E-Sign on the Dotted Line: OneSpan Emerging as an M&A TargetDespite Foes Like DocuSign, Latest Financials Are Up But Potential Buyers Are Near
Financial and strategic buyers continue to capitalize on sharply reduced valuations for publicly traded security vendors as the economic downturn drags on.
Five cyber companies that began 2022 on the Nasdaq or New York Stock Exchange now find themselves owned or under agreement to be purchased by a private equity firm. Thoma Bravo agreed last year to spend $12 billion to buy identity protection goliaths SailPoint, Ping Identity and ForgeRock. The private equity titan attempted to take Darktrace private as well but couldn't reach an agreement on terms.
Then in the first two months of 2023, Vista Equity Partners completed its $4.6 billion acquisition of security awareness training vendor KnowBe4 and Francisco Partners agreed to take data analytics software vendor Sumo Logic private for $1.7 billion.
Now, a sixth cybersecurity firm is caught in the M&A crosshairs.
Identity verification and e-signature provider OneSpan is working with investment bank Evercore on a sale process that could attract interest from other businesses and private equity firms, Reuters reported last week. OneSpan declined comment, while Evercore didn't immediately respond to an Information Security Media Group request for comment.
Activist Investor Spurs Board, CEO Changes
Investors are pleased at the prospect of OneSpan exiting the public market after more than 23 years on the Nasdaq Stock Exchange, dating back to the company's time as Vasco Data Security. The company's stock was up $0.93, or 5.65%, to $17.48 per share late Wednesday in the wake of the Reuters report. OneSpan's valuation has jumped to nearly $700 million following publication of the Reuters story.
OneSpan's 2022 stock performance was better than the majority of security-focused vendors, and the firm's stock price fell 34.1% from $16.99 per share at the start of 2022 to $11.19 per share at the end of the year. The company's stock was around $25 per share for the first seven months of 2021, but it has traded considerably lower for the past 18 months.
2021 was a year of considerable upheaval for OneSpan. Activist investor Legion Partners in May 2021 called on OneSpan to replace four existing board members with its own nominees and seek alternate ways to monetize assets. Two days later, OneSpan and Legion struck a deal in which two of Legion's picks would join the board and three of the members Legion wanted to oust would leave over the next year.
Then in August 2021, OneSpan revealed that CEO Scott Clements - who had led the company since July 2017 - had left to pursue other interests and also resigned from the board of directors. Three months later, OneSpan chose Matt Moynahan as Clements' permanent successor. Moynahan had led Forcepoint for five years, culminating in the sale of the Raytheon subsidiary to Francisco Partners for $1.1 billion.
Today, Legion Partners is OneSpan's second-largest shareholder, with an 8.8% ownership stake, behind only passive investor BlackRock, which holds a 16.3% position. OneSpan's fifth-largest shareholder is also an activist hedge fund - Altai Capital Management, which holds a 5.8% stake in the company, according to regulatory filings. Moynahan became a member of OneSpan's board of directors in June 2022.
A Look at OneSpan's Recent Performance and Moves
OneSpan's sales inched ahead to $219 million in 2022, up just 2.1% from $214.5 million a year earlier. On a more positive note, the company's net loss improved to $14.4 million, or $0.36 per share, 52.8% better than a net loss of $30.6 million, or $0.77 per share, the year prior. The stronger financials were driven by a 10.1% reduction in overall headcount and 17.2% cut in R&D headcount over the course of 2022.
The company in January bought Australian startup ProvenDB for $2 million to securely store and vault documents based on blockchain technology. That was OneSpan's first acquisition since May 2018, when it purchased identity verification vendor Dealflo for $54.5 million to automate the customer onboarding life cycle. At the time of the Dealflo buy, the firm changed its name from Vasco Data Security to OneSpan (see: OneSpan to Buy ProvenDB to Securely Store, Vault Documents).
OneSpan in May 2020 was named by Forrester as a contender in the risk-based authentication market behind market leaders IBM and LexisNexis Risk Solutions. Forrester said OneSpan has a comprehensive, productized and bundled set of canned templates for rule scoping but lacks threat intelligence integration, user self-service and out-of-the-box productized support for third-party MFA authenticators.
What Makes OneSpan's Approach Different From Rivals?
Moynahan told ISMG in December 2022 that he wishes to bring OneSpan's identity verification and e-signature businesses together in the cloud to better secure the entire customer transaction life cycle. He said organizations onboarding a new user or device face many threats from hackers and infrastructure compromise to know-your-customer regulations (see: OneSpan CEO on Joining Identity Verification and e-Signature).
"All companies want to onboard customers," Moynahan told ISMG in December. "In order for them to grow, they're going online with more complex digital products. Those products are increasingly expected to be used by consumers. But there are a lot of regulatory and security threats when you're onboarding an unknown entity to a company."
The fastest-growing area of OneSpan's business has been around e-signature, where Moynahan says the company is the only enterprise-class alternative to DocuSign. Moynahan says OneSpan's e-signature is more secure and offers better value than DocuSign but isn't as well known since the product is private labelled in virtually all transactions.
On the identity verification side of the business, Moynahan says OneSpan most often competes against Gemalto - which is now Thales Digital Identity and Security - since it has similar capabilities on the token. OneSpan also encounters RSA, Transmit Security and Yubico from time to time for customers that are looking to more broadly implement passwordless identity and access management technology.
"If you want a product that works, is resilient and highly available, use our stuff," Moynahan told ISMG in December. "I think that sets us apart from a lot of the startups. It's just the 30 years of history and trust that we built up in high-volume, high-transaction environments like banks."