Cybersecurity Market Update: January 2021

Key Takeaways for Q4 2020

• COVID-19 impacted virtually every industry in 2020 – for better or for worse. Cybersecurity was no exception.
• Cyberattacks reached an all-time high last year as cybercriminals took advantage of increasingly vulnerable targets. The challenge of securing a distributed workforce, coupled with increased phishing, malware, and web attacks, has amplified the importance of having a resilient cybersecurity posture with best-of-breed tools.
• Despite the pandemic, public and private cybersecurity markets have remained strong. Adams Street shares its views on interesting investment opportunities in the sector in 2021.

Public Market Recap

In mid-March, the VIX, a popular measure of the stock market’s expected volatility, reached a record high, surpassing levels seen during the 2008 financial crisis. The stock market was in freefall and a lengthy recession seemed all but certain.

While questions remain about the strength of the underlying economy, the S&P 500 managed to end 2020 15% higher than where it began the year. Public cybersecurity companies, in general, outpaced the broader market in 2020. High-growth cybersecurity companies (>20% annual growth) saw outsized returns as the majority of companies within this bucket benefitted from strong COVID-19 tailwinds.

Okta, for example, capitalized on the shift to remote work as businesses needed a more sophisticated solution to securely identify employees outside of the company network. Over the year, the high-growth cybersecurity index rose 152% while the medium-growth (10% – 20% annual growth) and low-growth (<10% annual growth) indices achieved gains of 46% and 17%, respectively.

Not all companies, however, posted strong results in 2020. SolarWinds, an IT management and monitoring platform with an IT security offering, was the victim of a highly consequential cyberattack, resulting in a Q4 stock price drop of 27% to finish the year down 19%. Malicious hackers were able to install malware into Solarwinds’ Orion product, allowing them to spy on the end customers for months. Customers included many Fortune 500 companies and various governmental agencies.

While this is an extreme example of an individual company’s poor trading performance, it demonstrates that even companies whose core mission is to provide IT solutions are themselves vulnerable to sophisticated attacks.

The high-growth cybersecurity comps finished the year at a frothy median TEV / NTM revenue multiple of 27.1x. This is up 129% from where the group began the year.

With the exception of the dip in March, public valuation multiples have expanded across the board. Investors continue to seek and reward growth, with the high-growth cybersecurity comps finishing the year at a frothy median TEV / NTM revenue multiple of 27.1x. This is up 129% from where the group began the year (11.9x TEV / NTM revenue). While not as drastic, multiples for medium-growth and low-growth comps also expanded through the year to 8.5x and 5.5x, respectively.

Private Market Recap

Cybersecurity fundraising within the private markets didn’t skip a beat in 2020. Across the seed, early stage, and late stage cybersecurity investing landscapes, the number of deals stayed relatively flat as compared to years past. Aggregate deal dollar volume, however, continued to grow as deal sizes trended upwards. According to PitchBook Data, Inc., total cybersecurity deal volume in 2020 exceeded $7.8bn, compared to $6.5bn in 2019 and $5.8bn in 2018.

Adams Street portfolio companies, Arctic Wolf and Snyk, were 2 of 18 companies that raised $100mm+ rounds in 2020. The increasing presence of these mega-rounds is one of the key factors driving median deal size expansion within late-stage financings. In parallel, pre-money valuations have been growing as the generous multiples within public markets are being matched (or exceeded) within the private markets.

The number of deals stayed relatively flat as compared to years past, however aggregate deal dollar volume continued to grow as deal sizes trended upwards

Exact revenue multiple data in the private markets is not available, but our observations indicate that hyper-growth cybersecurity companies with solid unit economics are, in some cases, commanding multiples in excess of 40x current ARR. The market multiples within private cybersecurity are undoubtedly rich. But 2020 demonstrated that there is an enormous opportunity to improve upon existing cybersecurity platforms and better protect companies from costly cyberattacks.

What We’re Excited For in 2021

The closing of one year marks the beginning of the next and we remain excited about opportunities in the cybersecurity sector. Security has always been a core focus for Adams Street, investing across foundational elements of the security stack, like SIEM (LogRhythm), identity management (ThreatMetrix), and bot detection (PerimeterX).

New and exciting technologies are being built by exceptional entrepreneurs across the sector but there are several subsectors that we find particularly interesting in 2021:

• API Security: APIs have exploded in popularity and have become the de facto plumbing for software to connect both internally and externally. Not only are APIs becoming more prevalent, but they are carrying more sensitive data than ever before, making them a goldmine for would-be hackers. Given API interactions vary significantly based on who/what is on the other end, the traditional WAF rules-based approach is ineffective and results in a high false positive rate. Companies such as Salt Security, Traceable, and Noname Security provide AI/ML-first platforms purpose-built to identify an organization’s API exposures, analyze traffic, and detect anomalies before malicious attacks can materialize.
• Cloud Infrastructure Security: The migration to cloud has been one of the most disruptive movements within tech over the last two decades. It has enabled countless innovations across both application and infrastructure layers. COVID-19 has only accelerated this shift. Not only are companies moving more workloads to the cloud, but they are also deploying hybrid and multi-cloud architectures that create new security challenges. Cloud infrastructure security solutions provide critical tools around authentication, container security, vulnerability monitoring, and threat detection across a customer’s entire cloud environment. Lacework recently announced a massive $525mm series D investment for their cloud security automation platform, just one data point for how large the cloud security market is. Other up-and-coming companies like Bridgecrew and Orca Security also offer innovative platforms to tackle securing cloud workloads.
• Asset Management: One of the primary challenges that CISOs face today is a seemingly simple one: identifying what IT assets exist within an organization. It is a very basic question and the answer should provide the foundation for a company’s cybersecurity policies. Plainly put, an organization needs to first know what assets it has in order to ensure those devices are sufficiently secured. As asset management company Axonius says, this sector is the “Toyota Camry of cybersecurity”: it will never be the flashiest platform, but it solves a fundamental need. Device sprawl will continue to grow as more companies adopt a distributed working model, further accentuating the need for an effective asset management solution.

These are just a few areas where we expect significant innovation and customer adoption in 2021. We are excited to see all the upcoming progress within the world of cybersecurity and look forward to partnering with those making it happen.

Source: S&P Global Market Intelligence.
Public market data and analytics provided by S&P Global Market Intelligence. Private market data and analytics provided by PitchBook Data, Inc. List of public cybersecurity companies compiled by Adams Street. Data sourced December 31, 2020.

1. Source: S&P Global Market Intelligence.
2. Source: PitchBook Data, Inc.

Important Considerations: This information (the “Paper”) is provided for educational purposes only and is not investment advice or an offer or sale of any security or investment product or investment advice. Offerings are made only pursuant to a private offering memorandum containing important information. Statements in this Paper are made as of the date of this Paper unless stated otherwise, and there is no implication that the information contained herein is correct as of any time subsequent to such date. All information has been obtained from sources believed to be reliable and current, but accuracy cannot be guaranteed. References herein to specific companies or sectors are not to be considered a recommendation or solicitation for any such company or sector. Projections or forward-looking statements contained in the Paper are only estimates of future results or events that are based upon assumptions made at the time such projections or statements were developed or made; actual results may be significantly different from the projections. Also, general economic factors, which are not predictable, can have a material impact on the reliability of projections or forward-looking statements.