While cybersecurity has long been a hot sector for M&A activity, 2021 is seeing more deals at higher valuations than ever before.
In the U.S., the volume of cybersecurity M&A deals hit 151 in the first three quarters of 2021, compared to 80, 88 and 94 in 2018, 2019 and 2020, respectively, according to data from 451 Research.
Other technology sectors saw a boom in deal volumes in 2021, but few on the scale of cybersecurity. Across the technology and telecommunications industry tracked by 451, deal volumes jumped by 11.1% year over year in 2021. Deal volumes increased by 19.3% in the application software sector. Meanwhile, the number of acquisitions in the cybersecurity subsector catapulted 60.6% in 2021.
Industry observers see multiple factors driving this activity — including the digital transformation induced by the pandemic, as well as increasing cyberattacks — and they do not expect the deal volumes or valuations to slow down any time soon.
"If you think about the fact that cybersecurity really sits at the intersection of so many growing technologies, I think we can come to the realization that we're just getting started," said Pedro Palandrani, a tech analyst at research company Global X ETFs. "If you think about the rise of Internet of Things and how many connected devices you're seeing around the world, we're going to need cybersecurity solutions to protect those new entry points. If you think about the rise of autonomous vehicles, you also need better cybersecurity solutions."
The pandemic period not only accelerated consumer adoption of digital solutions; it also accelerated enterprise digitization strategies. Companies once only needed to protect their centralized information assets when all their employees worked in protected office networks. Now those networks extend between a geographic scattershot of dispersed endpoints as employees continue to work from home.
But that was not the only dynamic adding to the demand for new cybersecurity solutions.
In recent months, enterprise information technology professionals were faced with adapting to new types and scales of attacks — from SolarWinds Corp. and Colonial Pipeline Co. to Microsoft Corp. and T-Mobile US Inc. These attacks were not only targeting some of the most sophisticated technology vendors in the country but also compromising cybersecurity solutions on a broad scale, 451 analyst Scott Crawford explained. For example, the SolarWinds hack did not begin as an attack on its own data and operations, but with an attack on the U.S. government that extended to SolarWinds, Microsoft and cybersecurity company FireEye Inc., now Mandiant Inc.
These kinds of attacks compromised the supply chains of operating companies that serve consumers, enterprises and governments, as well as the products and services provided by cybersecurity companies themselves, Crawford said. Between the pandemic and these high-profile data breaches, bad news is good news for the cybersecurity business.
"As negative indicators affect different aspects of economies, cyber tends to move in the opposite direction. So the more negative the news, the more positive that is for the value of a cyber investment," Crawford said. "Instability tends to drive investment in improving stability."
Cybersecurity valuations are indeed high, compared to both recent years and the technology sector in general. In a historically expensive year for M&A, technology and telecommunications companies cost 7.0x their trailing-12-month sales in the first three quarters of 2021, on average, according to 451. That bumps up to 7.7x for the information technology sector. Cybersecurity acquirers paid an average of 11.3x trailing sales.
Unlike some other sectors, the high prices paid in 2021 may prove to be fair given the potential demand curve for cybersecurity, analysts told S&P Global Market Intelligence.
"There's always always a sense that the cyber market is really overvalued, but it's something of a chronic thing because there always seems to be upside in cybersecurity," Crawford said.
But the expense may be worth the cost, Crawford and other analysts said.
Historically, since cybersecurity is a cost center, enterprises are inclined to pay as little as possible for the service. The pandemic and new types and scales of attacks forced companies to invest more in protection. However, several cybersecurity market experts told S&P Global Market Intelligence that on average, the cybersecurity sector will only grow in the coming years, demanding both more innovation and more consolidation.
"We're past the point of people not understanding that cybersecurity is critical and it's a growth area," said William Blair Securities equity analyst Jonathan Ho, explaining why cybersecurity valuations have been so elevated for so long. "But what we're coming to understand is that even with the increased investment in cybersecurity on the part of organizations, it's still not enough."
451 Research is part of S&P Global Market Intelligence.