How M&A is reshaping the cybersecurity landscape

Thanks for the invitation, Martin. I'm glad to be here. The slot after a warm lunch is not always the easiest. People tend to be a bit sleepy, but we'll try our best to make it insightful and good use of your time. So much appreciated. So my name is Philip Gravid. I'm a managing director at Stevens. We're an investment bank, so we advise on m and a transactions, also on public transactions, IPOs. And we have a strong focus on software tech and in particular cybersecurity.

Yeah, my name is Robin Bru Bush. I'm a director also in the Frankfurt office. Working closely together with Philip on several transactions in the past is to add, we also have a more flexible mandate. So we can also do ca capital raises, especially in the tech space. That's very important 'cause there's a number of very attractive businesses growing strongly and we would like to accompany them and support them and advise them on their way of growth and towards becoming bigger and more global players.

So we, we like to speak with everybody in the ecosystem of cybersecurity. So the entrepreneurs, the large platforms, the investors, the lenders to understand all aspects going on, which, which impact our business, and that's m and a transactions. So what we wanna talk about is, is how m and a is actually impacting the sector and how it's shifting also the, the vendor landscape.

So on the, on, on on the first slide, it's, it's really about the key trends. We, we see more and more driving m and a activity. And one big theme that it continues to emerge is that customers wanna reduce the numbers of vendors. So what they're demanding is more and more a unified product suite, what we call a, so for a so-called platform approach. So that has a big impact of platforms becoming much bigger and wanting to add capabilities. The other is, and I think there were several sessions on tech trends here at the conference, but definitely certain tech trends, which, which drive m and a.

You know, obviously the buzzword number one is the role of ai. You see that on the attacker side, obviously AI is, is making attacks more and more sophisticated, more automated, but also on the defense side of being more automated in the offering and even the e even having cyber assistance for cybersecurity talent actually supporting as well. The third is, and I think that's, that's gonna increase heavily, not only in the US but also the EU is regulation. I think we all know that's, that's a driving trend impacting cybersecurity.

We also see a number of re tech, so software companies in the regulatory space now, not more and more looking to acquire businesses in cybersecurity, cybersecurity awareness trending or others. So you see also other adjacent sectors looking to do m and a and cybersecurity because it's more and more coming together.

I mean, in the eu, the, the NNIS two directive. Another theme in, in very important for investors is also cybersecurity and ESG, which you, you, you might not think they, they they fit together, but it's more, more intertwined. If you look at how cyber threats are impacting political elections attacks on critical infrastructure, cybersecurity is more, more on the top of ESG. So within the financial investor community, there's a lot of new private equity funds being raised with investors wanting to invest in, in impact themes.

So IESG themes and cybersecurity is more and more becoming very relevant in that investment thesis. The third is really we see a lot of investor interest in the space from all sorts of investor groups, private equity, buyout funds, venture capital funds, also family offices. A lot of interest to invest in cybersecurity. We've seen a lot more come to this, a lot of take private activity as well.

I mean, Toma Bravo is probably one of the biggest private, the biggest private equity investor in the, in, in in this space at the moment. We move on to, to, yeah, to put some numbers behind that. So where's the deal activity in cybersecurity? And this is really a transatlantic view you see here. So North America and Europe. So for the first half it's been around 5 billion of of deal volume, over 80 deals of which, and that's very interesting of which over 50 have been with private equity involved in the transaction and the median transaction size around around 80 million euros.

And what we see is, is, is three key rationales for acquirers to to, to look at m and a and cybersecurity. One is certainly to buy capability. What what do we mean is, is really buy, you know, additional product features by technology, by tech stack. Second is by growth. That can be into a region we see a lot of the US platforms want to acquire in Europe or buy a customer base.

So either, you know, an enterprise focused business looking to buy into the SME space or the other way around. And the third is, again, this, the, the theme we, we mentioned before, the platform, the platform thesis. So scope and scale that'll be more and more important. If we look at a bit the, the, the transaction activity over time, and this is the past 10 years you see here, and this is again transatlantic view. This is the, the EV enterprise value. So the valuation over the revenue as a multiple.

And what you can see, actually we had pretty much an all time high after covid that was peak of the market in terms of m and a activity in terms of number of deal volume, which you see as a bar chart. And also in terms of the, the graph, the, the valuation multiple was around nine times in 2021. And then 22 around nine times revenues. At that time everybody was focused, growth was the dedicated focus. There was really the number one thing is you had to show growth, growth, growth. Now it's balanced more towards profitability will come onto that a bit later.

But you'll see now we're probably a bit more of a steady state. The revenue multiple has come down by three turns around six times in the current environment. So what we see now in the transaction we're advising on, we still have a, a pricing gap.

