While 2018 brought the largest security software deal in a decade, news that another big name may be on the sales block lends support to analysts' view that cybersecurity's M&A hot streak is set to continue in 2019.
NAB CEO not expecting passage of major broadcast legislation in 2019
NAB CEO expects Next Gen TV in stores before next Olympics
Analysts weigh Charter's next move in 2019 as M&A integration winds down
Previous wave of pay TV M&A sets stage for operators' 2019 initiatives
Virtual providers eye 2019 growth, despite slowdowns from top 2 players
2019 Outlook: Europe set to usher in tougher laws aimed at big tech
5G ball game in early innings as US operators launch mobile services in 2019
First 5G devices to debut in 2019 as next-gen US networks come online
This year saw the biggest cybersecurity announcement in at least a decade with International Business Machines Corp.'s pending $35.69 billion acquisition of Red Hat Inc., and recent reports indicate that security software giant McAfee, last valued at $4.2 billion in 2016, could be the next up for sale. With money pouring into the cybersecurity sector and a rash of startups aiming to offer solutions for ever-increasing cyberthreats, analysts say market consolidation is needed — and 2019 could be the leading edge of a cybersecurity M&A wave.
Security software deals are on the rise, with 79 announced year-to-date as of Dec. 19, up from 63 in 2014, according to S&P Global Market Intelligence data.
As investors prepare to ring in a new year, speculation abounds about the M&A intentions of private equity firm Thoma Bravo LLC, which has been on a cybersecurity buying run in 2018. The firm in October announced the $2.1 billion acquisition of Imperva Inc., then in November followed up with a $950 million transaction for Veracode Inc., both of which are still pending. Also in November, Reuters reported that Thoma Bravo was in talks to make an offer for Symantec Corp. However, a more recent report indicated Thoma Bravo was in discussions to buy security software giant McAfee, owned by Intel Corp. and TPG Advisors LLC, in a deal that unnamed sources told CNBC may fetch a significant premium over McAfee's 2016 valuation of $4.2 billion. Symantec, with a market cap of over $17 billion and about $5 billion in total debt, would represent another massive M&A target.
Thoma Bravo did not respond to requests for comment.
Buying McAfee could signal a shift in strategy for Thoma Bravo, Wedbush Securities cybersecurity analyst Daniel Ives said in a research note. While both Symantec and McAfee claim to effectively provide end-to-end securities solutions for business, government and consumers, a McAfee buy would be a more streamlined "safer play," while Symantec "would create a security stalwart in the field with massive synergies which remains the underlying goal of this combined PE play," the analyst said. He added that recent deal activity in cybersecurity represents "the tip of the iceberg," as players such as Thoma attempt to build end-to-end cybersecurity companies in a highly fragmented landscape.
Contributing to the deal activity is a market crowded with new players cropping up to address the growing threat of cyberattacks for companies increasingly moving operations to the cloud.
William Blair & Co. cybersecurity analyst Jonathan Ho in an interview estimated that between 1,300 and 1,400 cybersecurity startups have launched to address a range of problems in the past four to five years. As soon as a new cybersecurity issue arises, there can be 20 companies vying to address that problem, he said. The market fragmentation makes investment in the cybersecurity industry more difficult, despite strong interest, Ho added.
Another factor likely to drive more cybersecurity consolidation is compressed valuations. While cybersecurity exchange-traded funds like ETF Managers Trust - ETFMG Prime Cyber Security ETF and First Trust Exchange-Traded Fund II - First Trust Nasdaq Cybersecurity ETF and the broader tech-focused Vanguard World Fund - Vanguard Information Technology ETF have outperformed the broad markets over the past year, all three were hit by recent volatility in technology and the broader markets. For the three months ending Dec. 19, ETFMG Prime Cyber Security ETF was down about 14% while First Trust Nasdaq Cybersecurity ETF and Vanguard Information Technology ETF each lost about 16%, roughly in-line with the double-digit percentage drops seen at major indexes including the Nasdaq and the S&P 500 over the same period. While the recent declines are little comfort to individual cybersecurity investors, Ives said, the trend creates opportunities for consolidation against less expensive valuations.
Symantec, for example, saw its stock tumble in the first half of the year due to marketwide volatility, company-specific concerns related to an internal audit, and competitive and acquisition-integration issues. However, the stock saw a bump in November amid speculation that Thoma Bravo might buy the company, though the December report about how Thoma Bravo's sights may have changed erased some of those gains. As of Dec. 19, Symantec's stock had gained 2% since Nov. 5, the day before Reuters reported that Thoma Bravo was considering a bid for Symantec.
William Blair & Co.'s Ho said some of the most attractive M&A candidates remain private, but relatively high valuations and fewer incentives to sell create a more difficult M&A environment for private companies. Venture capital has been active in cybersecurity, providing startups with plenty of financial runway on large valuations, he said, leaving potential acquirers on the sidelines until companies are more interested in liquidity events and valuations become more attractive.
Recent threats, such as the Marriott International Inc. breach revealed at the close of November that impacted 500 million consumers, are pressuring companies to increase their spend on cybersecurity, while governments investigate their own options to safeguard data and regulate industry.
The move to cloud computing is creating a new paradigm for cybersecurity investment as companies across industries take sensitive data off their own closed internal servers and put them into shared cloud spaces. Currently, about 30% of workloads are in the cloud, and Wedbush's Ives expects that to expand to about 55% over the next four years. The analyst expects spending on cybersecurity to expand from 5% of corporate budgets to about 7% to 8%.
"These are trends for the next three to five years. I believe M&A is going to hit an inflection point in 2019 in this space," Ives said in an interview.