Dealmaking on the rise in cyber security sector
An increasing demand for cyber security services means M&A activity in the sector is defying current headwinds. Jason Sinclair reports on the growing interest in IT defence systems.
The number of cyber threats is going up and, to catch up with that, corporations need to have the right IT security in place, says Florian Depner, director at ICON Corporate Finance. “They need to continuously invest in upgrades and infrastructure,” he says. “This is an ongoing arms race and the attackers are driving spend and investment, with no end in sight at the moment.”
ICON has taken the temperature of the cyber security landscape, published in its Q3 2022 sector update. The firm’s research found that global M&A activity and fundraising has held up against a gloomy macroeconomic picture, but with some experts saying that any global downturn could lead to an increase in cyber attacks – and all agreeing that cyber will continue to be ‘mission critical’ spending for corporates.
M&A deal activity is on track to surpass pre-COVID-19 levels, according to ICON’s report, with $15.4bn of venture capital being invested in 572 deals globally in the first nine months of 2022. While private equity has been a driver of recent M&A, Depner says: “A lot of these businesses are still in high-growth mode and are consuming a lot of cash. Not all of them are profitable and that rules them out of being a private equity investment because there’s higher risk and private equity isn’t quite so risk-friendly as venture capital.”
“Cyber security thrived under the pandemic,” says Depner, “and continues to thrive versus other tech sectors that are suddenly regarded as being quite risky because they are tapping into more discretionary spending. Cyber security is not just a ‘nice to have’.
“You’re seeing big numbers of lay-offs in other tech subsectors at the moment,” he continues. “But that is not likely to happen in cyber security any time soon. And this is why you can clearly see them pulling away from other verticals in terms of being able to attract venture capital money and decent valuations.”
Grown-up cyber
The figures speak of a maturing market where deal activity for solid assets will only increase as cyber providers reach private equity thresholds. Derek Neil, a corporate finance partner at BDO, says that cyber “has always been attractive as an M&A target. The business model, as an essential business protection tool, has only increased in importance since the pandemic. What was once the focus of the IT team in the basement is now a board-level issue.
“The challenge,” Neil says, “has always been to find anything of scale, as there are a limited number of businesses to invest in. We’ve seen IT services businesses seeking acquisitions as they diversify their revenue and make their customers more ‘sticky’.”
He says that as the economic landscape grows more challenging, certain sectors become more difficult to invest in, “meaning those sectors that are resilient to a recession attract even more focus. The combination of private equity dry powder, IT services, businesses looking to diversify and fewer investable sectors has increased the attractiveness – and therefore pricing – of cyber businesses.”
James Wild, UK head of M&A at RSM, sees another strength in the sub-sector’s business prospects. RSM’s The Real Economy report found that more than a quarter of the mid-market businesses surveyed had suffered a ‘successful’ cyber attack in the previous year, with 72% of surveyed businesses fearing an attack in 2023.
“With the increasing adoption of remote working, an organisation’s security perimeter is widened and thus creates further security challenges. Therefore there is an ever-increasing demand for cyber security services, which is attracting investment in the market,” Wild says. “As a result, we have seen significant appetite from UK and US PE funds in the cyber sector, including Livingbridge, LDC and Tenzing. For example, we advised Celerity, a cloud and managed IT service provider, on its £15m minority investment from BGF, with cyber services being a focus going forward.”
Andy Morgan, head of TMT corporate finance at Grant Thornton, says that “cyber security is obviously an active area and it’s right at the centre of the sphere of interest from many different start points. You’ve got cyber-security specialists, but then you’ve also got a lot of players who are coming from broader IT services and managed services who see they need a stronger security offering and are expanding. Security is also a core part of the competencies for B2B telecoms and unified communications specialists, where there is a lot of PE-driven buy-and-build activity.”
Morgan has seen a “broad church” of deal activity, ranging from the £1.7bn IPO of Cambridge-based Darktrace, to the sale of SecureData to French multinational Orange. Meanwhile, in the government and public sector arena, secure cloud and infrastructure builder Aker Systems was sold to LDC in July 2020. LDC sold it on to Abry Partners 14 months later.
“There are a lot of routes for PE to get exposure to the cyber market,” he says. “Some are product-driven and some rest on consulting and services. But one of the things that’s clear is that if you’re a services provider or a technology provider, you’ve always got to have a security offering.”
