Security Experts:

U.S. Government Says Thales Must Divest HSM Business Before Acquiring Gemalto

The U.S. Department of Justice announced Thursday that it requires Thales to divest its General Purpose Hardware Security Module (GP HSM) business before it can proceed with the proposed purchase of Gemalto for $5.67 billion. This condition is in line with the requirement of other antitrust and monopolies authorities around the world.

Thales' GP HSM production was acquired two decades ago when it purchased nCipher. It's HSM product line has remained associated with nCipher, under the name nShield. Compliance with the DoJ requirement can be achieved by first reconstituting nCipher as a stand-alone unit, and then selling it to a third-party organization.

This process is already in progress. nCipher Security became a separate stand-alone business within Thales and held separate from the rest of the Thales Group pending its divestiture to a third-party buyer on January 7, 2019. On February 22, 2019, Entrust Datacard announced it had signed a definitive agreement to acquire nCipher Security from Thales.

This appears to be an excellent solution for all parties. There is natural synergy between Entrust's trusted identity business and HSMs. At the same time, Thales will be able to proceed with the much bigger acquisition of Gemalto. And for the government acquisition authorities, competition is preserved.

"This structural solution fully preserves competition in the sale of these critical machines used by corporations and governmental agencies to protect their most sensitive data," said Assistant Attorney General Makan Delrahim of the Department of Justice's Antitrust Division. "As a result, American consumers and taxpayers will continue to benefit from competition in this industry." 

Thales, headquartered in Paris, France, is a globally active firm concentrating on five main industries: aeronautics, space, ground transportation, defense, and security including cybersecurity. In 2017, its global revenue was approximately $19.6 billion.

Gemalto, headquartered in Amsterdam, Netherlands, is globally active in providing authentication and data protection in banking and payment; enterprise and cybersecurity; government; mobile; and the industrial internet of things. In 2017, its global revenue was approximately $3.7 billion.

Entrust Datacard, headquartered in Minneapolis, U.S., provides trusted identity and secure transaction technologies globally. Solutions range from financial cards, passports and ID cards to authentication, certificates and secure communications. The acquisition of nCipher and its HSMs will allow Entrust to offer own-brand secure storage for encryption keys as part of the expanding PKI market, typified in securing IoT devices.

Related: Utimaco's Acquisition of Atalla HSM Product Line Gets Regulatory Clearance 

Related: Enterprise Data Encryption Challenged by Key Management 

Related: EU Antitrust Officials Probe Thales, Gemalto Merger 

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.