The current state of the cybersecurity M&A market

In this article, Clint Bundy, Managing Director with Bundy Group, was recently interviewed by Gary Cohen and Tyler Wall, the hosts of the Industrial Cybersecurity Pulse Podcast. The topic was to discuss the mergers and acquisitions (M&A) and capital placement activity that is occurring within the cybersecurity market. Given the tremendous amount of transaction activity for cybersecurity companies, Clint, Gary and Tyler had quite a bit to discuss. Clint also provided insights regarding what cybersecurity company owners can do to prepare for a potential sale or capital raise now and create additional value in their company.

Which groups or investors are buying in the cybersecurity space?

Clint indicated that for owners it is important to know their options, including who might be potential parties on the other side of a transaction. He segregated cybersecurity buyers into the following two categories:

• Strategic buyers. These are companies with existing operations that are either active today in cybersecurity or are technology-driven firms seeking to add cyber capabilities. These organizations can be publicly traded, financial sponsor-owned, management or founder owned.
• Financial sponsors. This group can be defined as investment groups looking for platform acquisitions in an industry with the goal of growing that initial investment by organic and inorganic means. For the latter, financial sponsors typically seek add-on acquisitions to rapidly grow the revenue, capabilities and organizational infrastructure. Eventually, the financial sponsors will sell the larger platform with the expectation that it will generate a healthy return for the investment fund.

Clint noted how many new groups are aggressively seeking platform investments in the cybersecurity sector. With each successful financial sponsor exit from a cybersecurity investment, it signals to other sponsors the opportunity to achieve the same outcome in the industry.

Why the interest in cybersecurity right now?

The cybersecurity M&A market has been attractive and active for years, but what is the reason for this buyer attraction to the segment? Simply put, strategic buyers and financial sponsors are looking for stability, profitability, growth and scale, and the cybersecurity sector offers those fundamentals.

• Stability: Buyers and financial sponsors evaluate the consistency of the industry. For instance, are there highs and lows with the performance on an annual basis? Or does the firm have a steady financial profile on a year over year basis? The cybersecurity sector excels in this area because so many firms have recurring revenue-driven models or continuous client service demands, which create a steady stream of financial performance.
• Profitability: Cybersecurity companies are value-added solutions providers, which give them pricing power with their clients. Furthermore, well managed cybersecurity companies should be able to achieve robust EBITDA margins, a key underwriting aspect for buyers in any transaction.
• Growth: In 2022, the cybersecurity market was estimated to be valued at a $174 billion, and it is projected to grow to $266 billion by 2027. If a cyber solutions security firm can execute and serve clients appropriately, then this massive market growth should provide ample lift for an individual company.
• Scalability: In short, this refers to a firm’s size. The underlying fundamentals include the company’s infrastructure, team and financial performance. A firm with scale has material presence in the market, and the larger the organization then the greater the power and leadership the firm has within its industry.

What have the past few years been like for M&A and capital placement activity in the cybersecurity market?

The cybersecurity M&A market has been active for the past 10-15 years, but 2018 is when one sees a substantial increase in activity occur. The increase is reflected in two metrics: the number of closed deals and the total cumulative transaction value of all market deals.

To be specific, in 2020 there were 471 cybersecurity transactions, which totaled $38 billion in transaction value.

In 2021, the number of cybersecurity deals increased to 480, which realized over $112 billion in total transaction value.

In 2022, the number of cybersecurity deals decreased to 410, approximately a 15% decline, and the total value of deals dropped to $48 billion, representing a 57% decline in transaction value. Simply put, the reason for the substantial decline in total transaction value was because of the pull-back in larger middle market and corporate-sized deals relative to 2020 and 2021. With hopeful stabilization in the credit markets, Clint expects the larger cybersecurity transactions to experience a resurgence.

Add-on acquisition activity is a frequent occurrence

A key means for achieving growth can be through add-on acquisitions. The strategic buyers and financial sponsors already in the cybersecurity market are actively looking to acquire such capabilities as new proprietary software/technology platforms or technology services, new clients, or added talent and management bench depth. Furthermore, it gives the firm the opportunity to increase the buyer’s financial profile at the immediate close of a transaction. Finally, an add-on acquisition tends to be a lower risk strategy relative to larger transactions, especially since the capital outlay isn’t as demanding on the buyer. In short, many seasoned buyers prefer the “buy” versus “build” approach in this market.

What is the landscape for 2023 for cybersecurity M&A activity and the potential challenges?

Cybersecurity owners and executives are often asking the question to the Bundy Group today about the state of the M&A market. At present, there are headwinds from a macroeconomic standpoint:

• Rising inflation
• Challenges finding talent
• Uncertainty if the economy is headed towards recession

These headwinds can influence the cybersecurity market, and, to some extent, the valuations a company can receive in a sale.

However, the counterbalance to these headwinds, and another reason why Bundy Group remains optimistic about the industry, is the amazing growth in the cybersecurity market. Buyers are recognizing this continued cybersecurity market growth in a more challenging macro environment. From an M&A perspective, there is a supply and demand imbalance. There are more aggressive buyers and financial sponsors than cybersecurity companies to buy or invest in. This imbalance is creating a seller’s market, which plays to the advantage of owners and their respective company valuations.

Bundy Group remains bullish on the cybersecurity M&A market for 2023. A question remains if 2023 market performance can achieve the same activity levels as 2021. The cybersecurity market has strong fundamentals to drive M&A activity, and Bundy Group anticipates continued robust activity in the $10 million to $150 million transaction volume range.

What process should a company take before pursuing a cybersecurity sale or capital raise?

From a seller’s perspective, it’s important to start as early as possible in assessing the strengths and weaknesses of the company using the stability, profitability, growth and scale metrics. That could include reviewing company financials and key performance indicators, understanding the company’s enterprise resource planning (ERP) systems and level of data offered, evaluating the nature and purchasing tendencies of the client base and assessing the strength of the executive and operational teams. Furthermore, Clint recommended an advisory team, which is there to support an owner in a sale of a company. This would help ensure that the organization is best prepared for a sale and then realizes maximum value in a competitive sale process.

Final thoughts on cybersecurity M&A

For owners, whether you’re thinking of a sale now, later, or never, an owner should educate themselves and stay updated on the trends and activities within the cybersecurity market. To be specific, that includes staying current on valuation metrics, the steps for preparing a business for sale and knowing which buyers are active and a strong fit for a seller. A cybersecurity company is an owner’s asset, and it is in the owner’s best interest to cultivate it in case an owner ever decides to sell and realize a strong valuation.