An analysis conducted by SecurityWeek shows that more than 400 cybersecurity-related mergers and acquisitions were announced in 2023, with a drop seen in both volume and disclosed deal value.
In 2023, SecurityWeek tracked a total of 413 M&A deals, which represents an 8% drop compared to 2022. In 2023, we started tracking deals involving pure-play cybersecurity companies separately and found that 243 transactions involved such firms.
A majority of the M&A deals seen in 2023 involved North American companies, followed by Europe and Asia. The number of deals involving companies located in North America has dropped significantly compared to last year, from 369 to 273.
On the other hand, there has been an increase in the number of deals involving companies located in Asia, from 29 to 50, and Oceania, from 18 to 26. This increase was mainly driven by Israel and Australia, which overtook Canada and Germany for the third and fourth places.
The United States continues to lead in terms of number of deals, but there was a drop of nearly 100 acquisitions in 2023 compared to 2022 — from 358 to 262. The UK continues to be second, with 48 acquisitions, fewer than the 61 tracked in 2022.
Ireland and Sweden stand out in this year’s report. Irish companies were involved in 18 M&A deals and Swedish firms in 15 deals — the numbers have doubled in both cases compared to 2022. The number of deals involving companies based in the United Arab Emirates have also doubled, from 4 to 8.
Financial details are known for 58 of the 413 deals announced in 2023, for a total disclosed value of roughly $50.4 billion. Financial information was made public for 41 deals involving pure-play cybersecurity companies, for a total disclosed value of $14.3 billion.
There were six deals valued at over $1 billion, four of which involved companies offering only cybersecurity solutions. These include Thales acquiring Imperva ($3.6 billion), TPG acquiring Forcepoint ($2.5 billion), Francisco Partners acquiring Sumo Logic ($1.7 billion), and Thoma Bravo acquiring Magnet Forensics ($1.3 billion).
Another noteworthy deal is Cisco’s acquisition of Splunk for $28 billion. While Cisco and Splunk are not pure-play cybersecurity firms, cybersecurity is the focus of the deal.
Of the 20 mergers and acquisitions in the range of $100 million – $1 billion, 15 involved pure cybersecurity companies.
In comparison, in 2022, financial details of the transaction were made public in 62 cases for a total of $63 billion in disclosed deal value. Ten deals exceeded the $1 billion mark, including six involving pure cybersecurity firms for a total disclosed value of $26 billion.
SecurityWeek’s data shows that 155 deals involved managed security solutions providers (MSSPs). This includes product distributors and companies that offer other products and services in addition to cybersecurity. Only 37 of the MSSPs are pure cybersecurity providers.
While it’s important to keep track of these transactions as they play a significant role in the cybersecurity industry, we are currently tracking them separately in an effort to get a better view of the other categories.
Last year saw 68 deals involving companies that offer governance, risk management and compliance (GRC) solutions and services, 10 deals more compared to 2022. This category also includes audit, assessment, vulnerability management, penetration testing, attack surface management, and cyber insurance firms.
Identity and network security have remained on the second and third positions, with 40 deals each, roughly the same number of deals as in 2022.
Private equity companies announced 37 acquisitions last year, including two dozen involving companies that only offer cybersecurity solutions. Financial details were disclosed for 13 transactions, with a total value of $17.1 billion. The number of deals involving investment firms doubled compared to the previous year.
Government contractors were also involved in 37 deals in 2023. One-third of these transactions targeted pure-play cybersecurity firms.
Data protection dropped from the fourth position in 2022 to the eighth position in 2023, and cloud and container firm deals dropped from sixth to tenth place. Application security also dropped, from the seventh to the eleventh position.
There has also been a significant decrease in the number of deals involving organizations that offer training.
Incident response, on the other hand, has been increasing, driven by companies wanting to expand their capabilities and private equity firms seeing this segment as a good investment opportunity. For the purpose of this analysis, incident response also includes SOAR, SIEM, SOC, and forensics.
Nine deals involved companies providing industrial cybersecurity solutions, and three deals involved special purpose acquisition companies (SPACs) in 2023.
The ‘specialized’ category, which in 2023 had 28 deals, is for companies that provide highly focused cybersecurity services. This can include blockchain, quantum, payment, PR, healthcare, hardware, certification, and automotive firms.
Monthly summaries of cybersecurity H1 2023 M&A deals: January, February, March, April, May, June, July, August, September, October, November, December.
Methodology: The data was collected through news distribution services, Google searches and pitches from PR companies. The data includes companies that issued press releases announcing or mentioning acquisitions, as well as deals that have been privately reported to SecurityWeek. All deals that had a cybersecurity component have been taken into account for this study. Mergers and acquisitions that did not have an English-language announcement may not be included. The data could also include some deals that may have not been completed after they were announced.
The GRC category includes governance, compliance, risk management, audit, assessment, vulnerability management, penetration testing, attack surface management, and cyber insurance. Network security includes endpoint security, MDR, XDR, NDR, and SASE. Identity includes IAM, PAM, secure access, authentication, and authorization. Incident response includes SOAR, SIEM, SOC, and forensics. ‘Other (specialized)’ includes hardware, blockchain, quantum, payment, healthcare, PR, education, certification, design, workforce, communications, and automotive. Data protection includes encryption/cryptography, VPN, privacy and backup. MSSP includes cybersecurity solution distributors and companies that do not develop their own products or solutions.
Related: Cybersecurity Funding Dropped 40% in 2023: Analysis
Related: SecurityWeek Study: Over 430 Cybersecurity Mergers & Acquisitions Announced in 2021
