Skip to main content

Roaming the high-energy halls of CES 2016 (Consumer Electronics Show) in Las Vegas in January raised the expectation of a big spike in M&A targeting cybersecurity technology -- again.

It's not only that CES hosted its first CyberSecurity Forum this year, with a specialized agenda focusing on the issue. The internet of things (IoT) dominated the show, presenting abundant new-business opportunities, all of which come with formidable cybersecurity challenges. Likewise, car-makers were a predominant presence at CES, touting the connected cars of the very near future -- another prospect rife with large, obvious cybersecurity challenges. Both the IoT and connected car opportunities require ecosystems of cooperating enterprises to realize their full potential. That will drive new forms of partnering, such as industrial mash-ups; they will also exacerbate the cybersecurity challenges involved.

Consider the scope of those cybersecurity challenges. IoT systems in every industry and connected or autonomous cars, in particular, will dramatically multiply the number of "endpoint" devices (or nodes) in information system networks, as well as the volume of information exchange being transmitted. Those endpoints and those transmissions must all be protected. The billions of communicating sensors envisioned as part of IoT networks are essentially endpoints that need protection. The complexity and multidimensionality of the cybersecurity challenge are about to skyrocket -- at a time when many feel that the "good guys" are already falling behind the hackers.

By EY's reckoning, the value of deals targeting cybersecurity leaped 160% in 2015, to $26.8 billion from $10.3 billion in 2014 (I am global sector head for EY's transaction advisory services for the technology sector). And volume increased 46%, to 287 deals from 196 in 2014. But, investors may want to note, this is likely only the start of long-term growth.

We've been studying this issue in part because it's the same disruptive cloud and mobile technologies we saw enabling the digital transformations now sweeping through all industries that have increased businesses' cyber vulnerability. Consequently, nation states with geopolitical motives, "hacktivists" with ideological motives, organized crime with financial motives and a modern cyber version of corporate espionage are all rapidly emerging to exploit that increased vulnerability.

But what will drive the imminent spike in cybersecurity M&A is that organizations throughout the world are all waking up to the true nature of this challenge simultaneously. Their realization demands they look way beyond their IT infrastructure to fully understand their cyber risk. They must think more broadly about all their business relationships and assess their cyber threat environment from economic and geopolitical perspectives as well. Such cyber threat assessments will be far broader than in the past and will require new approaches and new technologies.

Ironically, M&A presents cyber threat actors with particular opportunity. M&A is one of the few times when all functional areas of an organization collaborate to understand and assess risk. A large amount of documentation and data goes back and forth between the companies. That volume of activity creates an extremely attractive opportunity for cyber threat actors, so companies must make an extra effort to protect their M&A process.

Furthermore, because their technology increasingly underpins other global industries, technology companies are particularly attractive cybersecurity targets. If an intruder manages to insert malicious code in a tech product that is then sold to customers, that intruder could potentially infiltrate the tech company's customer base. So tech companies must go further when building cyber defenses.

In fact, our report suggests that cybersecurity is one of those areas in which the best defense is a strong offense. Tech companies in particular, and all companies in general, should proactively hunt for what cyber experts call "advanced persistent threats" (APTs) that may already be lurking in their corporate networks or in the networks of their business partners and M&A targets. Corporations must become proactive cyber hunters, and stay keenly focused from pursuit through actual acquisition/merge.

All of these factors, taken in aggregate, point to a strong year ahead in cybersecurity dealmaking.

Questions? Please contact me

The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.