Understanding Cybersecurity Market M&A Valuations

The cybersecurity market is on fire. M&A trends across cybersecurity and AI markets have grown faster than ever. After 22 years providing M&A due diligence and valuations, 150 valuations of technology companies in the last 7 years, we still see purely accounting based valuations that don´t reflect the reality of the company.

Cybersecurity, big data and AI valuations use a different math

As far away in time as 1999, Jay Leno, the famous TV star, interviewed Jeff Bezos at the start up stage of Amazon. He asked Bezos how a company that was not making profits, furthermore losses, had so high market valuations, while value was soaring fast. Bezos answered ironically, "seems like a different math, isn´t it?". It is a different math indeed. The valuation of a company adding its digital assets in a value driver that valuations should take into account.

An article in Harvard Business Review, issued in 2018 and signed by three accounting and valuations industry heavy weights explains how companies like facebook, Instagram or LinkedIn are valued far away up from their EBITDA results due to digital blueprint value drivers.

As a firms operates the digital blueprint value grows every day

While today accounting rules treat acquisitions and units created to support operations as expenses, digital blueprint valuations require deductions of all support outlays as expenses in calculating operating profits. Current accounting rules do not distinguish between support outlays, which is what we propose in profits calculation.

According to accounting rules companies do not have to disclose future projects on their accounting statements. Investors buying shares on digital ventures is like buying call options on ambitious undertakings with sweepstakes-like payoffs. Knowing not only outlays supporting current operation but also knowing revenue generation potential is key for investors to make decisions. Investors should think whether those expenses are investment premiums for purchasing call options or operating expenses.

Dividing the company in assets

A company has different business and support units that current accounting rules treat as assets like for example goodwill. Digital blueprint should distinguish units as assets that can be sold as standalone assets. The digital blueprint reflects the value of those assets, which also depends on who buys those assets, as the value is also different for different acquirers.

Experience is telling us we are on the right path

Just a simple question to answer: why companies like LinkedIn or Whatsapp has been sold for amounts that are not connected to EBITDA but to value on sale and value of the assets. In other words digital blueprint calculates value that conventional accounting rules do not reflect. According to media resources, WhatsApp 2013 results, one year before the 19B purchase from Facebook, were loss of 138M US$.

Experience is telling us we are on the right path

Value of the assets, grows much faster than revenue growth as the company operates its digital blueprint grows exponentially. Facebook, Google, Instagram revenues will never grow as fast as digital blueprint value does.

Our due diligence approach

We think there are not two due diligence assignments that are alike, furthermore each assignment requires to analyze different items to make sure we are on the safe side.

Knowing the business model in detail

Most due diligence companies do not spend time knowing the business model of the company in detail. For instance Starbucks business model is far away from selling coffee to people, as well as Zara´s business model is not selling cool clothes. Both companies sell different items that are originated with selling what they are suppose to sell. Zara sells cool clothing but their business model is built around selling at an incredible speed that they repay loans at zero interest. Starbucks sells a nice environment at exclusives places to have a coffee, therefore coffee is incidental. Then, knowing how the company generates revenues and value is critical to design the approach.

Define what is a red flag and what is not: Mind about the purpose

Taking the example above, for most companies 138M losses is a red flag, however not for

Facebook´s purpose. So knowing what is the purpose of the merger or acquisition is also critical for the due diligence design. The purpose also leads to know the value of synergies and whether those will happen or not and to what extent.

Map key items of culture

Corporate culture is a distinctive signature every firm has, difficult to copy, and certainly unique to each firm. In the past we saw several examples of failed mergers as Daimler-Chrysler, HP-Compaq, Amazon-Whole Foods. These are just a few of the famous ones, however culture clashes happen at SME´s all the time. Knowing culture distinctive marks is critical to the due diligence process as it is to define in detail what constitutes a red flag and what not.

Know the key revenue drivers but also the key cost drivers

While most companies measure the key revenue drivers, just a few measure the key cost drivers. A cost drivers is different from a cost source. For example, wages and office rentals are cost sources, while a cost drivers are costs happening behind the scenes as time invested in unnecessary activities. These cost drivers are often not calculated because they don´t show a cash outflow, but very often are higher than the ones in the outflow.

Cybersecurity due diligence approach

Cybersecurity investments are high growth investments known for being turbo-charged investments rather than a core portfolio investment. As turbo-charged investments payoffs happen quicker than in other industries, however they are exposed to sudden changes and faster evolution of risks.

Aside from regular checks we propose a focused approach on he cybersecurity business by reviewing the following items:

• Future projects feasibility and revenue forecasting

• Change speed and capability to be an "ambidextrous organization" that is able to implement current changes while exploring the future business and innovation needs.

• Insurance due diligence, reviewing not only available coverage but past claims and the information provided to the insurance company. Insurance companies rely on real world data to calculate premiums and deductibles. Knowing whats behind the premium and deductibles provide an idea of the risk profile of the company.

• Interview former employees, suppliers, clients to know what the seller or founder won´t tell you or may not know about their own company

• screen the management team, not only searching for red flags, but also for performance key drivers

• As cybersecurity requires top talent, make sure you identify the key people in terms of critical tasks performance and revenue generation, and ensure they are engaged for a reasonable period of time

• Bear in mind that forecasting revenues and costs involve the optimistic factor, which is mainly a human bias that makes forecasting too optimistic, higher than reality revenues and lower costs that actually will be incurred in

• Assess the innovation capacity of the team, as cybersecurity requires a constant innovation exercise

Summary

Cybersecurity investments may deliver high payoffs, however the approach to analyze a company and its market is different than with other firms. Technology companies have a blue print valuation that is often not reflected in the accounting statements. Innovation is a must, not a "good to have" and the analysis should involve real figures and scenarios. While sellers think their valuation is higher than what it is, buyers want to buy at lower prices, information asymmetry works in favour of the seller unless due diligence is focused on the right items, moving away from traditional red flags and valuations