Investing in cybersecurity: its importance and the challenges that lie ahead
November 27, 2020
An interview with Augustin Blanchard and Quentin Bernard of Ace Capital Partners
Investing in Cybersecurity: Interview with Augustin Blanchard and Quentin Bernard of Ace Capital Partners
Augustin Blanchard and Quentin Besnard are Partners at Ace Capital Partners, a private equity investment fund, focusing for one of its strategy on venture/growth equity investments in technology and cybersecurity companies. Augustin has worked in Paris, New York, and Germany mostly as M&A and Financing advisor to start-ups and technology companies.
Quentin has a demonstrated engineering experience and previously worked at the French Ministry of Armed Forces and NATO as technical expert and program manager for cybersecurity topics.
With these backgrounds in banking and cybersecurity, they each bring a deep and complementary expertise to Ace Management’s cybersecurity investment strategy.
Can you introduce Ace Capital Partners and explain what it invests in?
Augustin: Ace Capital Partners is a private equity investment fund founded in 1995 as an offshoot of the French Ministry of Defense.
Since 2018, Ace Capital Partners is a subsidiary of Tikehau Capital, an alternative asset management and investment group. Ace has two fund families and two investment strategies: one is on the Aerospace & Defense industry, and the other is oriented towards trusted technologies, called Brienne III. This is the fund with which Ace invested in TrustInSoft. It is a venture/growth equity fund that invests as minority investor in financing rounds that range from 5 to 35 million euros, always as lead investor.
Through our Brienne III fund, Ace has invested in a variety of cybersecurity startups. Our investment team benefits from deep expertise in cybersecurity, thanks also to our agreement with the French Ministry of the Armed Forces where many experts in different fields of cybersecurity can pinpoint strengths and weaknesses of the technologies we are digging into as investors. We also have another agreement with the French National Cybersecurity Agency (ANSSI). We rely on them for their expertise to complement our competences and we regularly coordinate with this network of experts.
Ace Capital Partners has invested in a variety of startups engaged in cybersecurity solutions. Why this industry in particular?
Quentin: We have chosen the cybersecurity industry for a variety of reasons. Firstly, it is an exponentially growing market due to the increasing digitalization in all areas, including industries that were not previously digitalized and who now need cybersecurity solutions to protect themselves and their clients.
Secondly, there is a need for European solutions to emerge. The cybersecurity sector is an under-capitalized market in France and in Europe. There are many more investment funds in performing cybersecurity ecosystems such as in the United States and Israel, and we think one of the reasons for the lack of performing European providers in this field is that Europe lacks funds like our Brienne III. This is why we are mainly targeting the European market: a majority of investment in France, and the rest in Western Europe.
Brienne III has achieved a first closing at 80 million euros and fundraising continues with a goal for a second closing towards the end of this year. This first closing alone makes Brienne III the largest continental European fund dedicated to this sector.
Venture capital funds are not always sector-oriented or verticalized funds, as investment strategies are often not limited to a sector, but rather to investment criteria. But since we specialize in cybersecurity and trusted technologies, this gives us the know-how to select the right companies in this area.
With the Brienne III fund we have an opportunity to help organize the cybersecurity sector and we would like to contribute to this objective in France and Europe. We invest primarily in innovative scale ups to finance their organic growth but also in more mature cybersecurity companies to finance their build-up strategy. The idea is to create European champions in cybersecurity.
As we have seen for the last 2 years, we are happy to be in a market where we have a lot of investment targets and few competitors. With these first two years of market feedback, we can confirm that building this fund dedicated to cybersecurity was a good strategy from an investor’s perspective.
What drives your decision to invest in a cybersecurity solution company? What must they do to stand out?
Augustin: On top of a large addressable market, an outstanding management team is at the core of our assessment of the potential success of a company. Also required is superior technology, coupled with growing revenue streams. Top line growth is key in valuing venture stage companies. Ultimately they must fit into our investment criteria of being able to absorb in at least €5 million (and up to €30/35 million) in funding, and use it to fuel growth in the company. In such cases, growth is needs to reach yearly rates of more than 100% before and after our investment.
