Cybersecurity M&A Balloons as Breach Danger Builds

Art by Irene Servillo

Mergers and acquisitions are up this year for firms providing cybersecurity tools and services, amid heightened attacks by criminals and increased use of artificial intelligence to counter the bad guys.

Through July, 226 cybersecurity deals globally were announced or completed, up 13.6% from 2023’s comparable period, according to investment banking firm Capstone Partners, which specializes in cybersecurity. In addition, there were 10 deals of more than $1 billion in enterprise value (market cap plus debt, minus cash) during that time, compared with three for the year-before span.

M&A premiums for investors—what they get above the company’s pre-deal-announcement value—have been lush. Example: This year, cybersecurity provider Everbridge’s stock rose 60% upon the March announcement that private equity firm Thoma Bravo was buying it in an all-cash transaction valued at approximately $1.8 billion. The deal closed in July.

For more stories like this, sign up for the CIO Alert daily newsletter. 

Responding to a Growing Threat

Digital defenses’ growing status as must-have protection for all organizations has driven the acquisition volume. “With an increasing amount of business, social, health and education taking place online, cybersecurity is an ever-more-critical part of our overall security profile,” says Jason Klein, the CIO at Memorial Sloan Kettering Cancer Center, in an interview. “As an investment opportunity, it seems well-positioned to grow exponentially.”

Almost 10% of Russell 3000 companies got hit with cyberattacks in 2022 and 2023, per a report by ISS STOXX, which also owns CIO.

Overall, the number of data breach incidents is growing, with 3,205 in the U.S. in 2023 (involving 353 million people), more than triple from five years before, according to data provider Statista.

A rash of prominent breaches have erupted recently, whether to sell stolen data elsewhere (names, addresses, other personal information), for ransom from the victims or just for mischief.

For instance, in June, Ticketmaster disclosed that it had an unconfirmed amount of customer information stolen in an incursion. Two California residents filed a class-action lawsuit against the ticket company, charging that 560 million customers were compromised and their data put up for sale on the dark web.

Hackers in April swiped millions of AT&T customers’ call and text message records from a six-month-period in 2022, although not their personal data. According to the telecom company, at least one person had been arrested for the crime. In March, Fidelity Investments Life Insurance Co. reported that records of 28,266 customers were filched.

Then there is the mischief factor. Some hackers have no monetary motive and are simply out to embarrass or otherwise harm a person or a group. “Most instances of this conduct arise between former romantic partners, friends or acquaintances,” wrote David Opderbeck, a professor at Seton Hall University Law School, in a 2023 study on data breaches published in the Maryland Law Review.

Revenge is typically the catalyst for mischief-oriented cyberattacks. In 2017, a Louisiana federal judge sentenced a former employee of Georgia-Pacific, a paper and pulp producer, to almost three years in prison and ordered him to pay more than $1.1 million in restitution to the company. The man, Brian P. Johnson, pleaded guilty. The offense: After Georgia-Pacific dismissed Johnson, an IT specialist, he disrupted the plant’s machinery by plugged malicious code into its computer system.

Heavy M&A Activity

Despite the growing need for more security from hacking, the cybersecurity industry has lagged behind many other more-established tech purveyors in the stock market. Consider iShares Cybersecurity and Tech exchange-traded fund ticker IHAK, which covers cybersecurity companies: As of Tuesday, the ETF’s stock is up just 7.4% this year, compared with 19% for the tech-stock bellwether Invesco QQQ Series 1.

Nonetheless, it is noteworthy that cybersecurity’s merger action is doing so well, powered by the sector’s prospects. Much of the M&A activity involves private companies, whose acquisitions fail to register in the stock market.

The urge to merge is driven by a widespread need for one-stop shopping in this vital and abstruse field, driven in part by fear. Horror stories are rife. In 2017, the Wannacry ransomware attack infected 300,000 computers across 150 nations; many hospitals were paralyzed. Also that year, a breach of credit agency Equifax resulted in 147 million people having their data exposed, ranging from Social Security numbers to credit card details.

Hence, the preference for bigger is better among cybersecurity providers. “Customers prefer consolidation,” says Hendi Susanto, a portfolio manager for GAMCO Asset Management, which invests in the area. (Famed asset manager Mario Gabelli is GAMCO’s chairman and chief executive.) The preference for consolidation seems much more efficient than going to different vendors for different aspects of security, such as threat analytics, detection, firewalls and countermoves.

The Big Get Bigger

This often results in large tech companies buying small, often private, cybersecurity providers to round out their offerings. One of the biggest cybersecurity firms, Palo Alto Networks (market value: $112 billion), specializing in ferreting out potential threats, late last year laid out $600 million for Talon Cyber Security, which makes browsers designed to withstand such attacks.

In a more recent deal, cybersecurity company Fortinet ($59 billion), which offers a panoply of services, in August bought Next DLP to bolster its data loss prevention capabilities for an undisclosed sum. Fortinet’s stock has quintupled over the past five years, as its revenue and earnings have surged.

Ever-larger cybsersecurity companies make sense, by Susanto’s reckoning, because digital defense “requires major investments,” especially for M&A. “This demands a high barrier to entry,” he observes.

Although accounting for just 12.4% of total cybersecurity deals this year, private equity firms account for half of all such buyouts greater than $1 billion, Capstone reported. Many of them have been all-cash due to the high level of so-called “dry powder” that PE outfits carry on their books. Two large, all-cash Thoma Bravo acquisitions stand out: the $1.5 billion it paid for Everbridge and the $5.2 billion for British cybersecurity company Darktrace, which uses artificial intelligence for enterprise-wide data protection.

Over the past 10 years, Check Point Software Technologies, an Israel-based IT security company, has gobbled up 20 smaller businesses for an average $154 million per deal. Its most recent buyout was in August, when it purchased (for an undisclosed price) Cyberint Technologies, which focuses on monitoring and mitigating external threats such as social media impersonations, fake websites and stolen employee credentials. Check Point (market cap: $22 billion) has enjoyed a 28% share increase this year.

Seeking to enhance its data crunching abilities, networking giant Cisco Systems announced in August it had paid $28 billion in cash for Splunk, a cybersecurity firm that uses artificial intelligence to assess data. The addition will allow customers to better arm their IT systems to ward off intruders, Cisco CEO Chuck Robbins has said.

Ironically, the growing importance of cybersecurity also carries the risk that it could cause harm as well as good. In July, cybersecurity vendor CrowdStrike was responsible for a glitch in a software update, triggering a massive outage that will cost insurers for U.S. companies an estimated $5.4 billion.

As Chris Krebs, chief intelligence and public policy officer at SentinelOne, a Crowdstrike competitor, told the Wall Street Journal, after the incident, “My concern is that we’re on the cusp of a crisis of confidence in this digital infrastructure that we’re all so reliant upon.”

Perhaps so. But the mounting threat of digital sabotage stands to increase the consolidation trend among cybersecurity companies, and with them valuations, market observers believe. Susanto predicted that “cybersecurity prices will go only go up.”