Cybersecurity and the advantages for the passive investor
As the relentless rise of the internet of things continues to digitise and drive interconnectivity across the globe, cybersecurity looks to remain one of the key challenges of our age. The risk of being hacked not only has the potential to impact the bottom line, but it can also destroy reputations, disrupt operations and can even pose a danger to human life. You are likely familiar with the case for investing in cybersecurity – and that is a discussion for another day – but have you considered why a passive approach for this exciting growth story could be preferable? In this piece, we unpack two often overlooked reasons for this.
- Corporate activity is frenetic in cyberspace
Driven by technology, innovation and constant change, the market for cybersecurity goods and services is dynamic in nature. The market is characterised by elevated levels of corporate activity such as mergers and acquisitions, leveraged buy outs, initial public offerings, spin-offs and the likes.
This year alone there has been a flurry of corporate activity in the space with giants like Google and Microsoft continuing to fund acquisitions. Let’s have a look at some recent examples.
Take Google’s recent takeover announcement of Mandiant for USD 7.3 billion. This is Google’s second largest acquisition of all time, exceeded only by Motorola Mobility in 2011. And what is even more incredible is that this eclipses the USD 1.5 billion Google paid for YouTube back in 2006.
The deal will see Mandiant join Google Cloud as Google continues to build cloud-native security as the bedrock of its technology to prevent potential cyberattacks. Founded in 2004, Mandiant delivers cyber-threat intelligence and responds to thousands of security breaches each year. It employs more than six hundred consultants and coupled with research from more than three hundred intelligence analysts, the resulting insights are what power Mandiant’s cyber defense solutions and are ultimately what will enhance Google Cloud. Kevin Mandia, CEO of Mandiant, said of the announcement “Google Cloud shares our mission-driven culture to bring security to every organisation and these efforts will help them to effectively, efficiently and continuously manage and configure a complex mix of security products.”
What about another perfect match? Also in March, UK-based cybersecurity firm Darktrace acquired attack surface analytics firm Cybersprint for EUR 47.5 million. Cyberpsrint is an attack surface management company that provide continuous, real-time insights from an outside-in perspective to eliminate blind spots and detect risks. In other words, it helps its clients monitor various digital assets and automatically identifies and informs of weaknesses, errors, vulnerabilities, or threats.
The acquisition of Cybersprint is aligned with Darktrace’s vision of delivering a ‘Continuous Cyber AI Loop’ and complements its self-learning technology and inside-out view. Through this acquisition, Darktrace will gain a second European research and development center in the Netherlands, joining forces with its highly skilled labour force of leading mathematicians and software engineers.
These are just two examples. So far this year we have also had Akamai acquiring Linode, a cloud hosting company for USD $900 million. Check Point Software acquired Israel-based Spectral, which has created a developed security platform. Or web security and performance company Cloudflare acquired Vectrix, which helps organisations detect security issues across their SaaS applications. These are just a few examples and there is a full summary of 2022 YTD and 2021 at the bottom of the conclusion.
- There is limited coverage by research analysts
With corporate activity being at all time-highs in the cybersecurity sector, this poses challenges for investment banking research. The relative ‘undercoverage‘ of cybersecurity equities has resulted in a relative ‘underappreciation’ of cybersecurity equities in general. No doubt there are challenges for investment banking research analysts to maintain a committed and long-term approach to coverage of cybersecurity equities in such a rapidly moving and dynamic sector. Made harder only by the fact that many of the equities in the sector are recent IPOs and as such have lacked meaningful trading history.
Why passive is better in cyberspace
Such a dynamically evolving sector poses a challenging environment for any investor seeking to pick the winners and avoid the losers. However, the elevated level of corporate activity that provides this challenge is, for index investors, a net benefit if acquiree companies are index members.
And as you can see by the summary below, most of the corporate activity in the last 18 months has involved index members (those highlighted in bold).
It’s also worth noting that a high degree of corporate activity is a sign of healthy evolution and growth in a fast-burgeoning industry, a reflection of the strength of the quality theme that is cybersecurity that will stand the test of time. This contrasts to many other themes that are subject to hype but are not backed by strong and secular fundamentals, earnings or corporate interest.
2022 corporate activity
- March 2022 – SentinelOne announced it had entered into a definitive agreement to acquire Attivo Networks, a leading identity security and lateral movement protection company.
- March 2022 – Google announced takeover of Mandiant for $7.3 billion (Google’s second largest acquisition of all time, exceeded only by Motorola Mobility in 2011. For refs, Google bought YouTube for $1.5 billion in 2006.)
- February 2022 – Darktrace acquired attack surface analytics firm Cybersprint.
- February 2022 – Akamai acquired Linode, a cloud hosting company for $900 million.
- February 2022 – Check Point Software acquired Israel-based Spectral, which has created a developed security platform.
- February 2022 – Web security and performance company Cloudflare acquired Vectrix, which helps organisations detect security issues across their SaaS applications.
- February 2022 – Device security firm Forescout acquired healthcare cybersecurity firm CyberMDX.