We mainly focus on companies with proven products. Companies that do security consulting activities, do not require fundraising. We are more interested in companies that market products, and particularly B2B software products, because they are easier to scale and may have higher growth potential. Ace Capital Partners hopes to identify future solutions for its portfolio not only in the industrial sector and IoT security, but also solutions that target the security of the mobile phone sector.
In your opinion, what are the upcoming cybersecurity challenges that the world will face in the next 5 years? Are certain industries more at risk than others?
Quentin: Cybersecurity is a dynamic sector that is constantly adapting to potential exploits. One of the cybersecurity challenges that the world will face in the next five years will be to continue to combat the exploitation of companies by cyberattacks. This includes that of ransomware, which makes the headlines today, especially ransomware attacks on big market players. This is called “big game hunting”, that is, cybercriminal organizations who make money by blocking systems with cryptolocker viruses and asking for ransom. In the past, this kind of operation was directed towards small structures or individuals. In the last two years, cybercriminals have realized that it is possible and very lucrative to target big structures that have the resources to pay and who do pay large ransoms. As the activity is profitable, they invest, develop and continue their illegal business.
On the plus side, this has led to increased security efforts on behalf of these big market players, which was not previously the case. Now that it is becoming clear that cyberattacks are not just limited to smaller companies who did not have adequate protection, targeted companies are increasing their level of cybersecurity.
In addition, we are going to have cybersecurity issues in industries that are not, as of today, very tech-savvy and therefore not yet very mature on cybersecurity issues. Yet, they are going to need major protection going forward, because we can’t afford to have hacked autonomous vehicles, for example, which TrustInSoft has already worked on preventing, or hacked connected pacemakers, which would also endanger lives. The challenge lies in achieving a higher level of security in industries that don’t currently have a digital culture. That is why we pay attention to companies that address this type of emerging market, because it seems promising to us, given the cybersecurity challenges that lie ahead.
Today, do you have the perception that the majority of companies are taking risks and threats seriously enough, or is it still a game of trade-offs and risk management? Do you see a recent evolution that companies are giving to cybersecurity?
Augustin: There was a lot of regulation set up with the GDPR for instance but that did not have a great effect on making good progress or compelling the big groups to realize that they are at risk. However, more recently, we have seen an increase in ransomware activity. With the number of victims increasing, perception of the risk is higher together with an increased awareness.
As a result today, in most of the large groups, cyber risk is mentioned at the Executive Committee level, and not only at the Risk Management or IT division levels. And it clearly increases the security level of private companies.
What can businesses do to be ready for these challenges?
Quentin: We know that these cybersecurity challenges exist and are only going to increase with increased digitalization. So the first thing to do is to look at the problem from the top: that is, to set up the governance and organization necessary to manage the cyber risks. With Brienne, we have invested in Egerie software, a cyber-risk analysis tool because we believe that this kind methodology should be the first step for any company who wants to raise its cybersecurity level.
This recovery topic is also very important and driven by cybersecurity insurers. The estimated downtime of a system after a ransomware attack is an important parameter on which to calculate their insurance premium. Since insurers are forced to absorb more and more of the costs related to these attacks, we think that it will be the insurers who will drive decisions regarding some equipment of the groups.
Another thing that businesses can do to face these cybersecurity challenges is to develop their products “securely by design”. This is something that we, at Ace Capital Partners, firmly believe in as a solution for avoiding cyberattacks. TrustInSoft fits in perfectly with this ideology. That is, in fact, many attacks involve exploiting software vulnerabilities. A good way to deal with this problem is to spend a little more time in the development process to secure systems to avoid the never-ending race for patches later, and TrustInSoft has a great solution to help businesses overcome that challenge.