1. Introduction
Cyber security companies have raised more than USD 26.9bn in more than 2,350 deals since 2010. Many different factors lie behind this tremendous number. The following overview describes the current cyber security market and its most important market drivers:
Growing Cyber Threats
- The amount of stored data is growing exponentially and is increasingly considered as a highly valuable asset, which has to be protected from unauthorized access.
Regulation
- Stricter regulation and therefore increasing examinations by audit committees to secure and protect critical data and information.
- Cyber security insurance policies require smarter security systems from corporations and private individuals.
New platforms
- Ongoing growth of cloud and SaaS usage is leading to new cyber security issues.
- Increasing market penetration of mobile devices and apps is shifting traditional endpoint security.
Outsourcing
- In-house management and cyber security are becoming more complex as the complexity and the level of required knowledge increase, which goes along with a rising number of outsourcing services.
Even today, the cyber security market is a sector that must not be underestimated. The four market drivers listed above are all interdependent and growing in importance, which is reflected in the total global growth rate. The market is currently growing at a CAGR of 10.3% and is expected to reach a market size of almost USD 250bn by 2023E (Fig. 1).[1]

Fig. 1 • Global cyber security market growth 2017-2023 (in USDbn)
Sources: Risk Management Solutions Inc. (2018); MarketsandMarkets (2018)
2. RMS Risk Management Solution – Global Cyber-loss
Figure 2 shows that cyber-attacks are not a local problem of a small number of developing countries; instead, they are a threat to every nation. RMS monitors incidents of cyber loss in the private and public sectors across the world. Cyber-attacks have become the largest commercial risk and an increasingly international phenomenon in recent years, especially in the industrialized world.

Fig. 2 • RMS Risk-Index
Source: Risk Management Solutions Inc. (2018)
Cyber-attacks are not a local problem and should be taken seriously globally, but especially in developed countries. The RMS cyber loss experience database proves that cyber losses continue to occur in businesses of all sizes and activities.[2]
3. Consequences and costs of cyber-attacks
Consequences of cyber-attacks vary across countries.
3.1 Costs of cyber-attacks split by consequences (in percentage) [3]
Figure 3 indicates four of the most serious consequences companies are facing after being targeted by cyber-attacks.

Fig. 3 • Cost of cyber-attacks by consequences (in %)
Source: Ponemon Institute (2019)
Data is one of the most – if not the most – valuable assets nowadays. Cyber-attacks are therefore a challenge and highly dangerous for all companies. In every third case, they even interrupt the whole affected business unit.
3.2 Average annual cost of cybercrime for large organizations (in USDm) [4]
Figure 4 shows the variance in the average costs associated with cyber-attacks in Europe. The average costs for larger organizations (min. 5,000 enterprise seats) were highest in Germany at USD 13.12m, whereas Italy had the lowest value (USD 8.01m) within Europe. Globally, the USA has the highest average costs per breach, amounting to USD 27.37m.

Fig. 4 • Average annual cost of cybercrime for large organizations (in USDm)
Source: Ponemon Institute (2019)
Obviously, there is a high level of heterogeneity across European countries. Looking at this graph, it becomes clear that cyber security attacks are becoming more expensive. Within Europe, average costs of cybercrime grew by 31% from 2017 to 2018.
4. Global Data Breach Investigation
Number of incidents and breaches
4.1 Cyber-attacks split by industry (excluding Botnets)
The focus of cyber security is the protection of computers, programs, networks and data from unintended and unauthorized access. Not only governments are affected, but also corporations and private individuals that collect, process and store vast amounts of confidential information and transmit these data across networks. Data breaches have become almost commonplace in recent years. To understand Figure 5, it is essential to define “incident” and “breach”. An incident is a security event that compromises the integrity, confidentiality or availability of an information asset, whereas a breach is an incident that results in the confirmed disclosure – not just potential exposure – of data to an unauthorized party.[5]

Fig. 5 • Cyber-attacks split by industry (excluding Botnets)
Sources: Verizon (2018); Nasdaq Inc. (2018). Cybersecurity – Industry Report & Investment case

