of cash are still getting good multiples”
“We are still busy looking at companies but there is a shift from growth-oriented activity to more of a cost efficiency focus”
We’re focusing on the company’s forward trajectory, operating margin. Strong fundamentals are more important now”
While the economic climate has led to a contraction in fundraising and M&A from the highs of the pandemic, the resilience of cybersecurity tech prevails, hinting at a pickup in fundraising and M&A later this year. One corporate mentioned there are 40 cyber problems that need to be solved and there are many startups dealing with each issue.
Based on my conversations, Corporates seem increasingly motivated to acquire tech-focused companies at potential lower valuations and, also, higher quality companies at higher multiples.
With the boom in the volume of cybersecurity startups over the last few years, we will see more consolidation where the smaller companies that are challenged will be acquired and integrated by the larger players. This will enable the larger players to provide more complete cyber offerings enabling enterprises to purchase from a single vendor rather than 50-point solutions.
Consolidation will be further fuelled by advances in Cyber AI technology and new trends like SASE. Although in the early stages of AI adaption; the global market is expected to grow by US$19 billion between 2021 and 2025.
Against that backdrop, 65% of organizations are planning to increase cybersecurity spending in 2023. Gartner forecasts worldwide spending on security & risk management to grow 11.3% in 2023.
All in all, dealmakers are poised to be more discerning as they look at increased deal flow, and while there is a preference for companies with strong financial metrics or at least a clear path to profitability, it’s going to be an interesting second half in 2023!
Based on interactions with:
Palo Alto Networks