PE Firms 'on Prowl' for Take-Private Cybersecurity Deals
Financial Buyers Cash in on Modest Valuations to Expand Their Security Stack
The recent drop in stock prices has presented private equity firms with a golden opportunity to acquire fast-growing public cybersecurity companies without breaking the bank.
Since the summer, financial buyers have taken advantage of more modest public company valuations to grow their cybersecurity portfolio, scooping up five of the fewer than 30 public pure-play security vendors. These private equity firms want to shed legacy costs, grow the total addressable market through tuck-in acquisitions, and return the company to the public markets or find a new buyer within a half-decade.
"They are very much on the prowl," Momentum Cyber founder and managing partner Eric McAlpine tells Information Security Media Group. "They've got their radars out, and they're looking. I don't think you will see a slowdown in that activity."
The deal-making began in August, when Thoma Bravo snagged email security vendor Proofpoint for $12.3 billion in what was then the largest security acquisition of all time. Four months later, Permira agreed to take top Proofpoint rival Mimecast private for $5.8 billion. Advent and Permira topped the Proofpoint deal in March when they purchased consumer cybersecurity giant McAfee for $14 billion.
Then in April, Turn/River Capital agreed to buy network security vendor Tufin for $570 million, and Thoma Bravo signed a $6.9 billion purchase agreement with identity security powerhouse SailPoint. Strategic buyers have also gotten in on the bonanza, with OpenText acquiring email security vendor Zix in December for $860 million and Google agreeing in March to purchase Mandiant for $5.4 billion (see: Identity Firm SailPoint to Be Bought by Thoma Bravo: $6.9B).
"It's very much valuation-dependent," angel investor and SentinelOne and CyCognito board member Dan Scheinman tells ISMG. "Private equity firms have more confidence that they can create value in security companies at a certain point in their life cycle."
Multiples for public cybersecurity companies have flatlined over the past year, and the valuation-to-revenue multiples for 11 companies have increased between March 31, 2021, and March 31, 2022, while 11 others decreased during that same time period, according to Momentum Cyber. That's in stark contrast to a year earlier, when 24 of 25 security vendors saw their valuation-to-revenue multiples grow.
"Some of the companies got to a price point where private equity funds saw value," Scheinman says. "They felt that they could add value while the companies were in private hands and deliver value to their shareholders."
New Lenders Mean Less Debt
Private equity firms traditionally had to borrow money from financial institutions such as Bank of America, Citi, Deutsche Bank or UBS when they were looking to carry out acquisitions, McAlpine says. But lately, financial buyers have been able to take advantage of non-traditional pools of debt set aside by buyout firms like Blackstone for large and mega software acquisitions and take-private deals, McAlpine says.
The larger availability of debt gives private equity firms more financing options, especially if they're able to obtain a better price for the debt they're assuming, he says. Specifically, if private equity firms are able to borrow debt at a lower rate, then they can still make money off deals in which the expected exit valuation of a potential acquisition target is lower, according to McAlpine.
"There are enormous pools of capital on the sidelines in private equity and the strategic buyers," he says. "There is a lot of money to be put to work."
Publicly traded security companies that are consolidating the market and growing in excess of 35% annually - such as Cloudflare, CrowdStrike, Okta, SentinelOne and Zscaler - are rarely targeted by private equity investors. These companies have responded to pressure to increase their total addressable market by acquiring fast-growing, venture-backed companies with lots of intellectual property.
Financial buyers instead like to go after vendors with more modest growth rates where there's an opportunity to unlock value that hasn't been realized while the company is publicly traded.
"Many of the public companies are becoming legacy companies," ForgePoint Capital Managing Director Alberto Yépez tells ISMG. "Because there's a lot of innovation, they may not be addressing the most pressing issues that CISOs have today."
Email Security Market Under Pressure
Nowhere is the pressure more apparent than email security, where the industry will go from three public pure-play vendors as recently as August to zero once Permira closes its acquisition of Mimecast this quarter. Yépez says the traditional email security companies face pressure from both Microsoft and Google adding protection capabilities as well as born-in-the-cloud startups such as Abnormal and Area 1.