For businesses, Morgan continues, “the threat and cost aspect of getting it wrong and the business interruption side that comes with that is significant. Equally, if you want to win business, if you’re tendering or contracting, you’ve got to convince people of your compliance with cyber essentials – it’s key on so many tender lists now. And if you haven’t got your cyber security right, then you probably won’t qualify on some of the tenders in terms of procurement.”
A managed service
For mid-market firms that don’t have the capability to protect themselves in-house, “there’s probably an incentive to look for a single-point provider to be your trusted provider and package whatever the right solutions are, in a way that works for your organisation, then increasingly deliver that as a managed service.” This, says Morgan, is seeing businesses migrate from a ‘product strategy’ to a ‘managed services strategy’, with the latter band of providers looking like a growth market.
“It’s pretty fertile ground for private equity,” he says, “and it’s been at the forefront of trying to find those platforms and then looking at how they scale them. PE has probably been more active in the services than the product end of the business, which is more a venture capital space.”
The product market – with the exception of outliers such as Darktrace – is dominated by US and Israeli companies, often grown with military partnerships. And it’s in the US that the majority of ICON’s largest reported transactions have taken place, including Thoma Bravo’s acquisition of enterprise identity security company SailPoint for $6.9bn. Cumulative US deal value for 2022 is estimated at $10bn, while the equivalent figure for UK & Europe is $1.4bn.
Meanwhile, IPOs in the sub-sector are less common. Obviously there is an uncertain outlook in public markets. The US has seen a large number of take-private transactions and ICON estimates the number of cyber-security unicorns at “70 and growing steadily”.
The major specialised cyber-security funds are almost exclusively US-based, but the UK still ranks relatively high for opportunities, according to Depner: “You have great cooperation between the government and private sector, coming out of the National Cyber Security Centre, with public money nurturing with seed finance,” he says.
Morgan warns not to “regard anything as being recession-proof”, but does say that “it’s one of the top couple of things that people will continue to spend money on because they have to. So it’s going to stay on the priority investment list.”
As Eric Bell, MD with US firm Progress Partners, recently said while describing the “massive war chests of dry powder” held by the US private equity giants investing in cyber: “Technology is constantly evolving as malicious actors and nation state-sponsored organisations attempt to exploit vulnerabilities in IT systems and critical infrastructure. As a result, new market opportunities arise and buyers are willing to pay up to acquire capabilities that accelerate their product roadmap, give them access to new markets or help them capitalise on emerging trends.”
“From a transactional perspective,” Morgan adds, “I think the fact that the end market spend is resilient will be helpful in supporting deal activity, plus the fact that you still have lots of people looking to acquire who are converging on the cyber-security space from different angles.” Valuations may be compressing slightly because “you can’t divorce valuation completely from what’s going on in debt markets and the price of capital”, but nonetheless, “if you’ve got a business that’s ticking the boxes people want to see, whether it’s from a product perspective, or scalability, or equity metrics, then there’s still a lot of capital out there looking to be deployed, so you’ll probably find somebody who will pay the strategic premium for the right asset.”
Practice makes perfect
Sarah Barry, partner at RSM UK, advised on the sale of Kent-based IT and cyber-security learning network Practice Labs to US company ACI Learning (backed by Philadelphia private equity house Boathouse Capital).
Barry recounts the deal: “The shareholders were not actively looking to sell the business. However, they identified that there were opportunities to further scale and grow the business with the support of a larger company. With the support of ACI Learning, Practice Labs could continue its impressive growth in content and subscribers, and utilise the synergies on offer from being part of a larger group. The company received a number of approaches, but the cultural fit and overlap in product and content offering made ACI Learning an ideal acquirer.
“As with most international deals, there were logistical difficulties due to having an overseas buyer in a different time zone. However, the deal process ran relatively smoothly. ACI Learning was pragmatic in its approach to the deal as it was aiming to complete the acquisition by the financial year end, which helped streamline some of the process and negotiations.
“The Practice Labs deal mirrors what we have seen across the wider edtech sector. It gained momentum during the pandemic as the traditional education practices were disrupted and people took the opportunity to reskill online. This led to a significant amount of consolidation in the market as companies sought to acquire subscribers and content.”