Mastercard is paying $2.65 billion for a cybersecurity company?!
Their acquisition of Recorded Future might look surprising at first. It makes a lot more sense once you dive into the details.
The financial services and cybersecurity industries have long been converging. This acquisition is both another milestone and a preview of what's to come.
The second and third-order consequences could be even more important. This deal's unique structure gives us clues about what could happen with other later-stage companies in the industry.
Mastercard-Recorded Future is really just the beginning of the story for both financial services and the rest of cybersecurity.
To understand the future, we need to start by looking at the past. Let's talk about how much convergence has already been happening between financial services and cybersecurity.
Past: Financial services convergence was already happening
The convergence of financial services and cybersecurity has been happening for over two decades.
I'm not talking about financial services companies just spending money to buy cybersecurity products and services. They do spend tons of money on cybersecurity—but you probably knew that already.¹
The part you (and me) may not have fully realized is how many financial services companies are active strategic acquirers of cybersecurity companies.
Altitude Cyber has tracked 47 cybersecurity-related transactions by 17 unique financial services acquirers at over $10.5 billion of disclosed deal value since 2007. Here's the data (excluding Mastercard for a second):
Six transactions were over $500 million, and two were over a billion. Add a $250 million strategic investment in BitSight from Moody's into the mix, and you really start to see how strategic cybersecurity, risk, and fraud are to financial services companies.
The trend of cybersecurity-related acquisitions by financial services has been gradually picking up, with 79% of total transactions and 96% of disclosed dollar volume happening within this decade:
But no financial services company has been a more active buyer than Mastercard.² The company has been building and buying cybersecurity-related products for years. They've formally had a cybersecurity business unit since 2017. Their involvement in the industry was significant well before they made it official.
Mastercard has already added identity verification (Ekata), behavioral analytics (NuData), third-party risk (RiskRecon), external threat intelligence (Recorded Future), and more.
With Recorded Future, Mastercard now has nine total acquisitions at over $3 billion of disclosed value:
Note: emphasis "cybersecurity-related." Transactions include fraud, risk, and other adjacent things you'd expect from one of the largest financial services companies in the world.
Recorded Future is Mastercard's largest disclosed acquisition yet, cybersecurity or otherwise. This move signals they're after something bigger. It also shows us what's possible when strategic priorities fully align.
Let's move to the present and dig into the implications of Mastercard's cybersecurity strategy for Recorded Future and beyond.
Present: Why cybersecurity is strategic for Mastercard
In an incredibly open and direct post-acquisition interview with Michael Novinson at Information Security Media Group (ISMG), Mastercard EVP and Head of Security Solutions Johan Gerber clearly laid out the strategic rationale for Recorded Future and the long-term game plan for the rest of Mastercard's cybersecurity portfolio.
Gerber left no doubt about the severity of the problem Mastercard is facing:
"Being in payments, you're one of the most attacked sectors out there. Anybody who wants money will come after you."
This may sound unsurprising at first, but it's surprisingly hard to comprehend the scale of the problem.
Verizon's Data Breach Investigations Report (DBIR) has been chronicling breaches and threat actor activity for 16 years and counting. 95% (!!!) of threat actor motives in breaches are financially-related.
It's been this way for years. Nothing else comes close.
Meanwhile, for Mastercard (and the entire ecosystem of payment processors, banks, ecommerce, etc.), the volume of digital transactions just keeps growing. They're currently estimated at 30-40% of Mastercard's total transaction volume.
If all the companies in the world were mapped to a dart board, Mastercard is at the center of the bullseye.
This brings us to the problem statement. Again, from Johan Gerber:
"How do we constantly increase the level of security across payments?"
The word "constantly" is telling here. Attacks are constant. This is never going to change. Instead of being complacent, Mastercard is choosing to keep raising the bar for security...well, constantly.
Here's the part where Mastercard's strategy gets fascinating. Their interests are much broader than securing their own company and customers. Mastercard is in an incredibly unique position to create value for the entire payments ecosystem.³
The bigger opportunity here is selling sawdust. Sure, it's a bummer that Mastercard is one of the most attacked entities on Earth — but this also means they have a massive amount of both transaction data and first-party fraud data.
A portfolio of cybersecurity, risk, and fraud products makes this a feature, not a bug. Ekata and RiskRecon are good examples of how Mastercard is already using the good and bad sides of its scale to vertically integrate and sell its own sawdust.
The first part of the value chain starts with a new account. When someone wants to use an identity and open an account, Ekata verifies the identity and uses fraud data to indicate whether the attempt is real or fraudulent.
With RiskRecon, they score the entire payment ecosystem — banks, processors, and everyone connected to them — every ten days. When a serious risk gets identified, both the directly impacted party and affected third parties get notified.
Recorded Future underpins nearly every step of Mastercard's transaction and fraud prevention processes from account origination through settlement. Adding external threat intelligence on top of Mastercard's proprietary data potentially has massive upside, both internally and for customers.
The less obvious advantage is the strategic value Mastercard's fraud and transaction data gives Recorded Future. Owning the company outright allows Mastercard to share proprietary data in a way that's hard to do with a partnership alone. This creates a unique moat for both Recorded Future and Mastercard, especially with financially-related threat intelligence.
The real significance of Mastercard-Recorded Future is far beyond a single acquisition. Let me explain why.