Customers are increasingly adopting cloud-native and cloud-consumed email security offerings as directories migrate to the cloud and on-site SharePoint servers become increasingly rare, Yépez says. As a result, he says, vendors with broader security platforms, such as Cloudflare, are paying a premium to get into the email security market with modern capabilities. ForgePoint was a significant investor in Area 1.
"CISOs are already looking for new solutions," Yépez says. "They're realizing that whatever they have is not working, and they're migrating to new solutions. The big question for CISOs is: Are the small companies going to survive, or is Microsoft and/or Google going to do more about email so I don't need to worry about it?"
Companies such as Proofpoint have therefore sought to expand their total addressable market by acquiring their way into adjacent technologies, such as insider threat and data protection, and Yépez expects that process to continue under Thoma Bravo's ownership. New Proofpoint CEO Ashan Willy said last month that the company is now the world's second-largest data loss prevention vendor, behind only Forcepoint.
Going private takes public reporting costs out of the equation for maturing companies and gives them a window to restructure, refocus and do mergers and acquisitions with sponsor capital, Yépez says. Barracuda and Sophos have followed this playbook under Thoma Bravo's ownership. Sophos has made four acquisitions in two years, and Barracuda has carried out three acquisitions in four years.
If things go according to plan, Yépez says, the company will typically be sold to another private equity firm in three years. If not, the private equity firm will take the portfolio company public or find a strategic or technology buyer to purchase the asset within five years, according to Yépez.
Most of the security companies being taken private in nine- or 10-figure deals are well run, meaning that the private equity buyers aren't looking to trim fat, McAlpine says. Instead, financial buyers are looking to acquire more products and services, expand the security vendor's customer base and sell more technology into the company's existing buyers.
Adding Value One Acquisition at a Time
Under private equity ownership, security companies will typically spend between $50 million and $300 million for each tuck-in acquisition, buying startups with $10 million to $30 million of annual sales at a price of between 10 times and 20 times revenue, McAlpine says. Vendors such as Barracuda and Sophos can often quintuple sales within two or three years by pushing the product through their massive channel.
Carrying out a series of tuck-in acquisitions in which the product of the acquired company is sold into the buyer's customer base is an effective way for security vendors to create between $500 million and $1 billion of value in a relatively short time frame. And as the privately held security company increases in value, private equity firms can take the company public or find a new buyer at an impressive return.
Thoma Bravo has perfected the art, agreeing in April to sell Barracuda to KKR for a reported $4 billion after taking the company private in February 2018 for only $1.6 billion. Thoma Bravo similarly agreed in March to sell a majority stake in Veracode to TA Associates at a valuation of $2.5 billion after buying the application security testing firm from Broadcom in January 2019 for just $950 million.
Private equity firms will typically agree to acquisitions only if they can expect to generate an internal rate of return of at least 20%, McAlpine says. Financial buyers will project upfront what the exit valuation of a potential asset will be three to five years down the road and then determine at what price the deal would be worth doing, according to McAlpine.
"There has been some price rationalization," he says. "We've seen stock prices come down since the end of last year and into the beginning of this year after a pretty extraordinary run-up over the course of 2021. As a result, private equity firms were just able to make the numbers work."
Three Cheers for Consolidation
Scheinman says private equity firms like to see annual sales growth of at least 20% before returning a security company to the public market. Even more important for financial buyers, however, is that the company turn a consistent and growing profit, he says. In reality, some firms will get gobbled up by larger security or technology companies rather than reenter the public market.
"There are a whole lot of public and private security companies out there at a certain size, and at some point, there probably needs to be a smaller number of stronger companies," Scheinman says. "And I think that's part of what we're going through right now."
McAlpine also sees private equity investment and the ensuing potential for consolidation as a net positive for CISOs given the vendor fatigue most security leaders are experiencing. With some 4,000 vendors in the cybersecurity market today, he says CISOs dread getting their arms twisted into receiving yet another demo or proof of concept.
"For most CISOs that I talk to, they would rather have best of suite versus best of breed," McAlpine says. "From a best of breed standpoint, there just isn't enough manpower to go out and manage each one of these tools. It's not just about how much they cost, but the implementation and the management of the tools. And then ongoing cost to do that is a big burden for most chief security officers."