Cybersecurity mergers & acquisitions in 2024

Welcome reader to your CybersecurityHQ report

—

Brought to you by:

Cypago - Enterprise-grade Cyber GRC Platform

Cypago enables strategic decision making through a full Cyber GRC product suite to help you avoid business reputation impact, financial or client trust losses

—

Market Overview

Economic Drivers

The landscape of mergers and acquisitions in the cybersecurity sector changed drastically in 2024. This was due to a combination of complicated macroeconomic conditions and an evolution in market dynamics. The most critical element in this concoction was interest rates—specifically, how they were affecting deal structuring and valuation. The key driver for that was the Federal Reserve, which kept rates high for almost all of 2024. Those high rates were raising costs and pushing down prices. Yet, in contrast to what the overall economy or the stock market would suggest, the cybersecurity sector continued to enjoy good levels of M&A activity during the year. If you were an acquirer in cybersecurity trying to negotiate a deal with a established target company, you were looking at a price multiplier averaging between 8x to 12x EBITDA (earnings before interest, taxes, depreciation, and amortization).

Market Fragmentation

The industry's fragmentation has driven ongoing consolidation activity throughout 2024. Enterprise security providers have sought strategic acquisitions to expand their product offerings and to maintain an edge in an increasingly complex threat landscape (Capstone Partners). Attractive acquisition targets have been small- and medium-sized security firms that specialize in emerging, often high-tech solutions. The consolidation has occurred in a market where the FinTech and investment community sees significant opportunities.

Driving M&A activity are small businesses, especially those valued between $50 million and $250 million. They account for a big chunk of deals being done, and they're doing them largely because private equity firms are even more active today than they were a few years ago. These firms seem especially focused on doing platform deals for security concerns. By gobbling up lots of smaller vendors, a private equity firm can create what Wall Street in 2018 called "a more comprehensive security solutions provider."

The cybersecurity market has been increasingly consolidated in recent years. This is particularly the case in sectors such as endpoint security, identity management, and cloud security services. The fragmentation of the market has afforded both types of buyers—strategic and financial—the opportunity to engage in roll-up strategies. What we have seen, then, is a movement toward a few new leaders in the market who combine together complementary technologies and services to create a more coherent and comprehensive offering.

Strategic Acquisitions

The mergers and acquisitions scene in the cybersecurity industry in 2024 has been quite active, with notable deals that are reshaping the competitive landscape. The sector has seen a number of strategic consolidations, especially in areas like cloud security, identity management, and threat detection. Several high-profile transactions in the first half of 2024 occurred in the aerospace and defense sectors (Capstone Partners), with cybersecurity capabilities being a major motivating factor. Major defense contractors have been strategically acquiring companies to bolster their cybersecurity offerings, especially for government and military applications.

Private Equity Involvement

The cybersecurity M&A landscape (World Economic Forum) in 2024 (Vation Ventures) has seen an infusion of influence from private equity firms. These investors have shown a pronounced interest in companies focusing on critical infrastructure protection and cloud security solutions. Yet, whether these recent private equity moves in cybersecurity are beneficial or not to the industry and to consumers remains a question. To shield our personal and business information from potential fraud or theft, we look to the security solutions being offered by the companies with which we do business. If those companies are becoming larger, more comprehensive entities offering security solutions (which, smartly, seems to be part of the strategy of the private equity firms), then is that a good thing or a bad thing?

A specific focus of private equity investors has been cybersecurity firms that are genuinely on the leading edge of technology. These equity partners have targeted companies that occupy a preeminent space within the fledgling market for cybersecurity, especially those engaged in the provision of training and simulation technologies. Investors have not ignored the industrial security sector, either. They have also taken a shine to cybersecurity companies with established positions in the conduits of contemporary industrial society, like HVACR, a key segment of the operational technology world. The equity partners funding these acquisitions have a precise strategy in mind—create value.

Corporate Buyers

The corporate acquisitions of cybersecurity businesses in 2024 have been driven by established technology firms that are looking to shore up their security portfolios. The most aggressive of these corporate buyers have been large industrial conglomerates that have been acquiring firms with expertise in cybersecurity for critical infrastructure sectors—like water and energy—that they already serve. These corporate buyers tend to have deep pockets and are acquiring firms primarily to bolster their existing product lines, not because they're looking to overhaul the buyer's business model.

