In mid-March, the VIX, a popular measure of the stock market’s expected volatility, reached a record high, surpassing levels seen during the 2008 financial crisis. The stock market was in freefall and a lengthy recession seemed all but certain.
While questions remain about the strength of the underlying economy, the S&P 500 managed to end 2020 15% higher than where it began the year. Public cybersecurity companies, in general, outpaced the broader market in 2020. High-growth cybersecurity companies (>20% annual growth) saw outsized returns as the majority of companies within this bucket benefitted from strong COVID-19 tailwinds.
Okta, for example, capitalized on the shift to remote work as businesses needed a more sophisticated solution to securely identify employees outside of the company network. Over the year, the high-growth cybersecurity index rose 152% while the medium-growth (10% – 20% annual growth) and low-growth (<10% annual growth) indices achieved gains of 46% and 17%, respectively.
Not all companies, however, posted strong results in 2020. SolarWinds, an IT management and monitoring platform with an IT security offering, was the victim of a highly consequential cyberattack, resulting in a Q4 stock price drop of 27% to finish the year down 19%. Malicious hackers were able to install malware into Solarwinds’ Orion product, allowing them to spy on the end customers for months. Customers included many Fortune 500 companies and various governmental agencies.
While this is an extreme example of an individual company’s poor trading performance, it demonstrates that even companies whose core mission is to provide IT solutions are themselves vulnerable to sophisticated attacks.
The high-growth cybersecurity comps finished the year at a frothy median TEV / NTM revenue multiple of 27.1x. This is up 129% from where the group began the year.
With the exception of the dip in March, public valuation multiples have expanded across the board. Investors continue to seek and reward growth, with the high-growth cybersecurity comps finishing the year at a frothy median TEV / NTM revenue multiple of 27.1x. This is up 129% from where the group began the year (11.9x TEV / NTM revenue). While not as drastic, multiples for medium-growth and low-growth comps also expanded through the year to 8.5x and 5.5x, respectively.
Cybersecurity fundraising within the private markets didn’t skip a beat in 2020. Across the seed, early stage, and late stage cybersecurity investing landscapes, the number of deals stayed relatively flat as compared to years past. Aggregate deal dollar volume, however, continued to grow as deal sizes trended upwards. According to PitchBook Data, Inc., total cybersecurity deal volume in 2020 exceeded $7.8bn, compared to $6.5bn in 2019 and $5.8bn in 2018.
Adams Street portfolio companies, Arctic Wolf and Snyk, were 2 of 18 companies that raised $100mm+ rounds in 2020. The increasing presence of these mega-rounds is one of the key factors driving median deal size expansion within late-stage financings. In parallel, pre-money valuations have been growing as the generous multiples within public markets are being matched (or exceeded) within the private markets.
The number of deals stayed relatively flat as compared to years past, however aggregate deal dollar volume continued to grow as deal sizes trended upwards
Exact revenue multiple data in the private markets is not available, but our observations indicate that hyper-growth cybersecurity companies with solid unit economics are, in some cases, commanding multiples in excess of 40x current ARR. The market multiples within private cybersecurity are undoubtedly rich. But 2020 demonstrated that there is an enormous opportunity to improve upon existing cybersecurity platforms and better protect companies from costly cyberattacks.
The closing of one year marks the beginning of the next and we remain excited about opportunities in the cybersecurity sector. Security has always been a core focus for Adams Street, investing across foundational elements of the security stack, like SIEM (LogRhythm), identity management (ThreatMetrix), and bot detection (PerimeterX).
New and exciting technologies are being built by exceptional entrepreneurs across the sector but there are several subsectors that we find particularly interesting in 2021:
These are just a few areas where we expect significant innovation and customer adoption in 2021. We are excited to see all the upcoming progress within the world of cybersecurity and look forward to partnering with those making it happen.
Source: S&P Global Market Intelligence.
Public market data and analytics provided by S&P Global Market Intelligence. Private market data and analytics provided by PitchBook Data, Inc. List of public cybersecurity companies compiled by Adams Street. Data sourced December 31, 2020.
1. Source: S&P Global Market Intelligence.
2. Source: PitchBook Data, Inc.
Important Considerations: This information (the “Paper”) is provided for educational purposes only and is not investment advice or an offer or sale of any security or investment product or investment advice. Offerings are made only pursuant to a private offering memorandum containing important information. Statements in this Paper are made as of the date of this Paper unless stated otherwise, and there is no implication that the information contained herein is correct as of any time subsequent to such date. All information has been obtained from sources believed to be reliable and current, but accuracy cannot be guaranteed. References herein to specific companies or sectors are not to be considered a recommendation or solicitation for any such company or sector. Projections or forward-looking statements contained in the Paper are only estimates of future results or events that are based upon assumptions made at the time such projections or statements were developed or made; actual results may be significantly different from the projections. Also, general economic factors, which are not predictable, can have a material impact on the reliability of projections or forward-looking statements.