Private equity and cyber

The quest continues

Matthias Kind
Senior Manager, Deals Technology, Media & Telecommunications, PwC Switzerland

Over the last two to three years, cybersecurity has been a topic of consistent interest to investors. Those who have invested in the sector have benefited from positive market tailwinds and stable business models, while recently also dealing with shrinking valuations. However, the market stays active. Read on for a view on ‘what’s next’ in cybersecurity and the role of private equity.

Corporates have increasingly invested into their cybersecurity environment over the last years. However, this is not the end of the story. There is still plenty to do which gets highlighted by the continuous increase of successful cyberattacks with massive business disruption. A recent study by Comparitech on Nasdaq companies shows that share prices of breached companies have dropped on average by 3.5%, just 14 markets days after the breach became public. As this is obviously not in the interest of investors, investments in cybersecurity will continue.

Our recent study 2023 Global Digital Trust Insights Survey shows that cybersecurity has progressed on many fronts. Roughly 70% of 3,522 surveyed business and tech executives worldwide saw improvements in their enterprises’ security environment in the past 12 months. At the same time, almost no one believes that they are fully covered across all potential threat vectors. As a matter of fact, a catastrophic cyberattack is the nearly unanimous number one concern for executives, even before global recessions or a resurgence of COVID-19. Still, many cybersecurity firms do not consider the CEO, CFO or COO in their go-to-market activities.

M&A activity remains high, even in uncertain times

Company valuations recently adjusted across industries (including cybersecurity), reflecting today’s volatile market environment. However, rapid change continues to also create opportunities. To understand recent developments better, we have analysed the valuation developments of 100 public cybersecurity leaders. The analysis confirms that valuations recently adjusted for both cybersecurity services as well as solution providers.

The segment «high growth» includes companies with a revenue CAGR 2018-21 of greater than 30%. «Mid growth» shows rates between 10% and 30%. «Low growth» shows rates between 0% and 10%. «Negative growth» shows rates below 0%

The basket of cybersecurity services providers that we tracked decreased from a median revenue multiple of 2.2x in FY21 to 1.6x in LTM September 2022. Solution providers showed an even stronger adjustment, moving from 5.6x in FY21 to 3.9x in LTM September 2022. Thereby, it becomes clear that investors have become increasingly cautious in regard to ‘high growth’ solution providers. Nowadays, investors value not only revenue growth but also profitability and stability. However, deal activity stays high.

“Despite adjusted valuations, established cybersecurity deals will continue as private equity funds (and corporates) can benefit from the valuation momentum in combination with stable business models and ongoing customer demand.”

Matthias KindSenior Manager, Deals Technology, Media & Telecommunications, PwC Switzerland

As a matter of fact, recent information from PitchBook highlights that the pace of dealmaking remains strong in 2022, counting 162 transactions as of August 2022. If private equity firms keep up this pace, they could even exceed last year’s number of 308 transactions.

Funding rounds become fiercer for start-ups

While M&A activity of later-stage and established cybersecurity providers remains high, it appears that start-ups are facing more difficulties with funding activities. Recent information from Crunchbase highlights that Q3 2022 saw investments of USD 2.6bn to cyber start-ups, which is the lowest quarterly amount since Q3 in 2020. It highlights that even the resilient cybersecurity market is affected by investors’ concern about future market developments, at least in the venture space. Still, many companies managed to successfully close also larger funding rounds. For example, the Swiss firm Acronis just raised USD 250m at a valuation above USD 3.5bn in July 2022.

Big picture investment strategies drive success

Now to the big question, where to invest? The cybersecurity landscape is huge with many different niches and sub-segments, as illustrated by some examples in the picture below. While certain sub-markets such as cloud security, security automation, application security or data privacy promise high growth rates going forward, there might be many different growth paths to evaluate.

If you are thinking about standalone investments, the above-mentioned segments should at least be on your plate. However, if you are thinking broader, many segments and combinations thereof become interesting. While there might be certain ‘commodity-type’ cybersecurity services or solutions with lower market growth expectations, they still provide a value-add to the end customer, and as result, to you as an investor. For example, end users of cybersecurity services and products increasingly prefer offerings from one provider versus having a fragmented supplier landscape. As a matter of fact, this is one of the reasons which led to the current consolidation efforts of corporates and private equity firms in the cybersecurity space.

Consolidation is happening, with no end in sight

We have seen a lot of deals both in the cybersecurity solution and services segments, including some sizable acquisitions. Following big investments of Microsoft in security, Google is following and just recently completed the USD 5.4bn acquisition of Mandiant, a leading provider of cyber threat intelligence.

Within the more local services segments, M&A has been strongly dominated by ‘one-stop-shop’ considerations. For example, Allurity, backed by Trill Impact, made already four acquisitions in 2021/22. Another European example is Orange Cyberdefense who just recently acquired Swiss companies SCRT and Telsys to pursue its European growth strategy. Despite all these developments, the local services markets remain fragmented with many small (often founder-led) companies still being active and more deals yet to come.

There is still unfulfilled value creation potential

Many cybersecurity firms have benefited from ongoing growth in the last years. And for many of them, there was only limited market pressure to deal with internal operations as the business was and is (at least in many cases) still running well.

Translated to the private equity world, this might hint towards untapped potential through strategic and operational improvement programmes. Structured go-to-market efforts, productisation of services, recruiting efforts or internationalisation are just some of many potential value levers that you could think about. All in all, it highlights that there are still opportunities to catch.

Summary

Given the continued demand for cybersecurity, we believe that cyber as an investment case should be on the list of any private equity firm with tech aspirations. As many funds still have significant dry power at their disposal and cyber companies still have ample value creation opportunities, we believe in healthy dealmaking activity in the next years. When assessing such opportunities, keep in mind: big picture investment strategies drive success!

Cybersecurity and Privacy

At PwC, we help clients evaluate their ability to deal with the main cyber risks and threats of the digital world in an easy and understandable way.

Learn more

#social#