WORKLYN NEWS AND NOTES
7 Do’s and Don’ts to Consider When Selling Your IT Services Company: June 2021
With business valuations at historical peaks, the new administration poised to raise capital gains taxes, and more private equity firms aggressively hunting for recurring revenue from managed services providers, 2021 is shaping up to see the most MSP merger and acquisition activity to date.
All of this activity has some business owners wondering: “Is now the time to sell my IT services business?” Whether you think you’re ready to sell tomorrow or in three years, there are some guidelines worth considering sooner rather than later. Understanding the “do’s and don’ts” below will help prepare your business for a clean, value-maximizing sale, while avoiding the horrors of a broken deal.
Note: this blog post originally appeared on the CompTIA blog in June 2021.
With business valuations at historical peaks, the new administration poised to raise capital gains taxes, and more private equity firms aggressively hunting for recurring revenue from managed services providers, 2021 is shaping up to see the most MSP merger and acquisition activity to date.
All of this activity has some business owners wondering: “Is now the time to sell my IT services business?” Whether you think you’re ready to sell tomorrow or in three years, there are some guidelines worth considering sooner rather than later. Understanding the “do’s and don’ts” below will help prepare your business for a clean, value-maximizing sale, while avoiding the horrors of a broken deal.
We’ve worked with more than 100 cybersecurity and IT services providers in the last 12 months as we work towards building a one-stop-shop security and IT services provider. Based on our discussions with business owners and deep dives into their businesses, we’ve picked out some common themes and shared buyer criteria that may be helpful for various stakeholders in the IT services community to consider as they explore exit opportunities.
DON’T Just Ignore Calls from Brokers and Private Investors
Even if you’ve never really thought about selling your business, set aside a little time—maybe as little as 30 minutes a month—to hear out an interested investor. You don’t need to let them grill you. Rather, you should ask them up front: “what differentiates you as a capital provider.” More importantly, use the conversation to learn how investors will look at and value your business, what makes your business attractive, and what you can improve upon if you want to fetch a higher price when you do decide to exit.
DO Start with the End in Mind
Do you want to cash out entirely and go sit on a beach? If so, engaging with a technology services provider or a private-equity-backed “rollup” that is consolidating a batch of similar smaller firms may be your best option. There’s a higher risk around integration hiccups and culture clash, but that doesn’t matter so much if you no longer have a significant stake in the business.
Some independent “search funds” will also look to buy your business alone, and replace you as CEO, which may be attractive if you want to ensure your customers and employees are treated right. But you have to make sure they have the money to do the deal before you spend too much time with a search fund.
Would you rather take some chips off the table but retain an equity stake to take another bite at the apple? In that case, you want to find an investor that views you as “the platform.” This can be a private equity firm, or an independent sponsor. You’ll get more upside and more operational control as the platform (and often, a higher valuation multiple—good leadership is hard to find!), but you’ve got to trust your investor-partner here and buy into their vision.
DON’T Be Afraid to Have This Conversation Up-Front
It’s critical and it informs everything else—from which potential buyers you’ll spend time with to who (if anyone) you’ll hire to help you run any future sale process.
DO Be Honest About Where Your Business Falls Short
Investors don’t expect you to have a perfect business when they show up on the first day after investing. In fact, that’s often precisely why they are investing—because they have identified key initiatives for improvement or growth levers that have not yet been pulled. By proactively highlighting your weaknesses along with your strengths, you’ll build trust with the potential buyer, thereby speeding up the process, increasing the likelihood of closing a transaction, and smoothing the post-investment integration path. Paradoxically, identified areas for improvement—you can call them out as “avenues for growth acceleration” or something fancy—may even help buyers get comfortable paying more for your business.
DON’T Misrepresent Labor Costs and Gross Margins
We’ve seen some business owners (not always intentionally) juice their gross margins by under-allocating labor as a cost of goods sold for managed services. Experienced buyers will see right through this, and as we just discussed, establishing trust is critical to increasing the likelihood of a quick process and successful acquisition. If buyers sense you’re playing games with labor cost allocations, they’ll wonder where other warts might be hiding.
DO Emphasize Cloud and Security Capabilities and Certifications
Duh. If you’re reading this blog, we probably don’t have to explain this, but buyers will pay an extra turn (or two) on their valuation multiple for in-demand capabilities like cybersecurity and cloud management that enable penetration of growing markets.
DON’T Waste Time Providing Customized Information to Buyers
You have a business to run! You can send the same package to multiple buyers—they won’t be offended, and it doesn’t hurt to make sure that they know that they aren’t the only company you’re considering. Provide the basics needed to get to valuation and structuring conversation. Then, try to have that conversation before you start diverting more resources to the process. Initial calls and relationship building are great but spending too much time on a failed sale process can be distracting and even destructive for resource-constrained business that relies on human talent to succeed.
