Investment banking: concept, fundamentals, and the role in the cybersecurity ecosystem
Explaining fundamentals of investment banking - what it is, how it works, the role it plays in cybersecurity ecosystem, and the trends defining what it will be focused on in the upcoming years
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
Protecting confidentiality, integrity, and availability of data remains one of the most important needs of every organization, which in turn continues to drive the growth of security startups. In my blog, I have been breaking down the complexity of the cybersecurity ecosystem, explaining the roles and trends surrounding channel partners, venture capital firms, insurance firms, and the government, to name a few.
In this deep dive, I am looking at another little-known player in the security industry - investment banks. I will cover the fundamentals of how they work, their role in the security industry, and the trends defining what they will be focused on in the upcoming years.
Fundamentals of investment banking
Investment banking (IB) is a type of banking that organizes complex financial transactions such as mergers and acquisitions (M&A) and initial public offerings. There is a lot that goes into making these deals happen, but fundamentally, there are three main components of investment banking:
M&A, buy-side. Companies hire investment bankers to advise them about purchasing an asset (a company), help with due diligence, including market and financials, navigating M&A capitalization tables, and other nuances.
M&A, sell-side. Companies hire investment bankers to help them get acquired. Investment bankers prepare marketing materials based on their understanding of the market and its sectors, buyers, characteristics that make companies attractive to buyers (total addressable market, key investment highlights, financial forecasts), and so on. Investment bankers help position the company and get it ready for sale, which includes due diligence, preparing the data room (a collection of all documentation needed for review), and other necessary work.
IPO help. The IPOs of CrowdStrike, SentinelOne, Zscaler, and Okta, to name a few, were handled by the Bank of America, while the IPO of ForeScout by Momentum Cyber. Experienced IBs have a deep knowledge of the security space and can execute the deal efficiently.
Investment bankers make money by charging fees. Unlike consultants who typically charge hourly fees, IBs only get paid when the deal they were hired to execute - the IPO, purchase, or sale - gets completed. Because the compensation relies on achieving a successful outcome, investment bankers are incentivized to know the segment they operate in and to have strong relationships with people in the industry. Someone from a potential acquirer can call in anytime and ask about trends in any market area, who the players are, what makes one company better than another, and so on.
The other aspect of investment banking is helping to finance these transactions. Bank of America, Barclays, Morgan Stanley, and other large financial institutions help acquirers fund their transactions. We are talking about billions and hundreds of millions of dollars - the kind of money that most companies don't have sitting in their bank accounts.
Lastly, investment banks can play a role in helping companies access funding, especially if we are talking about raising large amounts of capital from institutional investors. At an early stage, investment decisions are made based on the vision, product, and technology - parameters that are not easy to understand for many investment banks. That’s when the founders know best, and can get VCs excited about the future they are building. At later stages, raising capital becomes less and less about the vision and more about the hard numbers and P&L (profit and loss) statements. Banks have great expertise in translating the numbers to the investors and can do it much better than many founders who can be very technical and customer-focused, but not as well-versed in finances. Additionally, at later stages, cybersecurity companies no longer need as much value-add in the form of industry-focused knowledge and connections, so the pool of potential investors is much broader, and that’s where banks can provide a lot of value in the form of access.
Cybersecurity industry from the investment banking perspective
The short-term outlook of the space
A decade ago, there were only a handful of public cybersecurity companies, and the number of startups was substantially lower than what it is now. The sector picked up in the past five to seven years. Today, several aspects define the outlook of the industry from the IB perspective:
Several big companies are likely to go public at some point - Arctic Wolf, Recorded Future, Snyk, Netscope, Lacework, Illumio, and a few others. There aren’t many businesses in the industry that have reached the $150-$400 million ARR bar, so the IPO pipeline is very small, especially if taken as a percentage of the total number of cybersecurity companies.
