The Key Role of CISOs in M&A Activity in the Security Industry
CISOs and M&A Activity in the Security Industry
A cybersecurity company’s strong value profile makes it an attractive target for M&A. However, CISOs must play a significant advisory role throughout the M&A lifecycle to ensure a successful integration process and mitigate cyber risk post-acquisition.
Many deal teams overlook the need for Cyber Due Diligence during an M&A. A failure to complete this due diligence can have dire consequences and result in a blemished valuation that could derail the deal.
Buyers and Financial Sponsors
The security industry continues to be a strong market for mergers and acquisitions. Recently, French aerospace and defense firm Thales acquired cybersecurity company Imperva for $3.6bn. Private equity giant Thoma Bravo also announced the completion of its purchase of identity and access management provider ForgeRock, merging it with its own portfolio company Ping Identity.
Cyber risk is a significant component of any business operating model and is a critical factor in M&A due diligence. Whether you are preparing your company for sale or evaluating new platforms for investment, conducting M&A due diligence with the help of cybersecurity experts can close potential avenues of attack and ensure that your value creation plans will be realised post-acquisition.
While many industries are feeling the pinch of COVID-19 and global economic uncertainty, buyers are still interested in acquiring companies with solid fundamentals. The cybersecurity sector offers a unique combination of stability, profitability, growth and scale.
Stability: Buyers and financial sponsors look for stability in a business, such as lows and highs on an annual basis. Cybersecurity firms tend to have a steady revenue profile because of their recurring services or client service demands, making them an attractive buy.
Profitability: The ability to generate healthy EBITDA margins is another important consideration for M&A. Cybersecurity firms often offer a range of value-add services and charge premium pricing to meet clients’ needs. This can provide a substantial lift in valuations.
Growth: The cybersecurity market is massive and growing rapidly, presenting an opportunity for companies to grow through acquisition or organically. M&A activity in the space is expected to continue to rise over the next 6-12 months as investors look for quality assets and growth opportunities.
The combination of end-user preference for comprehensive solutions, early stage equity investor caution, lender conservatism and insatiable corporate acquirer appetites for quality assets is creating a combustible mix that will drive future M&A activity in the space. With M&A activity in the sector set to rise, now is a great time to start planning for your eventual exit strategy.
Strategic Buyers
A strong capital market environment and sector demand are fueling M&A activity for cybersecurity firms. Private equity firms and well-capitalized strategic buyers are leading a flight to quality, seeking targets that have innovative technology and a solid track record of financial performance. With a lack of IPO options, many smaller firms have little choice but to pursue M&A deals.
The M&A process is a vulnerable time for companies and requires a thorough and diligent risk assessment. During the acquisition, sensitive information can shift between businesses and expose vulnerabilities and potentially illegal activities that need to be addressed. It is essential to have a holistic approach to M&A risk assessments and to incorporate the latest threat intelligence into this analysis.
During the M&A process, the acquiring firm will likely have to review and evaluate the target company’s information security systems, policies, practices and procedures. In addition, the acquiring firm will want to ensure that the target’s data is protected, which may require penetration testing and active threat hunting. It is critical to have the right team of experts on hand to perform this critical due diligence.
The M&A landscape is changing and the big players, especially hyperscalers, are stepping up their M&A efforts. For example, Google has already made a couple of significant purchases in 2022 (Mandiant and XM Cyber). Microsoft has been hedging its bets with the purchase of Activision, while Palo Alto and Cisco are continuing their expansion into the space with the recent acquisitions of Zero Trust solutions provider Perimeter 81 and SASE solution provider Imperva. Combined with Cisco’s recent investment of nearly $30 billion in cybersecurity, this is a clear signal that big players in the M&A space are reviving their interest in the sector. The resurgence of M&A in this space will be good news for small to mid-market security startups that have been unable to raise sufficient funding for their growth plans on their own.