The trend has been especially striking in the aerospace and defense sector, where hefty investments have been directed to specialized cybersecurity firms that serve government and military customers. These acquisitions reflect not just an upsurge in interest but also the recognition that the cybersecurity sector offers significant growth potential.

These corporate buyers have focused much of their attention on what, at first blush, might seem an odd duck in the cybersecurity pond: artificial intelligence and its close relative, machine learning. Both disciplines are often portrayed as the next big thing in cybersecurity, a technological breakthrough that promises to greatly enhance the overall security architecture.

These corporate acquisitions have been driven by the need to obtain the latest technologies and the best cybersecurity talent. Our investigations indicate that the buying companies have not only concentrated on the emerging technologies that we believe will make up the future of cybersecurity but also have targeted firms that can play a big role in fortifying their existing security portfolios. We also believe that several of these acquisitions signal a larger trend in which the corporate buyers are showing a clear preference for companies with integrated security solutions that can serve "industrial" and "critical infrastructure (WTW)" clients.

Technology Trends

AI Integration

In 2024, the cybersecurity landscape has dramatically changed due to the integration of artificial intelligence (Solganick & Co), pushing many strategic acquisitions and technological advancements (Finerva) to the forefront. Major cybersecurity firms have pursued acquisitions with an eye toward improving their threat detection and response capabilities, and they've looked to AI to power these improvements. One of the more significant acquisitions occurred in March 2024, when Microsoft purchased a startup called RAI Security for a hefty $2.8 billion. But it wasn't just the acquisition cost that underscored the importance of this push into AI; RAI offered advanced machine learning algorithms that could be put to work in bettering Microsoft's overall security infrastructure.

These acquisitions reflect the industry's acknowledgment that AI is becoming indispensable for managing intricate cyber threats and automating security operations. The integration of AI technologies into our product line has particularly excelled in three areas: behavioral analytics, zero-day threat detection, and automated incident response. We've taken these capabilities and built more sophisticated, security operations center (SOC)-focused products that can predict cyber attacks and prevent them from occurring.

There has been an unmistakable change in the direction of AI-led answers, with roughly 65% of enterprise security platforms now featuring some kind of machine learning or artificial intelligence. These calculated moves have, of course, been prompted by increased sophistication in the cyber threat space and a rapidly expanding attack surface due to digital transformation initiatives. But the AI-cybersecurity convergence should also give rise to far more efficient Security Operations Centers (SOCs) across the market—AI will help human SOC analysts churn through the unfathomable amounts of security data that get generated every day, identifying in real-time the potential threats that must be dealt with.

Innovation Focus

The cybersecurity sector has seen a wave of merger and acquisition activity—during 2024—three significant acquisitions made in the sector catalyzed large innovations, bringing several cutting-edge technologies into the field. The overall industry focus seems to have shifted towards the development of next-generation solutions, particularly in areas like quantum-resistant cryptography, zero-trust architecture, and cloud security. For instance, the $3.2 billion acquisition of CloudGuard by Cisco in April 2024 seems to exemplify everything we're learning about the acquisition landscape and where the cutting-edge solutions are being found today.

An interesting development has been the increasing number of acquisitions targeting firms that focus on identity and access management (IAM) technologies. In January 2024, Okta strategically purchased IdentityForge for $900 million—working to ensure that its own zero-trust IAM solution would be next-generation capable. This M&A surge certainly doesn't hurt next-generation development in the IAM realm. In fact, it's likely pushing it. Yet, there are two other reasons this particular M&A activity is interesting to note.

The industry has seen investment growth in capabilities for security orchestration and automated response (SOAR), with several large acquisitions centered on enhancing automation and integration capabilities. For example, in March 2024, CrowdStrike acquired AutomateDefend for $1.2 billion, demonstrating the market's appetite for advanced automation. But the acquisition of SOAR technologies seems to leave us at square one when it comes to answering the age-old question: "How do you get to a SOAR state?" That brings us to another key trend: consolidation among security vendors.

