Consolidation Opportunities in a Red-Hot Cyber Market
With the number and severity of cyber-attacks continuing to grow, companies across the board are finally taking notice of their cyber risks. But with organisations struggling to build in-house cyber security operations (primarily as a result of the skills shortage), this has created a huge opportunity for third-party cyber security companies to fill the void with their software and service offerings. The knock-on effect of this has been a flurry of high-value cyber security deals and vendor consolidation.
According to Pitchbook data, the total capital invested in cybersecurity deals grew at a CAGR of 30% per year between 2012 and 2019. In 2020, both the number and value of deals contracted heavily as a result of the global pandemic. However, as of July 2021, the cyberspace deal environment seems to have become red-hot again, with global deals worth €21 billion. 2021 could be a record year for cybersecurity deals.
There are multiple investors in the space, including cyber natives (young companies formed who provide cyber software or services), global consultancies, technology firms, professional services organisations, telcos, engineering businesses and defence companies. The US market is the most mature and advanced globally, but the UK and Europe are not that far behind. Alfonso Marone, UK Head of Deal Advisory for TMT at KPMG UK, delves into the topic/
Consolidation expected to continue
Although there are clear political divides between East and West, and although in some industries such as defence there is a need for obvious reasons to ‘buy local’ in terms of cyber services, we can expect to see consolidation in the global market, for a number of reasons.
Firstly, cyber is inherently a global issue – attackers can strike more or less anywhere, from anywhere. Secondly, software is an inherently suitable product category for scalability and market concentration. Thirdly, on the cyber services side, we also expect consolidation as providers look for economies of scale and scope, build client trust through having a global presence and also, as large international organisations, increase their chances of winning the cut-throat war for talent.
However, there are a number of key challenges that investors need to overcome in order to realise effective deals:
- The maturity of potential targets: Cyber security is still a very young market and investors may need to invest at a somewhat earlier stage than they are used to in other sectors.
- Technical diligence: Can cyber security startups substantiate the claims they make about the efficacy and uniqueness of their product? Technical due diligence can be challenging.
- Technical integration: It can be a complex process to integrate acquired systems and services and make them interoperable with the existing suite, whilst achieving economies of scale to make it economic.
- Retaining key employees: When a small business is acquired, key staff including potentially the founder(s) may be hard to retain. But keeping them may be vital to the success of the integration due to their expertise and knowledge of the product.
- Off-limit sectors or geographies: In many countries, only local firms are allowed to serve customers in certain sensitive industries.
It is essential that investors recognise this set of very cyber-specific investment challenges. In my view – and experience of working with a wide range of clients across the sector – there are three considerations that are of utmost importance for interested investors throughout the deal cycle.
Three essential areas of focus
Firstly, deal origination. Given the fragmentation of the market and the fact that many potential targets are still relatively small, deal origination can be a challenge. Well-connected local deal sources are needed who can advise and alert a potential investor on targets that may have real substance and potential.
Secondly, pre-signing due diligence must be absolutely robust. This must include both commercial and technical due diligence.
Thirdly, the target operating model (TOM). The difficulties of technical integration that we have discussed, together with the employee retention challenges, mean it’s vital investors think in detail about the post-deal TOM they are aiming for and how that can be achieved in the integration of any target business.
The case for investment in the cybersecurity sector remains compelling. But, like anything that’s hot, it requires careful handling!