Cybersecurity M&A

By Nihat Anwar (SSE), Mustafa Bayramli (Wharton), Gurneek Gill (UCL)


I. Industry Background

Today, cyberspace has become increasingly crucial for our everyday activities. Although our lives have become easier thanks to major advancements in digital technology, our reliance on digital infrastructure has also made us more vulnerable to cyber breaches. The impact of these digital attacks can be destructive for firms, which could lose their intellectual property, and detrimental for individuals, whose personal data is equally important to protect. To defend us from these threats, cybersecurity companies aim to facilitate our everyday lives by curbing attacks on networks, systems, and programs.

The cybersecurity industry was valued at $153.16 billion in 2020 and exhibited a substantial growth of 7.6% during the year. Over the last few years, the aerospace and defense vertical had the largest share in the market. However, moving forward, BFSI and IT, government, and telecom verticals are expected to gain increased traction. More generally, the market can also be divided into two segments, namely solutions and services. Of these two, the service segment is expected to grow at the highest CAGR during 2021-2026 due to the rising demand for consultancy and maintenance services by medium and large enterprises. North America has dominated both segments of the global cybersecurity market in past years; however, this trend is also expected to change, as APAC is estimated to grow at the fastest pace. The market is highly fragmented and competitive, and some of the major players within the industry are IBM Corporation, AVG Technologies, and Cisco Systems Inc. These key players are continuing to implement core technologies into their business units, including machine learning, IoT, big data and cloud – all of which are expected to significantly drive growth moving forward.

As the number of online security threats continues to rise, the standards and requirements for more advanced security solutions are growing exponentially. During the pandemic crisis, the demand within healthcare, government, and manufacturing has grown tremendously and challenged the key industry players to differentiate and continue to advance their products and services. In addition, it is expected that cybercrime will evolve and become more sophisticated with the increased use of complex techniques and heightened computing power. All in all, cybersecurity companies face several opportunities and challenges, and the need for continuous innovations will likely increase the M&A activity in the industry.

II. PayPal - Curv

On March 8th, 2021, PayPal announced the planned acquisition of Curv. The deal is expected to close in the first half of 2021, and although the financial terms of the transaction were not disclosed to the public, experts believe that the acquisition is worth between $200 million and $300 million.

Curv was founded in 2018 and mainly focuses on providing companies with digital asset security technology. The Israel-based company is a leading provider of cloud-based services that let its customers securely access crypto wallets without any hardware device. In October 2020, PayPal created a business unit fully focusing on blockchain, digital, and cryptocurrencies. With this deal, PayPal wishes to continue its recent commitment by integrating Curv into its newly formed venture. Jose Fernandez da Ponte, PayPal’s vice president and general manager of the business unit, stated: “The acquisition of Curv is part of our effort to invest in the talent and technology to realize our vision for a more inclusive financial system.” By utilizing Curv’s unique capabilities, PayPal hopes to boost its competitiveness and continue its journey of innovation at a time when the adoption of digital assets is proceeding at a remarkably high pace.

This deal is an example of the increased cybersecurity M&A activity as players such as PayPal, and more generally, large institutions, continue to adopt digital asset and blockchain technology. Moving forward, experts believe that more deals will take place within the crypto segment since digital currencies will undoubtedly play an increasingly important role in financial services and commerce.

III. Okta - Auth0

On March 3, 2021, Okta, Inc. (NASDAQ: OKTA) announced that it would acquire Auth0 in a stock transaction valued at $6.5 billion. Under the deal, both sides have agreed that Okta will purchase the target with the acquirer's Class A common stock. Morgan Stanley and Qatalyst Partners are acting as financial advisors for the acquirer and target respectively.

Okta, Inc. provides an identity and access management (IAM) platform for enterprises, small and medium-sized businesses, universities, non-profits, and government agencies in the United States and internationally. The company’s flagship offering is Okta Identity Cloud, a platform that offers a suite of products to manage and secure identities, such as Universal Directory, a cloud-based system of record to store and secure user, application, and device profiles for an organization. Okta, Inc. sells its products directly to customers through its sales force, as well as through channel partners. Meanwhile, Bellevue, Washington-based Auth0 manages customers' identities across applications and expects over $200 million in revenue this year. It gives developers easy API access to single sign-on functionality. Under the terms of the deal, Auth0 will operate as an independent business unit inside Okta, but both platforms will be integrated over time.

Acquiring Auth0 enables Okta to construct a comprehensive approach to IAM covering both front and back end. From an identity market perspective, the target, being a small vendor compared to industry giants such as Microsoft, will be strategically positioned to leverage the Okta brand and its marketing network. Okta will likewise benefit from the complementary nature of the two companies’ operational focus in the identity market.