So the, the sellers actually still in the world of all time high and have high pricing expectations. Whereas the acquiring companies probably have become a bit more realistic and are in the steady state world. And our job is to bring those together to come to, to a deal and agree on price. And also in the m and a deals, we, we do, we see a big gap between bids, which we haven't seen at all in the years before. So it underpins, there's still a, you know, there's still of a bit of a, a shift to, to adapt to the new valuation environment.

Robin, over to you. Yeah, if we now try to set the scene for the upcoming slides, I mean this, this is a, was an exercise to try to divide the cybersecurity market into different sub-verticals. But it's becoming more and more difficult as the, the consolidation that Phillip mentioned and the platform approach that's ongoing leads to the result that the distinctions between the different segments are becoming more and more blurred. So there are cloud security companies going into endpoint, endpoint companies going into web application.

There's data protection that's kind of the agenda for, for a number of them. So that's why you see logos like Broadcom in there. You see Proofpoint in cloud security, but they're also an email.

So it's, it's becoming more and more this unified approach that global security vendors try to get as much share of wallet as they can and offer as many solutions within different sub-verticals as they can. And this doesn't only, it's not only limited to the vendor side of things. So we also see quite a lot of deal activity recently in the essay called services or the wider ecosystem of cybersecurity being a distributors or managed, managed service providers being acquired, being consolidated. SOC is so the soc side of things is on the agenda.

So it's a very, very active market and as mentioned from the vendors via the, the resellers integrators. So there's a lot going on. And if we now look at a few examples of those consolidation plays, as we call them, Hornet security, which a lot of you might know might be one of the most successful examples in Germany. How AI acquisitions can help diversify the business, internationalize the business, and obviously grow the business. I mean there, there are now a number of, of private equity funds invested 200 security.

The most recent one is TA Associates, a large fund based out of, of London here in Europe. And they have now in total grown the business with all the investors involved to over 100 million of annual recurring revenues. And it's not long ago that this company has started off with, let's say around around 10 million revenues.

So that's, that's quite a success story. And it, it mainly leads to several advantages for the company.

It's, it increases the negotiation power towards channel partners, towards other vendors and and other suppliers to customers as well. If you can in increase your share of wallet, it reduces complexity. But that's mostly from the, from the customer point of view. 'cause you have one point of contact for several solutions out there. And this is, this is just a very, very strong example of how m and a helps create a global player and, and grow the business. I mean Matrix is another example. They entered the US market as firescope. They added an endpoint solution with secure also.

Now I've evolved into a a a very more rounded, a lot broader player and Broadcom, I mean this is kind of a, now the elephant in the room, they have acquired basically everything they could over the last years to diversify away from their semicon business. Mean the VMware transaction, which includes carbon black as still pending. So there are few hurdles that they need to take, but this would be one of the largest tech mergers happening in history. It's about close, yeah, ideally end of this month, but it's, I think it's still pending the, the Chinese government approval.

And if we go to the next page, this is, so these are some other examples of private equity backed platforms and as Phillip mentioned, Toma Bravo might be the most active investor in the cyber security space. And this, they sometimes they, they exit a company, for example, via an IPO, which they did with SailPoint a couple of years back. And then as soon as the share price is to their advantage, they just take it off the, the market and buy it back with a, a public to private deal, which they did last year.

So that's, that's a common thing that you see in the US rather than in in Europe in the US it's, it's more common to, to IPO businesses and then take them off the stock exchange afterwards if the share prices is to, is to the buyer advantage. Other examples are, for example, TTRA, which is where you see a lot of acquisitions over the years.

And what you also see is if you as a, as an investor have a very nice cyber security platform in, in place, you don't necessarily need to to sell it or as soon as you can because what also happens is you can take on further investors down the road and then grow the business together and remain a stake over time. That's what HGGC did. They took on TA associates for example, and Charles Bank, some further tech investors and now grew the business tremendously. 'cause usually the investment period investment horizon is, is roughly around five years.

But this is, there's nothing inside that the business will be sold anytime soon. And if you look to the, to the far right, these are some examples of businesses having been sold over the years. So in Perva, which is active in the, the web application space has been recently acquired by Tireless, which you will all know have a very large security segment. And this just adds to their security capabilities was a large transaction happening.

And you know, selling to a strategic investors is kind of the, the holy grail for a private equity investor because that, that really shows that you've done a great job with your business, but you, there's always a bigger fish in the ocean. So Toma Bravo sold Barracuda networks to KKR last year.

So that, that's also very nice exit solution for, for private equity funds. Yeah.

