Onapsis on the block?

Contact: Brenon Daly

Enterprise application security startup Onapsis quietly kicked off a sale process about a month ago, according to our understanding. Several sources have indicated that Onapsis, which focuses on hardening security for SAP implementations, has hired UBS to gauge interest among buyers. And while there undoubtedly will be acquisition interest in the startup, Onapsis may ultimately prove to be a bit of a tough sell. The reason? The most obvious buyers for the company don’t typically pay the type of valuations that Onapsis is thought to be asking.

In many cases, the heavy-duty SAP systems that Onapsis helps secure were implemented by one of the big consulting shops. So at least theoretically, it’s not a big leap to imagine one of these consultancies buying Onapsis and offering its platform, exclusively, to help safeguard these mission-critical systems and the data they generate. (Indeed, Onapsis already has partnerships with many of the big consulting firms, including KPMG, PWC, Accenture and others.) While that strategy may be sound, M&A always comes down to pricing. And that’s why we would think it’s probably more likely than not that eight-year-old Onapsis remains independent.

According to our understanding, Onapsis is looking to sell for roughly $200m, which would be twice the valuation of its September 2015 funding. The rumored ask works out to about 8x bookings in 2016 and 4.5x forecast bookings for this year. For a fast-growing SaaS startup, those aren’t particularly exorbitant multiples. Yet they may well price out any consulting shops, which have typically either picked up small pieces of specific infosec technology or just gobbled up security consultants. Any reach for Onapsis would require a consulting firm to pay a significantly richer price than the ‘tool’ or ‘body’ deals they have historically done.

Okta’s growth-story IPO finds an audience on Wall Street

Contact: Brenon Daly 

The unicorn parade on Wall Street continued Friday as security vendor Okta nearly doubled its private market valuation in its debut on the Nasdaq. The subscription-based identity and access management provider initially sold shares at $17 each, but investors bid them to about $24 in midday trading. With the surge, Okta is valued at some $2.4bn. (See our full preview of the offering.)

Okta becomes the third enterprise IT startup to come public so far this year, and it extends the strong performance of these new issues. It also joins the two previous IPOs – MuleSoft and Alteryx – in sporting a rather stretched valuation. Based on a market cap of $2.4bn, Okta is trading at about 15x trailing sales.

Granted, Okta’s sales are growing quickly, having nearly quadrupled in just the past two fiscal years to $160m. Still, the company is commanding quite a premium compared with fellow secure identity specialist CyberArk, which also just happens to be the last information security startup to create more than $1bn of value in its IPO. (To be clear, CyberArk, which went public in 2014, also sells identity-related products in the form of privileged identity management, but doesn’t really compete with Okta.)

Wall Street currently values CyberArk at about 8.2x trailing sales, or just slightly more than half the level that investors are handing to the freshly public Okta. Bulls would argue that Okta merits the premium given that it is growing twice as fast as CyberArk. But others might counter with a question about what that growth is costing each of the companies. Okta lost a mountainous $83m on its way to generating $160m in sales last year. In contrast, CyberArk, which has run in the black for the past four years, netted $28m from its 2016 revenue of $217m.

If nothing else, the valuation discrepancy underscores that growth is still the key metric for investors. Okta’s IPO is simply supply meeting demand, same as it ever was on Wall Street. Indeed, CyberArk has also experienced that. Shares of the company reached an all-time high – nearly 50% higher than current levels, roughly Okta’s current valuation – in 2015, when revenue was increasing north of 50%, compared with the mid-30% level now.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

Mastercard makes an antifraud deal of its own 

Contact: Jordan McKee 

After December reaches by Visa and American Express for card-not-present (CNP) antifraud providers, Mastercard makes its move in this space. With the purchase of NuData Security, it gains digital identity and behavioral biometrics capabilities that will play an important role as EMV and growing transaction volumes continue to push fraud into digital channels.

A recent study of 500 US merchants by 451 Research underscored the severity of this problem, showing that 60% of respondents are experiencing an increase in fraudulent activity in their digital commerce channels compared with this time last year. This problem will only be exacerbated as the Internet of Things (IoT) spreads commerce into myriad new connected devices, increasing chargeback and data breach risks for merchants.

Given its scale and complexity, IoT presents a security threat an order of magnitude greater than anything the payments industry has previously experienced. Payment networks and their partners are increasingly being required to operate in foreign environments that differ greatly from traditional CNP channels, such as web browsers. The spread of commerce to new connected endpoints will require new technology, talent and security approaches to ensure that the integrity of the card issuance ecosystem remains intact.

