Large hotel chains, global media platforms, airlines, and leading retail brands are just some examples of companies that have suffered from hacks and digital attacks in recent years.
Attackers have also been targeting business leaders, with Twitter CEO Jack Dorsey’s Twitter account being hacked last summer, and consumers globally through phishing scams and email vulnerabilities. With digital attacks growing in size and frequency and costing businesses $150M per attack on average, cyber security has become a key strategic priority for public and private organisations, opening a window of opportunity for companies developing innovative cyber security solutions. At KPN Ventures, cyber security is one of our most active and successful investment segments and we proudly support CUJO AI, Cybersprint, EclecticIQ, Security Matters (exit), and ZecOps. Furthermore, we are investor and an active supporter of Dutch Security TechFund, which invests solely into (cyber) security companies. In 2019, we presented our research about the cyber security investment landscape in Europe and for 2020 we wanted to see how the Dutch cyber security investment landscape was evolving. However, as cyber security is relevant for the whole ecosystem we, KPN Ventures, decided to perform the analysis jointly with various local stakeholders: Hague Security Delta, Dutch Security TechFund and KPN Security. In order to deliver an objective analysis we used Dealroom as a source for deals, which shall probably be not exhaustive, and added input from the above mentioned local stakeholders. We are therefore pleased to share our joint analysis of the Dutch cyber security market in this article in which we unpack the recent investment landscape and lay out our outlook for the sector in 2021 and beyond.
The number of cyber security companies in the Netherlands has grown substantially over the last decade, from around 70 companies in 2010 to over 172 companies at the start of 2020. The main drivers for this growth have been a steep increase in the number of newly founded cyber security companies, as well as companies from abroad establishing the HQ in the Netherlands.
Bolstered by the strong market momentum, several cyber security “hubs” have emerged across the country, with The Hague and Amsterdam leading the way. Amsterdam’s international transport link and embedment in the global startup ecosystem naturally attract entrepreneurs. In contrast, The Hague had to promote its position in the local cyber security ecosystem by establishing “The Hague Security Delta” which implemented successfully different initiatives, such as developing the Hague Security Campus and hosting international conferences (e.g. the UK — NL Cyber & Fintech Summit). Finally Groningen is also beating the drums and set up initiatives such as Cybersecurity Noord-Nederland together with amongst others educational institutions.
However, despite this positive market activity, our research suggests that the number of newly founded Dutch cyber security companies has declined since 2015. This outcome is quite surprising and alarming at the same time. The market, as well as the ecosystem, has been growing and maturing over time so the expectation was that the number of newly founded companies should have increased. There are several possible explanations for this finding: companies increasingly remain longer in stealth mode, a higher proportion of Dutch talent establish or join a startup abroad (such as the UK which evolved as an European cyber security hub) which negatively affects the limited local talent pool and there is a lack of many Dutch cyber security success stories/exits. The latter one is really important for the ecosystem in the long term due to two reasons: the pay-it-forward principle could be applied and the attractiveness of the local market will be increased (positive impact on funding, exit & talent). The founders and other key employees of a successful company could provide young entrepreneurs guidance and support in their journey by sharing their knowledge, expertise and network. Furthermore, it can enable the founders and other key employees of such companies the opportunity to start a new venture in the future (separately or jointly) and thereby increasing the number of newly founded companies.
During the last five years, the majority of funding rounds consisted of Seed rounds (34 rounds since 2015), with a limited number of venture and growth deals. On the one hand, the prominence of seed funding across this period is to be expected, in the light that most of Dutch cyber security companies were recently founded. These companies will now or have already entered the venture capital market to raise the next funding round. On the other hand, the low number of later-stage deals may suggest that Dutch cyber security companies experience difficulties in raising capital beyond the Series A / Series B stage. This could partly be explained by the low number of local (dedicated) cyber security investors that have the specific knowledge, expertise and network in-house to support companies in their growth by providing specialistic expertise that is needed in the market to succeed and/or limited fund size to lead or to follow-on in the next funding rounds. As an example; Dutch Security TechFund was launched early 2019 and invested (probably under the radar) up to now in seven companies. This could be a signal that the Dutch cyber security sector is starting up slow. Most funding rounds across the last five years have been directed towards identity and access management solutions (32% of deals), cloud & data security together with public safety (each 18% of deals) and threat intelligence (approximately 14% of deals). Notable, threat intelligence companies have been raising the largest rounds (average deal value of € 6.33M) with an average deal value of approximately 4.5x larger than the identity & access management rounds. The reasons for this is that while identity & access management companies (such as SonicBee & Tykn) and public safety companies have mainly been raising Seed rounds, the threat intelligence companies (such as EclecticIQ) have been raising more advanced rounds with larger deal sizes and higher valuations. In other words, the threat intelligence market seems to be matured while the next trends are in identity & access management, public safety and operational technology security. You better be prepared to receive their pitch decks!
In terms of investor profiles, participation by corporate venture capital (CVC) funds in early stage rounds have been limited in the last five years. While GMG Ventures invested in Deeptrace’s 2018 seed round, CVC participation mainly arises at the early growth stage. For instance, KPN Ventures participating in EclecticIQ’s €5M Series A round in 2017 and in Cybersprint’s €2M Series A round in 2018 and Rabobank providing €1.5M growth funding to Cybersprint in 2020. The participation of financial VC’s was limited in the last five years, while hopefully the strong market momentum and initiation of the Dutch Security TechFund will change this in the near future. The role of accelerators in the wave of Seed deals is also worth highlighting with StartupBootcamp (Quiver; MultiSense), YesDelft! (Ubiqu) and Rockstart (Tykn) contributing to the market momentum.
Finally, despite the minor proportion of later venture rounds, a clear consolidation of the Dutch cyber security market can be observed over the past five years with several notable acquisitions. KPN has been an active acquirer with acquisitions of QSightIT and DearBytes in respectively 2016 and 2017. Dutch Security TechFund started a buy-and-built platform in managed security services by acquiring Felton and merging it with other companies. Other notable M&A transactions include Thales Group’s 4.9B € acquisition of Gemalto in 2017 and Orange’s 515M € acquisition of SecureLink in 2019.
Looking onwards, the prominence of Seed rounds over the past five years suggests an incoming wave of next funding rounds with a higher average deal size as a consequence. As mentioned briefly previously, our findings suggest that this wave of later stage financing will be focused on identity & access management companies and public safety companies. The focus on identity & management (at least in the short to medium term) and data security might be further compounded by the increase in remote working, the growth of e-commerce and the increasing reliance on digital banking services resulting from the COVID-19 crisis.
In light of this incoming rise in later stage venture capital rounds, we also expect greater participation of corporate venture capital funds in these rounds in the upcoming few years, as well as further market consolidation in the form of M&A. Since cyber security is not only a national issue it also may be expected that European venture capitalist will co-invest together in order to create European cyber security companies, with relevance for each country separately.
The key concern will be the observation that it seems that newly founded companies declined in the last couple of years. This will have an impact in the near future. We hope that this report will open a dialogue with a broader crowd in order to find answers and to eventually strengthen our local cyber security ecosystem. Alone we cannot make the difference, but together we can create a digitally safer world!
This article is also published on Medium.
In case you have any questions regarding the market developments, data or activity within KPN Ventures, feel free to comment or ask questions by sending us an e-mail at firstname.lastname@example.org .
For more information, you can sign up for our newsletter via this link.