Cybersecurity M&A Balloons as Breach Danger Builds

Stealing data to sell, extract ransom or just for mischief is exacting a bigger toll.

Art by Irene Servillo


Mergers and acquisitions are up this year for firms providing cybersecurity tools and services, amid heightened attacks by criminals and increased use of artificial intelligence to counter the bad guys.

Through July, 226 cybersecurity deals globally were announced or completed, up 13.6% from 2023’s comparable period, according to investment banking firm Capstone Partners, which specializes in cybersecurity. In addition, there were 10 deals of more than $1 billion in enterprise value (market cap plus debt, minus cash) during that time, compared with three for the year-before span.

M&A premiums for investors—what they get above the company’s pre-deal-announcement value—have been lush. Example: This year, cybersecurity provider Everbridge’s stock rose 60% upon the March announcement that private equity firm Thoma Bravo was buying it in an all-cash transaction valued at approximately $1.8 billion. The deal closed in July.


Responding to a Growing Threat

Digital defenses’ growing status as must-have protection for all organizations has driven the acquisition volume. “With an increasing amount of business, social, health and education taking place online, cybersecurity is an ever-more-critical part of our overall security profile,” says Jason Klein, the CIO at Memorial Sloan Kettering Cancer Center, in an interview. “As an investment opportunity, it seems well-positioned to grow exponentially.”

Almost 10% of Russell 3000 companies got hit with cyberattacks in 2022 and 2023, per a report by ISS STOXX, which also owns CIO.

Overall, the number of data breach incidents is growing, with 3,205 in the U.S. in 2023 (involving 353 million people), more than triple from five years before, according to data provider Statista.

A rash of prominent breaches has erupted recently, whether to sell stolen data elsewhere (names, addresses, other personal information), to extract ransom from the victims or just for mischief.

For instance, in June, Ticketmaster disclosed that it had an unconfirmed amount of customer information stolen in an incursion. Two California residents filed a class-action lawsuit against the ticket company, charging that 560 million customers were compromised and their data put up for sale on the dark web.

Hackers in April swiped millions of AT&T customers’ call and text message records from a six-month period in 2022, although not their personal data. According to the telecom company, at least one person had been arrested for the crime. In March, Fidelity Investments Life Insurance Co. reported that records of 28,266 customers were filched.

Then there is the mischief factor. Some hackers have no monetary motive and are simply out to embarrass or otherwise harm a person or a group. “Most instances of this conduct arise between former romantic partners, friends or acquaintances,” wrote David Opderbeck, a professor at Seton Hall University Law School, in a 2023 study on data breaches published in the Maryland Law Review.

Revenge is typically the catalyst for mischief-oriented cyberattacks. In 2017, a Louisiana federal judge sentenced a former employee of Georgia-Pacific, a paper and pulp producer, to almost three years in prison and ordered him to pay more than $1.1 million in restitution to the company. The man, Brian P. Johnson, pleaded guilty. The offense: After Georgia-Pacific dismissed Johnson, an IT specialist, he disrupted the plant’s machinery by plugging malicious code into its computer system.

Heavy M&A Activity

Despite the growing need for more security from hacking, the cybersecurity industry has lagged behind many other more-established tech purveyors in the stock market. Consider the iShares Cybersecurity and Tech exchange-traded fund (ticker: IHAK), which covers cybersecurity companies: As of Tuesday, the ETF’s stock is up just 7.4% this year, compared with 19% for the tech-stock bellwether Invesco QQQ Series 1.

Nonetheless, it is noteworthy that cybersecurity’s merger action is doing so well, powered by the sector’s prospects. Much of the M&A activity involves private companies, whose acquisitions fail to register in the stock market.

The urge to merge stems from a widespread need for one-stop shopping in this vital and abstruse field, driven in part by fear. Horror stories are rife. In 2017, the WannaCry ransomware attack infected 300,000 computers across 150 nations; many hospitals were paralyzed. Also that year, a breach of credit agency Equifax resulted in 147 million people having their data exposed, ranging from Social Security numbers to credit card details.

Hence, the preference for bigger is better among cybersecurity providers. “Customers prefer consolidation,” says Hendi Susanto, a portfolio manager for GAMCO Asset Management, which invests in the area. (Famed asset manager Mario Gabelli is GAMCO’s chairman and chief executive.) The preference for consolidation seems much more efficient than going to different vendors for different aspects of security, such as threat analytics, detection, firewalls and countermoves.

The Big Get Bigger

This often results in large tech companies buying small, often private, cybersecurity providers to round out their offerings. One of the biggest cybersecurity firms, Palo Alto Networks (market value: $112 billion), specializing in ferreting out potential threats, late last year laid out $600 million for Talon Cyber Security, which makes browsers designed to withstand such attacks.

In a more recent deal, cybersecurity company Fortinet ($59 billion), which offers a panoply of services, in August bought Next DLP to bolster its data loss prevention capabilities for an undisclosed sum. Fortinet’s stock has quintupled over the past five years, as its revenue and earnings have surged.

Ever-larger cybersecurity companies make sense, by Susanto’s reckoning, because digital defense “requires major investments,” especially for M&A. “This demands a high barrier to entry,” he observes.