Future: What this means for other companies the cybersecurity industry
Mastercard-Recorded Future is just one example, but good deals like this one can influence the rest of the industry in a big way. I see this as a beacon for strategic buyers, investors, and later-stage companies throughout the ecosystem.
Cybersecurity companies in the IPO pipeline
Recorded Future was a viable IPO candidate, especially by historical public market standards for cybersecurity-related companies. Maybe not the top of the heap, but definitely viable.
At ~$300-400M in revenue, they are well above the ~$175M revenue scale it took for 30 other cybersecurity-related companies to go public between 2012 and 2022.
Cybersecurity has (roughly) 20-30 other private companies sitting in the $250-500M revenue range today (including both VC and PE-backed). It's a big backlog — and we still haven't had a traditional IPO for a pure cybersecurity company since ForgeRock went public almost exactly three years ago.
Some companies in the pipeline will successfully go public, but not all 20-30 of them. This means the rest will either (a) raise capital/debt to extend their runway and scale bigger, (b) sell directly to strategic buyers, or (c) sell majority or full stakes to growth equity or private equity buyers (what Recorded Future did).
If high quality, scaled cybersecurity companies like Recorded Future are willing to be sold at a reasonable revenue multiple, we're going to see more strategic acquisitions and fewer IPOs.
Strategic buyers in cybersecurity
We could see more "non-traditional" strategic buyers like Mastercard if (a) the convergence of cybersecurity and everything keeps happening, and (b) more companies outside of cybersecurity view security as strategic.
Mastercard and Visa are two of the ~20 most valuable public companies in the world, valued at $448.9 billion and $524 billion respectively as of today.⁴ Mastercard had $7 billion in cash and cash equivalents sitting on their balance sheet as of their latest earnings report. Companies this big can make huge acquisitions look like bargain shopping at Nordstrom Rack.
As security becomes more strategically important for companies outside of cybersecurity and big tech, the pool of potential buyers capable of $1B+ acquisitions gets bigger. With over 100 VC and PE-backed companies valued at $1 billion or more (on paper), we need as many strategic buyers as we can get.
The revenue multiple for this deal looks like a reasonable ~8-9x, exactly the average of today's public market comps for cybersecurity companies (and higher than Rubrik's ~6x IPO earlier this year).
Everyone wants the 40-50x multiple Wiz almost got, but it's exceptionally rare to find a strategic buyer willing to pay that much for a scaled company. An exit at 8-9x revenue is a pretty good outcome right now, and it's a reasonable number for more strategic buyers.
Growth equity
An easy-to-overlook detail in this transaction is that Recorded Future sold a majority stake to Insight Partners for $780 million in 2019. Rather than waiting and eventually raising a gigantic early 2020's venture era round and trying to go public, they sold most of the company — a very good exit, but atypical for the times.
The blueprint for Insight Partners and Recorded Future might become a lot more common after this deal. Selling to Insight Partners was a highly strategic move, not a desperate hail mary to save the company. Christopher Ahlberg, co-founder and CEO of Recorded Future, explained at the time:
"With a single shareholder, where there is alignment, you can execute more effectively."
Recorded Future wanted a strategic partner for their next phase of growth, and they clearly got one with Insight Partners.
Comparable situations have happened in the past with similarly good results. A few examples (though not exactly the same) are Thoma Bravo with SailPoint (the first transaction), and Vista Equity Partners with both Ping Identity and JAMF.
This model works especially well in market conditions like today. It provides near-term liquidity and eventually facilitates IPOs or strategic acquisitions. Growth equity or private equity backing is going to be an appealing option for a lot of later-stage companies while subscale IPOs aren't an option.
Convergence, vertical integration, and exits
There's a lot going on here — a lot more than what meets the eye from a single transaction.
The history and accelerating trend of financial services converging with cybersecurity, risk, and fraud is worth paying attention to. As Johan Gerber says, "The lines are graying out between cyber and fraud."
Mastercard is going to keep vertically integrating components across the entire ecosystem of cybersecurity, risk, privacy, and trust as their strategic priorities become more clear.
Their cybersecurity and customer experience solutions business is well into the hundreds-of-millions in revenue once Recorded Future and its ~$300M-400M of ARR closes.⁵ Expect a constant drumbeat of strategic build, buy, and partner activity for years to come.
For the rest of the cybersecurity industry, this deal is both a victory and a poignant reminder about how hard it is to achieve a successful outcome. Sometimes, the best possible strategy is acquisition that makes perfect sense on both sides.
Acknowledgements
Thank you to Dino Boukouris, John Gould, and the team at Altitude Cyber for collaborating with me on the financial services M&A data in this article.
Footnotes
¹Remember the whole 'J.P. Morgan spends half a billion on cybersecurity' thing a few years ago?! Accurate or not, financial services as an industry spends a lot on cybersecurity.
²Although LexisNexis is close, with eight acquisitions and $1.6 billion of disclosed value.
³And monetize some of the value they create, of course. Some capabilities they build and acquire are solely for the benefit of their cardholders and/or merchants. The ideal situations are when Mastercard can both protect itself and provide value back to the rest of the ecosystem.
⁴And we thought Palo Alto Networks being valued at $100 billion+ was impressive. Okay, it's still impressive...but companies like Mastercard and Visa give us some context about how massive the financial services industry is.
⁵It seems unlikely Mastercard's cybersecurity business unit is over $1 billion in cybersecurity-related revenue yet. I could be wrong. In any case, it's a nine-figure business and well on its way to a billion.