Log in

Sophos should become a more-stable and stronger competitor thanks to its acquisition by Thoma Bravo

18 October 2019 | Research

Tom Rebbeck

Article | PDF (3 pages) | Cyber Security

"Thoma Bravo appears to have selected a market segment to focus on; it is backing several firms in this segment, rather than trying to pick (or create) a winner."

Listen to or download the associated podcast

The USA-based private equity firm Thoma Bravo announced on 14 October 2019 that it was buying Sophos, a UK-based security firm. The purchase price was GBP5.83 per share; this is a 37% premium over the pre-deal price, and gives Sophos an enterprise value of GBP3.1 billion.

Private ownership should provide Sophos with the support and stability that it needs to pursue its strategy, without the distraction of the short-term concerns that are associated with being a public company. For example, during 2018, Sophos’s share price was hit by investors that were unnerved by uneven revenue growth, and this may have taken management attention away from longer-term ambitions. Thoma Bravo’s purchase further increases its exposure to a sector that it knows well. It will be hoping to repeat the success that it is having with other acquisitions.

Thoma Bravo is investing heavily in technology firms that supply small and medium-sized businesses (SMBs), particularly in the cyber-security sector

The logic of the deal for Sophos’s shareholders is clear given the premium over the share price that has been offered. The motives of the buyer are more interesting.

Thoma Bravo already knows the cyber-security sector well. Its website lists 12 security firms in its current portfolio, and a further 7 previous security-related investments. Current investments include Barracuda, which it owns, and McAfee, in which it has a minority stake.

Thoma Bravo is comfortable with competition between the companies in which it has invested, unlike some other private equity firms that prefer to merge acquisitions or explore collaboration between portfolio companies. Thoma Bravo appears to have selected a market segment to focus on (technology firms that supply SMBs); it is backing several firms in this segment, rather than trying to pick (or create) a winner. Many managed service providers (MSPs) focus on the SMB market, and as such, Thoma Bravo also owns or has stakes in Barracuda, ConnectWise, Continuum and Solarwinds, all of which supply MSPs. (Sophos is also active in the MSP space, and has a dedicated MSP division.)

Sophos has a number of strengths that make it an attractive prospect, in addition to fitting Thoma Bravo’s more-general interest in the security market. It is a European firm and generates most of its revenue from within the region, unlike most other major security firms that tend to be strong in North America and weaker elsewhere. The SMB focus is also unusual for a security firm; most security vendors pay little attention to this market. Sophos has invested heavily in supporting its channel partners, which is in keeping with its SMB focus. Additionally, Sophos’s core firewall and endpoint protection products are well-regarded and easy-to-use, which is valuable when targeting a market where few have specialist internal security skills. Sophos is investing heavily in improving its products further (its spend on R&D was USD144 million in FY2019; this is equivalent to 20% of its revenue).

Sophos does face challenges, however. The greatest threat to Sophos’s revenue is likely to come, not from other pure-play security firms, but from other technology firms that are adding security as a feature. For example, Microsoft’s security products that are bundled with Windows 10 are becoming ever more powerful and may, at least for some SMBs, provide sufficient protection.

Bundles of SD-WAN and basic firewalls are also becoming commonplace in the network security market. Sophos does have its own SD-WAN product, but this does not have the traction or market awareness of solutions from Cisco, Nokia (Nuage Networks) or VMware (VeloCloud), for example. The challenge for Sophos will be to make its bundle of security products (for example, its bundle of endpoint and network security) more valuable to customers than bundles of security solutions with other types of products (such as Microsoft’s bundle of endpoint security and its operating system).

Sophos’s performance in 2018 underwhelmed investors

Sophos’s results for its FY2019 (which ended in May 2019) were positive overall, and the company reported 11% year-on-year revenue growth. However, the uncertainty over its performance disappointed investors (Figure 1). Indeed, the price agreed by Thoma Bravo (GBP5.83) is more than 10% off Sophos’s January 2018 peak share price of GBP6.54. Quarterly revenue fell in the first quarter of FY2019, and then again in the second quarter. Even in the most recent results, the quarterly revenue of USD180 million is less than USD5 million above the comparable quarter in 2018.

Figure 1: Sophos’s share price, June 2015–October 2019

Source: Analysys Mason, 2019

Sophos can concentrate on longer-term goals as a private company

The Thomas Bravo deal should put Sophos in a better position to invest, both organically and through acquisitions. The declining share price meant that Sophos’s management was under pressure to improve the company’s short-term visibility, and this may have affected its ability to pursue a longer-term agenda. The deal with Thoma Bravo should increase Sophos’s potential to follow its long-term plan.

Thoma Bravo is a supportive shareholder, as can be seen with its other acquisitions, such as Barracuda Networks. Barracuda’s share price as a public company had suffered due to concerns over revenue growth (similarly to Sophos). Its share price fell from a peak of USD46.51 in April 2015 to just USD11 a year later. Thoma Bravo bought it for USD27.55 per share in November 2017. As a private company, Barracuda has been able to grow its annual revenue from under USD400 million at the time of acquisition to approaching USD500 million in October 2019. Barracuda now has a target to reach a revenue of USD1 billion within 3 to 4 years, with growth coming through a mixture of acquisition (two bolt-on acquisitions have been completed since the Thoma Bravo deal) and continued investment in R&D.

Thoma Bravo’s acquisition of Sophos will not change the cyber-security industry landscape. This deal is not trying to change the value chain for security services, unlike other recent mergers involving VMware/Carbon Black and Broadcom/Symantec. However, assuming that Thoma Bravo takes a similar approach to Sophos as it has done to its other acquisitions, the deal should help to make Sophos a more-stable and stronger competitor.


Article (PDF)