We wrote 6 months ago about “Activities and Opportunities in Cyber Security”, talking about the growth of the market during 2016, and looking forward to the likely growth during 2017. Financing activity for the first three quarters of 2017 totalled around £2.6 billion, roughly on track to equal the 2016 total of £3.5 billion. The number of transactions is also likely to remain stable, with 210 transactions to Q3 2017 against a total of 268 transactions in 2016.
M&A volume is likely to remain on par with 2016 (108 transactions to Q3 2017 vs 137 transactions in 2016); however, the average per transaction value is likely to be smaller this year (£5.75 billion to Q3 2017 vs £15.5 billion in 2016). Taking into account that this is skewed further by £4.25 billion of the 2017 transaction value arising from just 8 transactions, I would suggest that this means the ‘average’ deal size has fallen against 2016. That the average M&A deal size has fallen could, however, support the view that companies in this rapidly growing sector are being acquired earlier, at lower transaction values, perhaps because of their early stage.
2017 has included some notable transactions, with at least two acquisitions with a transaction value of over £500 million, and a number of fundraisings over £100 million. Over the last 18 months, we’ve seen some of the large, more traditional ‘whales’ in the market starting to become acquisitive.
Looking ahead to 2018, it is safe to say that cyber security is going to remain firmly on the agenda, at least across Europe. Here in the UK, we will see the Data Protection Bill come into force, including the UK applications of the EU-wide General Data Protection Regulations (GDPR). These regulations put a very significant responsibility on Data Processors (as defined by the Information Commissioner’s Office) to protect sensitive data, including ensuring the removal of data that is no longer required, and carry heavy penalties for non-compliance.
Before then, the Second Payment Services Directive (PSD2) will come into force, allowing banking customers to use third-party providers (TPPs) to manage their finances. This requires the sharing of customer banking details through an API (application programming interface). Should the TPP experience a breach, the bank would be liable for a fine under GDPR, which provides for a fine of up to the greater of €20 million, or 4% of global annual turnover. Much of this will hinge on the requirement under PSD2 for providers to provide ‘strong customer authentication’.
Because of this requirement, we believe that 2018 will see strong investment in and acquisitions of companies specialising in identity & access management, likely with high valuations. We also believe that 2018 will see growth for companies offering secure “digital shredding” services, as businesses seek to remove unnecessary data to prevent exposure under GDPR.