Although accounting for just 12.4% of total cybersecurity deals this year, private equity firms account for half of all such buyouts greater than $1 billion, Capstone reported. Many of them have been all-cash due to the high level of so-called “dry powder” that PE outfits carry on their books. Two large, all-cash Thoma Bravo acquisitions stand out: the $1.5 billion it paid for Everbridge and the $5.2 billion for British cybersecurity company Darktrace, which uses artificial intelligence for enterprise-wide data protection.

Over the past 10 years, Check Point Software Technologies, an Israel-based IT security company, has gobbled up 20 smaller businesses for an average $154 million per deal. Its most recent buyout was in August, when it purchased (for an undisclosed price) Cyberint Technologies, which focuses on monitoring and mitigating external threats such as social media impersonations, fake websites and stolen employee credentials. Check Point (market cap: $22 billion) has enjoyed a 28% share increase this year.

Seeking to enhance its data crunching abilities, networking giant Cisco Systems announced in August it had paid $28 billion in cash for Splunk, a cybersecurity firm that uses artificial intelligence to assess data. The addition will allow customers to better arm their IT systems to ward off intruders, Cisco CEO Chuck Robbins has said.

Ironically, the growing importance of cybersecurity also carries the risk that it could cause harm as well as good. In July, cybersecurity vendor CrowdStrike was responsible for a glitch in a software update, triggering a massive outage that will cost insurers for U.S. companies an estimated $5.4 billion.

As Chris Krebs, chief intelligence and public policy officer at SentinelOne, a CrowdStrike competitor, told the Wall Street Journal after the incident, “My concern is that we’re on the cusp of a crisis of confidence in this digital infrastructure that we’re all so reliant upon.”

Perhaps so. But the mounting threat of digital sabotage stands to increase the consolidation trend among cybersecurity companies, and with them valuations, market observers believe. Susanto predicted that “cybersecurity prices will only go up.”



CalSTRS Flexes Co-Investing Muscles

The $346.5 billion California teachers’ pension fund addressed leverage in its private equity policy with an eye toward expanding its co-investments and collaborative strategies portfolio.



The California State Teachers’ Retirement System made multiple changes to streamline its private equity investment practices at its September 25 investment committee meeting. The changes included amending its private equity policy, adding language on how it uses leverage and no longer requiring an independent fiduciary to verify transaction prices on co-investment deals worth less than $250 million.

In January, the CalSTRS board approved the use of leverage of up to 10% of the fund’s portfolio for portfolio and liquidity management at the total fund level. The policy changes added wording to address the use of leverage in the private equity portfolio, which was previously not included in the policy statement.  

The fund’s investment consultant, Meketa, noted in its policy review that there would be no explicit leverage limit within the private equity portfolio, but that leverage would be determined by guidelines set in the investment policy statement.  

The changes are designed to streamline CalSTRS’ collaborative model, overseen by CIO Scott Chan, who joined CalSTRS as deputy CIO in August 2018 and was promoted to CIO in July 2024. The model aims to reduce investment fees by internally managing assets and engaging in co-investments across private markets. 


Since 2017, the model has saved the fund at least $1.6 billion, savings expected to compound over time and aid growth, according to the fund. In 2022, the fund’s co-investments across private markets saved the fund $245 million, according to CalSTRS.  

In 2024, CalSTRS expects co-investments to make up 30% of its commitments to private equity. 

Independent Fiduciary Requirement Review 

CalSTRS also adjusted its independent fiduciary verification requirement, in which a third party verifies the entry valuation of every proposed co-investment opportunity.  

The fund noted in a policy review that when the co-investment program was in its infancy, the use of an independent fiduciary was helpful when the program had fewer resources, experience and sophistication, but requiring it for all co-investment deals is now an impediment.  

“This blanket requirement for all co-investments is now less necessary since the program is out of its infancy given the growth of the program,” stated CalSTRS board materials for its September 25 meeting. “Further it is likely one of the last holdbacks that prevents CalSTRS PE to be accepted into the ‘elite’ echelon of co-investors by GPs, which include the likes of” global institutional investors GIC Private Ltd., the Singaporean sovereign wealth fund; the Canada Pension Plan Investment Board; the Ontario Teachers’ Pension Plan; and the Abu Dhabi Investment Authority. 

CalSTRS staff wrote that the requirement does not allow its decisionmakers to move quickly enough to keep up with other institutional investors. 

“It is important for limited partners with co-invest programs to move quickly in a professional, efficient manner to continue to secure invitations to these processes among other world-class institutional investors,” the policy revision stated. “Within this peer group of leading national pension funds, sovereign wealth funds, and notable endowments, CalSTRS’ independent fiduciary requirement is unusual, if not unique, and has become a programmatic disadvantage to the Collaborative Model.” 

Third-party verification now only applies to co-investment deals worth more than $250 million and deals on which the general partner of a co-investment has not been vetted by a PE program adviser.  

When an independent fiduciary verification is necessary, the role of the verifier will now be to review a co-investing partner and how their co-investment fits within their investment strategy, as well as reviewing the entry valuation of the deal.  