While Mastercard has positioned its pickup of NuData as an IoT antifraud play – and could conceivably extend NuData’s technology into various IoT settings over time – we see near-term applicability to traditional CNP antifraud use cases. In particular, its work around digital identity and biometrics will help extend Mastercard’s security efforts from the network to the device, helping to combat the wave of fraud currently occurring in mobile and e-commerce. Terms of the deal weren’t disclosed. NuData had about 70 employees.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

With Okta, infosec no longer conspicuously absent from the IPO market

Contact: Brenon Daly 

Even as several other fast-growing enterprise IT sectors have all seen unicorns gallop onto Wall Street, richly valued information security (infosec) startups have stayed off the IPO track. The sector hasn’t seen a $1bn company created on a US exchange in more than two-and-a-half years. Infosec has been conspicuous by its absence from the tech IPO market, especially considering that no other single segment of the IT market has as many viable public company candidates. Fully one-quarter of the startups in the ‘shadow IPO’ pipeline maintained by 451 Research’s M&A KnowledgeBase Premium come from the infosec space. (See related report.)

At long last, one of the infosec unicorns is (finally) ready to step onto the public market: cloud-based identity management startup Okta has publicly revealed its paperwork for a $100m offering that should price next month. The company, which raised nearly $230m in venture backing, had already achieved a $1bn+ valuation in the private market – and will head north from there in the public market.

Wall Street will undoubtedly find a lot to like in Okta’s prospectus. The company is doubling revenue each year, with virtually all of its sales coming from subscriptions. (Professional services accounts for roughly 10% of total revenue, a lower percentage than most of the big-name SaaS vendors.) Subscription revenue gives a certain predictability to a company’s top line, especially when coupled with the ability to consistently expand those subscriptions. Okta notes in its prospectus that its customer retention rate, on a dollar basis, is slightly more than 120%, an enviable rate for any subscription-based startup. Put it altogether and revenue at Okta for the fiscal year that ended in January is likely to be in the neighborhood of $160m, up from $86 in the previous fiscal year and just $41m in the fiscal year before that.

Having quadrupled revenue in just two years, Okta’s red ink isn’t likely to worry many investors. Through its first three fiscal quarters (ended October 31, 2016), Okta lost $65m, up from $55m in the same period the previous fiscal year. As is often the case with SaaS providers, Okta’s losses stem primarily from heavy spending on sales and marketing. Early on, Okta was spending slightly more than $1 on sales and marketing to bring in $1 of subscription revenue. It has since slowed the spending, with the result that in its latest quarter it spent $32m on sales and marketing to bring in $38m in subscriptions. (For comparison, Box – one of the more egregious spenders – shelled out $47m on sales and marketing to generate exactly the same subscription revenue as Okta ($39m) in its most recent quarter when it originally filed to go public in 2014.)

Okta’s IPO would represent the first new $1bn valuation for an infosec vendor on the NYSE or Nasdaq since CyberArk’s offering in September 2014. Sophos went public (rather quietly) in 2015 on the London Stock Exchange, and the two domestic infosec IPOs since then (Rapid7 and SecureWorks) both currently trade underwater from their offering. In contrast to the recent infosec shutout, startups from several other IT sectors have all been able to enhance their $1bn private-market valuation on Wall Street, including Nutanix, Atlassian, Twilio and Pure Storage. That list will get a little longer as MuleSoft is set to debut at more than a $2bn market cap, up from $1.5bn in its final round as a private company.

CA’s two M&A strategies come together in Veracode

Contact: Brenon Daly 

CA Technologies plucks Veracode out of the IPO pipeline, paying $614m for the application security scanning startup. The acquisition bridges the two areas where CA has been shopping recently: security and DevOps. According to 451 Research’s M&A KnowledgeBase, all 10 of CA’s transactions in the four years leading up to the Veracode purchase have either brought additional technology for software development or security, primarily related to identity and access management. Including Veracode, CA’s recent shopping spree has cost the company slightly more than $2bn.

Originally a spinoff of Symantec, Veracode raised $122m from investors over the past 11 years, including a late-stage round in September 2014 that was expected to bridge the company to the public market. Shortly afterward, it tapped J.P. Morgan Securities to lead the planned offering. (J.P. Morgan gets the print for advising Veracode on its sale.) The IPO paperwork was filed with the SEC but never publicly revealed.

As it angled toward Wall Street, however, Veracode’s revenue growth slowed a bit, according to our understanding. (Subscribers to the M&A KnowledgeBase can see our estimate of Veracode’s top line.) Also working against an IPO for Veracode has been the rather lackluster market for new tech offerings overall, compounded by a slump on Wall Street for the two previous information security vendors to come public on US exchanges, SecureWorks and Rapid7. In opting for a sale rather than an IPO, Veracode secured a valuation that essentially matches the multiple that CA paid in its similarly sized pickups of fellow infrastructure software providers Automic Software in December and Rally Software in May 2015.

