MSSPs took the lead in cybersecurity M&A in 2022 with twice as many deals as in 2021
An analysis conducted by SecurityWeek shows that more than 450 cybersecurity-related mergers and acquisitions were announced in 2022.
In 2022, we tracked a total of 455 deals, compared to 435 in 2021. The US and UK continue to lead in terms of the number of deals, but Israel and Australia were overtaken last year by Canada and Germany.
The number of deals involving companies from the United States increased from 341 to 358, and the UK dropped from 70 to 61 deals.
As for regional data, North America and Europe continue to lead with roughly the same number of M&As as in the previous year. The number of deals involving companies in Asia and Oceania dropped compared to 2021, but M&A activity more than doubled in Latin America.
Financial details of the transaction were disclosed in 62 cases in 2022, significantly less than the 88 deals that had financial terms disclosed in 2021.
In 2022, we saw transactions totaling more than $63 billion in disclosed deal value. Ten companies were acquired for more than $1 billion, roughly the same as in 2021. The most significant deal for the cybersecurity industry was Google’s acquisition of Mandiant.
Thoma Bravo acquired SailPoint, Ping Identity, and Forgerock for more than $1 billion, and reportedly sold Barracuda Networks for $4 billion. Vista Equity Partners acquired two companies for over $1 billion: KnowBe4 and Citrix (Citrix was acquired with Evergreen Coast Capital).
Other major deals include Kaseya’s acquisition of Datto, Carlyle Group’s acquisition of ManTech International, and AMD’s acquisition of Pensando.
Roughly the same number of companies as in 2021 was acquired for millions of dollars, but the number of deals for tens and hundreds of millions has dropped from 64 to 38.
As for the types of companies involved in 2022’s cybersecurity M&A deals, managed security services providers (MSSPs) lead by far, with over 150 deals, more than double compared to 2021. Many MSSPs are looking to buy other managed services providers as part of their expansion efforts.
In addition, a recent survey showed that many MSPs are focusing on growing their cybersecurity practices, with many planning to invest in threat intelligence, detection and response, real-time attack visibility, and forensics and incident response.
SecurityWeek is tracking MSSP deals separately. While it’s important to keep track of these transactions as they play a significant role in the cybersecurity industry, we are currently tracking them separately in an effort to get a better view of the other categories.
Deals in the governance, risk and compliance (GRC) category come in second place, with 58 mergers and acquisitions announced in 2022 involving these types of companies. It’s worth noting that GRC exceeded MSSP in 2021, when nearly 80 transactions were announced.
Companies providing network security and identity-related services were, just like in 2021, the third and fourth most common in cybersecurity deals, but the number of deals related to data protection nearly doubled, moving from the tenth position on the chart to the fifth.
Even in the first half of 2022 it was clear that data protection would be in the M&A spotlight, with the number of deals announced in H1 reaching the same level as in the entire 2021.
The number of deals involving government contractors dropped slightly in 2022 compared to 2021, from 43 to 36, but it remained one of the top types of transactions. This includes Carlyle Group’s acquisition of ManTech International for $4.2 billion.
The US government continues to invest in improving its cyber capabilities. As a result, IT and cybersecurity contractors are scrambling to extend and enhance their capabilities through strategic acquisitions that can pay off down the line.
The data collected by SecurityWeek shows that private equity (PE) companies continue to bet big on cybersecurity, with 18 of the mergers and acquisitions announced in 2022 involving PE firms, approximately the same as in the previous year.
PE firms have acquired companies specializing in cloud security, data protection, threat intelligence, risk management, application security, identity, network security, security operations center (SOC), mobile security, secure access, and managed services.
Three of the 2022 cybersecurity M&A deals involved a special purpose acquisition company (SPAC).
There were more than 10 deals for each of the following types of companies: cloud (32), application (24), specialized (22), consulting (21), incident response (20), training (20), threat intelligence (17), and web and email (16).
The ‘specialized’ category includes companies that provide highly focused security services. The list includes — but is not limited to — blockchain, quantum, payment, PR, healthcare, hardware, education, certification, design and automotive.
We are seeing a similar start in terms of the number of M&A deals in 2023. On one hand, the global economic slowdown may lead to a drop in the number of deals in 2023 as companies may be more cautious and delay expansions fueled by acquisitions. On the other hand, we predict that some firms will be keeping a close eye on the market in hopes of buying startups with promising technologies at a discount.
Monthly summaries of 2022 cybersecurity M&A deals: January, February, March, April, May, June, July, August, September, October, November, December.
Methodology: The data was collected from news distribution services, Google and pitches from PR companies. The data includes companies that issued press releases announcing or mentioning acquisitions, as well as deals that have been privately reported to SecurityWeek. All deals that had a cybersecurity component have been taken into account for this study. Mergers and acquisitions that did not have an English-language announcement may not be included. The data could also include deals that may have not been completed after they were announced.
The GRC category includes governance, compliance, risk management, audit, assessment, vulnerability management, penetration testing, attack surface management, and cyber insurance. Network security includes endpoint security, MDR, XDR, NDR, and SASE. Identity includes IAM, PAM, secure access, authentication, authorization and fraud. Incident response includes SOAR, SIEM, SOC, and forensics. ‘Other (specialized)’ includes hardware, blockchain, quantum, payment, healthcare, PR, education, certification, design, and automotive. Data protection includes encryption/cryptography, VPN, privacy and backup. MSSP includes cybersecurity solution distributors and companies that provide security services but do not develop their own products or solutions.
Related: Dozens of Cybersecurity Companies Announced Layoffs in Past Year
Related: Cybersecurity M&A Activity to Continue; Growth Funding to be More Conservative
Related: Cybersecurity Investment Remains Strong, M&A Activity Heads Toward New Annual Record