Private equity finds profit in lucrative cyber businesses

Some of the largest buyout funds in the world are investing in the lucrative cyber security industry, but growing prices for assets are making these acquisitions difficult to pursue.

While one of the most notable investments was private equity firm TPG’s acquisition in 2016 of a stake in McAfee, the cyber security software company, others have found a novel way of achieving value for their investors by purchasing cyber security consultancy companies.

In February, private equity groups BlackRock and Pamplona bought PhishMe, a company that trains employees to avoid phishing scams.

By buying into advisers to the sector, the big private equity firms make sure they do not lose out on a fast-growing industry but at the same time avoid backing a particular technology that may quickly become obsolete.

This strategy has in some cases yielded phenomenal returns for their investors, people familiar with these deals say. But industry experts have warned that companies are becoming more expensive as others find out about the sector’s potential, which will make it harder for money managers to replicate their successful strategies.

Funds such as Carlyle and Blackstone are continuing to invest given the potential for growth, as cyber threats to consumers have increased in recent years and are expected to rise further.

Last year, a ransomware attack via WannaCry, which encrypted users’ data until they had paid a ransom, hit almost 100 countries worldwide, with more than 45,000 incidents registered in countries including Russia, the UK and China. The attack targeted any user who happened to download it rather than a specific institution.

Separately, in January Apple confirmed that every owner of an iPhone, iPad and other Apple product was at risk of hacking, highlighting how widespread the threat is.

Instead of trying to purchase a company that makes, say, a particular anti-virus, we looked at consultants in the industry

Martin Brand, senior managing director, Blackstone

But cyber security threats mean big wins for some. Sophos, the UK cyber security group, raised forecasts twice last year after exceeding market expectations: more companies used its services following a variety of hacking attacks in the first half of 2017.

Revenues also jumped for Blackstone last year, thanks partly to the sale of a stake in Optiv Security to rival KKR. The New York-based private equity giant pursued a strategy known as buy-and-build. This is when a buyout group purchases one company and merges it with rivals to create a leading business and cut costs.

Blackstone first bought Accuvant, a company with 5 per cent market share, in 2014. Shortly afterwards it acquired FishNet, also with 5 per cent market share. The new company, Optiv, became the dominant force in the sector.

“The second-best option had only 1 per cent market share,” says Martin Brand, senior managing director at Blackstone.

Pro-forma revenues at the business grew more than 20 per cent per year from 2011 to 2016. Earnings before interest, tax, depreciation and amortisation grew by 40 per cent in the same period, inspiring plans to list the business. Blackstone received multiple approaches from both private equity and trade buyers, people familiar with the sale say.

Mr Brand explains his firm’s investment strategy: “Instead of trying to purchase a company that makes, say, a particular anti-virus, we looked at consultants in the industry.

“We felt that that was a way to isolate ourselves against the risk that a particular technology succeeds and another one doesn’t.”

You can only ever play this once. Things get more expensive and you get more competition

Blackstone eventually returned six times its investment, according to a person with direct knowledge of the deal. But those familiar with the transaction say it is challenging to replicate this winning formula despite Blackstone’s attempts.

“It’s not easy,” says one. “You can only ever play this once because things get more expensive and you get more competition.”

Others are following the same strategy of buying into the sector without backing a specific product. Carlyle, the Washington-based private equity group, bought Coalfire, a cyber security consultant, three years ago as it looked to enter the sector.

Michael Gozycki, managing director at Carlyle, says his company has spent years analysing the cyber security space and the proliferation of products, which “all face some type of risk around technical obsolescence”.

The buyout fund is exploring acquisitions through Coalfire as it looks to expand the firm, explains Mr Gozycki. “We are always evaluating opportunities, acquisitions through Coalfire as a platform,” he says.

Still, high valuations are not deterring potential buyers. Cyrus Kapadia, vice-chairman of Investment Banking at Lazard, said: “There remains appetite from private equity to invest but finding the right companies at attractive entry valuations remains a challenge.”