- February 2022 – Risk management company Tenable Holdings bought Israel-based attack path management firm Cymptom with the goal of bringing additional context and prioritization capabilities to its platform.
- January 2022 – Google expanded its push into cybersecurity with a new deal to acquire Siemplify, an Israeli startup selling SOAR technology.
- January 2022 – Proofpoint announced buying Dathena, a Singapore-based company specialised in data protection.
- January 2022 – IT management solutions provider SolarWinds acquired Monalytic, a monitoring, analytics and professional services company.
2021 corporate activity
- December 2021 – Palo Alto Networks acquired Bridgecrew, a private cloud security technology platform provider, to boost their Prisma Cloud platform capabilities.
- November 2021 – ZIX Corp announced that they were being acquired by OpenText for $860 million. OpenText purchased all outstanding stocks, delisting ZIX Corp from Nasdaq, as well as acquiring all its outstanding cash and debt.
- November 2021 – GB Group acquired Acuant, a provider of identity verification and KYC/AML compliance products.
- November 2021 – IBM Security reached an agreement to acquire ReaQta’s AI-based endpoint security products automatically identify and manage threats.
- October 2021 – Identity security provider One Identity acquired identity access management (IAM) vendor OneLogin.
- September 2021 – Akamai acquired micro-segmentation solution provider Guardicore for approximately $600 million.
- August 2021 – Check Point Software acquired cloud email protection with Avanan acquisition.
- August 2021 – Educational cybersecurity firm HackerU has bought Cybint for its SaaS-based education platform.
- July 2021 – Microsoft enhanced its cloud security offerings with the acquisition of CloudKnox Security, a cloud infrastructure entitlement management (CIEM) provider.
- July 2021 – Rapid7 bought threat intelligence and remediation firm IntSights Cyber Intelligence.
- July 2021 – Microsoft acquired global threat intelligence and attack service management firm RiskIQ.
- June 2021 – Ping Identity acquired SecuredTouch, known for its fraud and bot detection and mitigation solutions.
- June 2021 – Forcepoint acquired UK-based Deep Secure.
- May 2021 – Cloud security vendor Zscaler acquired Smokescreen Technologies and its active defense and deception technology.
- May 2021 – Splunk acquired cloud-native security company TruSTAR.
- May 2021 – Cisco acquired risk-based vulnerability management firm Kenna Security. Transaction competed in Junee 2021.
- May 2021 – Cybersecurity and resilience advisory firm NCC Group acquired Iron Mountain’s intellectual property management (IPM) business for $220 million.
- May 2021 – Forcepoint acquired Cyberinc which provides remote browser isolation (RBI) technology that gives administrator more granular control over users’ web browsing activity.
- April 2021 – Accenture acquired French cybersecurity services provider Openminded.
- April 2021 – Cybersecurity and compliance company Proofpoint agreed to be acquired by Thoma Bravo, a private equity firm.
- April 2021 – Rapid7 acquired open-source community Velociraptor.
- April 2021 – Zscaler agreed to acquire Trustdome and its cloud infrastructure entitlement management (CIEM) product.
- March 2021 – VMware finalised its purchase of Mesh7, allowing VMware to bring “visibility, discovery and better security to APIs” as per a company blog post.
- March 2021 – SailPoint Technologies acquired ERP Maestro.
- March 2021 – Enterprise security platform provider Fortinet acquired ShieldX, which provides a platform to secure multi-cloud environments.
- March 2021 – McAfee sold its enterprise security business to an investment group led by private equity firm Symphony Technology Group for $4 billion.
- March 2021 – Okta bought IAM rival Auth0 for $6.5 billion.
- March 2021 – Security awareness training provider KnowBe4 acquired MediaPRO, another security and privacy training provider.
- February 2021 – Proofpoint acquired Intelisecure, a provider of DLP managed services.
- February 2021 – CrowdStrike acquire Humio with a view to incorporate the company’s cloud log management and observability technology into its cloud endpoint and workload protection solutions.
- February 2021 – Tenable Holdings acquired Alsid to bring Alsid’s technology and expertise in discovering Active Directory monitoring to its cyber exposure and risk management platform.
- February 2021 – SentinelOne bought Scalyr for autonomous XDR.
- February 2021 – Rapid7 acquired Kubernetes security provider Alcide.IO.
- January 2021 – Managed detection and response (MDR) vendor Huntress purchased EDR technology called Redon from startup Level Effect.
 Financial Times, “Google buys cyber security company Mandiant for $5.4bn”, March 2022. Available at: https://www.ft.com/content/0eabf63d-29d6-49f0-bce8-1ef1d33467e2
 Financier World Wide, “Cyber intelligence: Google acquires Mandiant in $5.4bn deal”, March 2022. Available at: https://www.financierworldwide.com/fw-news/2022/3/10/cyber-intelligence-google-acquires-mandiant-in-54bn-deal
 Darktrace, “Darktrace Acquires Cybersprint”, February 2022. Available at: https://ir.darktrace.com/regulatory-news/2022/2/23/1553096