More Than A Decade of Supply for Infosec M&A Transactions

One of my favorite analysts at 451 Research is Brenon Daly. One of his remarks at the recent RSA 2018 Analyst Breakfast caught everyone’s attention:

We see about 120 to 140 infosec transactions every year in our Tech M&A Database. There are about 2,000 infosec vendors we are tracking, and venture capital is adding more new companies every year. That means we have about a decade of supply for M&A activities.

(Some more of his remarks can be found here, An Industry that Runs On Fear and Greed, April 20, 2018).

Upon running the numbers, we actually have about 12.5 years of inventory.

Brenon’s statement sounded bleak. There definitely was some nervous laughter in the audience. I don’t have access to their very unique Tech M&A Transaction Knowledgebase, but Pitchbook has some rough data (think of it as a general direction, with some inaccuracies around the edges). It pans out we have about 12.5 years of inventory at current pace.

The vast majority of infosec M&A transaction volume comes from the U.S. (D’oh!).

2018-04-18_Infosec M&A Deal Volume by Region
Distribution of infosec M&A transaction volume by acquirers’ headquarter location from 2000 to 2018; total amount ~$95.4B, with U.S. ~81.8B; Pitchbook result as of 04/18/2018

In the past four years, we saw about 160 transactions every year. 2018 is on track to hit that number again.

2018-04-18_Infosec M&A Deal Volume
Infosec M&A transaction globally, 2007 to 2018; Pitchbook data as of 04/18/2018

About 8% of the currently about 2,000 infosec vendors could find liquidity this year if the M&A transaction trend continues.

Most of the transactions since 2009 are sub-$100M.

2018-04-18_Infosec M&A Deals and Volume by Year and Size
Global infosec M&A transactions with available transaction values, 2009 to 2018, by transaction sizes; PitchBook data as of 04/18/2018

Pitchbook only has actual transaction values for about 50 to 60 transactions per year (of the total of about 160 transaction per year!). Most of the “startup X sold of an undisclosed value” transactions are acquihires or sold below last round’s valuation, or at an otherwise not great outcome (VCs and founders usually love to talk about great outcomes!). At the same time, Pitchbook shows about 1,000+ venture-backed startups as “privately held (with backing)” in the vertical “Cybersecurity”. Some of these might not be operational anymore, but let’s say Pitchbook is 80% accurate. That leaves us with about 800 startups, of which about 250 raised later-stage capital.  You can run probabilities on that one.

Venture Capital adds about 120 new companies a year.

2018-04-21_Infosec Total Volume, 1st Round Volume, 1st Round Companies
Global venture capital investments in infosec startups, as classified by PitchBook (vertical “cybersecurity”), from 2004 to 2018; line graph shows the number of first rounds of startups only; bar graph shows the total volume of all venture capital investment across all rounds; Pitchbook data as of 04/21/2018

The odds seem to be stacked against infosec investments. So why do VCs add money?!

As written in previous posts, successful Infosec investing is incredibly hard. On the other hand, if you can create a brand as a successful investor in infosec or “cybersecurity”, seeing almost every early-stage deal of the 160 or so annual deals seems possible. Three to five so-called “meaningful” M&A transactions every year (and not including successful IPOs) seems enough if you can pick winners. And spending on cybersecurity at enterprises is increasing at a rapid pace, which makes it an interesting business for more incumbent adjacent technology players and thus more potential acquisitions.

Second, as our disclaimers often say, past performance is no indication of future events. As cybersecurity companies mature, there will be IPOs. And these companies become new acquirers. Cybersecurity also touches all part of the digital enterprise, and I expect to see many new entrants who are looking into expanding their existing business operations into security services. Almost all traditional tech companies could become potential acquirers of cybersecurity startups. There is a lot of “dry powder”.

Third, as a comparison, PitchBook is tracking about 5,000 startups in the “SaaS” vertical. The number of M&A transactions in the past four years were between 700 to 1,200 — about 8 to 10 times the number of M&A transactions in the “Cybersecurity” vertical — but at only 4 to 8 times the M&A transaction volume.

Thoughts? Opinions? Comments? Corrections?