When Australian bank Westpac Group wanted to improve its data security by deploying quantum encryption, the financial firm decided against just buying a product. Instead, the 13-million-customer banking group invested in a company.
In June, QuintessenceLabs (QLabs), which provides quantum encryption and key management technology, announced a strategic partnership with Westpac Group. The undisclosed investment will give Westpac an 11% stake in the Australian security company, with the option to increase its ownership to 16%. Westpac's direct investment in QLabs and its quantum encryption technologies marked a rare occurrence for the banking industry.
Such strategic investments benefit both the startup and the investing firm, says Vikram Sharma, founder and CEO of QLabs. Westpac gains the benefits of having some of its engineering team work with QLabs' developers plus the ability to nudge product development in a direction better suited to the banking industry. QLabs, which grew out of research on quantum encryption at Australian National University, gains more insights into the financial industry's needs for its products and access to capital to fund its international expansion.
"Enterprises and banks see strategic investments as a good way to tap into innovative, unfettered thinking as well as the agility-in-response needed to address some big picture problems," Sharma says.
Hot market for financial capital
Investments in cybersecurity startups are taking off. Driven by CEO and board-level demand for promising technology aimed at protecting corporate networks and sensitive data, financial and venture-capital firms are pouring money into dozens of cybersecurity companies each year. In 2014, venture-capital firms completed 56 deals worth a hefty $1.2 billion, according to investment tracking firm CB Insights. In 2015, the industry is on track to pay out a similar amount, albeit in a smaller number of deals. (See: "Smart Money Investment Deals and Dollars in Cybersecurity.")
While most such investments are aimed at turning a profit for venture-capital firms -- chasing after the $1 billion payoff of so-called "unicorn" initial public offerings (IPOs) -- many companies are investing in cybersecurity startups not just for monetary dividends, but to reap the early benefits of working with new technology and to direct product development.
Such investments represent yet another step for financial institutions, whose VC arms in the last two years have emerged as key players in early stage cybersecurity funding. Citi Ventures, the corporate VC of Citigroup, is among the investors in vArmour, a distributed security system for virtual data centers. Norwest Venture Partners (Wells Fargo is its sole limited partner) participated in the early funding of FireEye, investing $22 million before the threat prevention company's 2013 IPO. The Wells Fargo VC has also funded SecurAlert, an Israeli cloud-based threat management company, and Shape Security, a Web security platform to counter botnets.
With 46% of financial institutions rating cybersecurity attacks in 2015 as the biggest threat to their businesses -- nearly double the 24% a year earlier, according to a study issued by financial-infrastructure provider Depository, Trust and Clearing Corp. (DTCC) -- investing in the firms developing technology to address the frequency and sophistication of these attacks allows financial services firms to promote cybersecurity innovation.
The stakes are higher for Westpac. With a direct investment in QLabs, the banking group may consider marketing its quantum encryption and key management technology to other financial institutions and industries.
"Protection of customer information and sensitive commercial data is an industry-wide priority," Westpac Group's CIO Dave Curran noted in June when the QLabs deal was first announced. "This investment signals Westpac is stepping up its proactive, strategic approach to building our security capabilities now and in the future."
Beyond the beta customer
Yet it's not just financial firms. Corporate VCs are funding innovative cybersecurity startups, a move that may lessen the sponsors' need for research and development. In May, Lockheed Martin went from beta customer to co-owner when the defense giant invested $25 million in Cybereason, an Israeli company, founded in 2012, that is focused on threat intelligence and real-time tracking of attacks. Last year, commercial and industrial-control system maker Siemens announced an investment in CyActive, also an Israeli company, which aims to use predictive cybersecurity technology based on "bio algorithms" to lock down the industrial-control networks run by customers of Siemens and other vendors. "We see broad potential across major industries and are particularly excited by its approach to securing industrial and utilities assets," said Ralf Schnell, CEO of the venture capital unit of Siemens, when the deal was announced.
Most companies are satisfied with buying a technology or becoming a beta customer of an early-stage cybersecurity startup. But when the right product or service is not available, or a promising technology startup cannot dedicate resources to a company's business case, it may be time for an investment. By moving beyond being a beta customer and taking an ownership role, companies can take a promising startup and make its products fit their business models.
Problem solving for money
Such deals can help a startup focus on the customer as well. In 2010, researchers from Virginia Polytechnic Institute and State University, commonly known as Virginia Tech, teamed up with industry veterans to create PFP Cybersecurity, a company in Washington, D.C., that aims to secure devices in the supply chain using power fingerprinting analysis.
PFP Cybersecurity is currently considering a handful of strategic-investment offers, according to Steven Chen, CEO and co-founder. In each case, the potential investor has a security problem that needs solving, and they are trying to find the right startup to create the product or service to address it, says Chen, who is also a principal in investment firm Blu Venture Investors.
Startups have to agree to support the goals of the investor, however. "By taking the money, you're committing to putting resources toward the joint project," Chen says. "They are funding the collaboration, so you have to spend part of investment toward solving their problem."
A cybersecurity startup's windfall from strategic investments is the easiest to quantify, since the growing firm garners an influx of cash, yet the benefits go beyond cash flow. For Nok Nok Labs Inc., signing strategic agreements with DoCoMo Capital from Japan, Thundersoft from China and DaouKiwoom Group in South Korea opened up doors to international markets for the two-factor authentication firm, according to CEO Phillip Dunkelberger. In other investments, Nok Nok Labs, whose S3 Authentication Suite is based on Fast Identity Online protocols, works with other product or service companies to tightly integrate their technologies. "Each relationship has its unique benefits," Dunkelberger says.
For the information-security teams at the companies investing in startups and new technologies, the benefits are not as straightforward. For Westpac, the QLabs deal gave it access to the complex technology of quantum encryption and key distribution, but more importantly, access to the expertise of the technology firm's engineers.
"They want to ensure that they have the best quality security technology and best practices from around the world," Sharma says. "Working with us is a useful complement to the bank's security team."
Standing out in a crowded market
With fewer venture-capital deals in 2015 accounting for nearly the same cash volume, it is clear there is more money chasing fewer startup companies. "There is a lot more financing activity now than there was five years ago," says Matthew Wong, research analyst, CB Insights. "We are in a boom cycle, and that is bearing out in these growth rounds. There is a much larger opportunity with cybersecurity for investors."
While there appears to be increasing interest in non-traditional investment firms funding startups, the trend in strategic cybersecurity investments is not easily quantified. While cloud, mobile and identity management are hot areas, according to CB Insights, investors seeking the most in-demand startups need to differentiate themselves. Venture capital investors that bring potential joint ventures and customer experience to the table could be more attractive to startups, convincing them to accept a deal.
In the end, however, strategic investors have a key differentiator, because they are partners who are as interested in the technology as in the potential exit value of the startup, according to PFP Cybersecurity's Chen.
"The strategic investors do not nickel and dime your valuation, because they are looking at potential relationships and generating revenue for themselves," he says.
About the author
Robert Lemos is an award-winning technology journalist, who has reported on computer security and cybercrime for 18 years. He currently writes for several publications focused on information security issues.