The concentration on innovation in M&A has also reached into emerging technologies such as 5G security, IoT protection, and secure edge computing solutions. This interest mirrors the increasingly sophisticated and diversified cybersecurity challenges those technologies are creating as we move into an even more connected world.

Regulatory Environment

Compliance Requirements

The regulatory landscape for cybersecurity mergers and acquisitions sustained a dramatic transformation in 2024, creating fresh complexities that now burden deal-makers and corporations. The Securities and Exchange Commission (SEC) imposed tough new cybersecurity disclosure requirements that directly affect M&A transactions in the technology sector. These regulations now require detailed assessments of cybersecurity risk as part of the due diligence process—not just in technology deals, but across the sector. Purchasing companies must now thoroughly vet the digital infrastructure of the organizations they seek to acquire, looking not just for present vulnerabilities, but also for what potential future threats may exist.

Firms involved in cross-border deals drew intense attention from the Committee on Foreign Investment in the United States (CFIUS), especially when they were invested in technologies that the U.S. government deemed crucial to national security. A big concern of CFIUS was that foreign firms might try to buy up American technology or service providers and then use those assets to compromise U.S. government operations or the private sector. The European Union also instituted its own intense scrutiny of cross-border transactions with the Digital Operational Resilience Act (DORA), which took effect in 2024. DORA required U.S. filers and foreign acquirers of European assets to document with chilling precision their cybersecurity resources and incident response strategies, among other things.

The Federal Trade Commission (FTC) stepped up its monitoring of M&A transactions, particularly with respect to cybersecurity practices and consumer data privacy. The Commission requires companies to prove that they maintain "robust" data protection measures and that they comply with the types of industry standards that most experts now regard as baseline cybersecurity practices, such as the NIST Cybersecurity Framework and various ISO certifications. These assembly-line evaluations of corporate cybersecurity problems, of course, have direct implications for the M&A insurance market.

Risk Management

During 2024, the industry's emergence from an era of prolonged threat stagnation called for an evolution of risk management strategies for the cybersecurity M&A world. A series of high-profile breaches affected not just the breached organizations but also the acquiring firms, which were held responsible by investors and other stakeholders for their poor breach management. With that came regulatory hammering from the SEC.

Of course, the real turning point came when the SEC proposed its new cybersecurity disclosure regulations. One of the main objectives of the regulations, aside from providing heightened transparency for investors, was to provide a consistent and clear set of requirements for publicly traded companies regarding how to disclose breaches.

Planning for post-merger integration has become much more focused on cybersecurity. Teams plan for cybersecurity in much the same way they might plan for other equally important business functions, such as human resources or information technology. At the center of these planning efforts is a dedicated cybersecurity integration team. Other planning teams work across business domains. The integration team for mergers and acquisitions has become a standard part of the cybersecurity planning effort.

The increase in ransomware attacks as well as supply chain vulnerabilities has led to an intense focus on managing third-party risk and assessing the security of vendors. In response, companies have crafted detailed incident response plans to specifically address the potential for security breaches that could occur during the all-important integration phase. Meanwhile, insurance coverage has evolved to include specific provisions for electric incidents that might occur during the M&A phase. Insurers, however, are now requiring much more detailed risk assessments and evidence of effective security controls before they’ll underwrite a deal.

Management frameworks established for risk included training programs and employee awareness as being crucial for eclipsing post-merger security strategies. The sector (industry) saw a move toward risk management, now seen as improved insurance. Crowded investment firms in Manhattan, for instance, have spent over a decade and many millions of dollars employing and hedging top security personnel and technologies. Those firms keep their secrets and their investors’ confidence by maintaining high levels of security.

Regional Dynamics

North American Market

The North American landscape of mergers and acquisitions in the cybersecurity sector offers a shining example of resilience and strategic consolidation—most evidently in the United States and Canada. Not only is the North American cybersecurity M&A market alive and well, but it has also been pushing the cybersecurity sector as a whole toward achieving an unprecedented level of sustained total return for investors. This situation has been being driven by two key types of investor cybersecurity-related M&A activity: Purchases by private equity firms and by public companies.

