The other day I was having lunch with a leader of a company that provides software to help financial institutions comply with various rules and regulations. The focus was around acquisition opportunities. A good discussion ensued, as there are lots of interesting, fast-growing companies in what we call the “GRC” space (Governance Risk and Compliance) that naturally lend themselves to being part of a larger organization. But the main takeaway of our discussion was the growing emphasis on cyber security as part of a GRC solution. “One can’t be all things to all people,” he said, but “we can’t go visit a company without a proposition for their cyber security needs.” This is telling, and fits with our sense of the world in which we live today.
Crime has always been a threat in the digital world. But with the explosion of accessible devices that have access to personal information – much of which is “in the cloud” – the consequences of cybercrime have grown immensely. It seems as if not a week goes by without some firm reporting a data breach that compromised the personal information of tens of thousands of people – or more. My personal favorite is the hacking of the US Office of Management and Budget – potentially compromising the personal information of more than 21 million people – including information relating to their access to classified material. Although the OMB breach was not nearly the largest: According to published reports, Tumblr saw a breach that exposed information on as many as 65 million people; Anthem on 80 million, LinkedIn on over 100 million; Experian on possibly 200 million people; and there are so many more. Hackers can sell this information on the black market to others who find ways to exploit it – establishing credit in false names, obtaining and selling fake ids and so much more. $50 million worth of a digital currency called ether was recently stolen from a supposedly secure vault controlled by the DAO, the distributed autonomous organization. And ransomware (where software locks computers until a ransom is paid) seems to be growing – and paying off. Juniper Research, estimates the number of data breaches rising from 6,000 annually to over 16,000 annually 2020. They estimate the cost to reach $2.5 trillion by then.
Further, even though companies now take many more precautions, hacker tools seem to gain sophistication in lockstep. Given the large amount of money available, why would one take the high risk gamble of heading out to rob a bank when one can hack into a treasure trove of information and monetize it, all while in the comfort of a hacker’s home?
Our resident cybercrime solutions expert, Sam Levy (as well as several others here at Marlin & Associates, are spending considerable time following the cybercrime prevention industry. Gartner estimates that companies spent $76 billion in 2015 defending themselves against these growing threats. They forecast that spending will grow 17.7% annually until at least 2020, reaching a total spend of $170 billion.
Regulators are encouraging robust defenses. Financial regulators in the US, Europe, and elsewhere already require most banks, brokers and insurance companies to establish security measures as do regulators that cover the healthcare industry, government, and more. They are all having difficulty keeping up with the unprecedented increases in cyber-related issues. And it won’t be long before they put in place regulations that will require yet more robust defenses. These actions are likely to spur the success of many cyber security software firms -much as the Patriot Act drove the success of many compliance firms providing AML and KYC -type solutions. The SEC is a case in point. Financial firm readiness is a key initiative for the SEC this year. Many other regulators are following suit with activity at both the federal and state levels, as well as worldwide, such as the EU’s proposed cyber security directive.
Investment in cyber security software companies continues to grow given the market opportunity. In 2015, Dow Jones VentureWire compiled a list of 119 VC investments totaling over $3.3 billion in the US alone. While the number of investments was relatively flat year-over-year, the amount of money pouring into cyber was up more than 75% y-o-y, and more than 330% above 2014. Not to be outdone, strategic buyers are lining up to make their investments in the space. With recent talk of Intel offloading its cyber security division, and Symantec’s recent acquisition of Blue Coat (for $4.65 billion, almost double what Bain paid for it just over a year before, see M&A’s blog article here), one can see how it has become a board-level priority.
We spend considerable time speaking with up-and-coming firms in this industry in the UK, Europe, and Israel, many of which seem to have compelling creative solutions. We haven’t conducted due diligence on these firms, but we certainly are watching firms such as Avanan, which has a creative cloud governance solution; and enSilo, acting on information leaving the network; or Guardicore, a vendor targeting the cloud infrastructures that are evolving rapidly in AWS or Azure; or Cymmetria, whose deception engine seems innovative and growing. Others such as Comilion, “the slack for CIOs,” are providing a new slant on the cyber war with a collaboration engine. We’re also watching Empow, which rather than attempting to beat any single competitor, acts much like the conductor of an orchestra, combining the brute strength of many point solutions “instruments” into one cohesive orchestra of solutions.
Click to enlarge. [Source: Marlin & Associates]
One might wonder, with so many software vendors to choose from, often with very subtle differences in approach, how we or anyone else can sort out the winners from the losers. It’s not easy. As a start, we assembled a market map that we use to help us better understand industry relationships across different dimensions. It’s complex and makes use of logical groups such as those involved in Prevention, Neutralization, and Remediation. My colleague Sam and I are available to explain more; please feel free to reach out.
In the time it took you to read this, another hack has occurred, millions of records have been compromised, money has been stolen, and both the threat from cybercrime and opportunity for this industry has only gotten better.