IT Services Roundtable Summary Note

Introduction

In the second instalment of this series, we held a roundtable with institutional investors, IT services businesses and other sector representatives to discuss the current M&A market sentiment and regulatory issues affecting the sector.

Market Climate / M&A Outlook

Overview

The beginning of the year was positive with bullish M&A activity in the IT services sector. However, growth is now facing some headwinds. There are fewer willing buyers in the market, although some transformative deals remain on the horizon and available assets continue to demand premium valuations. IT suppliers appear to be hungry for deals. It is anticipated that 2026 may be quieter before the market picks up again.

The market has continued to evolve from on-premises solutions, to cloud-based solutions, and now to artificial intelligence, but margins continue to be squeezed. Security companies in particular are expensive to acquire. A key challenge is artificial intelligence, as customers are hesitant to commit to procurement while the technology landscape is shifting so rapidly. The general market sentiment is one of caution.

There is currently a data centre boom, although significant challenges exist in the UK. Only recently, ChatGPT-maker OpenAI paused a multi-billion pound UK data centre project (Stargate UK) aimed at boosting its AI infrastructure, citing concerns about high energy costs and regulation. Big data centres consume considerable energy and water, and there is a question mark over whether the UK can support the critical data centre infrastructure needed. Lead times for building data centres are becoming challenging given hyperscaler demands.

Managing IT back-up remains a core IT services activity, given the volume of data being generated, and there will be a growing focus on cyber recovery protection. Customers are informed on data retention but costs can spiral if data management is not properly addressed. There is a shift for managed service providers towards digital transformation consulting, which represents a new world and will require a focus on change management.

Artificial Intelligence

Managed service providers are not currently being acquired for their artificial intelligence capabilities. Instead, they are selling the services of artificial intelligence providers and developing security around this. This will involve data analytics and will require the right tools to interrogate the data. This may represent an additional margin opportunity for managed service providers.

There is a clear trend that industry actors want to use artificial intelligence but do not yet know how to integrate it into their businesses. There is pent-up demand for artificial intelligence, but businesses do not know how to buy or contract for it. This leads to challenging situations where companies have the technology but do not know how to use it effectively.

There is a lot of opportunity with data management, and managed service providers will need to advise on using artificial intelligence in a secure way, with adequate training. Particularly with sensitive customer data, customers may need specialist consultancy advice on data protection and cyber security.

Cyber Insurance

Cyber insurance is currently a buyer’s market and premiums are reducing. The market is growing, and while the number of claims is increasing, there are more insurer participants coming into the market. Insurers are able to take more risks. Over the last three years, prices have decreased by approximately 70%.

The costs of insurance vary from business to business. For smaller firms, this may be around £1,000 per year, but larger firms vary. It is difficult for underwriters to insure managed service providers where there are several hundred clients with different needs, and some of the largest insurance firms refuse to insure managed service providers altogether.

Insurance is a revenue stream that managed service providers could take advantage of, which could be used to grow organically. A significant risk is supply chain management, and managed service providers should seek to limit sub-contracting and consider how best to manage procurement. Managed service providers need to be dynamic and could use artificial intelligence to manage this. A current trend is customers wanting to divest their risk by using multiple managed service providers.

Customer and provider responsibilities

We talked about allocation of risk in managed services contracts. It is important to note that managed service providers provide a secure environment for their customers but they cannot access the data. This data is open to threat by attack if the customers do not protect it. The cyber attack needs to get through the customer’s firewall. The managed service provider’s system sits outside of this, but they can build a resilient box. The customer’s perception of who is responsible is not always correct, as they often consider it is the managed service provider. It is the responsibility of the customer if there is a data attack.

Another risk being observed is managed service providers not wanting to incur legal costs. This means many contracts with customers are of poor quality.

Regulation

The Cyber Security and Resilience Bill will bring circa 900-1,200 managed service providers within scope, with a wide definition of managed service providers, so they will have duties of notification. The regulation seeks to address the complexity of the landscape and is aimed at assisting managed service providers to understand their obligations and the allocation of responsibility. The bill will create a single pathway of reporting, with the allocation of responsibility being a question of fact.

The bill aims to significantly reduce the likelihood of harm from cyberattacks by expanding regulatory scope, tightening reporting requirements, and strengthening supply chain security. The legislation is designed to address a growing number of nationally significant incidents. The bill strengthens reporting by mandating a 24-hour initial notification and a 72-hour full report for significant incidents.

The bill designates Ofcom as a key regulator for the operational security of data centres and The Information Commissioner for data breaches and managed service providers and enhances its role in telecom security reporting. It mandates faster incident reporting with a 24-hour initial notice and expands the regulators’ powers to issue heavy fines. The bill targets whether there is a systemic issue or the problem is a one-off, and the aim is to seek knowledge from managed service providers, data centres and critical suppliers, rather than to punish them.

Managed service providers will take on roles as whistleblowers. Reportable incidents will cover incidents capable of having a significant impact, even if the event has not occurred, and incidents affecting confidentiality, authenticity, integrity or availability. There will be an interesting interplay with cyber security insurance, and any breach identified in connection with reporting to the regulators will most likely need to be notified to the insurer under the relevant policy.