Though a smaller market than the US, the UK cybersecurity M&A and VC market is active and growing. Some sizable deals in the UK have made headlines in the global technology press, most notably Thoma Bravo’s acquisition of Sophos for $3.9 billion last year.
“Cybersecurity remains a top target for acquisition around the world and the UK is no exception. Deal flow in this space has been consistent since 2015,” says Jonathan Simnett, director at technology M&A advisory firm, Hampleton Partners.
UK cybersecurity market in 2019
For years Sophos was the busiest deal-making cybersecurity company in the UK. In 2019 alone it made three acquisitions of US companies: cloud security startup Avid Secure, endpoint security platform DarkBytes and managed detection and response (MDR) provider Rook Security.
In 2019, private equity firm Thoma Bravo bought the Cambridge-based Sophos for $3.9 billion. Though Sophos was its only security buy in 2019, Thoma already has other security firms in its portfolio, including Imperva, Barracuda Networks and Veracode. Henrik Jeberg, director at Hampleton Partners, has previously told CSO that being bought by Thoma will allow Sophos – which had primarily targeted the mid-market — “on the fast lane towards developing next-gen cybersecurity solutions for the enterprise.”
In a move designed to establish itself as a major player in the security consulting space, French telco Orange bought UK cybersecurity service provider SecureData (and its consulting subsidiary SensePost) for a fee thought to be around $120 million. Orange also bought Dutch managed security services provider (MSSP) SecureLink for just over half a billion euros the same year.
“The standout recent buys [in 2019] were the $3.8 billion purchase of Sophos by US private equity firm Thoma Bravo in October, France’s Orange buying SecureLink Group for $577 million in May and Palo Alto buying the UK’s Twistlock for $410, also in May,” says Simnett. “These all featured in the top ten global cybersecurity deals in 2019.”
UK cybersecurity startups appealing targets
UK companies were popular acquisition choices for international buyers. In 2019 Finland’s F-Secure bought MWR InfoSecurity for $103 million, and Australia’s Shearwater acquired Manchester-based network security company Secarma for $9.6 million.
US-based companies were also keen to buy. Minneapolis-based HelpSystems acquired content threat protection startup Clearswift, Florida’s KnowBe4 acquired Leicester-housed security training provider Twist and Shout, California’s HID Global purchased the identity solutions business of De La Rue, and Minneapolis-based Entrust bought nCipher from French defense company Thales.
“Overall, UK security companies are more often being bought than buying,” says Hampleton’s Sinmett. “It’s a characteristic across the board in tech that UK companies, in most cases, need to be acquired to scale to their full potential so, in many ways the UK acts as a scale-up incubator for firms that will eventually come under foreign ownership for further investment and access to global markets.”
2019 also saw UK companies going international themselves with Chester’s GBG acquiring Atlanta-based digital identity verification and authentication provider IDology for $300 million and London MSP Haven Cyber Technologies buying Sweden’s Onevinn. Cyber Security 1 AB’s acquisition of Warwickshire’s IntaForensics and CSI group acquiring backup and recovery specialist Tectrade were rare cases of UK cybersecurity companies buying local.
“The largest transaction in the identity and access management space in 2019 was UK’s GB Group’s acquisition of US-based IDology,” says Simnett. “Driven by the desire to expand in North America – a key growth market for GB Group and the world’s leading region when it comes to cybersecurity – GB Group paid 7.9 times enterprise value/sales to get its hands on IDology’s customer base. IDology primarily serves US customers, which account for 99% of its revenue.”
VC funding on the rise
The UK Government report into the cybersecurity market claimed 2019 was a “record year” for investment. The report highlights $451 million in fundraising across eighty deals and says that over £1.1 billion has been raised since 2016.
2020 VC funding in the UK already busy, with UK cybersecurity startups raising £496 million in the first half of 2020 according to Lorca. In January, UK open-source security startup Snyk completed its Series C funding round of $150 million to reach a valuation of $1 billion while RazorSecure, a transportation-focused threat monitoring service, raised $3.3 million. Despite the COVID19 pandemic leading to a downturn in VC funding globally, UK-based privacy tech startup Privitar managed to raise $80 million in April. BAE Systems spinout SOC.OS raised $2.5 million in July.
UK cybersecurity M&A in 2020
So far, the UK market has been quiet for deal activity in 2020. January saw London-based based Mimecast buy anti-phishing startup Sagasec for an undisclosed amount thought to be around $40 million, while quantum communication startup Qubitekk bought the quantum key distribution (QKD) patent portfolio of British defense company QinetiQ. In March Accenture revealed it had bought UK cybersecurity consultancy firm Context Information Security from Babcock International Group for an undisclosed amount, while in May Venafi announced it had acquired UK-based Kubernetes training and services provider Jetstack. In June, Siemens Digital Industries (DI) acquired UltraSoC, a Cambridge, UK-based System on Chip security startup. July saw Herjavec Group buy London-based Identity Management firm Securience. In September London-based Snyk bought Swiss secure-coding startup DeepCode.
“Cybersecurity will remain a top target for venture and private equity funding in 2020/2021 and the historical trend of an increasing percentage of technology companies being acquired by private equity will continue,” explains Simnett.