In April 2024, UK cybersecurity company Darktrace agreed to be bought by US private equity (PE) company Thoma Bravo in a $5.3bn deal.

Assuming it goes ahead, the deal will remove another home-grown tech company from the London Stock Exchange. It will also be the latest example of PE generally, and Thoma Bravo in particular, snapping up a cybersecurity company.

However, new US merger guidelines may mean PE companies are more likely to see regulators taking assertive action to examine and potentially block cybersecurity acquisitions.

The new rules put in place by the Department of Justice (DoJ) and the Federal Trade Commission (FTC) in December 2023 reflect concerns in the Biden administration about so-called ‘roll-up’ acquisitions by PE companies.

Under such acquisition strategies, a buyer accumulates market share through a series of relatively small acquisitions over time. The new merger guidelines aim to address the concern by noting that if an acquisition is part of multiple related acquisitions, the regulatory agencies may examine the whole series of deals. 

Cybersecurity ready for regulation

Some might argue that regulators have already been sharpening their pens on cybersecurity.

In December 2022, the DoJ asked US cybersecurity firm ForgeRock for more information about its planned $2.3bn buyout by Thoma Bravo. ForgeRock operated in the growing identity and access management (IAM) area of cybersecurity, and Thoma Bravo had already acquired two other IAM companies, Ping Identity and SailPoint Technologies. Despite investigating the deal, the DoJ eventually let the bid through, and it was completed in August 2023.

Thoma Bravo subsequently merged ForgeRock with Ping Identity, thus taking one competitor out of the IAM marketplace. The deal could perhaps be justified only by an argument that the merged company might be better positioned to compete with larger companies in the IAM space, such as Microsoft and Okta.

Thoma Bravo’s plans for Darktrace

Thoma Bravo’s plans for Darktrace will likely involve using the PE company’s market clout to help Darktrace expand its footprint in the US. It would be no real surprise to see Darktrace provided with investment funds for acquisitions of its own.

As of December 2023, Thoma Bravo’s cybersecurity portfolio represented around $45bn in total enterprise value. Other private equity companies such as Insight Partners, TA Associates, Francisco Partners, and Advent International have also made significant cybersecurity investments.

It will take time for the merger guidelines to take effect, but it is almost certain that PE companies’ cybersecurity acquisitions will face considerably more antitrust scrutiny in the future than in recent years.