Affected market: The manufacture of computers and other information
The OFT’s decision on reference under section 33 given on 30 March
2006. Full text of decision published 21 April 2006.
Please note that square brackets indicate figures or text which have
been omitted or replaced with a range for reasons of commercial
Safenet Inc (Safenet) is an American company whose shares are
publicly traded on the US Nasdaq Exchange. Safenet is the parent company
of the Safenet group. It develops, markets, sells and supports hardware
and software information security products and services. Safenet's UK
turnover for 2005 was approximately £4 million.
NCipher plc (nCipher) is a UK-listed company. nCipher is the holding
company of the nCipher group which is active world-wide. It develops
internet security products, technologies and services. nCipher's UK
turnover for 2005 amounted to £3.5 million with a world-wide turnover of
On 8 February 2006, Safenet announced its intention to purchase the
entire issued share capital of nCipher for £86.1m. The offer was later
recommended by the Board to the Shareholders. The transaction is subject
to the provisions of the City Code on Takeovers and Mergers.
The transaction was notified to the OFT on 8 February and the
administrative deadline expires on 5 April 2006.
As a result of this transaction Safenet and nCipher will cease to be
distinct. The OFT believes that the share of supply test in section 23
of the Enterprise Act 2002 is met with regard to hardware security
modules (HSMs) and, therefore, it is or may be the case that a relevant
merger situation will be created.
The parties overlap in the supply of HSMs to companies. An HSM comprises
tamper resistant computer hardware protecting software which manages the
encryption and decryption of data. An HSM enables the secure exchange of
information in order to protect the privacy of confidential information
and guarantee the authenticity of electronic communications. The main
characteristics of HSMs are a high level of encryption (FIPS 140-2 level
3, see [Note 1]) and a fast processing speed.
The parties argue that the relevant product scope encompasses all
hardware and software encryption devices because of demand and
supply-side substitutability. However virtually all customers and
competitors stated that there is no substitute for HSMs and that
products such as smart cards, pin pads and USB (see [Note 2])
tokens are not directly comparable. Third parties suggested
this was principally because HSMs have higher processing power, a higher
level of security, functionality and a greater flexibility in key
management and user interface.
Third parties suggest that stand-alone HSMs (HSMs that plug into a USB
port of a server) and integrated HSMs (which are integrated into the
server prior to sale or are able to be inserted into a clients existing
server) may not compete with one another. However the parties suggested
that while the price of a stand alone HSM was significantly higher than
that of an integrated HSM, this was to account for the fact that a stand
alone HSM could be used for a number of computers while an integrated
HSM could only be used for one computer. The parties also stated that in
terms of functionality (processing speed, encryption level and tamper
resistance) these products were comparable and that there was
competition between the two products.
Third parties also argue that the product scope could be further
segmented between PKI (Public Key Infrastructure) HSMs and Payments
HSMs. To date PKI HSMs have been used to allow the secure flow of
information between members of the same organisation or over the
internet and are mainly used in internet commerce operations. Payments
HSMs have been used to allow the secure flow of information in financial
transactions and are mostly used by banks and financial organisations.
On the demand side, the parties consider that it is not unusual for
demand for each of PKI HSMs and financial HSMs to be analysed
separately, but that some customers used both types of HSM. In
particular the parties point to the fact that PKI applications are
starting to be used in what has traditionally been the Payments sector
such that financial customers use both PKI and Payments applications.
However third parties have indicated that while a PKI HSM may be used in
the same sector as Payments HSMs it will be used for a different purpose
than a Payments HSM, for example, internet banking may use a PKI HSM
while for back office banking information flows, a Payments HSM may
still be used.
The parties contend that while suppliers had historically focussed on
either the PKI or Payments sector applications, the growing demand for
PKI HSMs, given the development of internet commerce, means that
suppliers who traditionally supplied Payments HSMs were now supplying
PKI HSMs. However, no evidence was provided to suggest this may have
significantly affected the parties’ sales.
The parties' internal documents treated the PKI and Payments sectors
separately and included estimates of share of supply in each. Customers
and competitors also viewed these as separate sectors.
In any event, the OFT focussed its analysis in this case on the supply
of HSMs, as it was not necessary to come to a view on whether the sector
could be considered any more narrowly, (for example distinguishing
between PKI and Payments HSMs) given the concerns which were raised in
the HSM sector as a whole.
The parties make sales across a number of countries throughout the world
suggesting that the market is global. In support of this view, the
parties submit that it is not necessary to have a physical presence in a
country to be able to win contracts for supplies of HSMs. However
certain customers do appear to hold some preferences for national HSM
suppliers. None the less, the parties claim that aside from government
contracts the standards required are similar in most developed
countries. Additionally there appear not to be any regulatory barriers
for commercial HSMs. It is also noted that 80 per cent of nCipher’s
sales are made in markets outside the UK.
On the basis of the evidence presented, the OFT considers that the
geographic scope is wider than national, if not global.
Customers and competitors stated that the parties are the leading
suppliers of HSMs. The parties have high combined shares of supply
[40-60] per cent in the overall HSM sector and very high combined
shares of supply between [70-90] per cent (see [Note 3]) in
the PKI sector. Customers and competitors alike told us that there were
few competitors other than the parties in the PKI sector with
competitors holding very small shares of supply compared with each of
the parties. Internal documents from the parties supported this view
(see [Note 4]). The parties argued that their shares of supply
fluctuate over time, and that these high shares were therefore not
representative of their true position. However they did not provide any
evidence to substantiate this argument.
