Newsroom

CyberArk Signs Definitive Agreement to Acquire Machine Identity Management Leader Venafi from Thoma Bravo

mai 20, 2024

Sets New Standard for End-to-End Machine Identity Security

Provides Significant Top-Line Growth Synergies and Expected to be Immediately Accretive to Margins

Expands CyberArk’s Total Addressable Market with Complementary Machine Identity Solutions

NEWTON, Mass. and PETACH TIKVA, Israel – May 20, 2024 – CyberArk (NASDAQ: CYBR), the identity security company, today announced it has signed a definitive agreement to acquire Venafi, a leader in machine identity management, from Thoma Bravo. This acquisition will combine Venafi’s best-in-class machine identity management capabilities with CyberArk’s leading identity security capabilities to establish a unified platform for end-to-end machine identity security at enterprise scale.

Digital transformation and ongoing cloud migration have led to an exponential increase in the number of machine identities, such as workloads, code, applications, IoT devices and containers. The number of machines is rapidly outpacing the growth in their human counterparts, with more than 40 machine identities for every human identity. Left unprotected, they serve as a lucrative hunting ground for cybercriminals. These machine identities need to be discovered, managed, secured and automated to keep their connections and communications safe. This is made more complex by shorter certificate lifecycles, from 398 to 90 days, and the need to be quantum ready.

According to Forrester¹, “Historically, enterprises have taken less interest in managing machine identities compared with human identities, in part because machine identities present different requirements and more complicated lifecycle challenges. However, the exponential growth of machine identities, both for devices and cloud workloads, has brought attention and urgency to improving machine identity management to reduce the risks stemming from this expanded threat surface. Machine identity growth will outpace human identities, necessitating advanced and automated approaches to effectively manage machine identities and associated risks.”

The combination of Venafi’s certificate lifecycle management, private Public Key Infrastructure (PKI), IoT identity management and cryptographic code signing, with CyberArk’s secrets management capabilities will enable organizations to protect against misuse and compromise of machine identities, vastly improve security, and stop costly outages. Having a breadth and depth of options for machine identity security all in one solution – that can be deployed as SaaS or hybrid – will enable faster risk mitigation for organizations of all sizes looking to secure modern cloud environments.

As an innovative leader in PKI and certificate management with a robust presence in modern cloud environments, Venafi offers complementary solutions that expand CyberArk’s total addressable market (TAM) by nearly $10 billion to approximately $60 billion.

“This acquisition marks a pivotal milestone for CyberArk, enabling us to further our vision to secure every identity – human and machine – with the right level of privilege controls,” said Matt Cohen, Chief Executive Officer, CyberArk. “By combining forces with Venafi, we are expanding our abilities to secure machine identities in a cloud-first, GenAI, post-quantum world. Our integrated technologies, capabilities and expertise will address the needs of global enterprises and empower Chief Information Security Officers to defend against increasingly sophisticated attacks that leverage human and machine identities as part of the attack chain. Venafi brings world-class talent who shares CyberArk’s customer-centric, people-first culture and a security-first mindset. We are thrilled to work with the Venafi team to capitalize on the tremendous growth opportunity in the identity security market.”

“It has been a pleasure to work with the Venafi team, leveraging our operational expertise to further cement Venafi as a leading force in machine identity management,” said Chip Virnig, a Partner at Thoma Bravo. “Over the course of our investment, Venafi has accelerated SaaS growth, expanded margins, and successfully created a best-in-class SaaS offering, setting the stage for continued innovation. We believe CyberArk is a great partner for Venafi and that the scaled end-to-end machine identity security platform created by this strategic combination will deliver significant value to shareholders.”

Details Regarding the Proposed Acquisition
CyberArk intends to acquire Venafi for an enterprise value of approximately $1.54 billion in a combination of cash and CyberArk shares (approximately $1 billion in cash and approximately $540 million in shares). The Boards of Directors of both CyberArk and Venafi have each approved the transaction.

The transaction is expected to close in the second half of 2024, subject to required regulatory approvals, clearances and other customary closing conditions. Other details include:

  • Venafi is expected to add approximately $150 million annual recurring revenue (ARR).
  • Venafi brings a strong business model with 95% in recurring revenue, including SaaS and Term Based License Revenue.
  • The transaction is expected to be accretive to margins immediately2, with significant revenue synergies through cross-sell, up-sell and geographic expansion.
  • Venafi brings complementary capabilities to protect machine identities and expands the Total Addressable Market (TAM) from $50 billion to $60 billion.

¹The Forrester Tech Tide™: Identity And Access Management (IAM), Q1 2023 by Andras Cser, Geoff Cairns with Merritt Maxim, Hailey DiCicco, Peggy Dostie, February 8, 2023

2Expected to be accretive to non-GAAP margins

Advisors
Morgan Stanley & Co. LLC is serving as exclusive financial advisor to CyberArk and Latham & Watkins LLP is serving as legal counsel to CyberArk. Piper Sandler is serving as exclusive financial advisor to Thoma Bravo and Kirkland & Ellis LLP is serving as legal counsel to Thoma Bravo.

Conference Call Information
In conjunction with this announcement, CyberArk will host a conference call on Monday, May 20, 2024 at 8:30 a.m. Eastern Time (ET) to discuss the proposed acquisition of Venafi. To access this call, dial +1 (646) 968-2525 (U.S.) or +1 (888) 596-4144 (international). The conference ID is 2727264. Additionally, a live webcast of the conference call will be available via the “Investor Relations” section of the company’s website at www.cyberark.com.

