On one hand, where the global cybercrime market (both organised and unorganised) is growing leaps and bounds and is projected to reach $10.5 trillion USD annually by 2025 (estimated; also to become the world’s 3rd largest economy), on the other, there’s a Merger & Acquisition (M&A) tsunami that has hit the cybersecurity space. Though this sector has always been hot for the M&A activity, the last two years have been exceptional and saw most high-value, high-voltage deals than ever before. Some of those deals have gone rogue too (Symantec sold to Broadcom then to Accenture) but that’s a separate discussion for some other day.
The data for the entire last year is yet to come in open domain, however, in the United States alone, the number of cybersecurity M&A deals hit 151 in the first three quarters of 2021. In 2018 this number was 80. In 2019 it was 88 and in 2020 the total number of M&As were 94, according to data from 451 Research.
Let me digress a little from the cliché that is US. Let’s, for a moment, focus on Israel. According to the Israeli Export Institute data, the overall cybersecurity exports from Israel were estimated at $11 billion in 2021. Last year, there were also 40 acquisition deals of Israeli companies by local and foreign firms with an estimated worth of $3.5 billion.
There’s more to it. As many as four Israeli cybersecurity companies went public in 2021 including SentinelOne, which through an IPO, raised $1.2 billion at a massive $9 billion valuation. It was touted as the largest IPO by a cybersecurity firm so far.
It’s true that technology sector has been witnessing a boom in M&A deal volumes and 2021 wasn’t an exception. Generally, there is a great deal of hustle-bustle in this arena but the deals in cybersecurity were exceptionally large and outshined the rest by a huge margin.
Across the technology and telecom sectors that are tracked by 451 Research, the deal volume jumped by 11.1% y-o-y in 2021. The application software saw a higher volume (19.3%). However, the number of acquisitions in the cybersecurity subsector catapulted 60.6% in 2021.
Yet another data that is mindboggling is that a large number of venture capital backed companies being grabbed by the PE firms and others. According to Crunchbase numbers, 129 venture-backed companies were acquired by private equity companies or strategics this year—shattering last year’s record of just 79 deals. Those deals were consummated even as more than $20 billion was poured into cybersecurity start-ups by venture and institutional investors.
Besides start-ups if we talk of the funds raised by cybersecurity companies, it is astounding.
The Indian cybersecurity services and product industry’s combined revenue stood at $9.85 billion in 2021. It grew at a CAGR of 40% in the last two years, mentions a report by Data Security Council of India (DSCI). Titled, ‘India Cybersecurity Industry Report – Services & Product Growth Story’ the report says that Indian cybersecurity start-ups grew from $740 million in 2019 to reach $1.37 billion in 2021
Going back to Israel, the amount raised by the cybersecurity companies in 2021 nearly tripled as compared to 2020. It is astonishing to know that the annual 2021 figure for Israel accounts for 40% of the total funds raised by cybersecurity firms worldwide in 2021.
If we talk of the Europe, it is no less exciting. As reported by Acuris Capital Intelligence there were about 44 European cybersecurity deals by Sept 2021, with €7.4 billion invested. “This means that, in value terms, 2021 was already in uncharted territory and will also likely top last year’s notably high deal count,” it said. Even in the first year of the pandemic, there were 57 cyber-related transactions in Europe in 2020.
To me, it doesn’t sound so shocking that cybersecurity domain has been witnessing a lot many M&As as compared to the other tech. Whether it is PE firms, larger tech companies or even mainstream security companies, everyone equally placed bets in the game.
(See below a list of key mergers and acquisitions in the cybersecurity domain in past two years)
What could be the possible reasons?
These two years have seen unprecedented growth in cyberattacks. From a small local data breach to an enormously large attack like that of SolarWinds, Colonial Pipeline, Kaseya or the Java-based software known as “Log4j,” the impact on business has been severe.
A cybersecurity company SonicWall said it recorded a 148% increase in global ransomware attacks through the Q3, 2021. According to Trend Micro, the banking industry was disproportionately affected, and experienced a 1,318% year-on-year increase in ransomware attacks in the first half of 2021.
Well, that was just a small glimpse of how hard attackers have come down on the industry. Most of the world is working from home, which means the attack surface has widened and companies need to secure more than ever – from cloud to end devices, from datacentres to edge devices, from networks to apps – like everything.
Another big reason to M&A frenzy is the amount of investment that has gone into creating cybersecurity start-ups. The sharks are now eating small fish. This consolidation was obvious. Also, companies use these acquisitions to either consolidate their existing portfolio or to branch out.
In the domain of cybersecurity, technology can never be evolved simply because adversaries are always experimenting. The legacy players in cybersecurity take the M&A route to not only stay on top of the innovation curve, but also to address the changing demands of customers.
But will this trend continue or is it a temporary phenomenon? Well, every new vulnerability or security threat gives birth to a new domain for which the existing technologies aren’t enough. That means niche start-ups or legacy players have to invest more in R&D and therefore the trend is likely to continue. It’s also true that if the legacy cyber companies like Symantec or McAfee or FireEye don’t evolve with time, and expand either by acquisition or innovation, the will either be severely undervalued or be dead, simple!