The recent mergers and acquisitions including NTT acquiring Solutionary and Malwarebytes acquiring Zero Vulnerability Labs have ticked Delling's database beyond 650 transactions. With that in mind, it is pertinent to examine the trends and intelligence that this data set has to offer.
Geographic - Transaction size
Deals where both the buyer and seller were US attracted the highest values meaning that if you have a cyber-security product and want to maximise the return, you could do well to head to the US for venture capital funding. Average transaction size between 2004 and 2013 for cyber-security companies:
- Non-US Buyer / Non-US Seller $ 93 Million
- Non-US Buyer / US Seller $ 198 Million
- US Buyer / Non-US Seller $ 295 Million
- US Buyer / US Seller $ 420 Million
Buyer industry sector and influence on multiples
We categorised buyers into industries of defence; IT cyber-security ; professional services; private equity and venture capital, and remaining others.
When transactions were analysed in this context we saw that the defence industry buyers paid the lowest revenue multiples, slightly below the private equity and venture capital community.
Realistically, this was likely to be more of a reflection of the difference in acquisition targets between the buyer groups, with the defence industry focused on services-intensive companies, and many other groups such as the IT and cyber-security industries acquiring product-led companies.
We also found the average cyber-security company-led acquisition paid a multiplier of more than six times higher than the average profit multiple paid by the IT industry, defence, and private equity and venture capital communities - which varied by less than 10 percent.
The difference was again primarily a function of the types of companies being acquired with many cyber-security company-led transactions having to cope with early stage product companies that have significant research and development, sales and marketing expenses but a relatively low base of revenue and profit.
This demonstrates the importance of understanding the market, and particularly of the market as it pertains to your company. The types of companies being acquired, and the level of maturity of those companies, varies significantly between buyer groups, and the prices paid vary accordingly.
Outlying transaction valuations and effect
Means were susceptible to being skewed by outliers and could make a big difference when assessing transactions with a company as the acquirer. Medians were more useful.
A profit multiple of 38.49 was nothing to be sneezed at, but 117.08 as an average profit multiple was really high. So how was it possible that the averages could be that high? Transactions like this:
- Symantec Acquires Brightmail (2004) - Revenue multiple greater than 14. Profit multiple greater than 330.
- McAfee Acquires Stonesoft (2013) - Revenue multiple greater than seven. Profit multiple greater than 420.
These transactions rapidly skewed the averages, particularly in an environment where not every transaction had data available.
That is, if price data was available for all 650 transactions, it would have much less of an impact; but with price data only available for around 10 percent of transactions, and the rest being 'not disclosed', it can have a big influence).
Multiples by year
The average revenue multiple from 2004 until 2006 was a shade over 14 while the average from 2007 until 2009 was a shade under three. It stayed at three from 2010 until mid-2013. Profit multiple data similarly hasn't changed markedly over the period 2007 to mid-2013.
In other words, back in the early days of cyber security, there were fewer transactions being completed, but the ones that were completed tended to be for high valuations - for example, Juniper's acquisition of NetScreen and Symantec's acquisition of Brightmail.
There are now many more transactions, but the valuations have remained steady. That's not a bubble -- it's just a healthy market with strong demand for valuable companies.