The U.S. cyber security industry, once one of the hottest targets for venture capitalists, is now grappling with a funding slump that has forced some startups to sell themselves or cut spending.
Amid widespread concerns about cyber attacks and data breaches, hundreds of security startups have sprung up in recent years, promising “next-generation” technologies to fight cyber criminals, government spies and hacker activists.
But many of the new ventures have struggled to gain traction, finding it difficult to stand out from the crowd and provide customers with sophisticated enough security solutions to match the increasingly advanced cyber attacks they face.
“Investors are looking at balance sheets and saying, ‘You raised $100 million and you have nothing to show for it?'” said Promod Haque, senior managing partner at Norwest Venture Partners, which manages about $6 billion in capital.
Private investors pumped a record $3.3 billion into 229 cyber security deals last year, according to data from CB Insights. Venture capitalists, dealmakers and entrepreneurs said funding is drying up for all but the most mature cyber startups with substantial sales.
“Almost every other company I knew who was on the road raising money at the same time had to pull their rounds back and were not able to close,” said Michael DeCesare, chief executive of ForeScout Technologies Inc, a network security firm.
ForeScout reported more than $125 million in 2015 revenue and finalized a $76 million financing round last month. Other deals this year include $96 million in funding for risk analytics firm Skybox Security Inc, and Fidelity Investments’ $50 million investment in anti-virus software maker Malwarebytes.
It now takes six to eight months to close deals, up from about three to four months a couple years ago, said Sean Cunningham, managing director at Trident Capital Cybersecurity.
The founder of a cyber startup that raised money two years ago said he sought additional financing for several months but then gave up. The firm, which did not want to be identified, cut spending and plans to seek financing again in about six months.
Other startups are looking for buyers. A dealmaker at a large security company, who declined to be identified, said the number of incoming inquiries from businesses looking to sell themselves is up 40 percent this year, compared to the same time in 2015.
Last month, iSight Partners – which has uncovered major cyber campaigns from Iran, Russia and other nations – sold itself to FireEye Inc for $200 million in cash plus another $75 million in cash and stock if it meets certain sales targets.
Last August, iSight Chief Executive John Watters told Reuters he planned to take the company public in 2016 at a valuation of at least $1 billion. After the FireEye deal was announced, Watters said his plan changed because market conditions shifted, making it more difficult to raise capital to remain independent.
FireEye CEO Dave DeWalt said the tough funding environment would spawn more deals. FireEye also bought tiny security software maker Invotas for $30 million last month.
The value of cyber M&A activity more than doubled last year to $26.8 billion from $10.3 billion in 2014, according to data from consulting firm EY. The number of deals increased 46 percent to 287.
Cyber stocks had rallied in 2013 and 2014 on expectations the industry would benefit from a seemingly endless streak of headline-grabbing cyber attacks. Private investors, seeing the opportunity, piled onto startups.
“You had a lot of indiscriminate capital that came into the space,” said Bob Ackerman, founder of Allegis Capital and a longtime security expert.
The boom in cyber investing showed signs of faltering last year as earnings of publicly traded cyber companies missed expectations.
Too many startups copied technology already on the market, or products that hackers had figured out how to circumvent. Some highly touted products sold by private companies were found to be “obsolete from the moment they were launched,” said David Cowan, a partner at Bessemer Venture Partners.
Cyber stocks have since underperformed the broader market. FireEye, which this month warned that growth in cyber spending could slow this year, has fallen 35 percent over the past three months, compared to a 12 percent decline in the Nasdaq Composite Index. Qualys Inc tumbled 38 percent over the same period, while Palo Alto Networks Inc dropped 26 percent and the Pure Funds ISE CyberSecurity ETF fell 21 percent.
Robert Thomas, CEO of cloud security firm CloudPassage, which raised $36 million last July, said he expects the funding crunch for startups to last. “I feel fortunate that we got in under the wire and were able to raise (money) for the next two years to carry us through,” he said.
(Reporting by Heather Somerville in San Francisco and Jim Finkle in Boston; Editing by Jonathan Weber and Tiffany Wu)