Cisco, IBM, Dell M&A Brawl May Whack Symantec, Palo Alto, Fortinet
Sales of $2 billion is a drop in the bucket — if you’re IBM ( IBM ) or Cisco Systems ( CSCO ). That’s how much tech giant IBM drew in 2015 security revenue. Networking giant Cisco pulled in $1.75 billion in security revenue. But security sales accounted for just 2.4% and 3%, respectively, of those companies’ multibillion-dollar top lines. Both IBM and Cisco say their cybersecurity revenue rose 12% last year. The growth outstripped pure players Symantec ( SYMC ) and Check Point Software Technology ( CHKP ). And the total dollar sales for IBM and Cisco easily topped total revenue for leading security pure players Palo Alto Networks ( PANW ), Proofpoint ( PFPT ), Fortinet ( FTNT ) and FireEye ( FEYE ). Cybersecurity Ventures CEO Steve Morgan says it’s just the beginning of a series of “knockdown, dragout brawls” among tech giants IBM, Cisco, Dell and others specifically in the security software-and-services arena in 2016. And companies like IBM and Cisco don’t enter the ring with kid gloves. This bare-knuckle donnybrook for cybersecurity superiority will be fought with well-padded M&A budgets. The steep decline in security software stocks of late, amid fears of slowing spending on enterprise software, only raises the stakes, making some buyout targets likely more affordable. ‘Panic Spending’ Drove Valuations Lower spending could hit security vendors, but there’s no debate that cybersecurity needs have grown. Hackers stormed the digital bulwarks of Target ( TGT ), Home Depot ( HD ), Sony ( SNE ), JPMorgan Chase ( JMP ) and the Office of Personnel Management in 2013, 2014 and 2015. That drove a lot of what Piper Jaffray analyst Andrew Nowinski calls “panic spending.” More than 60% of 137 chief information officers recently polled by Piper Jaffray had refreshed their security firewalls within the past 12 months. And firewall security ranked only No. 5 on a list of CIO priorities. Endpoint security, compliance, protecting Web applications, and internal-access management topped CIO priorities. These latter four segments will be hot M&A sectors this year, Nowinski says. “A lot of enterprises, in light of all the mega-breaches that occurred in 2014 and 2015, really beefed up and spent a lot on their network perimeters,” he told IBD. “After getting more comfortable with your perimeter (by beefing up firewalls) . . . you need to invest in technology that protects what the hackers are going after.” Symantec, Trend Micro and Intel ( INTC )-owned McAfee lead the endpoint protection sector, according to Gartner. The market tracker says Imperva ( IMPV ) and F5 Networks ( FFIV ) top the Web-application firewall market, while CyberArk Software ( CYBR ) leads the internal-access management segment. Valuations skyrocketed in the hyperactive 2015 threat landscape, Nowinski says. Thus, last year wasn’t one of big consolidation for cybersecurity. “Companies were trying to figure out what were the most strategic assets they needed to add to protect against the changing threat environment,” he said. “The threat environment was evolving very quickly and valuations were going through the roof with these mega-breaches.” But valuations have plunged. IBD’s 26-company Computer Software-Security industry group was down nearly 40% as of Friday from its 2015 high achieved July 24 — after the group plunged 7.4% on Friday. From the start of 2015 through July 24, the group had rocketed 33%. Still, a lot of big dollars are up for grabs in cybersecurity, FBR analyst Daniel Ives says. He estimates that spending on next-generation security wares will jump 30% in 2016, though total IT spending is seen rising just 3%. Gartner estimates that IT security spending will soar from $75 billion-plus in 2015 to $101 billion in 2018. Research firm Markets and Markets sees the cybersecurity market hitting $170 billion by 2020. “It’s such an enormous growth segment, in a very choppy environment,” Ives told IBD. “It’s pent-up demand and it’s the massive threat environment. . . . You look at the technology landscape and cybersecurity is a priority.” Jumping On The Cyber Bandwagon As nontraditional security firms jump on the cybersecurity bandwagon, no potential M&A is off limits, Cybersecurity Ventures’ Morgan says. “If you look at the cybersecurity industry, there are not a lot of unicorns,” he said. “What we’re seeing is (startups) will raise $10 million to $100 million . . . to ratchet up and get acquired by multimillion-dollar tech companies.” In January, FireEye stirred the M&A dust with a $200 million acquisition of cyberthreat intelligence firm iSight Partners , expanding its portfolio again after its $1 billion Mandiant acquisition in 2014. “That’s where we’re going to see the market,” Morgan said. “Any company that has successfully raised (venture