Analyst comment

Deals insight: regulators must protect the cybersecurity market from a private equity takeover


Cybersecurity is a highly disruptive theme. It comprises a body of technologies, processes, and practices designed to protect networks, computers, programs, and electronic data from attack, damage, or unauthorized access by individuals, companies, or nation-states. Today’s always-connected world offers multiple opportunities for bad actors to target and disrupt companies’ business operations or countries’ critical national infrastructure. 

The market’s complexity drives merger and acquisition (M&A) activity, and cybersecurity is typically a hotbed of dealmaking.

Over the last few years, several private equity (PE) players have bought multiple cybersecurity companies to create extensive cyber portfolios. These companies are then combined, or ‘rolled up’, by the PE companies to create a new company comprising several smaller entities.  

For example, in October 2023, US PE firm Thoma Bravo completed a deal to acquire identity and access management (IAM) provider ForgeRock for $2.3 billion. It then announced that it had combined ForgeRock with its portfolio company Ping Identity, which it acquired in August 2022 for $2.8 billion. 

Regulators have started to take a close interest in these deals. The Thoma Bravo-ForgeRock deal came close to being challenged by the US Department of Justice (DoJ) over concerns that it would harm competition in the IAM market, an increasingly important area of the overall cybersecurity industry. The DoJ was worried that ForgeRock was too similar and, therefore, too close a competitor to Ping Identity. As if that were not enough, Thoma Bravo also owns another identity company, SailPoint Technologies. 

Roll-up deals can potentially create dominant players in markets like IAM, with multiple disparate companies that previously competed with one another being combined into one entity to maximize profitability and value for the PE company.  

This has already happened in other areas of IT. For example, Cloud Software Group was formed from the combination of TIBCO and Citrix after their acquisition by Vista Equity Partners and Evergreen Coast Capital. 

In April 2024, Thoma Bravo announced plans to acquire UK cybersecurity company Darktrace for $5.3 billion. However, regulatory action to halt the deal is unlikely. Darktrace’s focus is AI for threat detection, not IAM, and having had a brush with the regulator over ForgeRock, Thoma Bravo would have gamed out any Darktrace referral before bidding.

However, given private equity companies’ increasingly strong ownership position in cybersecurity, action will be required in the future. Thoma Bravo has one of the largest cybersecurity portfolios in private equity, representing approximately $45 billion in total enterprise value. Another player, Insight Partners, currently invests in 58 cybersecurity companies. 

More assertive regulatory action has, belatedly, become more likely with the publication in December 2023 of far-reaching merger guidelines from the DoJ and the Federal Trade Commission. The guidelines, aimed at the wider competition landscape and not just cybersecurity, include proposals to reduce PE-driven ‘roll-up’ acquisitions to protect market dynamics. Given PE companies’ increasingly prominent position in cybersecurity, it is time for regulators to apply those guidelines.

By David Bicknell, principal analyst at GlobalData Thematic Intelligence. 

GlobalData, the leading provider of industry intelligence, provided the underlying data, research, and analysis used to produce this article. 

GlobalData’s Thematic Intelligence uses proprietary data, research, and analysis to provide a forward-looking perspective on the key themes that will shape the future of the world’s largest industries and the organisations within them.