PE dealmaking thrives in cybersecurity sector
Private equity's breach of the cybersecurity industry is quickly expanding.
PE dealmaking activity in the space is going strong so far this year as investors look to take advantage of the sector's declining valuations and stable business model characterized by low client churn and high margins.
Other forces driving industry consolidation, and opening the door to PE deals, include its fragmented state—which lends itself to buy-and-build strategies—and customers' increasing desire to do business with a single cybersecurity firm for all their needs, instead of buying piecemeal offerings from small niche producers.
So far in 2022, private equity sponsors and their portfolio companies have backed 162 cybersecurity deals worldwide valued at $34.9 billion, including both add-on and platform acquisitions, according to PitchBook data through Aug. 18. If dealmaking continues at its current pace, it could surpass last year's tally of $36.4 billion across 308 transactions.
Brendan Burke, a senior analyst at PitchBook, said the record deal value was driven in part by investors carrying out take-private deals of mature companies at discounted prices amid falling valuations in the technology industry.
"Private equity has finally been able to get attractive prices on high-growth market leaders that were priced too high before this year," he said. "They've been able to continue their platform strategies across separate market segments and move toward consolidated product offerings for their platform companies."
Thoma Bravo, one of the busiest investors in this sector, recently announced it will take Ping Identity private in a deal that values the enterprise identity management provider at $2.8 billion. The news came shortly after the tech investor bought identity security company SailPoint in a $6.9 billion take-private transaction.
Consolidation opportunities are another factor driving the deal flow, according to Manish Thakur, a managing partner at Option3, a New York-based firm investing in cybersecurity deals.
End users of cybersecurity products increasingly prefer a full suite of complementary cybersecurity services from one provider rather than fragmented innovations, he said.
"When we spoke to clients of some cybersecurity companies, here is what they kept saying: 'We don't want more cybersecurity companies. We've already got too many; we want fewer; we want them to be integrated.'" he said. "That means consolidation, not just innovation."
Option3 last year pivoted from venture funding in early-stage startups to acquiring late-stage middle-market companies for buy-and-build strategies as the firm recalibrated its investment strategies to follow the shifting market.
Option3 is currently pursuing a platform acquisition in the market and is planning to raise a $250 million buyout fund dedicated to that strategy, Thakur said.
The cybersecurity industry offers PE firms many opportunities to carry out buy-and-build strategies, in which investors make acquisitions to supplement portfolio companies and consolidate product suites, Burke said.
A number of PE firms are looking out for these opportunities. KKR made a platform acquisition in April, buying Barracuda Networks from Thoma Bravo for a reported $3.8 billion. Advent International acquired security operations startup Cysiv as an add-on for its portfolio company Forescout.
Cybersecurity companies' lower customer churn rate compared to other SaaS businesses and their ability to generate high margins are also a big draw to PE companies.
And, as hacker attacks rise in the public and private sectors, cybersecurity development has become an increasingly urgent issue. Governments have earmarked billions of dollars to strengthen their cyber capabilities. The $1 trillion infrastructure legislation signed by President Joe Biden in 2021 included grants to fund local and state government cybersecurity projects.
The Australian government is another example, having budgeted A$9.9 billion to bolster its cyber intelligence.
Cybersecurity investments have also been popular among tech companies, which have pursued sizable acquisitions in this sector. Google, for instance, this year inked a deal to buy cybersecurity provider Mandiant for $5.4 billion, beefing up cybersecurity offerings in its cloud unit. The company also acquired security operations platform Siemplify last year.
Correction: An earlier version of this story contained incorrect information about 2021 and 2022 deal value and deal count in the cybersecurity industry due to a data retrieval error. (Aug. 26, 2022)
Featured image by Song_about_summer/Shutterstock
This article originally appeared on PitchBook News