There are many companies in the middle with about $25-$100 million ARR which will need to get acquired. Companies in this range won’t become IPO scale and are likely to hit the limits of their growth potential in the short term. When the markets are hot, such as what we've seen in 2021, businesses in this bucket can go public even though their fundamentals might not be fully in place. Today, we see the markets rationalize, and the bar for IPO has gone up. There are several big strategic consolidators - Cisco, Palo Alto, and Arctic Wolf, which have historically been buying smaller companies. SentinelOne and CrowdStrike are important players but their market capitalization is substantially smaller, hence their ability to acquire companies in the space is fairly low.
While the pipeline of deals for IPO is very small, there is a big market opportunity for mergers and acquisitions. This understanding makes investment banking in security hyper-focused on the M&A segment (both the buy- & sell-side).
Given the number of vendors, and the fact that in the past few years, many cybersecurity companies received capital at high valuations, a particular area of interest is strategic M&A opportunities. In an environment like what we’ve seen in 2020-2021, when companies with $10-20 million ARR have billion-dollar valuations, strategic acquirers are finding it hard to make acquisitions. While Palo Alto has been known for buying companies with little revenue at high prices, plugging them into their platform, and executing tremendously well on turning them into fantastic revenue generators, very few other companies have done that.
Whether the economic situation stabilizes soon or not, companies will need to find paths to survive and continue growing. It is inevitable that a percentage of the startups will struggle to maintain the same valuation after the funding runs out, and will be looking to do down rounds or to get acquired. In both cases, investment banks will see their deal flow increasing.
The complexity of making cybersecurity M&A happen
Cybersecurity is an important part of the broader tech ecosystem. To illustrate that, it’s worth looking at some of the cybersecurity deals of 2022 – KnowBe4, SailPoint, Ping Identity, ForgeRock, Datto, VMware, Citrix, and CSI, - each worth over $1 billion. The total addressable market for cybersecurity investment banking is big because it includes all the IPOs that happened in the last few years, all the M&As, all the private companies receiving funding, and so on.
It is also a challenging space as the number of strategic acquirers is much smaller than in, say, enterprise software. In cybersecurity, there are fewer financial sponsors and a lot fewer strategic purchasers who are known for buying security startups.
Importance of domain knowledge for investment banking
Cybersecurity is a deeply technical and nuanced discipline that can be hard to navigate for outsiders. I have previously explained how this impacts the ability of VCs to make investment decisions; the same is true in banking.
A deep understanding of the cybersecurity industry can act as a differentiator for investment bankers working in the field. Not only is it useful when talking to corporate development teams and founders of security startups, but it can also impact the ability of bankers to do their jobs. Potential acquirers want to know who are the players in different segments, which unique angle each of them is approaching the market from, why the sector as a whole matters, who is using the products, what the use cases are, and so on. Investment bankers who are well-versed in the fundamentals of the security market are therefore able to offer much more value to their clients.
In cybersecurity, technology is a key factor that separates the winners from everyone else. The challenge is that financial investors do not think in terms of security capabilities, they think in terms of financial performance. Investment bankers are well-positioned to become a translator between providers of capital and visionary entrepreneurs.
Where domain knowledge becomes even more critical is when the investment bank is working on a specific deal. At that time, the focus is on financials - modeling financial projections for the upcoming three to five years and understanding the return on investment. It is, however, not possible to get the financial forecasts right unless the CEO, the founders, and the investors trust the banker to truly understand what the company does. The most fundamental question in security is the same, regardless of the market segment or the length of the category abbreviation: what problem is this tool trying to solve? If a banker cannot answer this question, he or she will likely produce numbers that are out of touch with the reality of the business.
Deals that involve strategic buyers require banks to be able to tell a story that is not based on numbers. Why is this company going to be a good addition to the company’s portfolio? Without domain expertise, it is hard to make a case for why a cybersecurity company should buy one product over another.
