Affected market: The manufacture of computers and other information processing equipment
The OFT’s decision on reference under section 33 given on 30 March 2006. Full text of decision published 21 April 2006.
Please note that square brackets indicate figures or text which have been omitted or replaced with a range for reasons of commercial confidentiality.
Safenet Inc (Safenet) is an American company whose shares are publicly traded on the US Nasdaq Exchange. Safenet is the parent company of the Safenet group. It develops, markets, sells and supports hardware and software information security products and services. Safenet's UK turnover for 2005 was approximately £4 million.
NCipher plc (nCipher) is a UK-listed company. nCipher is the holding company of the nCipher group which is active world-wide. It develops internet security products, technologies and services. nCipher's UK turnover for 2005 amounted to £3.5 million with a world-wide turnover of £17.4m.
On 8 February 2006, Safenet announced its intention to purchase the entire issued share capital of nCipher for £86.1m. The offer was later recommended by the Board to the Shareholders. The transaction is subject to the provisions of the City Code on Takeovers and Mergers.
The transaction was notified to the OFT on 8 February and the administrative deadline expires on 5 April 2006.
As a result of this transaction Safenet and nCipher will cease to be distinct. The OFT believes that the share of supply test in section 23 of the Enterprise Act 2002 is met with regard to hardware security modules (HSMs) and, therefore, it is or may be the case that a relevant merger situation will be created.
The parties overlap in the supply of HSMs to companies. An HSM comprises
tamper resistant computer hardware protecting software which manages the
encryption and decryption of data. An HSM enables the secure exchange of
information in order to protect the privacy of confidential information
and guarantee the authenticity of electronic communications. The main
characteristics of HSMs are a high level of encryption (FIPS 140-2 level
3, see [Note 1]) and a fast processing speed.
The parties argue that the relevant product scope encompasses all hardware and software encryption devices because of demand and supply-side substitutability. However virtually all customers and competitors stated that there is no substitute for HSMs and that products such as smart cards, pin pads and USB (see [Note 2]) tokens are not directly comparable. Third parties suggested this was principally because HSMs have higher processing power, a higher level of security, functionality and a greater flexibility in key management and user interface.
Third parties suggest that stand-alone HSMs (HSMs that plug into a USB port of a server) and integrated HSMs (which are integrated into the server prior to sale or are able to be inserted into a clients existing server) may not compete with one another. However the parties suggested that while the price of a stand alone HSM was significantly higher than that of an integrated HSM, this was to account for the fact that a stand alone HSM could be used for a number of computers while an integrated HSM could only be used for one computer. The parties also stated that in terms of functionality (processing speed, encryption level and tamper resistance) these products were comparable and that there was competition between the two products.
Third parties also argue that the product scope could be further segmented between PKI (Public Key Infrastructure) HSMs and Payments HSMs. To date PKI HSMs have been used to allow the secure flow of information between members of the same organisation or over the internet and are mainly used in internet commerce operations. Payments HSMs have been used to allow the secure flow of information in financial transactions and are mostly used by banks and financial organisations.
On the demand side, the parties consider that it is not unusual for demand for each of PKI HSMs and financial HSMs to be analysed separately, but that some customers used both types of HSM. In particular the parties point to the fact that PKI applications are starting to be used in what has traditionally been the Payments sector such that financial customers use both PKI and Payments applications. However third parties have indicated that while a PKI HSM may be used in the same sector as Payments HSMs it will be used for a different purpose than a Payments HSM, for example, internet banking may use a PKI HSM while for back office banking information flows, a Payments HSM may still be used.
The parties contend that while suppliers had historically focussed on either the PKI or Payments sector applications, the growing demand for PKI HSMs, given the development of internet commerce, means that suppliers who traditionally supplied Payments HSMs were now supplying PKI HSMs. However, no evidence was provided to suggest this may have significantly affected the parties’ sales.
The parties' internal documents treated the PKI and Payments sectors separately and included estimates of share of supply in each. Customers and competitors also viewed these as separate sectors.
In any event, the OFT focussed its analysis in this case on the supply of HSMs, as it was not necessary to come to a view on whether the sector could be considered any more narrowly, (for example distinguishing between PKI and Payments HSMs) given the concerns which were raised in the HSM sector as a whole.
The parties make sales across a number of countries throughout the world suggesting that the market is global. In support of this view, the parties submit that it is not necessary to have a physical presence in a country to be able to win contracts for supplies of HSMs. However certain customers do appear to hold some preferences for national HSM suppliers. None the less, the parties claim that aside from government contracts the standards required are similar in most developed countries. Additionally there appear not to be any regulatory barriers for commercial HSMs. It is also noted that 80 per cent of nCipher’s sales are made in markets outside the UK.
On the basis of the evidence presented, the OFT considers that the geographic scope is wider than national, if not global.
Customers and competitors stated that the parties are the leading suppliers of HSMs. The parties have high combined shares of supply [40-60] per cent in the overall HSM sector and very high combined shares of supply between [70-90] per cent (see [Note 3]) in the PKI sector. Customers and competitors alike told us that there were few competitors other than the parties in the PKI sector with competitors holding very small shares of supply compared with each of the parties. Internal documents from the parties supported this view (see [Note 4]). The parties argued that their shares of supply fluctuate over time, and that these high shares were therefore not representative of their true position. However they did not provide any evidence to substantiate this argument.