Fig. 6 • “Successful” breaches in corresponding sectors
Sources: Verizon (2018); Nasdaq Inc. (2018). Cybersecurity – Industry Report & Investment case
Within the Accommodation and Healthcare sectors, even though there is only an intermediate number of incidents, most of the incidents result in breaches. This is a cause for concern, and companies within these sectors should increase their cyber security measures. In contrast, companies in the Entertainment and Public Service sectors seem to have a safe and functioning cyber security infrastructure in place.
5. Botnet breaches split by geography
A group of computers that is connected in a coordinated fashion for malicious traffic is called a botnet. Botnets work in 2 different ways: Firstly, they can target organizations’ customers, infecting their personally owned devices with malware that captures login details. Those credentials are then used to access banking applications and other sites with authentication. The second way involves compromised hosts within the organization’s network, creating a botnet. A successful botnet breach causes information loss and the loss of customer trust.[6]

Fig. 7 • Botnet breaches split by geography
Sources: Verizon (2018); Nasdaq Inc. (2018); Cybersecurity – Industry Report & Investment case
Note: Botnets are not included in the breaches shown above because the vast number of breaches caused by botnets (over 43,000 in 2018) would drown out the remaining breaches.
It is obvious that botnets are a global problem. Developed countries in particular show an increasing number of breaches, and a lot of companies struggle to clear infections. One simple countermeasure is the implementation of two-factor authentication in order to decrease breaches caused by botnets.
6. Valuation multiples overview
Historical events are reflected in the valuations of cyber security companies. These events are well known in the market as the reasons for the upward and downward trends in company valuation in the past.
6.1 EV/EBITDA and EV/Sales Multiples
In the early 1990s, hacktivism started and with it the first attacks on traditional information technology infrastructures. Around 2007, cyber-attacks started to target Industrial Control Systems (ICS) and Operational Technology (OT) environments. Those developments created awareness for the industry and consequently boosted valuation multiples.[7]

Fig. 8 • Valuation multiples development*
Sources: S&P Capital IQ ; Hospelhorn, S. (2018), Press, G. (2018), Momentum Cyber (2019)
As part of the financial crisis and the collapse of Lehman Brothers, the cyber security industry – similar to any other sector – suffered its most severe decrease in valuation of all time (multiples more than halved).
Since the presidential election in the USA in Q4 2016, valuation multiples increased sharply for a short period. A potential reason for this could be the Russian Information War. During this war, new attack methods were developed, e.g. extortion and ransomware. When ransomware rose, in just one day the code reportedly infected more than 230,000 computers in more than 15 countries.
In the same year, Equifax failed to patch an Apache Struts vulnerability that compromised the data of an estimated 143m Americans. Consequently, hackers gained access to around 209,000 consumer credit cards (largest data breach of credit card numbers and information up till then).[8]
Today, new technologies like Artificial Intelligence (AI) and machine learning are not only transforming the environment of many companies, but also giving rise to a “new breed of smart attacks”.[9] Therefore, companies should be prepared in order to keep pace with market developments and to protect their customers.[10]
Since the historically low multiples during the 2008 financial crisis, the cyber security market has recovered, with EV/EBITDA multiples expanding on average much more strongly than EV/sales multiples.
7. VC funding activities of the last 5 years
More and more investors seek to participate.
The graphic below shows the venture capital funding activity in the cyber security sector from 2014 until today. Only the largest transactions (threshold of > USD 100m) are included in this analysis. Especially in the past years, funding activity has strongly increased. However, not only the number of transactions, but also the amount raised has seen an uplift. Both developments indicate that the cyber security market is highly attractive to investors and will continue to show strong traction in upcoming years (Fig. 9).

