6 questions CISOs should ask if their cybersecurity vendor is acquired

The sharp increase in funding and mergers-and-acquisition (M&A) activity in the cybersecurity industry over the last year has brought into focus the challenges that organizations can run into when their vendor is acquired by or merges with another company. Specialized, pure-play security companies are being bought by bigger and more generalized technology vendors or by private firms seeking to cash in on the cybersecurity boom.  

Data that S&P Global Market Intelligence compiled last November showed there were 151 M&A cybersecurity deals in the first three quarters of 2021 alone compared to 94 over the same period in 2020, 88 in 2019, and 80 in 2018. Many companies secured massive venture capital (VC) investments from private equity firms. Some were acquired outright by these firms. VC firms poured nearly $22 billion into cybersecurity firms last year, which was a record. 

The trend highlights the problems that companies face when security technologies and services that they have invested in are suddenly integrated into another platforms, sidelined, or taken off the market entirely. It has heightened the urgency for security leaders to pay attention to what is going on and know what questions to ask when another company acquires their vendor or service.

The chances of getting a straight answer from either the acquiring or the acquired company will often be dim, says Jeff Pollard, an analyst with Forrester Research. This will especially be the case if the acquirer has plans to significantly deprecate the other company’s technologies or services or lay off staff. Even so, it’s always a good idea to try to get as much information as you can, he says.

“To the extent possible, pin them down on what the vendor is going to look like when it is incorporated into the other company,” Pollard says. If the acquiring company says it is going to integrate the acquired vendor’s technology into their platform, ask what that means, he says. Will it be integrated into the user interface, or be part of a bigger platform?

Pollard and others identified six questions that security leaders need to ask if their vendor is acquired:

1. Will the product be continued or integrated?

Product continuity can be a major issue following an acquisition or merger. Products can be dropped or discontinued when the acquiring company has similar or overlapping technologies. Similarly, product road maps can be changed or shortened following an acquisition. A security team that invested in a particular technology on the assumption they could scale it as requirements change could suddenly discover the product is being fast-tracked to obsolescence after an acquisition. These things can happen when an acquiring company has a larger platform offering or is buying another company for their expertise and not necessarily their products, says Daniel Kennedy, an analyst with 451 Research, part of S&P Global Market Intelligence.

Ask whether the product you invested in will continue to be offered, in what form, and for how long. Will updates be available and for how long? If the technology is being melded into a larger platform offering, make sure to understand the acquiring company’s go-forward strategy for the product as part of the larger offering, he says, “Do I need to then install that larger offering or should I start to look for a pure-play replacement? What’s the go-forward licensing arrangement and costs?” Kennedy says.

Charles King, an analyst at Pund-IT, says the acquiring or acquired vendor should be able to provide insights into what customers can expect for at least two to four years, including whether they plan to retire or replace existing systems and technologies, “In some cases, that process is less complex or problematic than customers might fear,” King says. “But there are enough extreme examples that customers are wise to ask or demand that vendors provide as much clarity as possible.”

2. To whom will your vendor’s founder/CEO and other top executives report? 

Find out what the founders or top executives of the acquired or merged company plan to do after the transaction is complete. Often, sellers include terms in the sale agreement that make them eligible for additional compensation from the buyer of the sold business attains specific financial targets. The duration of these so-called earnout periods can range from between three and five years.

Find out what kind of earnout period the founders or executives of the acquired company have, says Richard Stiennon, chief research analyst at IT-Harvest. “Do the founders or executives have a limited earnout time frame? Are they going to stick around or cash out in 12 months?”

Make sure to find out what kind of roles they have at the new company, Stiennon says. Are they strategic roles or likely just titular in nature? “Sometimes the executives change the vision and direction of the acquirer and end up leading it,” he notes.

Pollard says that often when a large company acquires a much smaller vendor, the executives and founder of the acquired company can report to vice-president and general manager level executives at the larger company and not C-suite executives. This can happen if the acquirer, for instance, buys a smaller firm just for a specific technology. In these instances, the executives of the acquired vendor will have little ability to influence decisions that the acquirer might make about product roadmaps, support commitments and other issues, he says.

3. What is the acquiring company’s talent retention record?

Pay attention to the acquiring company’s talent retention and acquisition policies. Do they have a record of letting people go after acquiring a company? What are their plans for the existing team? If your security services company was acquired by another vendor, the talent retention record of the acquirer becomes especially important, says Kennedy. If you are paying a premium price for your security services, you need to ensure that you don’t end up with tier-1 help-desk level support after the acquisition, he says,

“An ideal place to be is that your vendor has acquired a complementary service that will benefit you,” Kennedy says, “or two vendors you already have relationships with are part of the acquisition and the combined capability is additive.”

Don’t hesitate to ask whether major personnel changes in sales, services and support staff might happen, says King. In many cases, those employees are the people who customers see and interact with on a regular basis and the ones they call and trust when problems or emergencies occur. “Those workers are also among the most likely to be downsized or replaced with the acquiring vendor’s existing staff,” King says. “That process can be extremely jarring, especially when the new vendor has a substantially different approach or dedication to customer service.”

4. Will the brand continue?

Sometimes an acquiring company will retain the brand of the vendor that they have acquired. The acquired company, however, often becomes an integral part of the acquirer. If the latter happens, there’s a strong likelihood that the product plans and roadmaps that your vendor had will change or be eliminated altogether and replaced with the acquirer’s roadmap and plans, says Stiennon. Knowing what the acquiring company’s plans on branding are can be useful.

“Will the product and company maintain its own brand?  This tells you if the product you have purchased will still be supported and continue to be improved,” Stiennon says. “If not, then the product will merge into a bigger platform or hit end-of-life and be retired.” In that case, be ready to purchase and use the acquiring vendor’s whole platform to get the features you had, he says.

5. Is the acquiring company a private equity firm?

Find out if the organization acquiring your security vendor is a private equity firm, Stiennon says. Private equity companies were involved in a lot of the investment activity in the cybersecurity space last year. According to Momentum Cyber, private equity firms purchased 130 cybersecurity firms in 2021. That’s more than any other year. Examples include Thoma Bravo’s acquisition of ProofPoint for $12.3 billion, a Symphony Technology Group-led consortium’s purchase of McAfee for $4 billion, and Bain Capital and Cross Point Capital’s $900 million purchase of ExtraHop.

Be cautious if the company acquiring your security vendor is a private equity firm, Stiennon says. “If so, watch out for financial shenanigans,” he says. “PE firms engage in leverage and either hope to roll up a lot of companies and package them for an IPO or they hope to flip the company in a sale.” Either of those outcomes could have a direct impact on your investment in the acquired vendor’s technology or service, he says. 

6. What is the acquiring company’s culture?

If your security vendor will be acquired or has been already, pay attention to the culture of the acquiring companies, says Pollard. Many vendors in the security space are expertise-driven and set up their companies with a practitioner’s mindset. Often, these companies were established to address a specific problem or set of problem. “The culture is often big on expertise and skills at these firms,” Pollard says. They have a real commitment and passion and know their stuff.”

If your vendor is one such company and was acquired by a much larger, product-centric, portfolio-driven company, bad things can happen. “There’s probably a two-year time span for you” to move he says. “You need to start thinking about product replacement and migration six months to a year out,” Pollard says.

In the best of circumstances, security leaders will quickly discover that the acquiring vendor understands the importance of the investments they’ve made and benefits they have enjoyed and intends to continue working with them in a similar fashion, adds King. “If not, it’s best for IT customers to understand what’s coming and determine whether they should start looking for new options.”