DataTribe Insights - Q2 2021:
With Empty Gas Pumps, Cyber Risks Get Real
The DataTribe Team
Even as corporate earnings show consumer and business spending resuming with pandemic restrictions easing, cybersecurity is center stage for more people now than ever. In December 2020 and February 2021, respectively, the SolarWinds and Microsoft Exchange compromises were breaches — unprecedented in significance and breadth — that underscored the vulnerability of even the biggest and best companies. In Q2 we saw ransomware attacks make headlines and threaten to disrupt everyday life at the gas pump and supermarket. Attacks at Colonial Pipeline, JBS, and Kaseya show the increasing scope and complexity of securing a digital society.
With cyber crime remaining ever-present, so too is the demand for cybersecurity solutions. Investment into the space is increasing at all company stages in both deal volume and valuations. According to PitchBook, in the first half of 2021, cybersecurity companies have raised 96 percent of the capital raised in all of 2020. Even though most of that capital is in later stage companies, seed stage cybersecurity founders are expecting higher valuations as more money chases cybersecurity overall. While money seems plentiful, that does not mean raising it is any easier. Companies that lack evidence of product market fit still find it challenging to raise capital.
Given the increasing amounts of capital invested and higher valuations, we can not ignore today’s frothy similarities to the dot-com bubble when money seemed endless and talent became scarce. Granted today’s NASDAQ PE Ratio of 25 is nowhere near March 2000 levels of 175. As part of the dot-com bubble, telecom proved to be over-invested with little differentiation between companies. Because the cybersecurity landscape is increasingly crowded, the question bears asking again here – is cybersecurity over-invested? Probably not, given the ever-increasing digital threats that drive demand for cybersecurity — a factor setting this apart from the market conditions of the late ‘90s.
Return to Office: Slack vs. Impromptu Encounter
In the press and among our own team here at DataTribe, there has been much debate about what the post-pandemic norm for office work will be. While we know that organizations will return to the office for work, most of the startups the DataTribe team has talked to have founders distributed across different cities, and plan to grow their businesses with remote work as the standard. We are hearing that remote work is critical in attracting knowledge workers and can be a disadvantage for companies who do not offer it. It raises the question, how will startups create culture with remote workers? Certainly, tech companies like Automatic, Expensify, and Zapier have proven it is possible. So as more startups scale with remote teams, DataTribe is watching to see how the tools, including security, adapt to serve them.
Q2 Cyber Deal Activity: Tracking the Pandemic Recovery
Q2 2021 showed promising deal activity, with completed deals for both seed and series A nearing historic highs. More importantly, the numbers reflect a full recovery from the effects of the pandemic, exceeding reported deals completed in the past two years. This quarter’s high of 25 reported seed-stage cybersecurity deals was last topped in Q1 2019 with 32.
The upward trend in investment in cybersecurity is representative of all early-stage venture investments. Cybersecurity remains a small fraction of all investment, averaging little over 3% each quarter over the past 5 years, and remaining on that course throughout the pandemic and the current bounceback.
In Q1, we reported a significant spike in valuations in cyber, a trend also widely reported across all venture investment categories. In Q2, valuations in all verticals continued to increase, while cybersecurity fluctuated back down. However, if you draw a trendline over the past five or 10 years, valuations in both cybersecurity and all verticals, at both seed and series A are up. For example, median seed stage cybersecurity valuations were down 71% since 2020, but up 4.9% since 2018. Valuation data tends to be noisy, so it remains unclear if this quarterly downtick is indicative of a larger trend or simply an exception. We will keep an eye on this as the rest of the year plays out.
In Q2, we saw the rising amounts of capital invested remain consistent in both cybersecurity and all verticals. In Q2 2021, Pitchbook data on seed round sizes in cybersecurity reflected a 33.3% increase over Q2 2020, and a 300% increase over round sizes in Q2 2011. For series A cybersecurity deals, we saw a fluctuation down -14.3% Q2 2021 vs Q2 2020, but a 200% increase over round sizes in Q2 2011. Both seed and series A cybersecurity deals reflected a 100% increase when comparing Q2 2021 to Q2 2016.
Bills Aimed at Big Tech Risk Unintended Consequences
In June, Congress initiated six bills aimed at regulating big tech companies, and in early July, President Biden issued his Executive Order on Promoting Competition. Both have generated much debate on their impact on the innovation economy. Ultra-large tech companies such as Facebook and Google present a long list of issues — ranging from society-destabilizing amplification of disinformation to stifling innovation by blocking nimble startups. Given that these companies are approaching the scale of nation states, it is not a bad thing to look more closely at regulating them. However, Congress needs to be careful that well-intended policies do not damage the vitality of the U.S. technology sector.
Since we are in a post-Sarbanes-Oxley world where the bar on IPOs is higher, the most likely positive outcome for founders, startup employees, and investors is for a startup to be acquired by a larger company. While it seems intuitive that we want to disincentive a Facebook from snapping up the next Instagram, the approach proposed in the Platform Competition and Opportunity Act has more downside risk of damping M&A, reducing exits, and in turn disincentivizing startup formation and innovation in the most vibrant part of the economy — tech.
In a world where the transaction costs to acquirers are higher due to additional regulation, many acquisitions that would otherwise be done simply will not be pursued. This would prolong the path to exit for founders, add risk to startups, and lower the return to investors. Importantly, most of these smaller transactions that could be affected by making M&A harder are not the anti-competitive type that the legislation is targeting.
These policies are incredibly complex and striking the right balance will be hard. The place to focus is on updating antiquated laws to better define anti-competitive behavior and monopoly power in a digital economy. Inserting additional regulatory oversight into the M&A process — even if it’s only applied to the largest companies — is not the way to go.
Thought of the Quarter
New Approaches to API Security Are Emerging
Here at DataTribe, we are seeing founders seeking funding for startups focused on configuration management, and cloud, API, and data security.
The prominence of cloud applications has given rise to application programming interfaces (APIs), which standardizes communication between applications. According to Akamai Technologies, 83 percent of all web traffic now goes through APIs. It’s become a significant attack vector. While much has been written about early API security entrants like Salt Security, NoName Security and ThreatX, and we’ve seen several taking different approaches.
One of the aspects of the new approaches centers around tooling that helps developers to implement secure API patterns in the first place — as opposed to tools that seek to monitor API traffic and behaviors in order to make them more secure.
New Administration’s Impact on Cybersecurity
In May, the Biden Administration put out the Executive Order (EO) on Improving the Nation’s Cybersecurity. The EO focused on accelerating adoption of security best practices around identity and authentication management (IAM), via zero trust, and cloud security.
The European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), both implemented in 2018, drove the development of a new compliance industry. Companies are now responsible for protecting consumers’ data and have consequences if they do not. Startups, like BigID and OneTrust, emerged to help companies comply with the regulation.
This EO is supported by a formidable security team, and a newly created National Cyber Director role, all of which should expedite implementation of the order, and help drive its impact. IAM and Cloud are well served sectors, DataTribe has seen several innovative seed stage startups working on the next generation of IAM and Cloud Security solutions. We will continue to watch if the EO helps to accelerate adoption of next generation technology like these in addition to the existing solutions.