How the Economic Downturn Has Affected Security Funding, M&A
M&A, Funding, Stock Prices Drop Sharply in the Back Half of 2022 Amid Economic WoesThe cybersecurity industry experienced a dramatic drop-off in funding, stock prices, and merger and acquisition activity as the economic downturn took hold in late 2022.
See Also: How to Take the Complexity Out of Cybersecurity
Venture capital financing tumbled to $18.5 billion in 2022, 39% lower than the record-breaking $30.4 billion invested in 2021, according to data from Momentum Cyber in its 2023 Cybersecurity Almanac. The impact of the economic downturn became more apparent as 2022 progressed, and funding in the second half of 2022 plummeted to $6.5 billion, down 46% from $12.1 billion in the first half of 2022 (see: Late-Stage Startups Feel the Squeeze on Funding, Valuations).
"A marginal idea that would have gotten funded two years ago is not going to get funded right now."
– Bob Ackerman, founder and managing director, AllegisCyber Capital
"The fundamentals that drive the underlying cyber market - notably the emergence of new, increasingly sophisticated threats - continue unabated," says Bob Ackerman, founder and managing director of AllegisCyber Capital. "The weaker second half is really a reflection of what the venture community does, independent of what the underlying fundamentals that drive the cybersecurity market are doing."
In a similar vein, the number of venture financing deals tumbled to 414 in the back half of 2022, down 34% from 623 in the front half of the year, according to Momentum Cyber. As concerns over rising inflation and interest rates took hold in the fourth quarter of 2022, the industry recorded just 193 funding deals, which is the lowest figure since the peak of the COVID-19 pandemic in the third quarter of 2020 (see: Early-Stage Startups Pump Brakes on Growth as Downturn Looms).
"The quality bar is that much higher," Ackerman tells Information Security Media Group. "If you're looking at seed opportunities, it better be a damn good idea. A marginal idea that would have gotten funded two years ago is not going to get funded right now. But the quality ideas get funded, and the valuations are largely intact."
Many Big Cybersecurity Vendors Pause M&A Activity
Merger and acquisition activity declined sharply over the course of 2022. There were just 108 deals in the second half of the year, down 30% from 154 transactions in the first six months of 2022. The downturn was even more pronounced from a deal volume perspective as strategic buyers hit the brakes. There was just $16.7 billion of M&A activity in the second half of 2022, down 51% from $34.4 billion in the first half.
Ackerman expects the threat intelligence market to consolidate dramatically in the coming years - from the 107 vendors present today to between five and 10 down the road - as customers realize they're paying for a half dozen or more intelligence feeds that essentially do the same thing. SecOps, incident response and threat intel was the sixth-most-common sector for M&A in 2022, highlighted by the buys of Securonix and Mandiant.
Six of the seven largest buys of pure-play cybersecurity vendors in 2022 were done by private equity firms, and Google's $5.3 billion buy of Mandiant was the sole exception. The top deals carried out by security firms both occurred in the first quarter of 2022 when Fortra bought Alert Logic, and SentinelOne purchased Attivo. Momentum Executive Chairman Dave DeWalt expects strategic M&A to rise in 2023 (see: PE Firms 'on Prowl' for Take-Private Cybersecurity Deals).
"Almost every CEO I know of any cyber company is highly evaluating M&A right now," DeWalt tells ISMG. "It'll be really interesting to watch over this next 12- to 24-month period. The big titans of the industry will be coming together with multibillion-dollar revenue bases in cyber colliding for who gets the most market share."
Stock prices for publicly traded cybersecurity vendors declined in line with the overall market, and low-growth, highly profitable companies fared the best as investors adopted a more conservative approach. The HACK Index - which tracks companies selling cybersecurity hardware, software and services - fell 28.1% in 2022, as high-growth companies sank 42.4% and low-growth companies dipped just 5.5% (see: A Few Cybersecurity Stocks Soared in 2022, But Most Stumbled).
"The public markets are the ones who get hit first in an economic downturn because there's immediate liquidity in that market," Ackerman says. "And then the market adjusts its valuations based on the withdrawal of capital."
Data, OT Security Key Markets to Watch
As many prominent vendors in the cybersecurity industry both grew sales between 40% and 70% over the course of 2022 and experienced a steep drop in their stock price, multiples fell to just one-fifth of their 2021 size in 2022, DeWalt says. In 2021, the average public cybersecurity vendor was worth 48.7 times more than its annual recurring revenue; in 2022, that multiple fell to just 7.8 times annual revenue, he says.
"The first thing that happens when you go into a down economic cycle is: Everybody goes on defense," Ackerman says. "They rationalize the platform, make sure it's stable and right-size for the market. Once that foundation is established, then they go on offense. I think you're going to see an acceleration of M&A activity by the big guys as they get through this consolidation and rationalization process."
DeWalt expects industrial control systems and OT security to get lots of attention from the investment community in 2023 given the technology's lack of penetration and volume of attacks against industrial, non-IT networks. Network and infrastructure security had the fifth-highest level of M&A and financing activity in 2022, including a $125 million Series C funding round for critical infrastructure firm Fortress.
DeWalt says the Russia-Ukraine war has led to increased attention on data management as data wipers, data poisoning and the poisoning of AI algorithms become ways to foment misinformation and disinformation. More financing deals occurred in data security in 2022 than in any sector outside of risk and compliance, and Devo and TokenEx closed $100 million Series F and Series B rounds, respectively.
"The capability and motivation that nation-states have and criminals have from ransomware and other types of attacks is just driving us to protect that data world a lot more," DeWalt says.