IV. Palo Alto Networks - Bridgecrew

On February 16, 2021, Palo Alto Networks (NYSE: PANW) expressed its intent to acquire Bridgecrew, a developer-first cloud company, in an all-cash transaction valued at $156 million. The rationale for the deal is that the acquisition will allow Palo Alto Networks to expand the use cases for its Prisma Cloud security platform into the DevOps process. Prisma Cloud helps thousands of organizations securely connect office branches and mobile users to the cloud, allowing for SaaS adoption with a cloud access security broker, and improves security across multi-cloud deployments. With the addition of Bridgecrew, Palo Alto Networks said it will be able to offer security across the full application lifecycle via a single platform.

Palo Alto Networks, Inc. provides cybersecurity platform solutions worldwide. The company provides firewall appliances and software; Panorama, a security management solution for the control of appliances and software deployed on an end-customer's network as a virtual or a physical appliance; and virtual system upgrades, which are available as extensions to the virtual system capacity that ships with physical appliances. It also offers subscription services covering the areas of threat prevention, uniform resource locator filtering, malware and persistent threat, laptop and mobile device protection, and firewall, as well as cyberattacks, threat intelligence, and data loss prevention. In addition, the company provides professional services, including architecture design and planning, configuration, and firewall migration, as well as online and in-classroom education and training services and support services. Palo Alto Networks is especially interested in accelerating investments in Bridgecrew’s infrastructure-as-code scanner, Checkov, which has recently gained traction among developers and exceeded 1 million downloads in 2020.

V. Datadog - Sqreen

On February 11, 2021, Datadog announced that it had definitively agreed to acquire Sqreen for an undisclosed fee; the deal is expected to close in Q2 2021. Datadog is a systems monitoring service for cloud-level applications, offering the safeguarding of servers, databases, tools, and services. Headquartered in New York City, US, the company has been searching for ways to strengthen the most vulnerable and exploitable attack surfaces that exist in certain applications. Thus, acquiring Sqreen seems like a natural step to take, as the San Francisco-based firm is a SaaS-based security platform that allows enterprises to detect, block, and respond to application-level attacks. Sqreen’s high-level application security facilities will close the gap that currently exists between application developers and security teams, meaning that security and resilience can be assured with a greater level of clarity for applications. Moreover, this acquisition is likely to bring great cost synergies, as Olivier Pomel, the CEO of Datadog, lamented the “high implementation costs” that exist when having to solve complex issues that occur in modern application security vulnerabilities. Correspondingly, Sqreen is equally excited about this acquisition, as it will allow the company to accelerate development of its automated application security tools; alongside Datadog's monitoring, their joint threat detection service will be of great value to consumers.

As previously mentioned, this acquisition was a natural integration of two firms that had a lot to offer to one another. This purchasing rationale was prominently seen pre-COVID-19, as cybersecurity companies pursued acquisitions to enhance existing capabilities and help provide better support for buyers as cyber-attacks become more sophisticated. However, it is one of the few strategic purchases that have occurred recently and perhaps marks the turning of the tide in cybersecurity M&A activity that has been heavily dominated by low-price PE financial acquisitions.

VI. Future Outlook

The future outlook for cybersecurity looks very promising in terms of M&A activity volume, which showed relatively strong resistance to COVID-19; now that uncertainty is clearing up, the deal volume will further increase. This is largely down to the industry itself, which has been growing steadily and now expects to register a CAGR of 14.5% during 2021-2026. The cybersecurity industry saw a boom from the pandemic due to large digital shifts in leisure and professional environments, and though we are nearing its end, many companies from tech-related industries will look to implement some “work from home” days, as exemplified by Facebook, which says it will allow up to 50% of its employees to work remotely in the future. Thus, when compounded with increasing numbers of cybercriminals due to COVID-induced unemployment, security risk from remote working is likely to increase. Further to this, experts forecast that there will be a ransomware-type attack on businesses every 11 seconds by 2021, up from every 40 seconds in 2016. This will lead cybersecurity companies to seek to expand via M&A to capitalise upon this demand, so that they can continue adapting and creating innovative technologies, revolving around key features such as AI and machine learning, to deal with hundreds of millions of new cyber threats that emerge yearly. Cybersecurity companies will thus carry on growing and becoming attractive M&A targets for a multitude of investors.

However, 2020 saw the average valuation per deal decrease by 51% from 2019 (see Fig. 1), and this looks set to continue. This was due to the large number of PE firms involved in transactions, clearly noticeable in Fig. 1, which sought cybersecurity company purchases due to their market solidification during the thick of the pandemic. PE firms were buying for financial purposes and made up 36% of buyers in 2020, so it is no surprise that lower valuations surfaced, since they do not have the same incentive as strategic buyers. This is only likely to continue, and whilst the volume of deals will remain steady as it has done for the past few years, cybersecurity M&A valuations will likely decrease in the near future until strategic buyers put aside the perceived risk of buying at times near the pandemic and involve themselves in more transactions. Until that point, PE firms will continue to invest in attractive cybersecurity companies which continue to grow financially, potentially leading to huge market instability.

Figure 1: Cybersecurity M&A activity deal volume (left) and deal valuation (right) from Q4 2019 - Q4 2020 [5]

VII. Sources

