Cybersecurity Software Companies – December 2023 Update
Valuations of cybersecurity software companies rose precipitously over the several years leading up to 2020 and 2021. However, valuations subsequently declined through the end of 2022 and into the end of 2023. This article will examine some of the trends currently impacting the valuations of publicly-traded cybersecurity software companies.
This article updates our June 30, 2022 analysis.
Important notes: This article examines potential driving factors for cybersecurity software company valuations from a financial statement perspective. An actual business valuation requires an in-depth analysis of the business operations and associated risk factors that are not always evident from the data on financial statements. Also, to keep the length manageable, this article will focus on what the author interpreted as the primary value drivers. It will not touch on every observation in the data. For a quick read on the basic concepts of risk and return and how they apply in the context of this article, please visit: What is Value? and Risk and Return in the Market Approach.
The industry constituents for this analysis are listed below. The effective date of this analysis is December 29, 2023. A number of companies were removed from the group analyzed in June 2022 due to mergers/acquisitions (Mandiant, SailPoint, Tufin Software, and Ping Identity) or delistings (CYREN). We added DoubleVerify and Integral Ad Science as these companies now have over one year of trading history.
Figure 1 summarizes three items for the cybersecurity software companies:
- Total enterprise value calculated as the sum of market capitalization and interest-bearing debt less cash;
- Median revenues; and
- Median earnings before interest, taxes, depreciation, and amortization (“EBITDA”).
The latest fiscal year is notated “LFY” (calendar 2022), while the latest 12 months is labeled “LTM” (latest available information as of December 29, 2023).
Figure 1 illustrates a significant rise in the enterprise values of publicly-traded cybersecurity software companies through 2020 and 2021, and their subsequent decline in 2022 despite a steady increase in revenue. Valuations rose in 2023 as revenue continued to increase.
Cybersecurity continues to be a primary concern of all companies, with the average cost of a corporate data breach at $4.45 million. Statista estimates that cybercrime will increase 69.9% between 2023 and 2028. IBM estimates that “the average savings for organizations that use security AI and automation extensively is $1.76 million compared to organizations that don’t.” These figures explain the significant growth that the cybersecurity software industry has seen over the last several years and the expectation for continued growth going forward.
Valuation Multiples
Figure 2 presents the historical trend of revenue multiples for the industry.
Based on the trends observed in Figure 2, median revenue multiples rose dramatically through 2021, before declining in 2022. Multiples appeared to stabilize to a degree in 2023. Let’s dive into what seems to be impacting valuations.
The Growth Story
Growth often has a strong influence on how companies are valued. A summary of the consensus forecasts for each group is presented in Figure 3 below (note that “NFY” means next fiscal year; NFY = calendar 2023 for most companies).
In Figure 3, the orange line represents data as of December 2022. The blue line represents information as of December 2023. Revenue projections in 2023 were lower than projections in the prior year. These tempered growth estimates in projected revenue growth may be the culprit for the decline in median revenue multiples seen in Figure 2.
We also looked to identify a meaningful correlation between projected growth rates and observed valuation multiples. See Figure 4 below.
In Figure 4, the companies with the highest growth rates appear to have traded at the highest multiples, while companies with lower growth rates appeared to have sold at lower multiples. However, the dispersion in the data suggests that other factors are likely playing a role in industry valuations.
The Size Story
Larger companies are generally perceived to have lower levels of risk relative to smaller companies. This dynamic can be due to several factors, including improved product or geographic diversification, deeper management teams, access to various distribution channels, and better availability of capital.
Figure 5 presents a possible correlation between size (measured by market capitalization) and LTM revenue multiples.
The data in Figure 5 suggests that larger companies tend to trade at higher valuation multiples. There is variation in the data, which suggests that size is not the only determinant for how investors are pricing these companies. Companies with market capitalizations greater than $10 billion are not pictured above.
The Profitability Story
Revenue multiples are typically heavily influenced by profitability. We usually observe higher revenue multiples in companies with higher levels of profitability. In Figure 6, we plot NFY revenue multiples against NFY EBITDA margins.
For certain companies, profitability appeared to impact the magnitude of their revenue multiples. Those companies with the highest margins generally traded at the higher revenue multiples.
Interestingly, the companies with the highest revenue multiples did not seem to be meaningfully impacted by profitability. These companies were among the largest of the industry constituents (CrowdStrike: $61.3 billion market capitalization, Cloudflare: $28.0 billion market capitalization) and had the highest expected revenue growth rates. Size and growth likely impacted the magnitude of these companies’ valuation multiples.
The Leverage Story
Debt usage tends to increase financial risk to equity holders. Debt holders have a senior position within a company’s capital structure, and debt servicing occurs before any cash flow benefits (i.e., dividends) are issued to equity holders. Greater levels of perceived financial risk to equity holders tend to reduce valuation multiples.
One measurement of leverage is the interest coverage ratio, which measures a company’s ability to pay for its debt obligations (interest expense). In Figure 7, we plot LTM revenue multiples against their associated interest coverage ratios (where available).
Based on the data, companies with better interest coverage ratios (i.e., better ability to service their debt obligations with operating cash flows) tended to trade at higher revenue multiples. Notably, CyberArk, CrowdStrike, and Cloudflare did not follow this trend as they were among the largest companies in the group and are expected to generate the most significant levels of revenue growth in the future.
Tying it All Together
The trends observed in this article suggest that the valuations of publicly-traded cybersecurity software companies appear to be influenced by growth, size, profitability, and financial leverage. A summary of these observations is presented below and compared to observations as of June 2022.
Based on the analytics above, it appears that investors continue to place high importance on growth rates and size/scale. Importantly, profitability and leverage appear to have increasing degrees of influence on valuation multiples, which aligns with other industries we have analyzed in 2023.
I hope you found this analysis helpful. Any input, feedback, suggestions, and questions (including disagreements with my high-level analysis) are welcome! Thanks for reading, and Happy New Year!
Here’s to a successful 2024 to all of my readers.