The market for cybersecurity startups is bubbling, but more of these new firms are choosing to sell out to larger companies than to grow into major independent players.
Between the lines: As a result, the big winners in cybersecurity investing right now tend to be founders and early-stage investors rather than larger venture capital and private equity (PE) firms.
- This means that some of the top cybersecurity firms are long-established companies like Cisco, IBM, and Microsoft that have simply been acquiring cybersecurity startups, per Investing News.
There's strong interest from private equity firms: "Every color of private equity — VC, growth, and buyout — is chasing cybersecurity," says Kristjan Kornmayer, director of M&A Advisory Services with the Chertoff Group, a global security advisory firm. "But it’s especially tough for the big buyout shops. There are not enough mature, scaled opportunities to put real money to work."
- Private equity firms often have large minimum investment amounts, but companies "get snapped up before reaching any significant size to be of interest to private equity," Kornmayer said.
- Some PE firms are so interested in investing in cybersecurity firms, they're lowering their minimum investment expectations to get in the game before companies get acquired. "We are seeing some funds revisit their minimum equity checks to accommodate the realities of this market’s structure," Kornmayer tells Axios.
By the numbers: In the general market, PE firms normally invest a minimum of $100 million in a company. But in the cybersecurity market, PE firms' average investment, not their minimum, is approximately $80 million, per data PitchBook shared with Axios.
Driving the market: Cybersecurity firms are often formed to quickly meet and beat new threats as they emerge, and bigger firms are prone to snatching them up to show they are prepared to meet threats better than their competitors. "On the early stage side, corporate buyers are looking to add new technology capabilities as soon as the company proves itself," Kornmayer said.
The other side: The fast pace of acquisition is also rooted in how hard it is to make a cybersecurity solution that's relevant. RSA Security CTO Dr. Zulfikar Ramzan tells Axios that cybersecurity startups often end up "stumbling":
They haven’t been able to prove out they can do a proper go-to-market...By then their investors have sort of run out of patience and steam and they say 'Okay, we’re done, let's wind it down and sell the company for whatever we can get.'— Dr. Zulfikar Ramzan, RSA Security's CTO
The bottom line: The pace of the market doesn't appear to be slowing anytime soon.
- The cybersecurity M&A market is active and getting more active. Already in the first half of 2018 there were 101 M&As in the cybersecurity market, which is well on track to surpass the number of M&As that took place in all of last year, 178, per Momentum Cyber, a cybersecurity advisory firm.
- Just this year, for example, cybersecurity firm Splunk has already acquired Phantom at $350 million and VictorOps at $120 million, and Palo Alto Networks has acquired Evident.io at $300 million and Secdo at $90 million.
What's next: PE firms are still hungry to invest in cybersecurity businesses — despite having to shift their expectations. "The industry’s size and growth justify the enthusiasm. We are talking about an $87 billion market growing 12% per year — that’s not easy to find," Kornmayer said.