“A profound shortage of strategic acquisition targets and rapid technological evolution has one clear side-effect: a fertile, and increasingly expensive, M&A market”
The cybersecurity market is a hot sector for investment right now. Just last year, Gartner estimated the global industry would be worth over $96 billion in 2018, as global spending on cyber protection grows at a projected rate of 8 percent year-on-year.
Sadly, the scale of growth in the sector has largely been driven by a rapid increase in cyber crime, with the monetary and reputational threat steadily pushing the issue up the board agenda. Beaming reports that on average British firms each suffered 231,028 cyber attacks during 2017, which works out at 633 attempts to breach their firewalls every single day.
Eye-wateringly high as those figures already are, cyber attacks are only increasing in frequency and sophistication. Attacks are increasingly carried out by state-sponsored actors and highly advanced organised criminals focused on high-value targets. On top of that, significant increases in available network attack surfaces and connected devices have resulted in greater exposure to threats.
It’s not just hackers that firms need worry about. The growing cyber threat has resulted in greater attention from regulators, who are now driving the cyber security agenda and adopting a tough stance towards both cyber breaches and failure to protect client data.
The EU-wide General Data Protection Regulation requires companies to report any breach of personal data to the authorities within just 72 hours, with fines of up to €20m or 4% of global turnover, whichever is greater, for failure to comply.
“The Focus of New Regulation is Bridging Information Gaps and Ensuring Higher Minimum Standards for Compliance.”
This is being achieved through specialist programmes, such as those run by CREST and the Bank of England’s CBEST programme for systemically important financial institutions, which is now being rolled out across other critical sectors via TBEST (Telecoms), GBEST (Government) and NBEST (Nuclear) and in the EU as TIBER-EU.
This new cyber landscape, characterised by high-risk and intense scrutiny, means that cyber security is widely accepted as a ‘board-level’ issue. It’s perhaps unsurprising then that businesses are investing heavily to protect themselves.
Typically, the high levels of spending in this sector have been split between services and software. Services cover everything from penetration testing and information security consulting to regulatory compliance, incident response and managed services. At the other end of the spectrum, software covers areas such as endpoint protection, access control, firewalls, anti-malware and intrusion protection & detection. Both of these divergent markets are becoming increasingly sophisticated on the back of a number of interesting developments, piquing investor interest.
Move to Intelligence-Led Testing has Opened Up New Channels of Investment
In the services space, a move towards intelligence-led testing and the growth of managed security service provisions (MSSP) has helped revolutionise the market and open up new channels of investment. Intelligence-led testing has provided more effective, tailored protection where the premise is to leverage research (such as ‘honeypots’ and open source intelligence) to identify vulnerabilities and attack formats which are specific to certain industries and clients. The result is a focusing of energies on protecting against these most likely attack types for a specific client rather than simply standardised or undefined methods.
Meanwhile, managed services are another fast-growing area as businesses steadily realise that they require a persistent, live cyber security solution – rather than simply conducting point-in-time testing or purchasing ‘bolt-on’ software products.
On the software side, artificial intelligence and machine learning are both taking centre stage. Much has already been written on the practicality and potential of these latest developments, and whilst the success of these platforms is currently still varied, these better technologies are very much at the forefront of quick and accurate identification when it comes to potential cyber attacks.
Delving deeper into the purely financial side of the industry, a combination of high cyber security spending, a profound shortage of strategic acquisition targets and rapid technological evolution has one clear side-effect: a fertile, and increasingly expensive, M&A market.
Cybersecurity Market: 200 Transactions Globally Last Year
In 2017, there were over 200 transactions around the globe, as businesses fought to acquire prized cyber security capabilities. Highlights included Barracuda Networks being taken private by PE investor Thoma Bravo for a colossal $1.6bn and DigiCert’s $950m acquisition of Symantec’s website security offering. Closer to home and away from the global mega-deals, the UK has seen sustained M&A activity of its own, with examples including Lloyd’s Register acquiring Nettitude, Information Risk Management being acquired by Altran and Cygnia being acquired by SecureData.
Transaction prices are high, with cyber security businesses in general attracting a high premium. These toppy valuations are ultimately being driven by the market forces of supply and demand: the demand for cyber security assets is at an all-time high, yet the supply of high-quality assets of scale and with proven capabilities is still scarce, particularly as a result of a severe shortage of highly skilled labour entering the market.
Ultimately, the cyber arms race is driving increased spending which is in turn fuelling faster and more impressive innovation. All of this points to exciting times ahead in the market as businesses strive to acquire capabilities that they cannot develop in-house. For companies with highly skilled and stable staff and sophisticated capabilities, supported by suitable scale and capital, this is boom time.