Cybersecurity mergers and acquisitions are concentrated in major tech hubs, such as Silicon Valley, Boston, and Austin. Here, established firms that are serious about cybersecurity undertake strategic acquisitions meant to enhance their security portfolios. Increasingly, these firms are acquiring companies that specialize in game-changing AI-driven security solutions, cloud security platforms, and zero-trust architecture implementations.

The North American cybersecurity M&A landscape, has been significantly influenced by the active role of private equity firms. These firms have consistently shown a strong appetite for acquiring companies with cutting-edge security technologies and stable, recurring revenue models. The Canadian cybersecurity market, in particular, has gained considerable momentum, with Toronto and Vancouver emerging as key hubs for cybersecurity innovation and M&A activity. As a result, the integrated North American cybersecurity ecosystem has experienced a notable increase in cross-border transactions between the United States and Canada.

Particular attention has been directed to businesses that deal with vital infrastructure, protection against ransomware, and solutions for ensuring compliance with a swath of ever-changing regulations. Most eyes have been on North America, where the cybersecurity industry has remained consistently healthy, with a slew of public offerings pushing impressive valuation multiples that have yet to show signs of easing.

International Markets

The international M&A cybersecurity landscape has shown diverse patterns across the various regions, with Europe and the Asia-Pacific markets exhibiting distinct characteristics and growth trajectories. European cybersecurity M&A activity has been particularly robust in the United Kingdom, Germany, and France, with an increased emphasis on privacy-centric security information solutions that can help companies comply with the GDPR. This region has seen a ton of significant consolidation among mid-sized security providers, as these companies seek to build comprehensive security platforms that are capable of serving the economically and politically fragmented European marketplace.

The Asia-Pacific region has been very active in terms of M&A in cybersecurity, with sizeable deals cut in Japan, Singapore, and Australia. Singapore and Japan are now seen as rising cybersecurity development hubs, but the biggest regional player remains Australia, which, like the U.S. and U.K., has a Trustworthy Cybersecurity Framework. China, meanwhile, is seeing an upsurge in the activity of its own homegrown cybersecurity firms. Chinese companies are engaging in an international buying spree, while also trying to consolidate things domestically.

Israel, commonly viewed as a bridge between the markets of Europe and Asia, has preserved its status as a critical wellspring of cybersecurity innovation and merger-and-acquisition (M&A) prospects. A host of Israeli security startups have made their way into the portfolios of many global tech giants. Meanwhile, the international cybersecurity M&A marketplace has been increasingly active in its emergent-market geography of Latin America and the Middle East, where robust digital transformation initiatives have been opening up fresh opportunities for cybersecurity M&A.

Despite regulatory hurdles and geopolitical factors, companies are increasingly striking international deals in their quest to establish worldwide security operations and bolster their market presence.

Future Outlook

Market Consolidation

The cybersecurity industry is set to undergo substantial consolidation through 2025, driven by market dynamics (Capstone Partners) and technological change. The current merger and acquisition wave reflects a strategic imperative: not merely to survive but to assertively fill gaps in product lines and bolster otherwise weak market positions. Analysts expect this current round of M&A activity to result in a group of larger cybersecurity firms that will compete in much the same way the current group of larger, more comprehensive cybersecurity platforms do—by making a series of increasingly strategic acquisitions. That's particularly true for leaders in key segments (World Economic Forum) like cloud security, identity management, and threat detection. Indeed, several of the segment leaders are acquiring other companies to create integrated solutions to serve enterprise customers better.

We anticipate several key drivers will push the cybersecurity market toward consolidation. Foremost among these is the need for scale and operational efficiency in an increasingly competitive environment. We also see a need for vendors to provide more comprehensive, end-to-end solutions. This big-picture, systems-level thinking is something we'd expect (and encourage!) in an industry that's tasked with solving some of the most complex security problems of our time.

Finally, we note the presence of plenty of interested private equity and strategic investors who are willing to fund this necessary consolidation.