Worklyn’s Post-Pandemic Predictions: March 2021
While the battle against COVID is not yet won, the arrival of spring and the increasing availability of vaccines for all who want them allow us to start looking ahead to the post-pandemic world for IT and cybersecurity services providers.Is remote work here to stay? Will the breakneck pace of cloud transformation continue to accelerate? What about the slew of ransomware attacks afflicting businesses small and large? What’s next for MSPs and MSSPs, and how will M&A dynamics in this industry evolve? Check out Worklyn’s Top Five Predictions for IT and Cybersecurity services in the post-pandemic world below for our thoughts:
Five predictions for cybersecurity and IT services in the post-pandemic world
While the battle against COVID is not yet won, the arrival of spring and the increasing availability of vaccines for all who want them allow us to start looking ahead to the post-pandemic world for IT and cybersecurity services providers.Is remote work here to stay? Will the breakneck pace of cloud transformation continue to accelerate? What about the slew of ransomware attacks afflicting businesses small and large? What’s next for MSPs and MSSPs, and how will M&A dynamics in this industry evolve? Check out Worklyn’s Top Five Predictions for IT and Cybersecurity services in the post-pandemic world below for our thoughts:
(1) Cloud migration continues, as WFH and Zero Trust become the “new normal”: Even as the pandemic begins to wane and some businesses migrate their workforces back to the office (yes, real estate people, we know you’ve been back in the office since last summer), spending on secure cloud migration will continue to grow. Security product companies like ZScaler that offer a modern, zero-trust network access replacement for traditional VPN will continue to reap the benefits. Many companies will embrace more flexible, optional work-from-home policies to enhance productivity, while looking to shore up and secure newly-created cloud environments. As a result, customer demand for zero-trust network architectures will increase, and third party providers, whether they call themselves system integrators, MSPs, or MSSPs, will need to take a consultative approach to help customers move critical data and functionality to the cloud, embrace zero-trust policies, and implement an entire new universe of technologies that require consistent re-authentication and continuous authorization for employees and partners seeking to access critical data stores. A new class of MS(S)P will emerge that is dedicated to helping customers migrate to and manage zero-trust cloud IT architecture.
(2) Ransomware rages on, with increased focus on data exfiltration: Unfortunately, criminals have embraced working from home too. Ransomware will get worse before it gets better. According to BitDefender, ransomware attacks increased by over 700% from 2019 to 2020. 2021 will be another record year for the number of ransomware attacks, and the average cost of ransomware will continue to increase (though it won’t double again as it did from 2018 to 2019) in 2021, making this year, again, the new high watermark for ransomware. Increasingly, ransomware gangs and hackers will seek to extort victims with the threat of publishing data, recognizing that in this era of online outrage and information overload, consumer-facing companies have a massive interest in protecting their brand and preventing data leakage. Even if a breached company has done all the right things to implement robust backup and data recovery systems, the threat of data exfiltration and publishing will push some to pay out ransoms.
(3)Marketplaces reshaping the channel for MSPs: Online marketplaces have revolutionized B2C commerce (see: Amazon, Shopify), and are beginning to take hold in B2B sales environments as the pace of business digitization and technology innovation accelerates. Online marketplaces thrive with lots of (fragmented) end-customers scattered around the market and these end-users are adept enough to procure and adopt solutions from home. Given its fragmentation – there are between 20,000 and 40,000 MSPs operating in the US alone – and the technology-forward nature of many MSP business owners, few markets are riper for transformation to marketplace-based procurement than MSP-land. The suppliers (e.g. technology vendors that sell tools to/through MSPs) will also be motivated to shift toward marketplace-based sales models, as developed marketplaces enable increased capital efficiency via reductions in longer-term sales and marketing spend. Both resellers and vendors are investing in marketplace buildouts -- not surprising given that investors clearly attach high valuations to so-called “platform” businesses. AppDirect recently raised $185M for a B2B technology service provider marketplace touted as Shopify for customers in need of recurring digital services, Microsoft has rolled out its Azure marketplace for qualified MSPs, and the leading MSP-focused cybersecurity vendors are also getting in on the act; in February, SentinelOne opened its “Singularity XDR Marketplace,” an open application ecosystem that enables customer and partner security teams to integrate new and third party security tools (like Netskope, Recorded Future, and Splunk) into their Singularity XDR platform without coding or scripting. In 2021 and beyond, technology vendors focused on selling to/through the MSP channel will seize marketshare and expand margins by building out user-friendly marketplaces. And MSPs will be better off for it. But the largest opportunity is beyond the reaches of the “big four” (Connectwise, SolarWinds, Datto, and Kaseya) and any single MSP-focused vendor. Unsurprisingly given the complexity of “the channel,” no leader has emerged in creating a true marketplace for MSPs, but we expect that eventually, a startup unaffiliated with any single technology vendor will rise to unicorn valuation status by building a marketplace connecting MSPs and with the latest technology tools.