Following the conference call, a replay will be available for one week at +1 (800) 770-2030 (U.S.) or +(609) 800-9909 (international). The replay pass code is 2727264. An archived webcast of the conference call will also be available in the “Investor Relations” section of the company’s website at www.cyberark.com.

About CyberArk
CyberArk (NASDAQ: CYBR) is the global leader in identity security. Centered on intelligent privilege controls, CyberArk provides the most comprehensive security offering for any identity – human or machine – across business applications, distributed workforces, hybrid cloud environments and throughout the DevOps lifecycle. The world’s leading organizations trust CyberArk to help secure their most critical assets. To learn more about CyberArk, visit https://www.cyberark.com, read the CyberArk blogs or follow on LinkedInXFacebook or YouTube.

About Venafi
Venafi is a cybersecurity market leader and the category creator of machine identity management, securing machine-to-machine connections and communications. Venafi protects machine identity types by orchestrating cryptographic keys and digital certificates for SSL/TLS, SSH, code signing, mobile and IoT. Venafi provides global visibility of machine identities and the risks associated with them for the extended enterprise—on premises, mobile, virtual, cloud and IoT—at machine speed and scale. Venafi puts this intelligence into action with automated remediation that reduces the security and availability risks connected with weak or compromised machine identities while safeguarding the flow of information to trusted machines and preventing communication with machines that are not trusted.

About Thoma Bravo
Thoma Bravo is one of the largest software-focused investors in the world, with over US$138 billion in assets under management as of December 31, 2023. Through its private equity, growth equity and credit strategies, the firm invests in growth-oriented, innovative companies operating in the software and technology sectors. Leveraging Thoma Bravo’s deep sector knowledge and strategic and operational expertise, the firm collaborates with its portfolio companies to implement operating best practices and drive growth initiatives. Over the past 20+ years, the firm has acquired or invested in more than 465 companies representing approximately US$260 billion in enterprise value (including control and non-control investments). The firm has offices in Chicago, London, Miami, New York and San Francisco. For more information, visit Thoma Bravo’s website at thomabravo.com.

Cautionary Language Concerning Forward-Looking Statements
This release contains forward-looking statements, which express the current beliefs and expectations of CyberArk’s (the “Company”) management. In some cases, forward-looking statements may be identified by terminology such as “believe,” “may,” “estimate,” “continue,” “anticipate,” “intend,” “should,” “plan,” “expect,” “predict,” “potential” or the negative of these terms or other similar expressions. Such statements involve a number of known and unknown risks and uncertainties that could cause the Company’s future results, levels of activity, performance or achievements to differ materially from the results, levels of activity, performance or achievements expressed or implied by such forward-looking statements. Important factors that could cause or contribute to such differences include risks relating to: the ability of the parties to consummate the proposed transaction on a timely manner or at all; the satisfaction of the conditions precedent to consummation of the proposed transaction, including the ability to secure regulatory approvals on the terms expected, in a timely manner or at all; the potential impact of the announcement of the proposed transaction on the ability of CyberArk or Venafi to retain and hire key personnel and maintain relationships with customers, suppliers and others with whom CyberArk or Venafi do business, or on CyberArk’s or Venafi’s operating results and business generally; disruption of the current plans and operations of CyberArk and Venafi as a result of the proposed transaction or its announcement, including increased risks of cyberattacks; risks that Venafi’s business will not be integrated successfully into CyberArk’s operations; risks relating to CyberArk’s ability to realize anticipated benefits of the combined operations; changes to the drivers of the Company’s growth and its ability to adapt its solutions to IT security market demands; fluctuation in the Company’s quarterly results of operations due to sales cycles and multiple pricing and delivery models; the Company’s ability to sell into existing and new customers and industry verticals; an increase in competition within the Privileged Access Management and Identity Security markets; unanticipated product vulnerabilities or cybersecurity breaches of the Company’s, or the Company’s customers’ or partners’ systems; complications or risks in connection with the Company’s subscription model, including uncertainty regarding renewals from its existing customer base, and retaining sufficient subscription or maintenance and support service renewal rates; risks related to compliance with privacy and data protection laws and regulations; regulatory and geopolitical risks associated with global sales and operations, as well as impacts from the ongoing war between Israel and Hamas and other conflicts in the region, as  our principal executive offices, most of our research and development activities and other significant operations are located in Israel; risks regarding potential negative economic conditions in the global economy or certain regions, including conditions resulting from financial and credit market fluctuations, rising interest rates, bank failures, inflation, and the potential for regional or global recessions; the Company’s ability to hire, train, retain and motivate qualified personnel; reliance on third-party cloud providers for the Company’s operations and SaaS solutions; the Company’s history of incurring net losses and its ability to achieve profitability in the future; risks related to the Company’s ongoing transition to a new Chief Executive Officer; risks related to sales made to government entities; the Company’s ability to find, complete, fully integrate or achieve the expected benefits of strategic acquisitions; the Company’s ability to expand its sales and marketing efforts and expand its channel partnerships across existing and new geographies; changes in regulatory requirements or fluctuations in currency exchange rates; the ability of the Company’s products to help customers achieve and maintain compliance with government regulations or industry standards; risks related to intellectual property claims or the Company’s ability to protect its proprietary technology and intellectual property rights; and other factors discussed under the heading “Risk Factors” in the Company’s most recent annual report on Form 20-F filed with the Securities and Exchange Commission. Forward-looking statements in this release are made pursuant to the safe harbor provisions contained in the U.S. Private Securities Litigation Reform Act of 1995. These forward-looking statements are made only as of the date hereof, and the Company undertakes no obligation to update or revise the forward-looking statements, whether as a result of new information, future events or otherwise.