Customers and competitors indicated that the parties are each others' closest competitors in terms of product, brand and reputation. Some customers have also claimed that there are no other competitors with a similar product, or security reputation who could act as a sufficient constraint on the parties such as to prevent them from having the ability to raise prices after the merger. The parties’ internal documents supported this view (see [Note 5]).
The parties provided limited bidding data. The information provided indicated that the parties put in competing bids against each other in [40-60] percent of the bids for the supply of HSMs. Of these bids, the parties were consistently the final two suppliers from which customers chose. The bidding data therefore demonstrated that the parties had regularly been short-listed against one another in the past few years and were often the final choice. While the parties maintain that other suppliers also bid for these contracts, they were unable to establish the identity of rival bidders.
Some customers claimed that at present they are able to play the parties off against one other in order to gain more competitive prices. Post-merger it is not apparent that there will be sufficient competition in the market to constrain the merged entity from raising prices above the level that they would have been absent the merger. In addition, some third parties argue that post-merger, innovation (currently driven by competition between the parties) will be lost.
The parties do not dispute that they are each others’ closest competitors and at present have high shares particularly in the PKI sector; however they argue that this is a dynamic market where innovation plays a key role. They claim that the PKI sector is growing and that post-merger the parties will be constrained by expansion of existing competitors and entry by new competitors. The parties were unable to provide any estimates of the quantity of sales (either by value or by volume) which they expected to lose to existing/new competition post-merger.
As an example of entry by new competitors, the parties pointed to entry by [ ] into the HSM market approximately five years ago and its recent aggressive marketing of a PKI HSM. In relation to the entry by [ ] into the PKI sector, the parties provided internal documents (emails) discussing the effect this product might have on their sales. In relation to [ ] entry into the HSM sector approximately five years ago the parties were unable to provide any evidence of there being any effect of this entry on their sales. Nor were the parties able to provide any examples of any other competitor entry in the HSM sector significantly affecting their sales or their shares of supply.
Third parties argue that barriers to new entry are high and this is supported by the fact that there appears not be have been any significant new entry on the HSM market in the past five years.
As regards barriers to expansion, the parties pointed to the development by [ ] (a significant supplier of HSMs in the Payments sector, but a smaller player in the PKI sector) of its [ ]. The parties provided emails evidencing internal discussions on how to make sure sales were maintained in the face of the threat from these new products. However, again, no evidence of significant loss of sales was provided.
The parties also argue that [ ] and [ ] could easily expand and would be able to overcome any reputational difficulty that may exist. However there is no evidence to show that expansion by [ ] or [ ] could lead to a likely or timely change in the conditions of competition in the HSMs sector.
In addition, demand side switching appears difficult. The parties confirmed that approximately [60-80] per cent of the parties’ sales are from repeat business. Third parties stated that once an HSM had been supplied to a customer, the cost to that customer of switching supplier for that application in terms of exposure to security breaches is high. Therefore a reasonable opportunity for customers to switch supplier often only occurs at the outset of a new project. Customers have confirmed that when they consider who to supply them for a new project, security reputation is an important factor they consider when assessing alternative suppliers. The parties have supported the view that switching is problematic.
The parties argued that because such a large proportion of their revenues comes from repeat business, the merged entity would be constrained in its actions for fear of losing such repeat business. Safenet also argued that [70-90] per cent of its customers spend the same amount on other Safenet products as they do on HSMs. Therefore this would act as a significant constraint on the merged entity. However the parties produced figures showing that no customer represented more than [5-15] per cent of each of the parties business. It therefore appears doubtful that customers can exert significant countervailing buyer power.
We are not therefore persuaded that the competitive constraints suggested by the parties are sufficient to negate the loss of competitive pressure which may be expected to result from the merger.
On the basis of the evidence provided to the OFT, it appears that post merger there may be a loss of close competition between the parties. The OFT considers this loss of competition will not be offset by constraints either from current competitors; customers; expansion by existing competitors or new entry in the future. On the basis of the evidence presented, the OFT considers that it may therefore be the case that the merger may lead to prices being higher than they might be without such competition between the parties and there may also be a reduction in the incentive to innovate.
Consequently, the OFT believes that it is or may be the case that the merger may be expected to result in a substantial lessening of competition within a market or markets in the United Kingdom.
This merger will therefore be referred to the Competition Commission under section 33(1) of the Act.
FIPS 140-2 is a validation given by the American organisation National Institute of Standards and Technology (NIST). Levels 1-4 are the usual measures of security used by the industry. HSMs typically have level 3/4 validation.
USB (Universal Serial Bus) is an interface between a computer and add-on devices which allows hardware to be added to a computer without having to open the computer up.
The parties stated that it is difficult to accurately estimate shares of supply for HSMs as they are often sold as components in an IT system and there does not appear to be any industry wide market research data available. Competitors supported this view.
In particular see [Safenet internal document].
See [Safenet internal document].