Customers and competitors indicated that the parties are each others'
closest competitors in terms of product, brand and reputation. Some
customers have also claimed that there are no other competitors with a
similar product, or security reputation who could act as a sufficient
constraint on the parties such as to prevent them from having the
ability to raise prices after the merger. The parties’ internal
documents supported this view (see [Note 5]).
The parties provided limited bidding data. The information provided
indicated that the parties put in competing bids against each other in
[40-60] percent of the bids for the supply of HSMs. Of these bids, the
parties were consistently the final two suppliers from which customers
chose. The bidding data therefore demonstrated that the parties had
regularly been short-listed against one another in the past few years
and were often the final choice. While the parties maintain that other
suppliers also bid for these contracts, they were unable to establish
the identity of rival bidders.
Some customers claimed that at present they are able to play the parties
off against one other in order to gain more competitive prices.
Post-merger it is not apparent that there will be sufficient competition
in the market to constrain the merged entity from raising prices above
the level that they would have been absent the merger. In addition, some
third parties argue that post-merger, innovation (currently driven by
competition between the parties) will be lost.
The parties do not dispute that they are each others’ closest
competitors and at present have high shares particularly in the PKI
sector; however they argue that this is a dynamic market where
innovation plays a key role. They claim that the PKI sector is growing
and that post-merger the parties will be constrained by expansion of
existing competitors and entry by new competitors. The parties were
unable to provide any estimates of the quantity of sales (either by
value or by volume) which they expected to lose to existing/new
As an example of entry by new competitors, the parties pointed to entry
by [ ] into the HSM market approximately five years ago and its recent
aggressive marketing of a PKI HSM. In relation to the entry by [ ]
into the PKI sector, the parties provided internal documents (emails)
discussing the effect this product might have on their sales. In
relation to [ ] entry into the HSM sector approximately five years ago
the parties were unable to provide any evidence of there being any
effect of this entry on their sales. Nor were the parties able to
provide any examples of any other competitor entry in the HSM sector
significantly affecting their sales or their shares of supply.
Third parties argue that barriers to new entry are high and this is
supported by the fact that there appears not be have been any
significant new entry on the HSM market in the past five years.
As regards barriers to expansion, the parties pointed to the development
by [ ] (a significant supplier of HSMs in the Payments sector, but a
smaller player in the PKI sector) of its [ ]. The parties provided
emails evidencing internal discussions on how to make sure sales were
maintained in the face of the threat from these new products. However,
again, no evidence of significant loss of sales was provided.
The parties also argue that [ ] and [ ] could easily expand and
would be able to overcome any reputational difficulty that may exist.
However there is no evidence to show that expansion by [ ] or [ ]
could lead to a likely or timely change in the conditions of competition
in the HSMs sector.
In addition, demand side switching appears difficult. The parties
confirmed that approximately [60-80] per cent of the parties’ sales
are from repeat business. Third parties stated that once an HSM had been
supplied to a customer, the cost to that customer of switching supplier
for that application in terms of exposure to security breaches is high.
Therefore a reasonable opportunity for customers to switch supplier
often only occurs at the outset of a new project. Customers have
confirmed that when they consider who to supply them for a new project,
security reputation is an important factor they consider when assessing
alternative suppliers. The parties have supported the view that
switching is problematic.
The parties argued that because such a large proportion of their
revenues comes from repeat business, the merged entity would be
constrained in its actions for fear of losing such repeat business.
Safenet also argued that [70-90] per cent of its customers spend the
same amount on other Safenet products as they do on HSMs. Therefore this
would act as a significant constraint on the merged entity. However the
parties produced figures showing that no customer represented more than
[5-15] per cent of each of the parties business. It therefore appears
doubtful that customers can exert significant countervailing buyer
We are not therefore persuaded that the competitive constraints
suggested by the parties are sufficient to negate the loss of
competitive pressure which may be expected to result from the merger.
On the basis of the evidence provided to the OFT, it appears that post
merger there may be a loss of close competition between the parties. The
OFT considers this loss of competition will not be offset by constraints
either from current competitors; customers; expansion by existing
competitors or new entry in the future. On the basis of the evidence
presented, the OFT considers that it may therefore be the case that the
merger may lead to prices being higher than they might be without such
competition between the parties and there may also be a reduction in the
incentive to innovate.
Consequently, the OFT believes that it is or may be the case that the
merger may be expected to result in a substantial lessening of
competition within a market or markets in the United Kingdom.
This merger will therefore be referred to the Competition Commission
under section 33(1) of the Act.
FIPS 140-2 is a validation given by the American organisation
National Institute of Standards and Technology (NIST). Levels 1-4 are
the usual measures of security used by the industry. HSMs typically have
level 3/4 validation.
USB (Universal Serial Bus) is an interface between a computer and
add-on devices which allows hardware to be added to a computer without
having to open the computer up.
The parties stated that it is difficult to accurately estimate shares
of supply for HSMs as they are often sold as components in an IT system
and there does not appear to be any industry wide market research data
available. Competitors supported this view.
In particular see [Safenet internal document].
See [Safenet internal document].