To close gaps in their knowledge, investment analysts have access to Gartner, IDC, and Forrester reports, as well as industry blogs, experts, startup founders, security leaders, investors, and other people who can help them build an understanding of the security industry.
Types of investment banks operating in cybersecurity
There are many ways to categorize investment banks working with cybersecurity deals. One of them is to look at their security expertise.
Generalist investment banks with focus and expertise in cybersecurity
Many investment banks work across different industries but have a particularly strong domain expertise in cybersecurity. Often these are large institutions that realize the need to deepen their enterprise software specialization and have someone specialize in security.
There are plenty of examples of IB firms that fit into this category. Marco Poletti is Goldman Sachs’ head of Cybersecurity Investment Banking; Keith Skirbe is Houlihan Lokey Global Technology Group's Managing Director covering the cybersecurity sector; Bank of America Merrill Lynch has two Managing Directors in Software and Cybersecurity Investment Banking - Pratik Mehta and Rajeet Chatterjee.
One of the advantages that powerhouses such as Bank of America have over smaller players is their connection to buyers outside of security. This is important because we see that it’s not just cybersecurity enterprises who are looking to buy security startups. I have previously looked at the role played by cloud providers and private equity firms, but there is much more: defense contractors, service companies, and even leaders in other sectors such as energy, manufacturing, media, and insurance, are interested in adding security capabilities to their portfolios. A case in point is Ivanti: the company competes with ServiceNow and wasn’t known as a security buyer, but in 2020 it acquired MobileIron. ServiceNow itself has been buying security companies and expanding its presence in the industry in the past five years.
One of the reasons why the market of potential acquirers of cybersecurity is much broader is that a lot of what we are used to seeing as security categories are actually much more generic use cases, just implemented in security. We are likely to see more smart acquirers focus on use cases and what the product is capable of doing, not just the abbreviation the company is trying to sell it under.
As more and more companies outside of security see cyber as strategic play, we will see more and more M&A happen outside of the traditional cybersecurity sector. This is where investment banks with large connectivity across industries and segments are able to add a lot of value.
Generalist investment banks with no cyber expertise
The second category of investment banks is those where cybersecurity deals are handled as a part of enterprise software. While it is not always easy to make a definitive judgment about what firms fall under which category, it is safe to conclude that the vast majority of IBs do indeed lack access to professionals with a deep understanding of security, which, in turn, makes it hard for them to access deals from the industry.
Cybersecurity is a very nuanced and highly technical discipline, and thousands of vendors in the space do not make it easy for “tourists” to make sense of this complexity. Founders of security companies naturally prefer to work with advisors who can appreciate this complexity, and understand their pain points. The same is true for the “buy-side” and corporate development teams that need to be able to rely on investment bankers for important decisions.
Industry-focused investment banks
The last category only includes one investment bank - Momentum Cyber - the industry’s only boutique investment bank focused exclusively on cybersecurity advisory.
The fact that Momentum’s team only works with cybersecurity companies, makes it easier for them to develop a deep understanding of the trends, and build relationships with industry leaders, cyber-focused VCs, and other players in the ecosystem. Momentum Cyber industry reports are one of the best sources about the investment side of cybersecurity.
Every investment bank has its cut-off point; bigger institutions have a higher bar for the deals they work on because their cost is much higher. Unlike large investment banks such as Bank of America and Morgan Stanley which typically only do transactions worth over $200-250 million, Momentum Cyber does a fantastic job also covering deals worth $50 million and up.
What cybersecurity startup founders need to know about investment banking
Investment bankers are deal brokers - their job is to find startups ripe for sale and help them sell themselves, help acquirers complete mergers and acquisitions, and help companies go public. While these are the most common ways in which startup founders would engage with investment bankers, there are also others such as fundraising and valuations. Below is a quick overview of some factors founders should know about investment banking.
Investment bankers and fundraising
One of the ways investment bankers add value to the ecosystem is by connecting founders to investors willing to provide startups with capital. Instead of investing their own money, investment bankers act as brokers and charge a success-based fee. Some IBs also charge a retainer fee.
