|Shares Out. (in M):||98||P/E||0||0|
|Market Cap (in $M):||2,164||P/FCF||0||0|
|Net Debt (in $M):||-93||EBIT||0||0|
|TEV (in $M):||2,071||TEV/EBIT||0||0|
|Borrow Cost:||General Collateral|
Company: ForgeRock, Inc.
Stock Price: $22.07
Target Price: $14.00 (+$8.07, +37%)
Downside Price: $23.25 (-$1.18, -5%)
Situation: M&A Arb Short
FORG is being acquired by Thoma Bravo (TB) for $23.25, or a 5% gross spread on the current price of $22.07 with the deal announced on 10/11/22. This implies an 87% probability of a deal closing assuming a $14 break price. Spreads were recently as tight as 2% and FORG traded above the bid in mid-December.
Given anti-trust concerns (TB owns two of FORG’s peers) and a recent second request (12/22/22), an 87% chance of deal closure is too high. The risk/return on a FORG equity short provides an asymmetric opportunity in the event of a deal break / anti-trust challenge.
FORG is TB’s third identity and access management (IAM) software market acquisition in 2022, and specifically increased TB’s concentration within the CIAM (Customer Identity Access Management) sub-vertical. The transaction follows TB’s acquisition of direct CIAM peer Ping Identity (PING) for $2.8 billion in August 2022 and peer SailPoint Technologies (SAIL) for $6.9 billion in April 2022. Importantly, TB’s PING, SAIL, (potential) FORG as well as public peer Okta, Inc. (OKTA) are all rivals that target Fortune 100 companies.
The entire short thesis rests on how the DOJ defines the sector FORG operates in. If it is defined narrowly, there is an increased probability of the deal being blocked; if it is defined broadly (i.e. with Microsoft’s IAM product Azure Active Directory, as well as others, included as a peer), the deal will be allowed.
Regardless, an upside/downside skew of 8.1x with a 5% downside presents an interesting short opportunity. Recently the spread has been widening since mid-December when FORG traded above the offer price.
How concerning is the anti-trust concern? Anti-trust concern is the driver behind the DOJ’s second request on 12/22/22. To reiterate:
If the DOJ defines the CIAM sector narrowly, with FORG, PING and SAIL as the dominant CIAM players, there is potential for the DOJ to block the deal.
If the DOJ defines the sector broadly, focusing on IAM market share rather than the niche CIAM vertical and includes Microsoft, primarily an IAM product, the DOJ will allow the deal to occur.
Based on recent anti-trust complaints, the DOJ in their industry review is likely to focus on:
Would a post-deal FORG, combined with PING, be in a better pricing negotiation position and be expected to increase prices?
Would the transaction leave customers with fewer producers of CIAM products?
What is the head-to-head competition between PING/SAIL and FORG?
How does the transaction change industry concentration?
Do the TB proposed companies (FORG, PING and SAIL) reduce prices to win business from each other and respond to each other’s competitive initiatives with innovation and better offerings?
PING was acquired by Thoma Bravo Fund XV, L.P., SAIL by the same fund, and FORG is also being acquired by Thoma Bravo Fund XV, L.P. The same fund is being used to consolidate a very narrow vertical within security software.
Beyond concentration within the CIAM vertical, TB has been an acquisitive buyer of cyber security companies. Its industry concentration is large enough that on December 31, 2021, Mimecast Ltd (MIME) rejected a higher offer from Thoma Bravo-backed Proofpoint due to antitrust risks, during the 30-day go-shop period within Permira’s $5.8 billion deal to buy Mimecast.
TB was also subject to the DOJ’s recent review of potentially illegal interlocking directorates in violation of Section 8 of the Clayton Act, with overlaps in directors of Solarwinds Corp. and Dynatrace, Inc.
On October 11, 2022, FORG received an acquisition offer from Thoma Bravo for $2.3Bn or $23.25 in cash. This represented a ~53% premium to last close and a 44% premium to 30d VWAP. The companies guided to a close in 1H 2023; most arbs assume a March 2023 close. The transaction represented 8.7x CY'23 revenue and 11.4x 2Q'22 annual recurring revenue.
Non-deal Standalone Value
Pre-deal FORG was at $16; however, this includes the benefit of TB’s deal news leakage. Pre-rumors, FORG was in the $14-$15 range. Since the deal was announced on 10/10/22, the software security sector is down 10%. In a deal break, FORG is likely to trade in line with peer OKTA, implying a downside of $13.41 per share, or 3.8x 2023 sales. A break target of $14 is assumed.
FORG Trading In-line with OKTA in a Deal Break Scenario
Implied Deal Close
In the past few days the gross spread has widened to 5%. In mid-December 2022 the FORG deal was trading above the deal price. Deal probabilities of close / break and the implied prices are below:
ForgeRock is a global leader in digital identity and delivers modern identity and access management solutions for consumers, employees and things to simply and safely access the connected world. Using ForgeRock, more than 1,300 organizations around the world orchestrate, manage, and secure the complete lifecycle of identities from dynamic access controls, governance, APIs, and storing authoritative data – consumable in cloud or hybrid environments.
ForgeRock has two main product lines.
ForgeRock Identity Platform:
Self-managed software that can be deployed on-prem or in the public cloud.
ForgeRock Identity Cloud SaaS:
The firm also has a multi-tenant SaaS offering, known as ForgeRock Identity Cloud SaaS. ForgeRock’s ability to create an end-to-end IAM platform is a competitive strength for companies with heterogeneous IT (on-prem and cloud) environments.
