TMT Global Industry M&A Update – Q4 2019

While IoT provides immense opportunities for cost savings and efficiencies, breaches like these show the need for companies to strengthen their security efforts especially as they continue to add new devices. The IoT market is expected to grow from 27 billion devices in 2017 to 125 billion in 2030^[2]; however, 48 percent of companies that use IoT devices in the workplace don’t have mechanisms in place to detect when their devices are hacked^[3], highlighting the need to prioritize adoption of IoT-specific security measures. This is imperative for not only preventing breaches but ensuring organizations are prepared to securely deploy IoT solutions at the breakneck speed forecasted by many industry analysts.

Why IoT products are more vulnerable to hackers

IoT devices have vulnerabilities that traditional information technology (IT) systems don’t have. These vulnerabilities are not always well understood and often they are not properly addressed during installation. Additionally, the desire to immediately reap the benefits of IoT devices can often mean using a device without first implementing the appropriate security measures.  

Sensors, WiFi and Bluetooth are essential components of IoT devices, but also pose unique security challenges. Sensors capture enormous amounts of data but this data often is outside the existing scope of information the device was stated to capture. As a result, hackers have access to data that a device owner is not aware is being captured. Safety can be compromised if sensors are hacked that have the ability to alter other aspects of physical systems. Network protocols like Bluetooth and WiFi have well publicized vulnerabilities as they give access to systems that once were only accessed locally. This creates privacy risks and also makes it more difficult to make assumption about the security of on-board information processing and interactions with other systems such as heating, door locks, camera, etc.

IoT security is the responsibility of both manufacturers and device owners, and each party responsible needs to be keenly interested in identifying and protecting devices from threats. This requires a shared understanding of responsibilities and the expectation that both parties will do their part to continue to enhance security efforts and put appropriate protocols in place.

IoT cyberattacks by the numbers^[4]

• 82 percent of electronic IoT deployments occur without full quantification of risk.
• 74 percent of known IoT vulnerabilities have not been addressed by security controls.
• 31 days is the average amount of time it takes to identify, respond and recover from an IoT cybersecurity incident.

IoT vulnerabilities by industry

Across the IoT landscape, different industries have gravitated toward IoT offerings that align with their business needs which also means that there are different risk factors, points of entry and hacker motives. While the top motive for executing a breach is financial, a slew of reasons ranging from espionage, fun, convenience and grudges are other factors.

The top breach types by industry^[5]

• Manufacturing: Web applications, privilege misuse and cyber espionage represent 71 percent of breaches with the vast majority of threats being external. 
• Retail: Web applications are overwhelming the most common type of breach. While point of sale attacks are declining, there has been a significant increase in web application attacks. 
• Accommodation and food services industry: Point of sale intrusions web applications and crimeware patterns are the top three types of breaches with financial motives being the reason for the attack. 
• Financial services: Web applications, privilege misuse and miscellaneous errors were the most frequent breach opportunities. While ATM skimming continues to decline, compromised email accounts are becoming a more common form of hacking.
• Information: Miscellaneous errors and web applications make up the majority of breaches. While there were 1,094 incidents, which is higher than in other industries, there were just 155 confirmed data disclosures.
• Healthcare: The most common breach types within the healthcare industry are miscellaneous errors, privilege misuse and web applications. Internal threats are the most common type of threat, these tend to be less common in many other industries.
  
• Professional services: Web applications, everything else and miscellaneous errors accounted for the majority of breaches. From 2014-2018, there has been a significant increase in comprised personal and credentials data.
  

Protecting against a breach 

Standard cybersecurity solutions are not, in our view, sufficient for securing IoT deployments. The unique attributes of a system with hundreds or thousands of sensors, dozens of access points (radios, nodes on the network) and many, many unique users means the most effective IoT security solutions will be built from the ground up with IoT as the purpose. A completely new approach to securing devices is needed that goes beyond passwords and phishing credentials. Leading companies and emerging innovators are forging new cyber security paths for the IoT. 

KPMG Corporate Finance LLC has deep advisory expertise in IoT and has invested significantly in understanding who is leading in IoT cybersecurity. As a leading M&A advisor on IoT capabilities, we are aware of the latest trends and challenges in this space. We welcome the opportunity to speak with you about the strategic landscape in IoT and cybersecurity.

TMT M&A synopsis

• 212 billion deal value in Q4’19: Global TMT M&A aggregate deal value grew from $154.9 billion in Q4’18 to $212.3 billion in Q4’19, a year-over-year surge of 37.1%. The quarter saw 2,050 deals across all TMT sub-sectors, as compared to 1,792 deals announced in the previous quarter.
• Mid-market remains strong: Quarterly mid-market (<$500 million) M&A improved in terms of deal value as well. The 1,997 deals announced in Q4’19 had an aggregated deal value of $30.3 billion as compared to $20.5 billion from 1,759 deals in Q3’19.
• Premium values for software/SaaS: Despite the year-over-year decline in aggregate software deal volume, software companies continue to command premium valuations. The median EV/Revenue multiple paid for software targets increased to 4.0x in Q4’19 (up from 2.5x in Q4’18). 
• Increase in big-ticket ($1 billion+) transactions: Although total deals declined slightly, Q4'19 witnessed a myriad of $1 billion+ technology transactions. The number of big-ticket transactions announced in Q4’19 reached 40 deals, with 33 of these being majority transactions. This is up from 30 deals, 23 of which were majority transactions deals in Q3’19 and 38 deals, of which 26 were majority transactions in Q4’18. With financial players accounting for almost one fourth of these big-ticket transactions, strategic buyers continued to witness consistent competition from their financial counterparts.