
Cybersecurity M&A slows down, but should rebound in late 2023

Dealmaking for North America’s cybersecurity companies has declined since 2021’s feverish levels.

The number of deals in 1Q23 – both M&A transactions and capital raises – dropped 43% year-on-year to 53, the lowest level since 4Q18. Meanwhile, total disclosed transaction volume fell 69% to USD 4bn, the lowest quarterly figure since 3Q20.

But cybersecurity remains one of the most active parts of the tech sector, given the rise in state-level espionage from China, cyber warfare by Russia following its Ukraine invasion, and ransomware attacks such as BlackCat.

A persistently wide bid-ask spread is largely to blame for the slowdown, with the private market yet to catch up with the fall in public market valuations, according to Gurinder Sidhu, head of cybersecurity investment banking at UBS.

Many startups remain well-funded, having raised capital in the last 18 months. But those that were last financed in late 2021 or before will have to raise funding again later this year. Many have not grown into their valuations, having been forced to cut costs at the expense of growth as expectations of a recession loom. If their growth is not what a venture capitalist wants, they will be forced either into a down round or a sale, said Sidhu.

That in turn will reduce the bid-ask spread and open up M&A activity, probably by the end of 2023, said Sidhu.

Already, valuation multiples have taken a hit, according to one executive, dropping to 5x annual recurring revenue from 20x just 18 months ago.

Cybersecurity firms also have stopped making the multi-billion-dollar acquisitions they did four or five years ago. In today’s uncertain macroeconomic climate, they remain much more disciplined and focused on profitable growth. Instead, the bidder pool has skewed towards private equity.

Going private 

Until 2019, strategic buyers dominated deal volume, before sponsor-led buyouts began to dominate from 2020 onwards, according to Mergermarket data. Buyout volumes, after seeing meteoric growth throughout 2021 and remaining strong into 3Q22, only began to fall in the final quarter of last year. Meanwhile, the number of buyouts has declined in the last five quarters, hitting a five-year low of 11 last quarter.

Even so, private equity firms see the valuations of publicly listed cybersecurity stocks as “somewhat artificially depressed” given the sector’s strong tailwinds, said a partner at one major PE firm.

With the vast pile of dry powder plus the still-robust private credit markets, more take-privates are expected.

A record six North America-based cybersecurity firms were taken private in 2022, double 2021’s haul, according to Mergermarket data. Another three have done so in less than five months of 2023 – Absolute Software, Magnet Forensics, and Sumo Logic.

The flurry of cybersecurity firms that went public in 2020-21, many of which are sub-scale yet enjoy good growth, could be targeted by PE next. Some already have, notably ForgeRock, KnowBe4 and Sumo Logic.

Kill complexity

There is a renewed emphasis on platform plays in cybersecurity — the idea of managing the security of your network from a single 'pane of glass'. Customers do not want the complexity of dealing with roughly 200 point solutions that often fail to integrate with each other well. That is pushing PE firms like Francisco Partners, Insight Partners, Thoma Bravo and Vista Equity towards cybersecurity platforms and consolidating some of the submarkets within cybersecurity.

“It should be an interesting opportunity to consolidate some of these submarkets,” said the PE partner. “There is lots of capital to facilitate it.”