If we, if we come on to what are the valuation Themes? If you're an investor looking to buy a cybersecurity business and there's a, there's just a few recurring themes that we always encounter in our, in our work, in our deal work. The first one is the market position and you know, what are the USPS of your market, of your model? How secured, how defensible is your, is your position, your competitive positioning. And what we see a lot for European companies in particular is investors ask, what's your right to win against the big US tech platforms? What's your right to win against Microsoft?

So that's, that's very important. The second is again, it, it plays into the, the theme of conservation consolidation and platform approach is how scalable is, is your business and how scalable is it outside of your home market.

So, you know, if you have a cybersecurity business in a European geography, let's say Germany, where you do 90% of your revenues, investors will ask, can you do the same across other European countries? The market, I mean the market we see is very favorable for cybersecurity investments.

You know, we have a lot of macro events, crime crisis, Israel and others, but actually they underpin the importance of cybersecurity. It's not at the top of the agenda of, of, of literally every investor. So the question here is, as investor, how well positioned are you as a business to take advantage of those tailwinds in the market? Customer base, really important. Investors will drill down on how sticky, how loyal is your customer base. They will look, you know, are you more in the enterprise segment in the SME segment, this will be an in-depth part of the analysis and will drive valuation.

They will look at churn rates, they will look up how much potential is there to upsell in your customer base, customer base, et cetera. Yeah, growth. I think obviously a key one is, is part of scalability obviously, but what is the organic growth strategy? Obviously m and a is inorganic, that's an accelerator, but how well is the business position to really drive growth? And there's, as you might know, investors have this rule of 40 as a, as a proxy for how, how the balance is between growth and profitability.

So the sum of profitability measured in EBITDA plus growth together is, should be around 40. That's the, the magic number for investors rule of 40.

So the, the more you are above rule 40, the the better. Yes. Sales efficiency, that's really a lot about go to market. Smaller companies are very different viewed at when, when you're larger you tend to to build up more direct sales force. Otherwise you might benefit more from a partnership model.

Again, there to be seen, it'll be how successful are you in securing partners and, and making sure your, your partners are, are loyal, established, and doing a good job of selling your product revenue. I mean the, the quality of your revenue base is something investors again, will, will, will analyze in depth how much is, is really reoccurring.

Is it truly ARR is it a, a truly subscription model In Germany, we have often that companies have a lot of on-prem historic historically in particular, if your client base is, for example, financial institutions, they tend to be very on-prem as a, as a legacy deployment model. But obviously the, the key driver for valuation in a higher premium multiple is a subscription model is a pure recurring R model. How diversified is your revenue stream. A lot of questions around that. And then the last point here on the slide is, is EBITDA and free cash flow.

I, I'd say three years ago, you know, EBITDA and profitability was really not of a focus. Every investor just looked at growth and, and they didn't care much about profitability. That has changed. So now investors are really, you don't have to be massively profitable, but you have to demonstrate a route to profitability in the near term to break even, right? Growth is still the holy grail. Everybody wants high growth and scalability, but, and you know, the larger company gets the more it bounces out and the the, the shift is more from growth to, to profitability from an investor perspective.

But that is, that is a new, that is a new environment of focusing on, on on EBITDA and obviously free cash flow. If, if you want debt financing, which, which obviously helps the returns for private equity investors. And may one thing to add here, I mean Philip and I, we advise a lot of companies in Germany and what kind of the theme through and through is that they have, they tend to have a very, very good product. They have invested over the years to, to develop the best product that they can.

And it's, it's kind of, or maybe it's kind of the German yeah, attitude and how we go about things. We are a country of engineers, so we think if we have the best product the customers need have to find us automatically. I mean that differentiates us a little bit from the US or Anglo-Saxon players. They focus more on go to market and spend a lot of on marketing and a little less on product and can develop the product along the way. If customers say that there's some features missing or something is, is not right, we, Germans are a little bit different about it.

We wouldn't dare to go to market as aggressively as they do with a product that's not perfect as we would see it. So things in terms of go to market, that's something in Germany, we could, might see how they do it over there and we focus more on our product. But that's just how it's Yeah, but that's a very good point because that is, we see that in the deals we're selling, so we sell a German cybersecurity business. The amount of interest from the US investor base is enormous because obviously they see the opportunity, great product, but we can accelerate the growth very easily.

1, 2, 3 levers in the go to market. And, you know, that's, that's just in the core of their DNAI see we're already running out of time. Yes. I'm sorry about that. Gimme 30 seconds. I mean this one we can pretty much skip. It's again, valuation over time showing the, the peak after Covid and the steady state. I won't go through recent deals we've done, we work very integrated as a team across Europe. That's Robin, myself and Frankfurt, London and the US We're one of the most active m and a advisors in cybersecurity. So if you wanna talk to us, please let us know.

I'm sure we'll connect via Martin, cooping or others. And thanks a lot for your time. Thank you. Thank you.