ForgeRock estimates its global total addressable market (TAM) to be $71 billion – Consumer Identity (CIAM, $41 billion), Workforce Identity ($27 billion) and IoT ($3 billion).
The entire Identity and Access Management (IAM) market can be broken into verticals:
Taking a deeper dive into the two main verticals:
Workforce identity access management:
Provides the right access to the right people at the right time, while preventing unauthorized access.
Systems are designed to manage and protect internal, employee identities. The IAM system controls what employees can & cannot do within corporate networks, making sure that the organization’s systems are not accessible to anyone external.
Internal IAM is driven by the Human Resources team and the number of identities doesn’t usually fluctuate rapidly – adding or removing employees is a difference of a few hundred per day in even the largest global organizations.
Employees and their access credentials, as well as appropriate authorizations, are controlled internally according to position/job description/project memberships.
When an employee’s role changes, the HR system and the provisioning engine will see that the information is passed on to the relevant internal systems.
Customer Identity Access Management (CIAM)
Focused on external users instead of employees.
Designed to manage and protect external identities, such as customers, citizens, partners, contractors, APIs or things (IoT) – and is therefore optimized for very different use cases.
At the core of CIAM are the customer identities, specifically how you capture and manage digital identities securely, and then how you control customer access to your applications and services. CIAM is about knowing who your customer is and making their lives as easy and convenient as possible, while improving security and privacy, when they move through services and the company captures privacy-enabled profile data.
Features include as-a-service capabilities like SSO (Single Sign-On), customer registration, multi-factor authentication (MFA), access management and authorization, identity directories, and identity data governance and privacy/consent controls.
Externally, outsourced & tiered management makes much more sense. It enables an organisation to attach (authorise) access privileges to their customers, or even to authorise access to an individual to represent a company, saving a lot of time and effort – and therefore money.
The number of users (hopefully) grows rapidly and the need to effectively manage these identities is crucial. For a customer-facing service, it is not enough to know who is accessing your online services, but also in which role/capacity they are entering, or which organization they represent.
IAM vs CIAM Differences
In a typical IAM solution, there is usually only one Identity Provider; within CIAM you will have multiple identity providers, from social logins to strong authentication, e.g. from financial institutions or government entities.
CIAM offers features in consent management and privacy personalization; IAM tools typically do not.
IAM and CIAM Landscape
Possible DOJ questions answered
Would FORG post-deal be in a better pricing negotiation position and can be expected to increase prices? What is the head-to-head competition between PING and FORG?
Yes - PING and FORG competed directly and consolidation will give pricing power to TB. Now removed from PING’s current website but available here, PING competed directly with FORG.
Do they reduce prices to win business from each other and respond to each other’s competitive initiatives with innovation and better offerings?
Yes - This was acknowledged by the CEO of ForgeRock, who noted in an interview in 2022 that “Fortune 100 companies compared us to Okta and to Ping Identity.”
Would the transaction leave customers with only two significant producers of CIAM products?
Mixed. A combination of FORG and PING would remove two leaders of the CIAM sector as defined by Overall Leadership – KuppingerCole. The Overall Leadership rating is a combined view of the three Leadership categories, i.e., Product Leadership, Innovation Leadership, and Market Leadership. If TB is able to close the FORG deal, TB would control FORG and PING, while OKTA acquired Auth0 in March 2021 for $6.5bn.
Gartner's 2022 Magic Quadrant for Access Management - Gartner’s magic quadrant has four leaders, with TB potentially controlling two of the four market leaders leaving Microsoft and OKTA remaining.
How does the transaction change the industry’s concentration?
The key issue with the TB FORG transaction is how the market is defined.
Deal Approval Case
Morgan Stanley (MS), in a November 28, 2022 report, supported deal approval, with TB’s combined entities (SailPoint, Ping, ForgeRock) representing <10% of the IAM market with no concentration issues.
In addition MS argues that the concern of three combined entities (FORG, PING, SAIL) and OKTA as the only viable options for large companies is incorrect. MS cites a SaaS transition for SAIL, PING and FORG that would allow more competition from OKTA and Microsoft Azure Active Directory. Furthermore, MS claims that Microsoft and OKTA have improved capabilities for larger companies with more viable offerings.
There are a few concerns with the arguments from MS that the DOJ may discover in their review:
Market share / Competition - Is Microsoft Azure Active Directory a true competitor?
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service that lets users sign in and access resources.
Azure AD is targeted at a very specific use case, is tightly integrated with the Microsoft ecosystem, and is not the most capable or flexible.
Azure AD is cumbersome and not user friendly.
For example, Microsoft provides a set of tools to enable SSO via their Azure AD cloud service: Active Directory Federation Services (AD FS), Azure AD Connect (previously known as DirSync), Password Sync, Passthrough authentication, and Microsoft Identity Manager (previously Forefront Identity Manager). These tools require deploying, configuring, and managing significant server resources. Each service requires individual configuration and integration with the Azure AD cloud service.
ForgeRock and peers allow vendor diversification.
ForgeRock’s products are easily integrated within Azure AD. ForgeRock is part of the Microsoft Intelligent Security Association (MISA) that provides integrations designed to strengthen the security posture of users and devices in Microsoft environments.
There’s a case that Azure at its core is an IAM, not a CIAM, with a limited offering compared to peers such as OKTA, as demonstrated here.