Cybersecurity is a rapidly growing market, and it is projected to surge in value globally from $153.6bn in 2022 to $424.9bn by 2030, according to Fortune Business Insights.
Yet this sector has not been immune from the global economic downturn, resulting in budget cuts for security teams and layoffs of cybersecurity staff in the past year.
This economic environment has impacted mergers & acquisitions (M&A) deals in the industry. Stuart Pilgrim, Head of Cybersecurity M&A at KPMG UK told Infosecurity that technology acquisitions, including in cybersecurity, were down in both volume and value in 2023 compared to recent years.
“Currently, deal activity is limited as the market is very risk-averse, and with cybersecurity assets trading highly, combined with the growing cost of capital, concerns around value are making investors cautious,” he said.
This ‘safety-first’ approach has also been observed by Susan Sharawi, Cyber Security Partner at Deloitte, who noted that M&A deals this year have been dominated by established cybersecurity companies, rather than start-ups.
Potential for an M&A Boom?
Cybersecurity is still a relatively young sector, and as it continues to mature, there is set to be significant M&A activity on the horizon.
Pilgrim noted that relatively few cybersecurity companies currently offer international support. Additionally, the UK market is in particular has become very fragmented, with hundreds of providers offering similar services. While many potential targets may not be ready for M&A today, he believes this means the cyber market is on course for more market consolidation.
“The combination of these factors will encourage cybersecurity firms to merge so they can meet market demands,” outlined Pilgrim.
He added that cybersecurity company valuations are starting to plateau, further ripening the market for investment.
Sharawi agreed that the cybersecurity industry has been saturated, and that M&A activity will be needed to consolidate such a busy market.
“For cybersecurity companies the focus is on consolidation that provides a more streamlined and comprehensive offering to their customers,” she explained.
Top 5 M&A Deals in 2023
While there has been a relative slowdown in M&A activity in cybersecurity this year, several eye-watering deals were announced involving big-name players in the field. Here are Infosecurity Magazine’s top five M&A deals for 2023:
1. Cisco Agrees Record Deal to Acquire Splunk
Digital communications giant Cisco announced a deal to buy cybersecurity and observability firm Splunk for a $28bn fee on September 21. The transaction, which will be the biggest in Cisco’s history, is expected to close by the end of the third quarter of calendar year 2024. It represents the latest in a line of recent cybersecurity acquisition deals by Cisco, with the company also in the process of taking over Armorblox, Oort and Lightspin.
2. Thales Agrees $3.6bn Deal for Imperva
In a major transaction announced on July 25, French aerospace and defense firm Thales agreed to purchase US cybersecurity company Imperva from investment giant Thoma Bravo for $3.6bn. The move highlights how cybersecurity has become a priority market for Thales. The deal is expected to complete at the beginning of 2024, upon completion of anti-trust and regulatory approvals.
3. Thoma Bravo Completes Acquisition of ForgeRock
Private equity giant Thoma Bravo announced the completion of its $2.3bn deal for identity and access management company ForgeRock on August 23. Thoma Bravo also revealed that it has combined ForgeRock into its portfolio company Ping Identity, which it acquired in October 2022.
4. Proofpoint Completes Acquisition of Tessian
Proofpoint, a Thoma Bravo subsidiary and enterprise security provider, announced on October 30 that it had acquired Tessian for an undisclosed fee. Tessian, a UK-based cloud email security provider, has raised approximately $128m since launching in 2013 and was last valued at $500m after its Series C funding round.
5. CrowdStrike Agrees Deal to Acquire Bionic
On September 19, CrowdStrike announced it will be extending its Cloud Native Application Protection Platform (CNAPP) Application Security Posture Management (ASPM) through the purchase of Bionic. The proposed deal, thought to be worth around $350m, is expected to close during CrowdStrike’s fiscal third quarter, subject to customary closing conditions. Israel-based Bionic was founded 2019 and has raised $83m in funding to date.