Rumors abound that AT&T may be looking for a buyer for its cybersecurity business; here are my thoughts on why that may be true. AT&T—a holding entity for telecom, media, and technology services—is a public company (NYSE: T) founded in 1885. It currently has 160,700 employees. Its 12-month revenue ending on June 30, 2023, was US$121.44 billion. By comparison, they generated US$143.05 billion in 2020.
The company, number 30 on the Fortune 500 list, created a stand-alone cybersecurity business one year after acquiring Alien Vault in 2018 for US$600 million and rolling in its managed security and consulting business. This analyst estimates AT&T’s cybersecurity business employs 850 and generates US$225 million annual recurring revenue or 0.1875% of AT&T’s overall business.
AT&T’s cybersecurity business offers a robust portfolio of products and services, including cybersecurity consulting, endpoint security, network security, managed security services, and threat detection and response portfolio. Its cybersecurity business focuses predominantly on the U.S. market, as AT&T generates less than 4% of its revenue internationally. Its cybersecurity business is generally well-regarded by over 2,000 customers and has won several awards. However, its overall rank in the cybersecurity vendor stack isn’t even in the top 50 by revenue.
In March 2022, on the precipice of closing its Warner Media transaction with Discovery, Inc., AT&T announced an updated investment strategy focusing on 5G and fiber technologies, focusing on the DNA of its core products and services. Its cybersecurity business was not mentioned in its strategic business or growth plans.
AT&T will generate US$20 billion in free cash flow in 2023, so it can afford to hang on to its cybersecurity business. However, it is unlikely to invest the billions required to make it a player in the cybersecurity market. AT&T is unlikely to want to maintain the status quo with any of its businesses, especially when it holds US$143.2 billion in debt on its balance sheet. AT&T has been raising cash, as evidenced by its sale of a 30% stake in DirecTV to private equity firm TPG for US$1.8 billion and receiving US$40.4 billion in cash from its sale of Warner Media.
In February, Reuters News reported that AT&T retained Barclays Plc to determine market interest and solicit potential bids for its cybersecurity business. TPG could be a buyer of this business as AT&T has an existing relationship, and TPG has past and active investments in other cybersecurity companies, including Delinia, McAfee, Onfido, and Tanium. TPG could acquire AT&T’s cybersecurity business to merge with its Forcepoint US$2.45 billion investment (October 2, 2023), where there is little overlap, many synergies, and a need to build its commercial business back up.
In today’s cybersecurity investment climate, I see a seven-times multiple or a $1.6 billion valuation of AT&T’s business—well within TPG’s investment thesis. I wouldn’t discount an interesting foreign cybersecurity company like ATOS’ Eviden spinoff to find investors to fund an acquisition as it tries to rebuild its business and make a bigger mark in the U.S. market. One thing has become clear: scale is everything, and size matters to survive in the cybersecurity market. A private equity firm acquisition also makes sense where certain core portfolio components can be shed to companies needing services or products, but not both.
Finding buyers will be slow as more nimble and advanced cybersecurity solutions enter the market, so deciding to buy legacy or emergent tech weighs heavy on investors’ minds. Whether this deal happens tomorrow or next year, this analyst believes it is the logical course for AT&T to sell its cybersecurity business.
To learn more about cybersecurity vendors, stay tuned to my blog. Contact me here to share which cybersecurity vendors you want me to profile. If you want to learn about emerging vendors, check out my 2023 Black Hat conference and exhibition and my recent report, Black Hat 2023: Insights From Startup City.