Veracode has steadily expanded its customer base, more than doubling that count since 2014 to 1,400. And, based on 451 Research surveys of more than 200 information security buyers, the company still has room to move higher once it is acquired by CA, which is expected in Q2. In our Voice of the Enterprise: Information Security survey in late 2016, Veracode ranked only as the fourth-most-popular supplier of application scanning, trailing open source tools from Qualys and IBM.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

How secure is your deal, legally?

Contact: Brenon Daly 

For all of the attention paid to the financial and strategic aspects of M&A, it certainly pays to remember that, at their core, acquisitions are fundamentally legal processes. The terms and conditions of any acquisition effectively codify all of the other points that come up over the weeks or even months of negotiating a deal. Pricing, timing, governance, executive responsibilities – all of those key M&A considerations, along with dozens of other smaller-but-still-thorny concerns, are ultimately spelled out in a legally binding agreement.

Most of the final provisions of any deal surface during the earlier due-diligence period, which, depending on your particular view of law, can be a process to either help optimize the outcome of the combination or simply lessen the chances that you’ll get screwed in the transaction. Given the direct influence that due diligence has in shaping the ultimate acquisition agreement, it’s worth noting what the two sides are paying attention to when they strike a deal.

One key area of M&A-related examinations that’s getting an increasingly sharper focus is information security. A survey last October of 150 senior members of the tech M&A community, including a number of lawyers, revealed that not a single respondent reduced the amount of due diligence they did on a target company’s cybersecurity practices last year. Further, in the most recent edition of the M&A Leaders’ Survey from 451 Research and law firm Morrison & Foerster, fully eight out of 10 (82%) respondents said the level of scrutiny actually increased over the course of 2016, with the remaining 18% saying it held steady.

Obviously, as has come out in Verizon’s ongoing attempt to purchase Yahoo’s operating business, cybersecurity considerations can have a dramatic impact on a deal. The acquisition will now drag on a few months longer and the price will be lowered by $350m, or 7%, because of the massive data breaches that Yahoo revealed after the late-July announcement. As Verizon moves ahead with its plan to acquire the faded purple website, the transaction is nonetheless a reminder that cybersecurity concerns in M&A need to figure into boardroom discussions, not just courtroom disputations.

Big Yellow and big buyouts push infosec M&A spending to record

Contact: Brenon Daly

What happens at the top end of a market usually goes some distance toward setting the overall tone in that particular market. At least that’s one way to view M&A in the information security sector, which has surged to a record level of spending led by transactions involving the two largest vendors. Up until recently, both Symantec and McAfee had been largely out of the market as the companies worked through earlier strategy bets that didn’t pay off.

So far this year, infosec shoppers have spent $14.3bn on deals, according to 451 Research’s M&A KnowledgeBase. That tops the previous record of $13.5bn in 2010. However, a look inside the deal flow indicates that the previous record was much more concentrated: the single-largest transaction in 2010 (Intel’s $7.7bn purchase of McAfee) accounted for more than half of that year’s overall deal value, while the single-largest transaction in 2016 (Symantec’s $4.7bn pickup of Blue Coat Systems) accounts for just one-third of this year’s spending.

Intel’s partial unwind of its experiment with McAfee is contributing to this year’s record. But more dramatically, it’s the reversal at Symantec that has boosted overall spending in the infosec space. After shying away from significant acquisitions in recent years, Big Yellow has now inked its two largest security deals in just the past the past five months. For perspective, the combined $7bn Symantec has shelled out since last summer for Blue Coat and LifeLock is more than it has spent, collectively, on its 25 other infosec purchases since 2002, according to the M&A KnowledgeBase.

In addition to large corporate buyers, big financial acquirers have also been contributing to this year’s record spending. Both TPG Capital’s carve-out of McAfee and PE-backed AVAST’s consolidation of AVG were valued in the billions of dollars. For comparison, the previous record year of 2010 didn’t feature any billion-dollar PE transactions.


Baking in security isn’t a good recipe for Intel

Contact: Brenon Daly

Intel’s multibillion-dollar experiment in bringing security in-house and baking it into its silicon is over. The chipmaker announced plans to mostly unwind its six-year-old acquisition of McAfee, which stands as the largest information security (infosec) transaction in history. However, Intel’s divestiture of a majority stake of its infosec division is being done at a substantial discount to the original purchase.

Under terms, Intel will retain a 49% stake in the infosec business, which will revert to the McAfee name, with private equity firm TPG Capital acquiring a 51% stake. The buyout shop will pay $1.1bn in cash and assume $1bn in debt. (The co-owners of McAfee plan to raise a total of $2bn in debt, with $1bn of that held by TPG and $1bn held by Intel.) Altogether, the transaction gives McAfee an enterprise value of $4.2bn, compared with an enterprise value of $7bn for McAfee in Intel’s mid-2010 puzzling purchase.

