Cybersecurity: Threat or opportunity?
The growing danger of cybercriminal activity is a trend that deserves investors’ attention
• Cybersecurity has caught the attention of CEOs
• Data suggests that spending on cybersecurity is growing
• It is difficult to argue for a strong sector bet on cybersecurity
• An innovation drive from companies creates individual investment opportunities
By 2021, the damage inflicted by cybercrime will cost the global economy $6trn (€4.85trn) every year, according to Cybersecurity Ventures, a research and publishing firm focused on cybersecurity. In 2015, the cost was estimated at $3trn per year. The firm forecasts global businesses will spend more than $1trn on cybersecurity products and services from 2017 to 2021. There will be 3.5m jobs to fill in cybersecurity by 2021, up from 1m in 2014.
This data alone would be sufficient to make a case for investment in cybersecurity. The case seems even stronger if we factor in the growing number of reports of high-profile cybersecurity incidents.
Last year’s Equifax data breach, when cybercriminals accessed more than 145m customer accounts over a period of several months, is one of the biggest and most recent cases. WannaCry, a global ransomware attack that occurred last May and affected 200,000 computers in 150 countries, was another huge incident. In April this year, the UK and US governments warned of a cybersecurity threat from Russia. Earlier this year, revelations about Cambridge Analytica’s use of Facebook user data, though not indicating a cyberattack, only served to reinforce a sinister narrative. Cyberspace is growing rapidly and is extremely vulnerable to criminal activity.
This is a strong starting point, but establishing whether there is a reasonable case for investment on the cybersecurity sector, and identifying specific opportunities is, of course, more difficult. Some are indeed sceptical about the potential for cybersecurity as a sector bet.
“Security normally ranks in the top three areas of priority spending for most CFOs [chief financial officers]. You would think cybersecurity is a significant growth area, because it’s high up on the priority list and we all read about large data breaches from companies. And then, paradoxically, you find that actually companies don’t spend that much money on their security,” says James Gautrey, portfolio manager at Schroders. Gautrey is a global sector specialist on technology for Schroders’ global and international equities business.
Gautrey adds: “Investors often come into this space with the idea that this is going to be a huge market one day, and that it must be growing exponentially every year because everyone is so worried about their data. Unfortunately, it just isn’t the case. It is much smaller in size than people think and is probably growing at around 7% to 8% every year.”
The interesting news is that the level at which corporates purchase security seems to be increasing. “Whereas it used to be purchased by an IT manager, it’s now at c-suite level. Some companies might even have a chief security officer. That means the level of the discussion is increasing,” says Gautrey. But this observation is based on anecdotal evidence, he warns, and is hardly enough to create an investment opportunity.
The reality, for Gautrey, is that large, high-profile data breaches have not caused great damage for the businesses involved. “You’ve seen some quite large data breaches over the years at pretty big companies, and to my mind nothing really seems to happen. You hear of these billions of accounts that have been hacked, and yet the services still run along quite nicely and the companies involved don’t go bankrupt,” he says.
Perhaps, therefore, cybercrime is less of a threat, and less of an opportunity, than is often assumed. Nevertheless, there must be individual companies providing cybersecurity systems that can generate good idiosyncratic returns for investors. Where these companies might be found is up to investors to establish.
Jared Carney, founder and CEO of Lightdale, a private equity firm with investments in cybersecurity companies, says: “The most important thing when you’re talking about cybersecurity is to get your definitions right. There are a lot of companies that operate in what seem like traditional and non-tech businesses that are in fact dedicated to cyber security.”
“What we have seen, with the recent data security scandals, is that cybersecurity is a very large universe of problems. But no one has done a good job of describing what I would call the cyber security value chain”, he argues.
Bearing that in mind, investors who believe in the overall investment opportunity can look for companies in different sectors and with different capabilities. Carney mentions electronic recycling as an example of a niche area that is growing owing to the growing threat of cybersecurity. “All your devices, from your mobile phone to your cable TV set top box, have to be disposed in ways that are verifiably secure and do not create a pipeline of breaches,” he points out.
Healthcare is another sector where cybersecurity is a priority, Carney says: “As healthcare providers transfer their processes online, security of medical records and data becomes a major issue. There is a number small-cap and mid-cap companies, both in the US and the UK, providing services to healthcare providers or biotech companies in this area.”
The lesson here is that investing successfully in cybersecurity requires investors to take a broad look at the market. They need to consider companies of different sizes, both listed and non-listed, and located across different countries.
Matt Palmer, chief information security officer at Willis Towers Watson, says: “The cybersecurity sector is changing at a rapid pace. Investors should have a very open outlook on what is happening and look beyond traditional security suppliers. A lot of innovation is taking place within smaller but interesting companies. It’s not sufficient to focus on larger companies.”
Palmer’s expertise is on implementation of innovative cybersecurity management systems. While he does not focus on investment, he has direct contact with suppliers of cybersecurity products. An area of rapid development, according to Palmer, is security of data exchange.
He says: “There are a number of companies innovating in areas like email security. They often apply machine-learning techniques, seeking to help companies identify anomalies fast and avoid false positives.”
Another area of innovation is network monitoring. Palmer adds: “Companies globally tend to have very large monitoring capabilities. Security operations centres usually employ very large numbers of individuals and require very significant amount of investment in technology. Looking for and responding to network anomalies is very time intensive. There is much innovation taking place around big data and using better data management techniques, including machine learning, as part of network monitoring.” In this area, listed companies that do not specialise on cybersecurity, such as IBM, are also playing an important role.
“The cybersecurity sector is changing at a rapid pace. Investors should have a very open outlook on what is happening and look beyond traditional security suppliers”
Growing regulatory activity also creates investment opportunities, according to Palmer. He says: “If you look at legislation such as the European Union’s General Data Protection Regulation (GDPR), or the Cyber Security Regulation of the New York State Department of Financial Services, you can expect that businesses will increasingly focus on understanding what data they have, where they got it from, what rights they have to use it and where it’s going. That’s really a change from just focusing on how a business secures their network.”
“As businesses get to grips with this, I expect to see much more innovative activity around data management. There are plenty of opportunities to use big data and machine-learning techniques to actually understand data organisation processes and to manage data better,” argues Palmer.
As a growing sector, cybersecurity benefits from support from policymakers. Many countries are developing ‘cyber hubs’ in a conscious effort to develop cybersecurity capabilities and support new, innovative businesses. Last year, the UK government made a sizeable investment to develop a cybersecurity hub in London. But such developments are taking place beyond established technology-focused countries like the US and the UK. Israel is, famously, one of the leading countries in cybersecurity. Some businesses are also growing in Eastern Europe.
Governments that are trying to develop cybersecurity businesses may offer opportunities for institutional investors. “Some countries have very sophisticated approaches, others are just starting, but this is an area where government is your friend and potentially your co-investor,” says Carney. Investors may be asked to provide capital at start-up level, but often the companies involved are managed by individuals with deep government expertise.
Carney adds: “The issue is that you are dealing with fairly early-stage companies. But cybersecurity as an investment thesis doesn’t necessarily deserve a large capital commitment in order to get a sizeable return.”