The Cybersecurity M&A Rush

2021 saw a jump in cybersecurity deals, and a slowdown in this chunk of tech M&A this year seems highly unlikely. In the first three quarters of the past year, 151 transactions closed compared to 88 and 94 in 2019 and 2020, respectively, with most of them in the identity and cloud security sector. This year could surpass last year’s record figures in M&A deal numbers and value.

There are multiple reasons why paying 11.3 times the average trailing twelve-months-sales to acquire a reliable cybersecurity firm could be a good idea. Nowadays, a hacker attack, data leak, or general severe cybersecurity malfunctioning could spell the death sentence for even a solid and highly profitable corporation. Market players showed to be more than happy to pay hefty premiums to merge with a company that can protect and manage their networks and data. This behavior feels akin to buying insurance against unpredictable and potentially catastrophic events, but with the benefit of making systems more efficient.

The pandemic massively increased the interest in cybersecurity companies and fed market players’ and government paranoia. We learned that nearly everything can be done online, and the need for more investment in network and data protection became painfully obvious. Restrictive border measures during the pandemic accelerated this digital transformation. Besides the driving factor of remote work, e-commerce boomed, and buzzwords like the internet of things, identity management solutions, and even the metaverse are repeated ad nauseam. Moreover, the rising interest in cryptocurrencies and digital assets creates a compelling opportunity for cybercriminals. Cyberattacks and data leaks occasionally made headlines in the last ten years, injecting a substantial dose of fear to companies and governments. From the actions of Edward Snowden to Yahoo’s data leak during Verizon’s merger, or the more recent LinkedIn scandal involving 700 million of its users, some firms were reminded of the importance of cybersecurity management the hard way.

The cybersecurity market is growing at a fast pace. In 2020, the estimated value was $156.26 billion, and it is expected to reach $352.25 billion by 2026, according to a Mordor Intelligence study, meaning a compound annual growth rate of around 14.5%.

The attention players pay to cybersecurity in today’s deal world can be observed not only by looking at the number of companies acquired in the sector, but also by looking at how due diligence is conducted and purchase agreements are drafted. In mid-2020, the ABA Mergers and Acquisition Committee published a study tracking two newly appearing representations and warranties in sale and purchase agreements related to privacy and cybersecurity. Deal lawyers increasingly view cybersecurity due diligence as a crucial element for a successful closing, and cyber risk remains one of the biggest concerns post-acquisition. The complexity of the threats requires firms to spend money and time to discover and protect against cybersecurity threats. This is especially true in the finance, healthcare, retail, and energy sectors.

With a fast-growing market, rising pressure on governments and corporations, and remote work presumably becoming a permanent option for many workers, we will likely experience further growth of cybersecurity deal activity in the following years, which may have interesting effects on the M&A legal practice. From being perceived as a tedious and negligible detail, cybersecurity has become a pivotal component of every deal, and the companies operating in the sector are becoming irresistible targets. Valuations are soaring, and paying attention to cybersecurity action in 2022 will be necessary to keep abreast of the M&A development.