Fig. 9 • Venture Capital funding in Cyber Security sector from 2014 until today
Sources: CB Insights; S&P Capital IQ; Wilhelm, A. (2019)
According to a report by Techcrunch, North America leads the rest of the world with USD 4bn in VC funding in the cyber security sector, with Europe and Asia head-to-head at around USD 550m each. The development is also reflected in the overview above – in the past years, the venture funding landscape has become more active, with an increasing number of investors entering the field. Amongst other factors, this is primarily driven by the accelerating number of high-profile cyber security attacks in the last years.[11]
8. Cyber Security in and around M&A
With regard to M&A, the flourishing cyber security market is arousing the interest of many different buyers and investors who are looking for a profitable and sustainable investment. As the market for cyber security products and services grows, so do the corporate values of the companies. This is reflected in the mergers and acquisitions of cyber security companies that took place in 2018 and 2019. Despite the fact that buyers and investors have completely different investment focuses in the cyber security sector, the fundamental interest of all is based on the recognition that information is the most important resource today.
Considering the M&A process in general, cyber security also plays a relevant role. A Gartner study shows that by 2022, 60% of companies involved in M&A activities will consider cyber security a critical factor in their due diligence process – today this figure is still at 5%.[12]
Buyers and financial investors in M&A transactions are regularly confronted with risks, such as data protection or data loss, which occur, for example, during the due diligence process. Another common scenario is the discovery of security problems after a transaction has already been completed, which means that there is often no safe place for the buyer at this point.
According to a report by Forbes, more than one-third (~40%) of the acquiring companies involved in an M&A transaction said that they had discovered a cyber security problem during the integration of the acquired company after the takeover – and the number is rising. The most prominent example of such a scenario is certainly Verizon. In this case, a security vulnerability was discovered in Yahoo! after the takeover agreement for the acquisition of the company had already been signed.[13] This almost led to the reversal of the transaction and ultimately to a reduction of the purchase price by USD 350 million. The consequences included a USD 35 million fine to settle the U.S. Securities and Exchange Commission’s (SEC) securities fraud charges. In addition, Yahoo! had to pay a further USD 80 million to settle potential lawsuits with dissatisfied shareholders. A slightly more thorough due diligence can avoid many unnecessary costs on both the buyer’s and the seller’s side.[14]
This example illustrates that companies are well advised to take a thorough look at cyber security before and during an M&A process.
A study that deals with the topic of cyber security in M&A and summarizes the experience of 2,779 due diligence experts reveals, amongst others, 4 findings that should be kept in mind [15]:
- A data protection violation that has not been detected or found is a so-called deal breaker for most companies. 73% of the surveyed experts confirmed that a company with an unreported data privacy breach is an immediate deal breaker according to their in-house M&A strategy. The really dangerous aspect of malware-laden systems is post-merger integration, where the systems of the acquirer and the acquired company are merged. In the process, bridges are often built unknowingly, over which malicious software can spread to other computer networks.
- Decision makers sometimes feel that they do not have enough time to carry out a proper evaluation of cyber security. Only 36% of the experts surveyed confirmed that their IT team is given enough time to thoroughly review the cyber security standards, processes and protocols of the company under investigation before the M&A transaction takes place. Too often, the actual due diligence of cyber security takes place in the process phase of post-merger integration. In a world with increasing pressure to move faster and faster to complete an acquisition, time is of the essence. Confidently executed transactions are those in which care and prudence lead to a successful acquisition with no problems.
- Internal IT teams may not be technically capable of performing cyber security evaluations. Only 37% of the IT experts surveyed agree that their IT team has the necessary skills to conduct a cyber security evaluation for an acquisition. Hackers use a wider range of techniques to gather and monetize information. The methods they use to obtain this information are highly sophisticated, making it difficult to defend against and detect such attacks. For example, advanced techniques allow attackers to retrieve data without these attacks being detected over a long period of time.[16]
- Companies assign some or all of their cyber security evaluation to third parties. Almost all of the experts surveyed (97%) stated that their companies spend money on external service providers for IT audits or cyber security.[17] This circumstance creates a situation where the necessary IT competence is not entirely or not at all available in-house. This in turn often means that the actual decision makers cannot adequately interpret the results of a cyber security evaluation.