Sales at Intel’s infosec unit totaled $1.1bn in the first half of this year, according to the company. Annualizing that amount would put revenue at $2.2bn, meaning McAfee is valued at less than two times sales in its divestiture. That’s a relatively low multiple for infosec companies. In its 2010 purchase, for instance, Intel paid roughly 3.5 times sales for McAfee. Furthermore, rival Symantec currently trades at roughly the same 3.5x multiple.

Intel’s divestiture of McAfee, which had been rumored for some time, underscores the fact that infosec is an industry in transition. The move means that two of the largest and longest-standing security companies have undergone dramatic corporate overhauls since just the start of the year. Back in January, Symantec sheared off its Veritas storage business so that it could focus entirely on security. It then followed that up in summer by announcing the second-largest infosec transaction, according to 451 Research’s M&A KnowledgeBase. Symantec paid $4.65bn for Blue Coat Systems, an acquisition that, unusually, installed Blue Coat executives into the top three spots at the acquiring company.

The comeback kids of the tech IPO market

Contact: Brenon Daly

If there’s going to be a recovery in the tech IPO market, information security (infosec) looks like it will lead the way. According to 451 Research’s recently launched M&A KnowledgeBase Premium, one-quarter of the 72 startups that we think are of a size and mind to go public in the near future come from the infosec industry. The ‘shadow IPO’ pipeline is one of the key features of the new premium version of 451 Research’s industry-leading M&A KnowledgeBase.

The premium version of our M&A KnowledgeBase features a full financial profile of the candidates, as well as 451 Research’s qualitative assessment of each company’s technology and its competitive positioning in the market. For instance, the profile of Veracode includes our proprietary estimates of the application security startup’s bookings for both 2015 and 2016, plus our analysis of its expansion into the new growth market of mobile apps. Altogether, KnowledgeBase Premium has a shortlist of 18 infosec vendors that could be eyeing an upcoming IPO, including Carbon Black, LogRhythm and ForeScout.

Although the IPO market has been mired in a slump recently, with just three enterprise-focused offerings so far this year, many private companies have matured to the point where their business models are comparable to their publicly traded brethren. Further, many are putting up growth rates that leave Nasdaq and NYSE firms in the dust. That’s particularly true in the infosec space, where a recent survey of 881 IT budget-holders by 451 Research’s Voice of the Enterprise found that 46% of respondents had more to spend on security in the coming quarter, compared with the start of the year. That was 10 times the percentage who indicated that their infosec budgets were shrinking.

Of course, merely having a business that’s ready to go public doesn’t necessarily mean that the company needs to file an S1. Most of the infosec companies have plenty of cash in their treasuries, with the 18 pre-IPO vendors having raised about $2bn in venture backing. (KnowledgeBase Premium not only tracks fundings, but in some cases it also notes the valuation of the funding.) Additionally, many of the publicly traded infosec names – including both of the sector’s most recent debutants, Rapid7 and SecureWorks – haven’t necessarily found bullish investors on Wall Street.

But as the Twilio offering and its subsequent aftermarket trading has shown, a company with a strong growth story can almost always find buyers, regardless of what’s happening in the overall market. With that in mind, we’ll watch for more of the 72 names on our M&A KnowledgeBase Premium IPO shortlist – particularly those in the bustling infosec arena – to move from the pipeline to Wall Street in the coming quarters.

IPO pipeline by sector

Source: 451 Research’s M&A KnowledgeBase Premium

BeyondTrust on the block?

Contact: Brenon Daly

Less than two years after acquiring BeyondTrust, Veritas Capital is looking to sell the privilege identity management vendor, several market sources have indicated. We understand that the private equity firm has retained UBS to run a narrow process, with the expectation that BeyondTrust would fetch at least twice the price the buyout shop paid in its September 2014 purchase. (Subscribers to 451 Research’s M&A KnowledgeBase can see our estimated terms of that deal by clicking here.)

BeyondTrust is expected to generate about $100m in sales this year and throw off roughly $40m of cash, according to our understanding. Recent transactions involving similar-sized identity and access management (IAM) vendors have gone off at about 6x sales. That’s roughly the multiple we estimate Vista Equity Partners paid for Ping Identity in early June, as well as the estimated valuation Thoma Bravo paid for IAM vendor SailPoint two years ago. (Subscribers to 451 Research’s M&A KnowledgeBase can view our estimated terms of the Ping deal and the SailPoint transaction.)

One reason acquirers have paid above-market valuations for identity-related providers is that cloud technology is predicated on knowing who users are and what they should have access to. That’s been reflected in infosec budgets. In the latest survey of IT security professionals by 451 Research’s Voice of the Enterprise, identity management ranked in the top quartile for security projects in the coming year.

VotE InfoSec priorities Q1 2016

Source: 451 Research’s Voice of the Enterprise: Information Security, Q1 2016