SecurityWeek has cataloged 214 cybersecurity-related merger and acquisition (M&A) deals between January 1 and June 30, 2023.
For comparison, there were 455 transactions announced in 2022, including 234 in the first half of the year. The most significant difference between the first half of 2022 and the first half of 2023 was in June — last year there was a surge in deals and this year there was a significant decrease, with less than two dozen announcements made.
A majority of the deals announced in the first half of 2023 involved companies in the United States, which is not surprising considering that companies in the US are more likely to enter M&A deals as part of an expansion or exit strategy and are most likely to issue an English-language press release.
The US has been followed by the UK for the past three years, and countries such as Canada, Germany and Australia are typically also in the top five. However, in H1 2023, Sweden surpassed Canada and Germany, rising to the fourth position, with a dozen cybersecurity M&As involving Swedish firms.
In terms of regional figures, North America and Europe continue to lead, but the number of deals involving companies in Asia appears to be growing, with 26 transactions announced in the first half of 2023, compared to 29 deals announced throughout 2022. On the other hand, 42 acquisitions involved Asian companies in 2021, in large part due to Israeli firms, which are now again driving a surge in M&A deals in the region, alongside companies from India, UAE and Singapore.
In the first half of 2023, financial details were available for 30 deals, for a total of $5.1 billion, significantly less than the $51.5 billion in disclosed deal value for 39 deals in the same period of last year. It’s also worth noting that the total disclosed deal value reached $63 billion by the end of 2022.
The biggest deals involved private equity firms, including Thoma Bravo buying Magnet Forensics for $1.3 billion, Francisco Partners acquiring Sumo Logic for $1.7 billion, and Crosspoint Capital Partners acquiring Absolute Software for $870 million.
In fact, private equity firms were involved in 20 of the M&As from the first half of 2023, more than the yearly total for 2022 or 2021. In a quarter of cases, investment companies acquired managed security services providers (MSSPs).
Of all the deals announced in H1 2023, 82 involved MSSPs. While the number is slightly higher compared to the 66 announced in the first half of 2022, the total number of MSSP acquisitions will remain roughly the same as last year if deals continue at this pace.
SecurityWeek is tracking MSSP deals separately. While it’s important to keep track of these transactions as they play a significant role in the cybersecurity industry, we are currently tracking them separately in an effort to get a better view of the other categories.
Deals involving companies that offer governance, risk management and compliance (GRC) services are roughly the same as in H1 2022, and so are deals involving identity solutions providers.
Diving deeper in the GRC category, we see risk management, assessment, and penetration testing stand out, with companies that offer these services being involved in more than 30 deals — roughly 10 deals for each category.
We see a significant drop in acquisitions involving network security and data protection companies compared to H1 2022 and the entire 2022. Network security and data protection were the second and fourth most common M&A categories in 2022 and they dropped to the ninth and tenth positions, respectively, in H1 2023.
The number of deals involving firms that offer security consulting services has increased, with 17 acquisitions announced in H1, more than double compared to the first half of 2022 and nearly as much as during the entire last year.
Methodology: The data was collected through news distribution services, Google searches and pitches from PR companies. The data includes companies that issued press releases announcing or mentioning acquisitions, as well as deals that have been privately reported to SecurityWeek. All deals that had a cybersecurity component have been taken into account for this study. Mergers and acquisitions that did not have an English-language announcement may not be included. The data could also include some deals that may have not been completed after they were announced.
The GRC category includes governance, compliance, risk management, audit, assessment, vulnerability management, penetration testing, attack surface management, and cyber insurance. Network security includes endpoint security, MDR, XDR, NDR, and SASE. Identity includes IAM, PAM, secure access, authentication, and authorization. Incident response includes SOAR, SIEM, SOC, and forensics. ‘Other (specialized)’ includes hardware, blockchain, quantum, payment, healthcare, PR, education, certification, design, workforce, communications, and automotive. Data protection includes encryption/cryptography, VPN, privacy and backup. MSSP includes cybersecurity solution distributors and companies that provide security services but do not develop their own products or solutions.