Published on Jul 11, 2023
DOJ is leaning toward suing to block Thoma Bravo’s planned buyout of cybersecurity software maker ForgeRock (FORG), sources said, raising questions about whether the private equity firm will bow out as the buyer in the $2.3 billion deal.
Following an eight-month review, DOJ continues to fear that the deal would result in Thoma Bravo dominating the market for software run on a large corporate customer’s premises that regulates people’s access to the company’s computer network, the sources said.
DOJ is expected to make its final decision within the next several weeks, sources said, but lingering concerns at such a late stage in the department’s review indicate that a lawsuit is likely.
Beyond the question of a DOJ legal challenge is whether Thoma Bravo would defend the deal at trial. A clause in the companies’ merger agreement caps at around $140 million Thoma Bravo’s financial penalty for breaching its obligation to fight a lawsuit in court. The penalty for walking away decreases substantially for Thoma Bravo if it does so early next year.
Under the agreement, ForgeRock also has the option of abandoning the deal in October.
The department doesn’t appear to be assuming that Thoma Bravo or ForgeRock would take advantage of those clauses just yet. DOJ staff has been actively engaging with corporate customers of identity and access management software as part of its review of the deal, a source said. Department staff also has deposed executives of the merging parties, sources said.
In a statement, a spokesperson for Thoma Bravo defended the deal. “The acquisition of ForgeRock would have a positive impact on its enterprise customers, which happen to be some of the largest corporations in the world by increasing competition for products and services and providing those customers with more choice,” the spokesperson said, adding that the software marketplace in which ForgeRock competes is “very competitive.”
The deal would create a better rival to software makers such as Okta and Microsoft, the spokesperson said.
A ForgeRock spokesperson also described as “very competitive” this slice of the cybersecurity market.
“We are committed to closing the proposed transaction between ForgeRock and Thoma Bravo as soon as possible,” the spokesperson said.
DOJ declined to comment.
A suit would give DOJ antitrust chief Jonathan Kanter an opportunity to act on his skeptical views about private equity buyers such as Thoma Bravo and their “roll-up” mergers in which they amass market power with series of acquisitions in one sector.
The draft of the new merger guidelines, which will likely be released this month, is expected to directly address the administration’s concerns about private equity’s merger activity.
To the deal’s detractors, Thoma Bravo’s bid for ForgeRock, announced in October 2022, is a prime example of a private-equity roll-up, coming on the heels of the company acquiring ForgeRock rival Ping Identity as well as SailPoint, a software company known for simplifying employee access to networks.
With a suit looking likely, Thoma Bravo will have to decide if it will fight DOJ in court. The company effectively has an escape clause in the merger agreement, although it’s not immediately apparent in reading the document. If Thoma Bravo exited the deal now, which isn’t likely, its obligations would be capped at $140 million plus reimbursement and legal fees.
If it waits until January, it would only have to pay the reimbursement and legal fees.
These clauses not only give Thoma Bravo ways to abandon the deal but also leverage in negotiating with ForgeRock any extension the parties decide is necessary because of a trial.
Market leaders. DOJ concerns revolve around Thoma Bravo’s growing presence in a vital niche of cybersecurity, sources said. Some industry participants agreed with the department’s assessment that Thoma Bravo would gain power to dictate prices to customers if it acquires more assets such as ForgeRock within the identity and access management software sector.
In on-premises network access software, ForgeRock and Ping are the market leaders, said a bank IT executive who requested anonymity.
Ping and ForgeRock’s technology is “overlapping so much, [I] am baffled why Thoma Bravo wants to acquire both – logically one of them should go away if they decide to make it more efficient,” the IT executive said.
That could prove a problem for some corporate customers, particularly those in regulated industries such as finance, that prefer software run on their premises rather than delivered from the cloud so they can comply more easily with government rules and better ensure data security.
The executive added that industry participants in the financial sector have expressed concerns in private about the deal slowing innovation and giving Thoma Bravo market power. Although large customers have some degree of leverage in negotiations with software makers, it might be more difficult for small to midsize businesses to fight off price increases, the IT executive said.
A second IT executive said that he has seen price hikes after Thoma Bravo deals in the identity and access management (IAM) industry. However, the executive, who requested anonymity, said he didn’t know whether Thoma Bravo was simply responding to general inflationary pressures or was “milking” the market for profit.
Alternatives. While rivals to ForgeRock and Ping offer IAM software operated on premises, these companies aren’t keeping pace with the two market leaders’ investment, industry participants said.
Software from the likes of Oracle, IBM and Broadcom’s CA Technologies is “not really improving at a pace of [the] IAM market, hence making their products less [attractive] when compared to ForgeRock, SailPoint and Ping,” said an IT professional working at a large media and entertainment company.
But one major rival, Microsoft, said it plans to strengthen its offerings in the IAM space. In late May, Microsoft unveiled a new customer identity access management platform: Microsoft Entra External ID, which is in previews.
“Many customers like me are considering” at least taking a look at Entra and similar products, said an IT executive for a large industrial technology enterprise.
Entra has the potential to compete directly for ForgeRock’s customers, some industry sources said. However, it may work better with other Microsoft software than rivals’ products, which could limit its appeal, two other sources said.
Different niches. Many large companies employ a variety of IAM software for different niches within their organization. That allows software from rivals to co-exist within a company’s network.
Industry participants and consultants said that while ForgeRock and Ping offer software products whose features overlap somewhat, they have different strengths. ForgeRock is a leader in customer identity access management (CIAM), and Ping is better known for software that guarantees security while allowing employees to sign in once to the corporate network.
In consolidating the market, Thoma Bravo is responding to many customers’ desire to purchase software from fewer vendors, an industry analyst said.
“One thing every IT user requests is one tool for everything – whether it’s practical, whether it’s a good tool, whether it’s a good price,” said David Asekoff, a senior business analyst and project manager at Broadridge Financial Solutions, a fintech provider. “That’s the dream.”
For this reason, Microsoft Entra could be a force to be reckoned with as companies seek to simplify their software management by shrinking the stack of vendors they work with, said the IT executive for the large industrial enterprise.
But the market’s consolidation has drawbacks, industry participants said, giving Thoma Bravo the power to raise prices – or act in ways that has given private equity a bad reputation with U.S. antitrust enforcers.
Would Thoma Bravo post-merger be tempted to “strip one company and move all the software and some of the staff to another one of the products,” Asekoff wondered. “Are they in it to make it better and [for] long-term profit, or is it going to be a short-term thing?”