Cybersecurity M&A maintains pace, but valuations and PE activity trend lower

2021 was a record-smashing year for overall cybersecurity M&A, and the first quarter of 2022 started off on a similar – albeit slightly less eye-popping – trajectory. A total of 113 deals were printed in the first half, up 10% from 103 transactions during the same period in 2021. However, total deal values dropped notably, from $34.3 billion to $21.3 billion, while the median deal value shrank from $155 million to $124 million.

Q2 acquisition activity picking up the pace

M&A decelerated in March, particularly with respect to PE participation. However, Q2 rebounded strongly, posting an impressive 66% year-over-year (YoY) increase from 2021, with a total of 53 deals compared with just 32 in Q2 2021. Additionally, the median deal value increased to $125 million from $118 million, with a slight uptick in median multiples (6.4x in Q2 2022 versus 5.5x in Q2 2021).

Information Security M&A Since 2010

Private equity activity falling off

Private equity (PE) involvement in overall cybersecurity M&A has dipped considerably in 2022, with three straight quarters of YoY declines prompting a 25% drop-off from the 38 transactions at the midway point of 2021 to just 29 PE purchases in the first half of 2022. As a percentage of total cybersecurity deals, PE activity has fallen to 26%, down from 37% in 2020 and 38% in 2021, and a high-water mark of 46% in Q4 2020.

Fewer big-ticket transactions in 2022

While 2021 was the year of the mega-deal in security, 2021 has also seen a decline in large deals year to date. The dip can be traced again to less robust PE activity, following blockbuster transactions in 2021 such as Thoma Bravo’s $12.3 billion pickup of Proofpoint Inc. and McAfee Corp.’s $12 billion takeout by a consortium led by Crosspoint Capital. All in, there were 10 cybersecurity exits last year that topped the billion-dollar mark, more than half of which were PE-sponsored.

Thus far in 2022, however, only four acquisitions have reached that milestone, including Thoma Bravo’s $6.2 billion reach for identity governance pioneer SailPoint Technologies Holdings Inc., Google’s $5.4 billion purchase of Mandiant Inc., KKR’s $4 billion (451 Research estimate) acquisition of network and web security specialist Barracuda Networks, and Vector Capital’s $1.5 billion (451 estimate) pickup of network security veteran WatchGuard Technologies.

Existing drivers remain in place to spur future dealmaking

Looking ahead, many of the drivers of recent consolidation activity remain in place, including the ongoing migration to the cloud, the transition to zero-trust security frameworks, and the continued proliferation of ransomware, malware and other threats – all of which could collectively help offset any financial or geopolitical headwinds.

As such, we expect a few subsegments of security to remain fertile ground for smart shoppers, including application security, identity and access management, cloud security, threat protection, and managed security services.

Want insights on Infosec trends delivered to your inbox? Join the 451 Alliance.