Contact: Brenon Daly
Enterprise application security startup Onapsis quietly kicked off a sale process about a month ago, according to our understanding. Several sources have indicated that Onapsis, which focuses on hardening security for SAP implementations, has hired UBS to gauge interest among buyers. And while there undoubtedly will be acquisition interest in the startup, Onapsis may ultimately prove to be a bit of a tough sell. The reason? The most obvious buyers for the company don’t typically pay the type of valuations that Onapsis is thought to be asking.
In many cases, the heavy-duty SAP systems that Onapsis helps secure were implemented by one of the big consulting shops. So at least theoretically, it’s not a big leap to imagine one of these consultancies buying Onapsis and offering its platform, exclusively, to help safeguard these mission-critical systems and the data they generate. (Indeed, Onapsis already has partnerships with many of the big consulting firms, including KPMG, PWC, Accenture and others.) While that strategy may be sound, M&A always comes down to pricing. And that’s why we would think it’s probably more likely than not that eight-year-old Onapsis remains independent.
According to our understanding, Onapsis is looking to sell for roughly $200m, which would be twice the valuation of its September 2015 funding. The rumored ask works out to about 8x bookings in 2016 and 4.5x forecast bookings for this year. For a fast-growing SaaS startup, those aren’t particularly exorbitant multiples. Yet they may well price out any consulting shops, which have typically either picked up small pieces of specific infosec technology or just gobbled up security consultants. Any reach for Onapsis would require a consulting firm to pay a significantly richer price than the ‘tool’ or ‘body’ deals they have historically done.