Update: Following a slew of rumors, storage giant EMC Corp. confirmed late Thursday that it will acquire RSA Security Inc. for just under $2.1 billion in cash, or approximately $28.00 per share.
Numerous vendors were reportedly in the bidding for RSA Security Inc. amid speculation of an impending buyout. It was believed the identity and access management vendor had a wrenching choice to make: sell while its value may be at its peak, or stay the course and gamble that a growth strategy dependant on acquisitions can succeed.
The New York Times initially
In a statement, EMC CEO Joe Tucci said business can't secure what they can't manage, and the acquisition is intended to help customers not only manage data, but also manage access to data.
"Bringing RSA into the fold provides EMC with industry-leading identity and access management technologies and best-in-class encryption and key management software to help EMC deliver information lifecycle management securely," Tucci said.
The acquisition is expected to close late in the third quarter or early in the fourth quarter, subject to standard closing conditions and regulatory approvals. Once completed, RSA will operate as EMC's information security division and will remain in Bedford, Mass. RSA CEO Art Coviello will become an executive vice president of EMC and president of the division.
In its report, the Times named Hopkinton, Mass.-based EMC as a top candidate to buy RSA, but others suggested a wide range of potential suitors, including Symantec Corp., BMC Software Inc., Cisco Systems Inc. and Citrix Systems Inc.
A token for your thoughts
Much of RSA's success has been credited to its popular portfolio of SecurID multifactor authentication tokens and its BSafe line of encryption and privacy products. John Pescatore, vice president with Stamford, Conn.-based research firm Gartner Inc., said the SecurID line has been a long-time cash cow, but those days may be numbered.
He said increasing competition in the authentication market and cheaper ways to do what SecurID does suggest that RSA's subscription renewals could soon dip, hurting its profits.
"They're so dependant on the SecurID product for revenue," Pescatore said. "They have been trying to diversify more, or be a company that isn't so focused, since early 2005."
That diversification effort has included its recent acquisitions of antifraud and multifactor authentication vendors Cyota for $145 million and PassMark Security for $45 million, but Todd Weller, a financial analyst with Stifel, Nicolaus & Co., Inc. in St. Louis, said RSA has largely failed to use those and its other acquisitions to drive growth.
"When you look at a product like ClearTrust, that hasn't done squat," Weller said, referencing the identity management product RSA acquired in 2001 as part of its purchase of Securant Technologies Inc. "Go back to 1996 or 1997, with smart cards and PKI, [Security Dynamics] thought they were going to get a royalty from every device that had encryption, but it became commoditized. So now, if you're RSA, can you really do something to drive the business beyond that?"
That's why, Weller said, it was hardly far-fetched to see RSA selling itself to a vendor such as EMC when RSA's value may be at its zenith. He said even before word leaked about the acquisition, investors largely inflated the company's stock price due to projected future revenue growth in its consumer-oriented security business.
"There's a lot of buzz around online banking and the FFIEC guidelines, with all the banks having to [implement] something by year's end," Weller said. But even if RSA can capitalize on that demand, he said, it was unlikely to generate enough revenue from its new initiatives to justify a sustained stock price in excess of $20 per share.
Pescatore noted that RSA has struggled to successfully integrate its past acquisitions, resulting in a profit structure that relies heavily on SecurID and its other older product lines. Generally speaking, he said, Coviello and the RSA management team have "never really hit a home run" with an acquisition.
EMC wins out
Though some saw EMC as the leading candidate to buy RSA prior to the deal's official announcement, Pescatore said the combination doesn't make sense.
"EMC is a storage company; they have nothing to do with remote access," he said, adding that the vendors also sell their products to different groups within most corporate IT departments.
However, Weller suggested that an EMC-RSA combination may not be as odd as it seems. He noted synergies between data storage and access control, but such a deal may not prove wise; many have had a difficult time comprehending the storage-security synergies that drove Symantec's acquisition of storage vendor Veritas last year.
Ken Allen, a Maryland-based investment analyst with T. Rowe Price, called RSA an attractive asset for EMC because it's done a solid job of realizing profit margin expansion. He said RSA had been on pace to reach a 20% operating margin in a few years, up from its current 14%.
"EMC has had success buying things that weren't necessarily obvious as they built up the software portfolio," Allen said. "Documentum and VMware weren't initially obvious technology fits, but have been good growth engines for them,"
In an industry where vendors come and go relatively quickly, RSA has been an information security mainstay for decades. Its name was derived from the first letter of the last names of each of its founders: Ron Rivest, Adi Shamir and Len Adleman. In the 1970s the former Massachusetts Institute of Technology students invented what became a widely used form of public key cryptography, enabling secure electronic data communication without each party needing access to a shared secret key.
The current company was formed in 1996 when Security Dynamics acquired RSA Data Security. Since then RSA has grown through other acquisitions, such as its 2001 purchases of smart card firm 3-G International Inc. and Securant Technologies, plus the recent Cyota and PassMark acquisitions.
RSA is a leader in the cryptography and authentication markets. Its RSA Security Conference has grown over the years to become the security industry's premiere gathering. The company has a market value of approximately $1.46 billion, but following the news its stock price rose nearly 20% to $22.93 per share at press time. Trading of RSA's shares was halted Thursday morning once news surfaced about a potential acquisition.
Prior to the announcement, Pescatore said that it's more than likely that RSA will be bought out by someone, especially since it took the unusual step of acknowledging that at least one acquisition offer was on the table. "The vast majority of times when something like this hits, there usually is an acquisition," he said. '"It rarely seems to go away."
Jonathan Penn, principal analyst with Cambridge, Mass.-based Forrester Research, said that the bottom line is RSA likely recognized the writing on the wall, namely that it's becoming increasingly difficult for large security vendors to remain competitive when they participate in just a select few market niches.
"Security is becoming something that's being embedded in the infrastructure," Penn said. "We're seeing that from big players like Cisco, Microsoft, HP, CA and IBM. These aren't traditional security vendors like RSA, but once you get to a certain size, you see a market gets folded into what the big vendors do."
However, Weller said that even if RSA chosen to reject EMC's offer, it could have remained viable on its own. He said many industry observers fail to recognize that vendors in different segments of the security market can fair quite differently from year to year, and that there's no reason to believe RSA's business is in dire straits.
"It's not like RSA is directly competing with Symantec, Check Point and Cisco," Weller said. "It could be fine on its own."