Much like the rest of technology, merger and acquisition (M&A) activity for cybersecurity companies has been in a slump this year. There are a number of reasons why that won’t last, but still, the decline has been noteworthy.
For the first seven months of this year, there were a mere 34 startups that got acquired, according to data from Crunchbase. That is a level not seen since 2017, when there were 52 acquisitions.
What’s going on? There are a variety of factors at work. With interest rates rising precipitously and growing fears of an economic slowdown, there has been less willingness to take on financial commitments. This has also been evident in declining venture capital funding for startups and the slumping IPO market too. That gives startups and their investors few options for exits or raising capital.
M&A can be risky even in the best environments. Consider research from L.E.K. Consulting. Based on 2,500 deals, it found that more than 60% destroyed shareholder value. Some of the reasons for that include challenges with integration, problems with due diligence, lack of a clear strategic rationale, optimistic projections, and high takeover valuations.
But M&A is a feast-or-famine business that can quickly turn. And this may happen sooner than later.
“Despite slower deal volumes in 2023, M&A interest in cybersecurity remains high and I expect we’ll see an uptick in activity later this year and into 2024,” said Chris Stafford, who is a partner in West Monroe’s M&A Practice.
See the Top Cybersecurity Startups
4 Drivers for an M&A Comeback
There are four reasons why a turnaround in mergers and acquisitions is a near-certainty; these pent-up forces will be unleashed at some point.
- Startup Runways Dwindle
A key factor that will likely drive more dealmaking activity is that CEOs of cybersecurity startups may not have much of a choice. The second quarter saw a 63% plunge in venture capital funding for deals in the sector, according to Crunchbase.
“As we approach the end of the year and get 18 months or so out from when fundraising became more difficult, we are likely to see more companies approach the end of their runway,” said Seth Spergel, who is a managing partner at Merlin Ventures. “Those that aren’t able to show enough traction to bring in new money or convince existing investors to provide them with additional cash will likely be more open to lower acquisition offers.”
- Private Equity Firms Have Trillions to Spend
On the other side of that equation, there is growing motivation for buyers to ramp up their efforts. Private equity firms are sitting on considerable dry powder. S&P estimates that this has reached a record $2.49 trillion for the middle of 2023. All those trillions will get put to work if valuations and opportunities become favorable enough.
- Big Tech Companies Are Sitting on Tons of Cash
Strategic buyers have benefited from rising stock prices, and the largest tech companies are sitting on mounds of cash. For example, Microsoft has $111 billion on its balance sheet and Cisco has $23 billion. Cisco has already been putting some of that cash to use in cybersecurity M&A — more on that in a moment.
In the meantime, there is growing optimism in the C-suite. In a survey from Grant Thornton LLP, nearly all of the respondents — who are M&A professionals — said deal volume will increase in the second half of the year. About 11% predicted there would be a significant increase.
- Changes in Customer Spending to Align Security Stacks
Another factor in favor of renewed M&A for cybersecurity startups is changing customer spending priorities. “It’s no surprise that many enterprise CISOs are suffering from ‘tool fatigue’ — having too many tools from too many vendors complicating an already complex threat environment,” said Robert Watson, Director of the Risk & Cyber Strategy Consulting Practice at Tata Consultancy Services (TCS). “Enterprise security customers are trying to align their security stacks and consolidate their ‘tool ecosystems’ so they can focus on more strategic risk across their people, process, and technology spectrum. Strapped security teams are also looking for automation to support their strategic consolidation efforts. These trends, in turn, are driving cybersecurity solution providers to find ways to deliver more integrated solutions to meet the demand.”
In other words, consolidation is likely to be a major trend. Of course, one way to accomplish that is through M&A.
Also read: Security Buyers Are Consolidating Vendors: Gartner Security Summit
Some of the Biggest Security Acquisitions of 2023
This year hasn’t been completely without big M&A deals, and a few have been noteworthy. Let’s take a look at some of the interesting deals we’ve seen this year.
Rubrik Buys Laminar
In August, Rubrik announced the acquisition of Laminar, which operates a data security posture management (DSPM) platform. The company is fairly new, having been launched in 2021. It has raised about $67 million. As for the price tag on the deal, it’s estimated at $200 to $250 million.
Laminar’s system allows for customers to deal with the problem of security data across public clouds like AWS, Azure, Google and Snowflake. The deal is a part of Rubrik’s transformation to move beyond data recovery solutions.
There is also buzz that the company may have an IPO during the next 12 months or so.
Also read: Some Cybersecurity Startups Still Attract Funding Despite Headwinds
Check Point Software Buys Perimeter 81
Check Point Software announced the purchase of Perimeter 81 in August. The deal came to $490 million in cash.
Perimeter 81, which was launched in 2018, runs a converged network and security platform to manage in-office and remote workforces. The company has over 3,000 customers and more than 200 employees.
In 2022, Perimeter 81 raised $100 million at a $1 billion valuation. Those investors took a big haircut on the deal, but those kinds of discounts are what will get the M&A market going again.
Perimeter 81 has made a number of our top cybersecurity product lists, including best zero trust solutions and best SASE solutions.
Thales Buys Imperva
In July, Thales agreed to buy Imperva for $3.6 billion. Imperva helps customers with securing applications, APIs and data. The company was founded more than 20 years ago.
As for Thales, it’s a French aerospace and defense company. But the company has been bolstering its cybersecurity assets, such as with acquisitions for companies like Gemalto, Excellium and S21SEC.
It’s a good buy for Thales. Imperva is on our list of the top cybersecurity companies and has made a number of our top product lists, including the important DDoS protection market.
Cisco, HPE and IBM Find Deals
A few tech giants are also seeing some bargains in cybersecurity startups.
Cisco has long pursued a strategy of growth through acquisition, and has been one of the most active acquirers again this year, picking up cloud security startup Lightspin, AI security company Armorblox, and identity security startup Oort.
In other notable M&A activity, HPE acquired SASE startup Axis Security, IBM acquired cloud security startup Polar Security, and Tenable acquired Ermetic, one of our top Cloud Security Posture Management (CSPM) vendors.
Some Public Companies Go Private
Lastly, private equity companies seem to be finding some value in publicly traded cybersecurity companies amid the downturn. Absolute Software, KnowBe4, Sumo Logic and Magnet Forensics were among the publicly traded cybersecurity companies going private in billion-dollar deals this year.
Read next: Top VC Firms in Cybersecurity