SailPoint, Tufin go private in run of cybersecurity acquisitions by PE firms

The highly fragmented cybersecurity sector continues to consolidate, with acquirers, both financial and strategic, willing to pay a high premium for a business with plenty of expected growth.

The frothy pace of cybersecurity acquisitions continued in the first months of 2022, even as M&A in other sectors slowed down or saw values compress sharply. Five cybersecurity companies announced deals since the last months of 2021, with transaction sizes running the gamut.

Most recently, Thoma Bravo LP said on April 11 that it would take SailPoint Technologies Holdings Inc. private in a transaction grossing $7.46 billion. That came on the heels of Tufin Software Technologies Ltd.'s April 6 announcement that it would be acquired by affiliates of private equity firm Turn/River Management LP at an enterprise value of about $544.1 million. A month prior, Alphabet Inc. announced that it would acquire Mandiant Inc. for about $7.55 billion, leading to speculation about what other public cybersecurity firms could be targeted next.

Those transactions rounded out a trend that began at the end of 2021, when Permira Advisers Ltd. agreed to acquire Mimecast Ltd. for a gross transaction value of $5.91 billion. Permira and Advent International Corp. just weeks prior led a group of investors on the $20.86 billion acquisition of legacy consumer security company McAfee Corp., the largest sector M&A transaction in history.

The Mandiant deal was just "the tip of the iceberg to a massive phase of consolidation," Wedbush Securities analyst Daniel Ives said in a recent note. Ives cited the "massive growth backdrop" for the sector as enterprises across industries accelerate their digital transformation strategies and the recent invasion of Ukraine by Russia as further reinforcing the need for cybersecurity preparedness on the part of nation-states.

There are a number of other publicly traded cybersecurity companies that could be the next target of consolidation, Ives said ahead of the Tufin deal. These included SailPoint, Ping Identity Holding Corp., Varonis Systems Inc., Qualys Inc., Tenable Holdings Inc., Rapid7 Inc. and CyberArk Software Ltd. Those firms are each comparable to Mandiant, with market capital between $2 billion and $7 billion and annual revenue between $300 million and $600 million.

Thoma Bravo is valuing SailPoint at 16.0x the company's trailing-12-month revenue, one of the largest multiples among recent sector deals. The acquisition extends Thoma Bravo's consolidation of the sector, where it is one of the most active acquirers in the space. The private equity firm and its operating companies have announced 20 cybersecurity acquisitions since the beginning of 2019, according to 451 Research.

The high multiple for SailPoint is not far outside of the norm for Thoma Bravo. The firm has been paying double-digit multiples for cybersecurity operating companies for the past three years, hitting an average 16.4x multiple in 2020.

By comparison, the average multiple sectorwide is 8.8x in 2022, year to date, the highest of any year so far.

451 Research is part of S&P Global Market Intelligence.

Comments are closed.