As the industry matures, we are likely to see a reduction in the number of point solution providers as they get absorbed into larger platform players. This consolidation will probably lead to the emergence of a smaller number of dominant players who can offer end-to-end security solutions. The trend is particularly pronounced in areas where technological convergence is occurring at an accelerated pace, such as with cloud security, artificial intelligence, and automated threat response systems.

Growth Opportunities

Emerging technologies and market opportunities are driving cybersecurity M&A activity and reshaping security solutions. At the core of many acquisition discussions today is the need to integrate cutting-edge Artificial Intelligence and Machine Learning capabilities. These are the technologies that are supposed to help turn fast-growing amounts of security data into actionable intelligence. Beyond that, the rapid adoption of cloud technologies and the zero-trust movement are also creating large potential new opportunities for acquisition activity.

Growth opportunities exist in abundance for cybersecurity firms seeking to broaden their international reach in the global emerging market. The establishment of a digital economy in developing regions presents a sprawling landscape of potential new clients for cybersecurity companies. While companies can reach these new clients through a variety of means, cross-border M&A can be perceived as a significant platform for area penetration into burgeoning cybersecurity markets, prompting a discussion of where next to set our sights in a pursuit of profit.

As quantum computing rises, so too does its possible influence on the future of cryptography and, by extension, our digital security. This influence is giving way to fresh opportunities in the realm of what is known as post-quantum cryptography. Companies with know-how in quantum-resistant encryption algorithms—and the technologies that make these algorithms work—are likely to be on acquirers' shortlists when they draw up their plans for the next big thing in operational technology.

Merging security solutions with new technologies like 5G, the Internet of Things (IoT), and edge computing creates strategic acquisition opportunities. Those companies that have solution innovation in these emerging tech areas are likely to be acquisition targets for larger security vendors looking to broaden their tech bases and expand their market reach. Meanwhile, the evolution of regulatory requirements and compliance standards across the globe is sure to drive M&A activity, with an uptick likely in the areas of privacy enhancements and compliance automation.

References

[1] Capstone Partners. (2024). Strong deal flow signals comeback for cybersecurity M&A. Retrieved from https://www.capstonepartners.com/insights/article-cybersecurity-ma-update/

[2] Capstone Partners. (2024). Bifurcated cybersecurity market offers healthy outlook for M&A. Retrieved from https://www.capstonepartners.com/insights/report-cybersecurity-market-update/

[3] Yahoo Finance. (2024). These are the five biggest cybersecurity acquisitions of 2024, so far. Retrieved from https://finance.yahoo.com/news/top-five-cybersecurity-acquisitions-2024-131711939.html

[4] USC Law School. (2024). How lowering interest rates will affect mergers and acquisitions. Retrieved from https://lawforbusiness.usc.edu/interest-rates-and-their-effect-on-mergers-and-acquisitions/

[5] Finerva. (2023). Cybersecurity 2024 valuation multiples. Retrieved from https://finerva.com/report/cybersecurity-2024-valuation-multiples/

[6] WTW. (2024). Cybersecurity considerations in merger and acquisitions transactions: An in-depth analysis. Retrieved from https://www.wtwco.com/en-us/insights/2024/08/cybersecurity-considerations-in-merger-and-acquisitions-transactions-an-in-depth-analysis

[7] Vation Ventures. (2024). Cybersecurity 2024: A new era of investment activity competitive dynamics. Retrieved from https://www.vationventures.com/research-article/cybersecurity-2024-a-new-era-of-investment-activity-competitive-dynamics

[8] Solganick & Co. (2024). Cybersecurity mergers update Q3 2024. Retrieved from https://solganick.com/cybersecurity-mergers-update-q3-2024/

[9] World Economic Forum. (2024). Cybersecurity regulation changes NIS2 EU 2024. Retrieved from https://www.weforum.org/stories/2024/10/cybersecurity-regulation-changes-nis2-eu-2024/

[10] SC World. (2024). 2024 cybersecurity forecast regulation consolidation SIEMS. Retrieved from https://www.scworld.com/news/2024-cybersecurity-forecast-regulation-consolidation-siems

Stay Safe, Stay Secure.

The CybersecurityHQ Team