(4) MSSPs migrate away from SIEM, race to MDR: As traditional network perimeters evaporate and both customers and providers embrace zero trust network architectures and enhanced identity management to prevent cyber attacks, managed security services providers (MSSPs) will continue to shift their offerings toward managed detection and response. And while customers in less technology-forward industries will continue to demand firewall management, traditional managed SIEM solutions, once the centerpiece of most fulsome MSSP offerings, are being disrupted.
Bulky, traditionally on-prem SIEM solutions are struggling to hoover up all of the new IT and security data sources being created via digital transformation in a timely and cost-effective manner. Further, many SIEM customers (and managed services partners) are fed up with data-based pricing mechanisms employed by leading vendors like Splunk that make analyzing the many new data sources necessary to achieve proper security monitoring prohibitively expensive. Elastic, long a fan favorite alternative to Splunk in the security operations community, is also causing heartburn for MSSPs of late. The critical “open-source” backbone for many MSSP-created SIEM solutions, recently changed its licensing to prevent AWS from offering a free version of their software, but this may also prevent MSSPs that had built customized managed SIEM solutions on previously-open-source Elastic tools ElasticSearch and Kibana from continuing to offer managed SIEM to end customers. Luckily for MSSPs offering managed SIEM, there is no shortage of analytics vendors primed to disrupt the space. Microsoft rolled out its cloud-native Azure Sentinel SIEM offering in 2019, and already a crop of MSSPs offering managed Azure Sentinel has emerged. Google Chronicle and AWS Security Hub are not far behind with their own offerings, while hot new analytics companies like DataDog are also poised to enter the traditional SIEM market, further disrupting the MSSP vendor supplier landscape.
On the demand side, customers, recognizing the expense of standing up their own SOC and the importance of proactive threat hunting, will continue to shift toward managed detection and response (MDR) solutions that enable them to outsource the entire process of data aggregation, analysis, and threat hunting to focused third-party providers. Winners in the MDR space will differentiate by either focusing on technology integrations (a la Expel) to serve more sophisticated end-customers or by mostly owning their technology stack, while being simple, easy to implement, and customer-service oriented (a la eSentire) to serve MSP partners. Customers struggling with the cost and complexity of managing their own SIEM would do well to consider outsourcing the entire threat detection and response process to a focused MDR provider that can manage their SIEM or replace that functionality.
(5) Transaction valuations diverging for MSPs, MSSPs: Ultimately, we’re in the business of acquisitions, so it wouldn’t be right if we didn’t try to call our own shot here. So what will valuations look like for MSPs and MSSPs over the next 12-18 months?
To know where we’re going, we must know where we’ve been, and as we pointed out in our last blog, the pandemic didn’t put much of a dent in MSP transaction valuations, though there was certainly a lull in dealmaking during Q2 of 2020. We believe 2021 will see more MSP deals than ever, with many business owners rushing to sell before President Biden increases the capital gains tax. But based on the deal processes that we’ve been involved in since 2021, and seller-friendly market dynamics, we believe valuations for MSPs will continue to trend upward: the norm in 2021 will be 5-6x EBITDA multiples for MSPs with $250-$500K in EBITDA and 8-10x EBITDA multiples for MSPs with $4-$5M in EBITDA. Ultimately, it comes down to demand outstripping supply. First of all, there are more private equity suitors than ever, seeking to acquire majority recurring revenue MSP “platforms” with more than $2M of EBITDA. The paucity of truly scaled (more than $5M of EBITDA) MSPs is causing some sponsors to move down market to hunt for smaller game. Secondly, it’s really damn hard for an MSP to scale sales and marketing organically! Like it or not, many traditional MSPs still adhere to a very regional sales model, and PE-backed IT services shops are finding that the easiest way to acquire new customers is to acquire new businesses! This is leading to increased buyer competition even for acquisitions of smaller ($200-$500K EBITDA) MSPs.
For the past five years, MSSPs have been an even hotter commodity than MSPs, and the demand for outsourced security services is only increasing (for many of the reasons stated above). However, we have reason to believe that valuations for MDRs and MSSPs are coming down from their peak. Pre-pandemic, the general consensus was that traditional MSSPs with north of $10M in revenue could expect to command 3-5x revenue valuations. But email security vendor Proofpoint’s thrifty ~$63M acquisition of Intelisecure, a leading provider of in-demand managed DLP solutions, for less than 3x revenue is a harbinger of changing M&A dynamics. Traditional MSSPs are getting squeezed from both sides, as increasingly security-focused MSPs compete for traditional managed firewall, SIEM, and endpoint work, and MDR/XDR providers lure away larger, more sophisticated customers that require more advanced solutions focused on threat detection and response. With few exceptions, private equity sponsors were never really willing to splurge on MSSPs as standalone platforms, and with few remaining strategics willing to pay up for managed network security capabilities, more traditional MSSPs looking to sell will have to accept valuations more in the range of 1.5-2.5x recurring revenue.