Search giant Google will acquire cybersecurity startup Siemplify in a $500m deal despite an increasingly hostile attitude toward such deals from governments around the world.  The UK’s new National Security and Investment (NSI) Act threatens to block Big Tech acquisitions, and similar proposals are circulating in Washington, Brussels and Beijing. It’s hardly a secret as to why market watchdogs are scrutinising these deals more and more.

“Yesterday, Apple’s market cap broached $3tn – and that’s a huge number. It rivals many national GDPs,” Lil Read, thematic research analyst at GlobalData, tells Verdict.  “These companies are powerful and it’s hard to stand up to them.”

But both politicians and regulators are trying. Lawmakers are increasingly arguing for stricter rules to choke the market dominance of the Silicon Valley goliaths. Similarly, regulators like the Federal Trade Commission chair Lina Khan are – even without new regulations – gearing up to bite into Big Tech’s market dominance.

“But these are big, big companies with almost as deep pockets. It’s not an easy battle to win from either side,” Read says.

Regulators haven’t officially opposed the idea of Google acquiring Siemplify – at least not yet. Nevertheless, acquisitions like it have become central to the argument over how much power huge companies should be allowed to wield.

Google and Siemplify deal one of many

Of course, none of this is mentioned in Google Cloud Security VP Sunil Potti’s official statement announcing the Siemplify acquisition. Instead he argues that the deal ties into Google’s goal of “advancing invisible security and democratising security operations for every organisation” and that “Siemplify shares our vision in this space.

“In a time when cyberattacks are rapidly growing in both frequency and sophistication, there’s never been a better time to bring these two companies together,” Potti adds. “We both share the belief that security analysts need to be able to solve more incidents with greater complexity while requiring less effort and less specialized knowledge. With Siemplify, we will change the rules on how organizations hunt, detect, and respond to threats.”

Interestingly, Google’s acquisition of Siemplify is not the only cybersecurity buy-out made recently by a Big Tech firm. Microsoft, for instance, acquired three cybersecurity ventures in June and July 2021. By the end of the year, there were roughly 40 cybersecurity acquisitions being made per month.

“It’s perhaps no surprise – cybersecurity is such a big issue,” David Bicknell, principal analyst at Globaldata’s thematic research team, tells Verdict. “The last two years have been dreadful from a cybersecurity point of view, we’ve had bigger and bigger ransomware attacks, more daring attacks.”

There has been no shortage of acquisitions made by Big Tech firms over the past year. Alphabet kicked off 2021 by completing its $2.1bn acquisition of Fitbit, which had been announced back in November 2019. Google also bought CompilerWorks and Provino Technologies in 2021.

Microsoft almost set a record in Q3 2021 by completing seven acquisitions during that period. It then rounded off the year by completing its $19.7bn acquisition of Nuance Communictions after the European Commission approved the deal, despite the UK Competition and Markets Authority having launched an antitrust probe into it just weeks earlier.

Not all acquisitions have gone so smoothly. Nvidia’s acquisition of Arm is still up in the air after regulators in the US, Europe and Asia launched probes into the deal.

In December, South Korean chipmaker Magnachip Semiconductor Corporation tore up a $1.4bn merger agreement with Chinese private equity firm Wise Road Capital, following a request from the US Treasury Department.

British regulators have similarly launched antitrust probes into Facebook’s $315m acquisition of Giphy.

Acquisitions like these could become even more difficult to complete due to the NSI Act and similar laws being proposed across the globe as well as regulators increasingly putting these deals in their cross-hairs.

The National Security and Investment Act

The UK NSI Act enables the government to scrutinise and intervene in certain acquisitions if those deals run the risk of harming national security. It came into force on January 4, 2022.

It requires businesses and investors to notify the government of certain acquisitions across 17 sensitive areas of the economy. These areas include artificial intelligence, advanced robotics, computing hardware, space technologies and data infrastructure. It doesn’t take a huge imaginative leap to see how cybersecurity acquisitions could fit into those categories.

“The UK is world-renowned as an attractive place to invest but we have always been clear that we will not hesitate to step in where necessary to protect our national security,” said business secretary Kwasi Kwarteng.

“The new investment screening process in place from today is simple and quick, giving investors and firms the certainty they need to do business, and giving everyone in the UK the peace of mind that their security remains our number one priority.”

The law is not geared towards choking the market dominance of Big Tech firms, but it can clearly present them with a few stumbling blocks along the way.

Other proposals are more direct. In the US, Republican senator Josh Hawley presented a Big Tech bill in April. If passed, the proposals would bar any company with a market value exceeding $100bn from ever buying another business again. The proposal has several similarities to an antitrust bill introduced by Democratic senator Amy Klobuchar in February.

“This country and this government shouldn’t be run by a few mega-corporations,” Hawley said at the time.

The European Commission is similarly gearing up to introduce the Digital Markets Act and the Digital Services Act, a package aimed at boosting competition and choking unfair market dominance.

And that’s beside the individual antitrust probes and fines already levied by the the Commission and EU member states against Big Tech firms.

However, the analysts Verdict has spoken are sceptical about the impact these probes and the threat of looming legislation will have when it comes to future acquisitions, at least in the short run.

“I would imagine that if they want to acquire a company and they can see a strategic reason for acquiring it, then they won’t shy away from doing it,” Bicknell says. “And if and when the regulation really sort of happens, then they’ll cross that bridge when they come to it. But if there’s a strategic decision they want to make and they feel like they need to acquire [that company], then I think maybe the mindset is, ‘well, we’ll acquire it. And if we need that for our business, then we’ll do it. And then we’ll see what happens down the line.’”

Google did not return requests for comment before the publication of this story.