GRC, MSSP firms powered cybersecurity M&A activity in 2021
More than 430 cybersecurity-related mergers and acquisitions were announced in 2021, according to a study conducted by SecurityWeek.
An analysis of the cybersecurity M&A deals of 2021 shows that of the 435 deals made public by companies, a majority involved organizations in North America and Europe.
A majority of the transactions involved firms based in the United States, followed by the United Kingdom and Israel.
Financial details have been made public for 88 deals, including 11 where companies were acquired for more than a billion dollars. More than 60 acquisitions involved tens or hundreds of millions of dollars.
Billion-dollar plus deals include STG’s acquisition of McAfee Enterprise and FireEye, Permira acquiring Mimecast ($5.8B), Thoma Bravo acquiring Proofpoint ($12.3B), Okta acquiring Auth0 ($6.5B), and NortonLifeLock acquiring Avast ($8.6B).
After the COVID-19 outbreak was declared a pandemic in March 2020, the volumes and values of global technology deals seemed to be taking a hit. However, they bounced back in the second half of 2020, a trend that has continued throughout 2021, when they reached record highs.
Cybersecurity M&A deals have aligned with this general technology trend, with 451 Research reporting an aggregate transaction value of nearly $50 billion for the first three quarters of 2021, compared to roughly $12 billion in the same period of 2020. (451 Research uses a different methodology, but their data confirms SecurityWeek’s own findings.)
The rise in cybersecurity M&A activity has largely been driven by the pandemic (enterprises have invested more in cybersecurity and cloud architecture due to employees working remotely) and major cyberattacks.
M&A activity breakdown by type of company
In terms of field of expertise, many M&A deals in 2021 involved governance, risk management and compliance (GRC), managed security services provider (MSSP), network security, identity, and cloud security firms. More than 40 mergers and acquisitions involved government contractors, and 19 involved private equity companies.
The steps taken recently by the U.S. government to improve its cyber capabilities will lead to increased spending on cyber solutions and services. As a result, IT and cybersecurity contractors are scrambling to extend and enhance their capabilities through strategic acquisitions that are likely to pay off down the line.
Spending is expected to significantly increase in the private sector as well over the next few years, and private equity firms are betting big on cybersecurity — they are buying cybersecurity firms for hundreds of millions and even billions of dollars.
MSSPs are also using acquisitions to extend their capabilities and reach, as they come to realize that offering a wider range of services and solutions will likely pay off long term.
On the other hand, it’s not surprising that many companies have agreed to be acquired. An M&A exit strategy, particularly for smaller companies, is much more feasible compared to an IPO, especially in such uncertain times.
SecurityWeek predicts that M&A activity will continue to increase and we will see at least 400 deals in 2022 as well.
Monthly summaries of cybersecurity M&A deals: January, February, March, April, May, June, July, August, September, October, November, December.
Methodology: The data was collected from news distribution services, Google and pitches from PR companies. The data includes companies that issued press releases announcing or mentioning acquisitions, as well as deals that have been privately reported to SecurityWeek. A majority of announcements that mentioned “cybersecurity” have been taken into account for this study. Mergers and acquisitions that did not have an English-language announcement are likely not included.
The GRC category includes governance, compliance, risk management, audit, assessment, vulnerability management, penetration testing, and cyber insurance. Network security includes endpoint security, MDR, XDR, NDR, threat detection, and SASE. Identity includes IAM, PAM, secure access, authentication, and authorization. Incident response includes SOAR, SIEM, SOC, and forensics. “Specialized” includes blockchain, cryptocurrency, quantum, encryption/cryptography, lawful surveillance, and automotive. Data protection includes privacy and backup.