An analysis conducted by SecurityWeek shows that more than 230 cybersecurity-related mergers and acquisitions were announced in the first half of 2022.
SecurityWeek has cataloged 234 cybersecurity M&A deals between January 1 and June 30, 2022, with a surge observed in the first half of June. At this pace, the number of deals made in 2022 will exceed the 435 announced last year.
Of all the M&A deals in H1 2022, 195 involved companies in North America, and 62 involved European companies. Roughly two dozen deals involved firms based in Asia, Oceania and Latin America.
A majority of transactions involved companies in the US, followed by the UK, Canada, Germany and Australia. Compared to last year, there have been fewer deals in Israel, which led to a drop in the overall volume of deals involving Asian organizations.
Financial details were made public for 39 deals, for a total of $51.5 billion. The deal size exceeded $1 billion in the case of seven acquisitions. This includes Vista Equity Partners and Evergreen Coast Capital acquiring Citrix for $16.5 billion, Google acquiring Mandiant for $5.4 billion, Thoma Bravo acquiring SailPoint for $6.9 billion, and Kaseya acquiring Datto for $6.2 billion.
In 2021, governance, risk management and compliance (GRC) companies accounted for the highest percentage of M&A deals, followed by managed security services providers (MSSP), network security, and identity firms. In the first half of 2022, MSSPs took the lead and the GRC category dropped to second place, with network security and identity remaining in the same spots.
For MSSPs, mergers and acquisitions help them expand or enhance their capabilities, and in many cases enable them to extend their geographical reach.
Twenty-one mergers and acquisitions involved government contractors and 14 deals involved private equity firms. In the case of private equity, there appears to be an increase compared to 2021, when these types of companies were involved in a total of 19 deals across the entire year.
Getting acquired by a private equity firm can enable companies to grow and expand. On the other hand, private equity companies continue to trust that their investment in cybersecurity will pay off. Data collected by SecurityWeek shows that private equity firms have acquired a wide range of organizations, including cloud, identity, network security, risk management, security operations center (SOC), data protection, mobile security, and managed solutions providers. Some have acquired firms that provide security solutions to government agencies.
The volume of mergers and acquisitions involving data protection solutions providers has increased significantly, with 21 deals announced in the first half of 2022, roughly the same as for the entire 2021.
The data shows a similar situation for application security companies — 17 deals were announced to date in 2022 and approximately the same during the entire 2021.
While the volume and value of global tech deals appeared to be taking a hit at the start of the Covid-19 pandemic, they quickly bounced back and even reached record highs in 2021. Experts believe cyber may be more resilient to economic conditions compared to other verticals, largely due to regulatory requirements and increasing cyber threats.
On the other hand, some cybersecurity companies appear to be concerned — or at least cautious — with major players such as Lacework, OneTrust and Cybereason announcing significant staff cuts in the face of macroeconomic uncertainty.
Monthly summaries of cybersecurity H1 2022 M&A deals: January, February, March, April, May, June.
Methodology: The data was collected from news distribution services, Google and pitches from PR companies. The data includes companies that issued press releases announcing or mentioning acquisitions, as well as deals that have been privately reported to SecurityWeek. All deals that had a cybersecurity component have been taken into account for this study. Mergers and acquisitions that did not have an English-language announcement may not be included. The data could also include deals that may have not been completed after they were announced.
The GRC category includes governance, compliance, risk management, audit, assessment, vulnerability management, penetration testing, attack surface management, and cyber insurance. Network security includes endpoint security, MDR, XDR, NDR, threat detection, and SASE. Identity includes IAM, PAM, secure access, authentication, authorization. Incident response includes SOAR, SIEM, SOC, and forensics. Specialized includes blockchain, cryptocurrency, quantum, encryption/cryptography, lawful surveillance, healthcare, and automotive. Data protection includes VPN, privacy and backup.
Related: Cybersecurity M&A Activity to Continue; Growth Funding to be More Conservative