Plausible Deniability

By Nick Selby and Paul Roberts

Anti malware vendor Sophos, plc has made a bid to purchase Oberursel, Germany-based Utimaco Safeware, A.G., which manufactures encryption, key management and port and device control software for endpoints. The public takeover offer would take Utimaco private at a valuation of €217m ($340m), or €14.75 ($23.17) per share. Sophos has made no secret that it sees data encryption as a key part of its future, as its enterprise customers look for help with problems like accidental data loss and insider threats. The hunger for a data encryption play became especially acute following data encryption deals by two of its large competitors: CheckPoint (which bought Pointsec) and McAfee (which acquired Safeboot).

Sophos told us that it has also signed an agreement with Investcorp Technology Partners for the acquisition of its 24.99% stake in Utimaco. The rest is a cash deal, with HSBC, RBS and TA Associates (Sophos investors) putting up the difference between the $120m in cash Sophos has on hand and the total purchase price of $340m

Utimaco said it expects to get the final offer in writing within a few weeks and will comment on it then, but that there have been initial conversations regarding the potential takeover and limited due diligence by Sophos. That sounds chilly, but German securities regulations make it so. The German process of taking Utimaco private is complex, or at any rate different from that of similar deals in the UK and US. Utimaco, which we infer is looking positively on the deal, must wait until a final written offer is published by Sophos until it comments – a process we believe will take until sometime in August. The whole deal, barring regulatory or shareholder hurdles which we do not anticipate to be much of an issue, would close by October. Deutsche Bank acted as advisers to Sophos. Utimaco did not use an adviser for the deal but has engaged Jeffries Broadview for the fairness opinion.

Takeover or not, the two companies have entered into a reseller agreement in which Sophos will resell Utimaco’s SafeGuard Enterprise product and both companies will refer each others’ technologies.

What’s going on here? Sophos has made no secret that it sees data encryption as a key part of its future, as its enterprise customers look for help with problems like accidental data loss and insider threats. The hunger for a data encryption play became especially acute following data encryption deals by two of its large competitors: CheckPoint (which bought Pointsect) and McAfee (which acquired Safeboot).

When we last spoke with Utimaco (earlier in July), the company found strange position: a profitable firm with solid backing from its investors (most recently $60m in private equity investment from Investcorp). Nevertheless it was in the unenviable position of having its two largest competitors sold off to larger firms. The company said it was expanding its core businesses and adding to its technology, both with in-house organic development as well as licensing technologies from partners – most crucially anti-data-leakage (ADL) from Trend Micro (Provilla) and port and device control (PDC) from Safend. Utimaco suggested, at that time, that it was on the prowl, maybe for ADL or data classification technology. Obviously, the Sophos offer changes that roadmap.

This is an audacious and smart deal for both companies. We have written of Uti’s desire to expand inorganically in the field of anti data leakage, but also of Sophos’ desire to take what it considers to be the next obvious step to add real inorganic growth to what has been a very successful story over the past few years: endpoint encryption that is transparent to the user and easy to centrally manage. From what we know of both firms, the technologies and engineering cultures is complimentary. The deal then positions Sophos to gain geographical strongholds in Scandinavia, Germany and elsewhere in central Europe – Utimaco’s traditional footholds – and boost Uti’s penetration into Asia and North America – Sophos’ North American bookings were $77m for FY 2008, which ended March 31, up 28% year-on-year. We love this deal and look on it as a win for both companies.

Geographically, Sophos strengthens its already strong hand in the European endpoint security market. The company has long been a leading player in the UK. The US is now its fastest growing market, and Asia is doing well, too. Utimaco’s strength is in continental Europe, especially Scandanavia, giving Sophos a boost there. Pointsec is also a strong player in the EU encryption market, but CheckPoint’s acquisition has now required it to focus its attention globally.

From a technology standpoint, we think Sophos gets top-shelf key management technology and transparent-to-users encryption for devices throughout the enterprise, complimenting its endpoint threat detection and policy-based access control wares. (Albeit at a price).

We wondered openly how Sophos inability to get its IPO to market would affect its acquisition strategy. This deal suggests that that inconvenience has prompted the company to get creative. That could benefit it in the long run and give Sophos a nice add-on to its portfolio that will sweeten the IPO offer when that happens — probably sometime in 2009.

We’ll be doing a full deal analysis in our TechDealmaker Service later today.