Cybersecurity dealmaking in North America has taken a hit, since reaching a record 370 deals worth USD 83.1bn in 2021.

The number of transactions has fallen by roughly a quarter in each subsequent year, according to Mergermarket data. Deal volume grew 8% to USD 54bn in 2023, but that was inflated by Cisco Systems’ [NASDAQ:CSCO] USD 29.7bn acquisition of Splunk last September.

Many cybersecurity startups raised capital at frothy valuations during the exuberant dealmaking of 2021. Three years on, several now need to raise more capital to jumpstart lacklustre growth but face down rounds. Rather than succumb, they either slow down investment, thereby further slowing growth or pursue a sale.

Growing cybersecurity startups with little customer churn, low costs, and a growing addressable market, are still getting funded, says Al Yang, CEO of SafeBase, a provider of risk assessment for software vendors. His four-year-old startup recently raised USD 33m in Series B funding after he was approached by investors.

The bipolar state of the market is best illustrated by two cloud security vendors, Lacework and Wiz. In 2021, Lacework was valued at USD 8.3bn and Wiz commanded a USD 6bn valuation. Bankers would name-drop them in the same sentence. In recent weeks, Lacework held unconsummated talks to sell to Wiz for USD 150m-200m. Wiz, meanwhile, raised USD 1bn at a USD 12bn valuation earlier this month.

What’s hot

Identity was one of the most talked about segments of cybersecurity at this year’s RSA Conference in San Francisco, the industry’s biggest confabulation.

Large pure play cybersecurity firms such as CrowdStrike [NASDAQ:CRWD] and Palo Alto Networks [NASDAQ:PANW] lack an identity offering and may look to close the gap with acquisitions, says Beyond Identity’s CEO Jasson Casey.

Other hot areas in cybersecurity are cloud security, operational technology (OT), and how to deal with artificial intelligence. Post quantum cryptography (PQC), which aims to secure systems against threats from quantum computers, also kept executives talking at RSA.

One deal that is indicative of where the cybersecurity market is headed was DuckDuckGo’s acquisition of data removal service Removaly, says one banker. In a world where personal data on the web can be manipulated into spam emails or deep fake videos, that deal “speaks to how important privacy is.”

While Mergermarket data suggest a retrenchment in dealmaking, anecdotally executives see increased activity.

“The number of companies available that are willing to have discussions are as high or higher than a couple of years ago,” says Todd Moore, global head of data security products at Thales [EPA:HO]. The French defense contractor acquired application and data security vendor Imperva from Thoma Bravo last July for USD 3.6bn. It remains “always hungry” for more deals and is especially interested in data security posture management (DSPM), another buzzy cybersecurity acronym.

Slow but healthy

Private equity buyouts of North American cybersecurity companies have slowed down too, sinking to 10 in 2023, the lowest number in a decade.

The economic and political instability of the last two years have disrupted the predictability financial sponsors crave, notes Barry Mainz, CEO of Forescout Technologies, which was taken private by Advent International in 2020. Gone is the typical model of buying and selling a company in three-to-five years, he says.

Thoma Bravo’s GBP 4.3bn buyout of UK-based Darktrace last month suggests the pendulum may be swinging back.

Some of Thoma Bravo’s many cybersecurity companies in its portfolio could seek an exit next year. Email security provider Proofpoint, which Thoma Bravo took private for USD 12.3bn in April 2021, is looking at a potential public listing in 2025, according to one source. Zero-trust security provider Rubrik’s strong IPO in late April shows a potential path forward. Given its size, a strategic buyer is a distant possibility that would be limited to Cisco or IBM [NYSE:IBM].

Because many sponsor-backed cybersecurity companies have modest 10%-to-20% topline growth but still desire elevated multiples, they may have difficulty exiting, cautions another banker. If they can recalibrate their story to one of margin expansion, that will get people excited, adds West Riggs, head of ECM at Truist.