Transaction Analysis - Cyber-Security M&A

With a handful of recent transactions (eg NTT acquiring Solutionary; and Malwarebytes acquiring ZeroVulnerabilityLabs), we have just gone over the 650 transaction level in our database of cyber-security industry M&A.  Given that, I thought it was about time for another post teasing out some of the trends and intelligence that this data set has to offer.

Geographic - Transaction Size

The average transaction size, 2004-2013, for cyber-security companies with the following US / non-US transaction profile is as follows:

  • Non-US Buyer / Non-US Seller: $93 Million
  • Non-US Buyer / US Seller: $198 Million
  • US Buyer / Non-US Seller: $295 Million
  • US Buyer / US Seller: $420 Million

So the more 'US' you can get into your transaction, the bigger the number tends to get.  If you have a cyber-security product and want to maximise the return, heading to the US and getting venture capital funding is probably still your best option.

Buyer Industry Sector & Influence on Multiples

We have worked through the transaction data and categorised the buyers into one of a few groups: 

  • Defence industry
  • IT industry
  • Cyber-security industry
  • Professional services
  • Private equity / venture capital
  • Other

A couple of interesting observations from the transaction data, when analysed in this context:

  • Defence industry buyers pay the lowest revenue multiples, slightly below the private equity / venture capital community.  Realistically, this is likely to be more of a reflection of the difference in acquisition targets between the buyer groups, with the defence industry focused on services-intensive companies, while many of the other groups (eg the IT industry, and the cyber-security industry) are completing lots of acquisitions of product-led companies.
  • Cyber-security companies pay the largest multiples, by a significant margin.  The average profit multiple paid by the IT industry, the defence industry, and the private equity / venture capital community, varies by less than 10%.  The average cyber-security company-led acquisition multiple is over 6 times higher.  As per the above, this is primarily a function of the types of companies being acquired, with many cyber-security company-led transactions being of relatively early stage product companies, with significant R&D and sales and marketing expenses, but a relatively low base of revenue and profit, resulting in extremely high multiples.

This again demonstrates the importance of understanding the market, and particularly the market as it pertains to your company.  The types of companies being acquired, and the level of maturity of those companies, vary significantly between buyer groups, and the prices paid vary accordingly.

Outlying Transaction Valuations & Effect

While this blog isn't intended to be a tutorial on maths terminology, I'll just briefly revisit the distinction between the 'mean' (commonly called the 'average') and the 'median'.  The mean is calculated by simply summing all of a set of numbers together and dividing by the number of numbers.  

eg:  1, 1, 2, 2, 9

Gives a total of 15, and 5 numbers, so a mean of 3.

The flaw with using a 'mean' is that while it may be true to say the 'average' of that set of numbers is 3, the fact is also that 80% of the numbers are below the average, since it is skewed upwards by the larger number at the end.  Means are susceptible to being skewed by outliers.

The 'median' is basically just the value of the middle number when the numbers are arranged in order.  In this case, the median is 2.  What that number says is that 50% of the data is equal to or less than that number; and 50% of the data is equal to or greater than that number.  Generally speaking, that's going to be a more useful number.

How big a difference can this really make?  Let's take the example of transactions with a Cyber Security company as the acquirer.  The multiples data looks like this:

[Image: security company data]

Obviously a profit multiple of 38.49 is nothing to be sneezed at, but 117.08 as an average profit multiple is pretty crazy.  How is it possible that the averages could be that high?  Transactions like this:

These transactions skew the averages up rapidly, particularly in an environment where not every transaction has data available.  (ie, if price data was available for all 650 transactions, it would have much less of an impact; but with price data only available for maybe 10% of transactions, and the rest being 'not disclosed', it can have a big influence).

Multiples by Year - There's Really No Bubble

The average revenue multiple from 2004 until 2006, was a shade over 14.

The average revenue multiple from 2007 until 2009, was a shade under 3.

The average revenue multiple from 2010 until mid-2013, was almost exactly 3.

Profit multiple data similarly hasn't changed markedly over the period 2007 to mid-2013. 

In other words, back in the early days of cyber security, there were fewer transactions being completed, but the ones that did complete tended to be for high valuations - for example, Juniper's acquisition of NetScreen (https://www.networkworld.com/edge/news/2004/0209juniscreen.html) and Symantec's acquisition of Brightmail (see above).  

 

[Image: transactions by year]

There are now many more transactions, but the valuations have remained steady.   That's not a bubble - that's just a healthy market with strong demand for valuable companies.

 

Extrapolating the US penetration testing market size

One of the questions I have had a bit, following on from my analysis of the Australian penetration testing market, is the implied size of the global penetration testing market.  Or at least, the size of the US penetration testing market, on the assumption that it is going to be the largest.  With a few minutes to spare, I thought I would try to kludge together a number that at least seems plausible given the (admittedly very few) external reference points available.

IBIS World released a research report in August 2012 (the "IT Security Consulting in the US Market Research Report") which provides a couple of free snippets of data - a revenue figure of $5 Billion, and, interestingly, the statement that "there are no companies with a dominant market share in this industry" - which is exactly the conclusion I came to when looking at the Australian penetration testing market.

So there's our first data point:  The US IT Security Consulting Market (2012) is estimated at $5 Billion.  


Global Industry Analysts, Inc have estimated the 2013 global information security products & services market at $104 Billion, and RNCOS has estimated the global IT security market at $96 Billion (both figures from this interesting analysis of the Turkish IT security market).  Not wildly dissimilar numbers which is always a nice start.  A PricewaterhouseCoopers report in 2011 apparently put the estimated market size at $60 Billion, so a bit smaller, but with forecast growth, probably closer to a $75 Billion estimate by 2013.  Gartner has put the global market at $55 Billion in 2011 with a forecast growth path that would imply something like $67 Billion for 2013. 

The US is estimated to make up close to half of all cyber-security spending globally.  Which seems quite plausible when one considers the size of both defence-led Government cyber-security expenditure, and also the size of the economy.  That would put the US cyber-security market into the vicinity of $35-45 Billion for 2013.


One potentially useful stat we can gather from the above is that IT security consulting is ~10-15% of the overall IT security market size.

So how do Australia's numbers compare?

This fairly old data set from 2009 has Gartner estimating the Australian IT security market size as being about $250 Million.  Let's add on 20% year-on-year growth since then, and we're at $500 Million-ish today.  Given my previous analysis of the Australian penetration testing market put it at $200-300 Million on its own, I think this is a pretty low estimate.  A 2008 estimate by IDC forecast the market would hit $1.5 Billion by 2011, which actually sounds a bit more workable.


If this is correct, and if my previous penetration testing market estimates are plausible, then at a macro level, organisations are spending 10-20% of their security budget on penetration testing and vulnerability assessment.  This feels a bit high (probably reflecting the fact that less is being spent than the bottom-up estimate of penetration testing expenditure would suggest), and also seems not to match with the US estimate of 10-15% of IT security spend going to consulting.  Given this would contain a great deal of 'non-penetration testing' consulting services, for penetration testing alone, let's go with something closer to 5% to be a bit more conservative.


So as rubbery as these data sets may be, they would suggest that the US penetration testing market is in the $1.5 - 3 Billion range... Which makes it 8-10 times the size of the Australian market, which, given that the US economy (GDP $15.094 Trillion) is more than an order of magnitude larger than the Australian economy (GDP $1.37 Trillion), would seem to make sense.

And just to recap my favourite point once again... "there are no companies with a dominant market share in the [IT security consulting] industry".  As I said at the end of the Australian analysis, this is a great market to be a part of; and on a global scale that is no different.