latest-news-headlines Market Intelligence /marketintelligence/en/news-insights/latest-news-headlines/heavy-cybersecurity-m-a-spending-may-be-here-to-stay-70511226 content esgSubNav
Discover more about S&P Global’s offerings
In This List

Heavy cybersecurity M&A spending may be here to stay
Blog

Banking Essentials Newsletter: September 18th Edition

Loan Platforms: Securing settlement instructions and prioritising the user experience

Blog

Navigating the New Canadian Derivatives Landscape: Key Changes and Compliance Steps for 2025

Podcast

MediaTalk | Season 2 | Ep. 29 - Streaming Services, Linear Networks Kick Off 2024/25 NFL Showdown


Heavy cybersecurity M&A spending may be here to stay

Cybersecurity M&A will likely remain hot, even as investor interest in tech more broadly continues to cool.

Investors in recent years have piled into cybersecurity, paying high valuations for equity stakes in a range of companies that have yet to produce a profit. That thesis expanded into M&A, where both strategic and financial investors struck deals at record paces and prices throughout the pandemic and into 2022.

The fundamentals that underpin cybersecurity's market-beating transaction valuations are still very much in place, largely unaffected by the macroeconomic concerns weighing on other sectors. M&A in the sector should continue at a steady and expensive clip, even as the stock market shifts, analysts said.

"Cybersecurity is part of tech and has been no exception to [the] sell-off," said Alex Gordon, director of sales at ETFMG. "Some companies caught up in the sell-off have definitely caught the eye of strategic buyers, and that's why we've seen some private equity firms and larger tech companies being opportunistic during this period, which has kept the M&A market hot."

Gordon's firm launched the first cybersecurity-focused exchange-traded fund in 2014, the ETFMG Prime Cyber Security ETF, which trades under the ticker HACK. Year-to-date as of May 23, that ETF was down 24.0%, compared to a 16.6% drop for the S&P 500 and a 26.3% drop for the NASDAQ.

SNL Image

Many technology stocks have been affected by the Federal Reserve's decision to begin raising interest rates, Gordon said, which could have an outsized impact on pre-profit growth companies that depend heavily on debt funding.

Meanwhile, cybersecurity M&A volumes and valuations have held strong. Acquirers signed 48 deals in the first quarter. At that rate, full-year volumes will edge above 2021, a record year for sector deals.

SNL Image

There is not much in the long-term demand outlook that signals a retreat in deal values and volumes, Gordon said, but the pace and strength of cybersecurity M&A could begin to decelerate given the quantity of money lost from equity markets this year.

"I wouldn't be surprised if it cools off a little bit this year," the executive said. "We're probably still in the second or third inning of the maturity in the industry, but those innings may keep going out. … Maybe the market doesn't change but our viewpoint on these stocks and how we value them changes."

Almost every new technological innovation that includes sensitive data or communications requires a corresponding cybersecurity innovation to protect that data and innovation, and the scale of corporate and geopolitical threats against critical infrastructure may mean cybersecurity stocks should be valued more like defense stocks than like technology stocks, Gordon said.

To meet this growing demand, the market is swelling with small companies that provide highly targeted and technical products to address specific cybersecurity needs, which is driving an active M&A environment. New companies are formed at a rate that is hard to match by consolidation.

"Security is a market of missing features," said 451 analyst Garrett Bekker. "A lot of these companies are providing that missing feature."

There are about 4,000 cybersecurity vendors in the marketplace, and hundreds are being created every year, the analyst said.

Not only are cybersecurity targets proliferating, but the types of buyers acquiring cybersecurity companies are also growing. Certain cybersecurity companies have acted as consolidators, buying smaller companies to build more comprehensive product portfolios. For example, Palo Alto Networks Inc. has been the most active acquirer across all buyer types since 2017, printing 12 transactions in that time period, according to 451.

But both financial buyers and nonsecurity companies are also driving up demand for M&A in the sector. Of the top 10 most-active acquirers since 2017, both private equity firm Thoma Bravo LP and consumer credit company Mastercard Inc. feature prominently. Since the outset of 2021, auditor and professional consulting company Deloitte Touche Tohmatsu Ltd. has penned three cybersecurity transactions. Commercial cloud vendors like Microsoft Corp. and Alphabet Inc. have also taken strong positions in the M&A market.

The motivation for nonsecurity strategic buyers ranges widely, Bekker explained. Some companies are adding internal security to certain product categories, which is often the case for cloud providers such as Microsoft. In the case of companies like Mastercard or Deloitte, their competitive position depends on the trust of their clients, and adding cybersecurity supports that trust. Private equity firms are investing against the sector growth thesis, but in the case of Thoma Bravo and other firms that have been very active in the sector, they are also acting as consolidators, combining cybersecurity companies into revenue-generating product stacks that they can later spin out as larger stand-alone companies.

"Nonsecurity strategic buyers have outnumbered security strategic buyers by a pretty big margin," Bekker said.

This range of well-capitalized buyers not only keeps the market extremely active, but also very competitive and expensive.

"Security has gone from this niche issue to a board-level concern," Bekker said. "For M&A, I think there is some sustainability."

451 Research is part of S&P Global Market Intelligence.