Transaction Analysis - Cyber-Security M&A

With a handful of recent transactions (eg NTT acquiring Solutionary; and Malwarebytes acquiring ZeroVulnerabilityLabs), we have just gone over the 650 transaction level in our database of cyber-security industry M&A.  Given that, I thought it was about time for another post teasing out some of the trends and intelligence that this data set has to offer.

Geographic - Transaction Size

The average transaction size, 2004-2013, for cyber-security companies with the following US / non-US transaction profile is as follows:

  • Non-US Buyer / Non-US Seller         $ 93 Million
  • Non-US Buyer / US Seller               $ 198 Million
  • US Buyer / Non-US Seller               $ 295 Million
  • US Buyer / US Seller                      $ 420 Million

So the more 'US' you can get into your transaction, the bigger the number tends to get.  If you have a cyber-security product and want to maximise the return, heading to the US and getting venture capital funding is probably still your best option.

Buyer Industry Sector & Influence on Multiples

We have worked through the transaction data and categorised the buyers into one of a few groups: 

  • Defence industry
  • IT industry
  • Cyber-security industry
  • Professional services
  • Private equity / venture capital
  • Other

A couple of interesting observations from the transaction data, when analysed in this context:

  • Defence industry buyers pay the lowest revenue multiples, slightly below the private equity / venture capital community.  Realistically, this is likely to be more of a reflection of the difference in acquisition targets between the buyer groups, with the defence industry focused on services-intensive companies, and many of the other groups (eg the IT industry, and the cyber-security industry) are completing lots of acquisitions of product-led companies.
  • Cyber-security companies pay the largest multiples, by a significant margin.  The average profit multiple paid by the IT industry, the defence industry, and the private equity / venture capital community, varies by less than 10%.  The average cyber-security company-led acquisition multiple is over 6 times higher.  As per the above, this is primarily a function of the types of companies being acquired, with many cyber-security company-led transactions being of relatively early stage product companies, with significant R&D and sales and marketing expenses, but a relatively low base of revenue and profit, resulting in extremely high multiples.

This again demonstrates the importance of understanding the market, and particularly of the market as it pertains to your company.  The types of companies being acquired, and the level of maturity of those companies, varies significantly between buyer groups, and the prices paid vary accordingly.  

Outlying Transaction Valuations & Effect

While this blog isn't intended to be a tutorial on maths terminology, I'll just briefly revisit the distinction between the 'mean' (commonly called the 'average') and the 'median'.  The mean is calculated by simply summing all of a set of numbers together and dividing by the number of numbers.  

eg:  1, 1, 2, 2, 9

Gives a total of 15, and 5 numbers, so a mean of 3.

The flaw with using a 'mean' is that while it may be true to say the 'average' of that set of numbers is 3, the fact is also that 80% of the numbers are below the average, since it is skewed upwards by the larger number at the end.  Means are susceptible to being skewed by outliers.

The 'median' is basically just the value of the middle number when the numbers are arranged in order.  In this case, the median is 2.  What that number says is that 50% of the data is equal to or less than that number; and 50% of the data is equal to or greater than that number.  Generally speaking, that's going to be a more useful number.

How big a difference can this really make?  Let's take the example of transactions with a Cyber Security company as the acquirer.  The multiples data looks like this:

security company data.png

Obviously a profit multiple of 38.49 is nothing to be sneezed at, but 117.08 as an average profit multiple is pretty crazy.  How is it possible that the averages could be that high?  Transactions like this:

These transactions skew the averages up rapidly, particularly in an environment where not every transaction has data available.  (ie, if price data was available for all 650 transactions, it would have much less of an impact; but with price data only available for maybe 10% of transactions, and the rest being 'not disclosed', it can have a big influence).

Multiples by Year - There's Really No Bubble

The average revenue multiple from 2004 until 2006, was a shade over 14.

The average revenue multiple from 2007 until 2009, was a shade under 3.

The average revenue multiple from 2010 until mid-2013, was almost exactly 3.

Profit multiple data similarly hasn't changed markedly over the period 2007 to mid-2013. 

In other words, back in the early days of cyber security, there were fewer transactions being completed, but the ones that did complete tended to be for high valuations - for example, Juniper's acquisition of NetScreen (https://www.networkworld.com/edge/news/2004/0209juniscreen.html) and Symantec's acquisition of Brightmail (see above).  

 

transactions-by-year.png

There are now many more transactions, but the valuations have remained steady.   That's not a bubble - that's just a healthy market with strong demand for valuable companies.

 

Cyber-Security Transactions - Buyer Analysis (or "who is buying all these cyber-security companies?")

At Delling Advisory, we believe that we can provide the best advisory services to our IT security industry clients, through having an unsurpassed understanding of the market, both from first-hand experience having started, built and run IT security companies, as well as from access to unique data and analytics.  

This year, we have collated the data on about 650 cyber-security related transactions around the world, dating back to 2004.  A significant amount of work has been completed to categorise each transaction based on the 'company type' of the acquiring firm, as well as the security-related services that the acquiring firm previously provided and that the target firm provided (professional services / hardware / software / managed services), the country of origin of the acquirer and target, as well as the financial details of the transaction where that information is available (either publicly or via our industry contacts).  An early version of this data set is graphically represented in the map at the start of this post - blue being the acquirer and yellow being the target of the acquisition.

Over the next few weeks, we will start presenting snapshots of this information, to provide a high-level picture of the trends and directions that have taken shape over the last decade, with respect to the cyber-security market.  Obviously there is a significant amount of proprietary data that we have compiled through this process, and we use this information in our advisory roles to better understand and communicate the state of the market, as well as valuation trends and trends in the 'buyer universe'.

To get started, a couple of initial data sets.

Q. Who is buying all these cyber-security companies?

In short, many different companies (and 'company types') are acquiring cyber-security companies.  The defence industry has been in the media for the last few years as one of the most significant buying groups, but back to 2004 they only account for about 12% of all transactions.  Just taking the years 2010 to 2012, when transaction volume was highest in the defence sector, those firms still only accounted for about 18% of transactions (since although their transaction volume went up significantly, so did everyone else's).

The most prevalent acquirers of cyber-security companies are now (and have been every year since 2004), other cyber-security companies, and other IT companies seeking to expand their security-related offerings.

(As an aside, I'm sure people will wonder what 'other' contains.  'Other' contains a mix of companies buying capability to build into their own products, or for diversification.  Some example transactions in the 'other' bucket:

The heavy acquirers - as can be seen from the transaction map at the start of this post, have tended to be companies such as Cisco, McAfee, Oracle, CA Technologies, Symantec, IBM, Microsoft, EMC Corporation and Dell - although the defence primes Raytheon and BAE Systems have also made a dent.

Q. Are transaction volumes sky-rocketing?

Not really.  There are certainly many more cyber-security related transactions now than there were in 2004... but there are many more cyber-security businesses now than there were in 2004.  In broad terms, from 2009 onwards, transaction volume has been about 50% higher than in the period 2006 to 2008.

Cyber-security has become very important to a lot of companies, very quickly.  As a result, and given the difficulties in recruiting cyber-security professionals, adding this capability by acquisition continues to be very attractive.