capital) funding would be a takeover candidate.” Alan Kessler, CEO of privately held Vormetric, calls these “tuck-in acquisitions.” “I think the pace of acquisitions is probably going to accelerate simply because of what’s happening in the overall market demand for solutions,” Kessler told IBD, “but also the fact that some of the smaller players may have difficulty getting funding at a valuation that is appealing to their investors.” Vormetric falls into that “tuck-in” field. The encryption specialist is in the process of being acquired by Thales, a French company focused on “creating a safer world,” according to its website. Thales isn’t a pure cybersecurity player but it touches 80% of online-processing payments, Kessler says. Vormetric will be threaded into Thales’ data security group when the transaction closes, likely in late March. Kessler expects IBM and Cisco to continue adding new cybersecurity offerings to their portfolios. And the market recognizes that — big tech firms know enterprise-level software, Enterprise Strategy Group analyst Jon Oltsik told IBD. “There’s consolidation in the customers, the enterprise; they want to buy fewer tools from fewer vendors,” Oltsik said. “They want an integrated platform because what we’ve done in the past isn’t working anymore. “And the efficiency of the technology has to be enterprise class, so that kind of speaks to the bigger vendors who know how to service the enterprise.” In the largest pure-tech merger ever, Dell last year agreed to acquire EMC for $67 billion in — and thereby got its hands on EMC’s RSA security business. In December, Dell confirmed rumors that it filed a $2 billion IPO for its SecureWorks business, which it acquired in 2011 for $612 million. “They single out cybersecurity and decide that’s their spinoff?” Morgan said. “That says a lot about the market.” The pure players have done some tucking of their own. In 2015, Fortinet acquired Meru Networks for $44 million and Check Point spent $80 million on Lacoon Mobile Security. Also in 2015, Cisco followed up its $2.7 billion acquisition of Sourcefire in 2013 by acquiring OpenDNS for $635 million. And Raytheon acquired Websense for $1.9 billion, to create privately held Forcepoint. Between 2014 and 2015, Microsoft ( MSFT ) — which Oltsik calls a cybersecurity “wild card” — spent $600 million to buy three Israeli cybersecurity firms. “You would not call Microsoft a cybersecurity company,” Morgan says. “But you’re starting to see them get very active in cyber. IBM would be another interesting company.” In 2015, IBM’s total sales fell 12%, to $81.7 billion, even as its cybersecurity sales rose 12% to $2 billion. “That’s a lot (of growth) when you’re counting in the billions,” Morgan said. “That’s not on a lot of people’s radar. That gets lost a little bit in the context of much bigger companies.” Pending Cybersecurity Nuptials? FireEye’s iSight acquisition is the only confirmed M&A in the sector this year. But CyberArk stock surged in January on rumors that Check Point is seeking to acquire it . Culturally, it makes sense — they’re both Israeli firms, Ives says. Should Check Point and CyberArk merge, such a deal would be larger than a tuck-in, Morgan says. Although Check Point is much larger — with a $13.5 billion market value to CyberArk’s $1.3 billion — both are credible performers, he said. “I’m not sure we’d call that a merger or an acquisition,” he said. “CyberArk and Check Point, if that were to happen, I think you’re looking at two companies coming together and looking to move into a much larger position in the market.” Cisco, Oracle ( ORCL ), IBM, Hewlett Packard Enterprise ( HPE ) and Symantec will stoke 2016 M&A, Ives says. He lists Qualys ( QLYS ), CyberArk, Fortinet, FireEye and Imperva on his takeover list. He says the timing is especially ripe for Symantec to make an acquisition. Symantec completed its Veritas sale to the Carlyle Group on Jan. 29, saying it received $5.3 billion in after-tax proceeds from the deal. Symantec acquired data storage firm Veritas for $13.5 billion in 2005, a deal that many analysts questioned. Mountain View, Calif.-based Symantec struggled in 2015, when revenue fell 2.4% to $6.54 billion. Now, Symantec will apply the cash from the Veritas sale toward an acquisition that strengthens its position, Nowinski said. Oltsik sees platform plays taking out Resilient Systems, Phantom Cyber, Invotas or ServiceNow ( NOW ) as automation becomes an increasingly important piece of cybersecurity. Smaller firms like Malwarebytes and Code DX also could be swept into the M&A frenzy, Morgan says. “In a different tech sector, where there’s not as much M&A activity, you have to be doing some very cutting-edge things to be an acquisition target,” he said. “Here, if you walk and talk and raise money in the cybersecurity space, you’re a target.”