All of this is not typically available to early-stage startups: services of investment bankers are not cheap, and they won’t typically get involved in transactions below a certain threshold. In other words, for founders looking to start their companies, investment bankers offer no shortcuts.
Where investment bankers can become useful is at later stages, when the company is looking for large amounts of capital to expand its operations (series C or later, typically around $50 million and higher). At this stage, investment bankers can offload a lot of the fundraising process off the CEO’s shoulders, taking care of reaching out to new investors, negotiating deals, and the like. Notably, if a startup is growing fast and there is enough interest from VCs, it will likely not need to engage investment bankers at all.
In 2021, there was a lot of fear of missing out on the investor side, and a lot of deals were made with little thinking about paths to profitability and sustainable growth. Many companies did not have solid plans in place but were able to make things work because of the overall market conditions. Today, the market has changed dramatically, and finding capital is no longer that easy and barrier-free; having someone who can help shape the story from the financial as well as vision standpoint is becoming increasingly important. For companies at later stages looking for funding, investment banks can be a great fit as they can build conviction much quicker by leveraging their expertise in finance, telling the company’s story, and reaching a large pool of strategic investors.
Investment bankers and M&A
As I have previously discussed, it is very uncommon for early-stage cybersecurity startups to go through a merger; the vast majority of successful exits are acquisitions.
The way investment banks add value would depend on whether the startup is looking to sell itself (“sell-side”) or to buy another player (“buy-side”). Since the second scenario won’t be relevant to most early-stage founders, here is a brief explanation of what an investment bank would do when hired by a startup looking to get acquired:
Analyzing the acquisition activity in the segment, understanding M&A trends, setting the valuation for the company, and advising it about the timing of the transaction
Researching what makes companies in the particular cybersecurity segment attractive to buyers, and creating marketing materials to represent the startup in the best light possible
Identifying, connecting with, and handling communication with prospective buyers
Establishing a process to accept and evaluate formal bids for the company
Collecting and organizing all the documentation needed for due diligence, and helping the startup to ensure that it goes smoothly
Providing help in negotiating the terms of the sale
Typically, when a startup is actively looking to get acquired, there are reasons for this pressure - either it understands that it won’t be able to go public, it is running out of money, the founders are looking to move on, the competition is heating up and it needs to exit quickly, or a combination of these. One of the companies that have reportedly engaged an investment bank and are looking to get acquired is Cybereason.
Investment bankers and IPOs
Investment bankers play a critical role during the IPO, enabling founders and investors to cash in and earn the returns they have worked so hard for. In this process, bankers act as intermediaries between the company and the public, helping secure commitments from institutional investors, and underwriting the IPO (meaning deciding what the opening share price should be).
One clarification worth adding here concerns institutional investors. Many people assume that an IPO is when a company makes its shares available to the general public, so individuals like you and me can buy them. This is an oversimplification and is also quite far from reality. The main investors in any public company are institutions - international banks, pension funds, investment corporations, and others. One of the jobs of investment bankers taking care of the IPO is to make sure there will be enough interest from these large buyers; a company cannot go public simply by allowing people to buy individual shares online. During the underwriting, an investment bank typically buys a certain portion of the new stock, which it then resells at the stock exchange.
Closing thoughts
In recent years, we have seen large investment banks understand the importance of developing domain expertise to be successful in cybersecurity. Bank of America and Momentum Cyber are great examples of how it can be done.
Investment banks are important yet underappreciated and often misunderstood players in the cybersecurity ecosystem. It is useful for cybersecurity founders to know what they are, how they fit in the broader picture, and what problems they solve for their clients. While most (if not all) cybersecurity startups won’t likely be exposed to investment bankers until their company has received investment, validated its product-market fit, and built a sustainable business model, knowing what they do can help give a better view of this complex yet fascinating industry.