Furthermore, it often seems to be the case that due diligence focuses on issues related to privacy (GDPR) rather than security in general. A recurring emphasis on the importance of the risks of privacy breaches is not surprising, as companies must publicly disclose personal data breaches to consumers. The media therefore often focus their attention on just such breaches. However, the importance of overall system security should not be overlooked during due diligence. In recent years, one could observe a growing sensitivity to the topic in politics, on the customer side and on the investor side. Delay in the detection and reporting of a security breach can lead to significant public criticism of the company and legal risks, including the risk of fines and potential liabilities due to class actions on the customer and shareholder side. It is precisely such scenarios that a thorough IT due diligence should ultimately avert.
It should also not be forgotten that any risk identified in a due diligence can lead to a reduction in the purchase price. This naturally includes the risks in the cyber area. Therefore, it is especially important from the buyer’s point of view to identify such risks in order to include the upcoming upgrade of IT and cyber security in the purchase price.
The market for M&A advisory services is also affected by cyber-attacks, as are other industries mentioned in this article. In the course of an M&A process, highly sensitive information and data is transmitted and exchanged via channels that are not always sufficiently secured. Service providers such as Dropbox or WeTransfer are relatively popular methods to transfer data from the clients’ computers to the consultants’ computers due to their simple application and user-friendliness. Here, one should ask oneself the question whether the documents are stored temporarily at the chosen provider without the knowledge of the user.
The central collection of data at the M&A advisor or lawyer often represents a significant part of sensitive company information and should therefore be protected against cyber-attacks. This is often not yet sufficiently guaranteed. In the near future, one can expect some changes regarding security in the M&A world, e.g. the use of two-factor authentication in virtual data rooms to protect even better against cyber-attacks. Two-factor authentication increases security by making it very difficult for password hackers to log into the system under a false username. Whatever the M&A process will look like in the future, it will have to be more secure than it is today. The risk of not being able to upgrade is immensely high, and the potential damage to the reputation of the consultant and the client can hardly be quantified in monetary terms. The topic of cyber security influences the M&A process from many different angles and will continue to play an increasingly important role in the development of the M&A process.
[1] Cf. MarketsandMarkets: Size of the cybersecurity market worldwide, from 2017 to 2023 (in billion U.S. dollars), retrieved from www.statista.com/statistics/595182/worldwide-security-as-a-service-market-size/, 2018
[2] Cf. Risk Management Solutions Inc: Cyber Risk – Outlook 2018, 2018, p. 8
[3] Cf. Hiscox: Average cost of all cyber attacks and largest single cyber attack to European firms in 2019, by country (in 1,000 U.S. dollars), retrieved from www.statista.com/statistics/1008178/european-firms-cyberattack-target-cost/, 2019
[4] Cf. Hiscox: Average cost of all cyber attacks and largest single cyber attack to European firms in 2019, by country (in 1,000 U.S. dollars), retrieved from www.statista.com/statistics/1008178/european-firms-cyberattack-target-cost/, 2019. Remark: *2017 data not available
[5] Cf. Verizon: 2018 Data Breach Investigations Report, retrieved from https://enterprise.verizon.com/resources/reports/2018/DBIR_2018_Report.pdf, 2018
[6] Cf. Verizon: 2018 Data Breach Investigations Report, retrieved from https://enterprise.verizon.com/resources/reports/2018/DBIR_2018_Report.pdf, 2018
[7] Cf. Hospelhorn: 8 events that changed cyber security forever, 2018
[8] Cf. Momentum Cyber: Cybersecurity Almanac|2019, 2019
[9] Cf. Press: 60 CYBERSECURITY PREDICTIONS FOR 2019, retrieved from www.forbes.com/sites/gilpress/2018/12/03/60-cybersecurity-predictions-for-2019/#6563c9cb4352, 2018
[10] Cf. S&P Capital IQ, 2019
[11] Cf. Wilhelm: Whats Palantir worth? retrieved from https://news.crunchbase.com/news/whats-palantir-worth/, 2019
[12] Cf. Gartner: Cybersecurity is critical to the M&A Due Diligence Process, April 2018
[13] Cf. Harroch: Data Privacy and Cybersecurity issues in Mergers and Acquisitions, retrieved from www.forbes.com/sites/allbusiness/2018/11/11/data-privacy-cybersecurity-mergersand-acquisitions/#63b566ff72ba, 2018
[14] Cf. Swinhoe: Top 9 cybersecurity M&A deals of 2018 and 2019 (so far), retrieved from www.csoonline.com/article/3342129/top-9-cybersecurity-ma-deals-of-2018-and-2019-so-far.html, 2019
[15] Cf. Forescout: The Role of Cybersecurity in Mergers and Acquisitions Diligence, June 2019
[16] Cf. Harroch: Data Privacy and Cybersecurity issues in Mergers and Acquisitions, retrieved from www.forbes.com/sites/allbusiness/2018/11/11/data-privacy-cybersecurity-mergersand-acquisitions/#63b566ff72ba, 2018
[17] Cf. Forescout: The Role of Cybersecurity in Mergers and Acquisitions Diligence, June 2019