An industry known for seeing an opportunity where others see calamity, private equity firms are backing cybersecurity businesses in a bid to capitalise on companies’ increased awareness of cyber threats.
The latest example is EQT’s acquisition of a majority stake in Open Systems from its current owners, who will remain shareholders, using capital from its recently-closed €1.6 billion Mid Market Europe Fund.
“We were starting to look at a couple of cybersecurity assets in the US, and against that backdrop we developed a good understanding of the dynamics and the relevance of cybersecurity and the increased threat level, but also the increased responsibility for companies to handle and manage that,” EQT partner Florian Funk said of the firm’s interest in the sector.
“We came across Open Systems towards the end of last year and started forming a group of industrial advisors, whose advice we were able to utilise during the due diligence process.”
Headquartered in Zurich, Switzerland, managed security services provider Open Systems offers security-enabled networks by fully integrating SD-WAN, network security, web and application security, and incident handling and response. The company operates in more than 180 countries, with 24-hour service centres in Zurich and Sydney and an office in New York.
Open Systems focuses on global enterprise customers with distributed value chain and the need to manage and monitor networks across regions. It operates a subscription-based model, with contracts typically lasting from two to four years.
“It has a high recurring revenue base, which is part of the reason why we liked the opportunity so much,” Funk said.
EQT will focus on building out Open Systems’ core products, and accelerating its go-to-market strategy and service offering toward its customer based in the German-speaking region, while pursuing M&A opportunities and exploring growth potential in the US market.
“In the European market, there are very few focused MSSPs, it’s quite fragmented still, and the market penetration itself is still very low. Perception on the C-level and board level in Europe is lagging behind the US where you have these big scandals around Target and Sony, and attacks like WannaCry,” Funk said.
“Perception at the board level is increasing and it’s become a big business risk item, so companies need to work on improving their security layer. The complexity of the task makes it necessary for someone to provide this as a service.”
Henrik Jeberg, a Silicon Valley-based director with technology M&A advisory firm Hampleton Partners, told PEI a major attraction for private equity firms is that cybersecurity businesses have a “lock-in” with customers that is “second-to-none”.
“It’s relatively easy to rip and replace a CRM system or a marketing-automated system if that’s not working out for you, but once you’ve installed multiple areas of cybersecurity that is not easily ripped out,” Jeberg said.
Jeberg also pointed to the opportunity for roll-ups in the sector. Many smaller companies have become successful in protecting one aspect of the “attack surface” – the collective name for the different points where cyber-attackers can try to enter or extract data – but struggle to expand into a company able to provide a “single pane of glass” – an all-in-one, centralised solution where you can monitor security across all aspects.
“It’s attractive to do follow-on investments, for private equity funds to snap up the attractive companies in the market and built that total offering.”
Research from Hampleton Partners shows private equity buyers are taking an increasing share of cybersecurity acquisitions – 12.4 percent in 2016, up from 7.5 percent in 2014. This is slightly below a 14.6 percent peak in 2013.
The data show private equity firms are targeting larger assets in the space: the average private equity deal size for a cybersecurity business in 2016 was $860 million, up from $600 million in 2015. By contrast, the average deal size across all buyers was $420.7 million in 2016 and $170.9 million in 2015.
Private equity buyers are also paying slightly less, with a median enterprise-value-to-sales of 3.7x in 2016, compared with 4.7x for all buyers, Hampleton data show.
Funk declined to comment on financial details of his firm's transaction, beyond saying that the entry EBITDA multiple paid was “in line with the market for cybersecurity assets” and that the stake acquired puts EQT “in control of the business”. The firm will nominate most of the board, including the chairman.
“The chairman will be Amit Chatterjee, an industrial advisor to EQT,” Funk said. “He was involved in three start-ups around security and is on the board of a company providing software solutions for security operation centres. He will support the management in the further development of the technology and the company.”
Other recent cybersecurity deals include KKR’s acquisition of a majority stake in Optiv Security and Vista Equity Partners’ acquisition of identity and access management software company Ping Identity.
When it comes to deal activity in the space, “we’ve only seen the tip of the iceberg,” Jeberg said. As cybersecurity increases, attackers are working just as hard to find new ways to circumvent security measures, leading to an “arms race” between hackers and defenders.
“Cybercrime is now the largest area of crime in the world,” Jeberg said, “and you can do it from the safety of your sofa with your feet on the table and a computer in front of you.”