Please note that tax, investment, pension and ISA rules can change and the information and any views contained in this article may now be inaccurate.
Fighting cyber attacks: Invest in the world's digital defenders
In 1983’s War Games, a young Matthew Broderick unwittingly hacks into military central computer while searching for video games and almost inadvertently starts World War III. While the prospect of cybercriminals and cyberterrorism can make thrilling TV and films, the real life threat is far more worrying, and for many, scary.
About a week before Russian troops invaded Ukrainian territory, the first Russian cyber attack of the Russian/Ukraine conflict was launched. Called NotPetya, it attacked around 70 Ukrainian government sites, among them the National Security and Defence Council.
‘Analysis of the NotPetya suggests that it likely targeted Ukraine using a piece of tax preparation software as the initial vector for infecting businesses operating there,’ said Tom Record and Tom Morris, co-managers of the Majedie Global Equity Fund (BN31TC5).
Though the attacks have not yet caused major damage, experts in the cybersecurity world know very well what Russian capabilities are. In June 2017, the Ukrainian government announced that a virus had penetrated ministry computers and caused them to stop working. All the signs pointed to Russia.
That virus was the forerunner to NotPetya, simply called Petya, and it was used to attack the postal service, the system for monitoring radiation at the Chernobyl nuclear plant, banks, and the country’s largest telephone company.
In the US president Biden recently warned (21 Mar) that US businesses need to be prepared for Russian cyber attacks. For investors, where there is fear there tend to be opportunities and cybersecurity is an investment niche jam-packed with potential for years to come. In this feature we will try to explain how big this investment space already is, why cyber crime and warfare will become an increasingly dangerous threat, look at some of the key industry stocks, and offer several options for investors wanting to position their portfolios to take advantage of the vast value creation potential.
Many UK investors will have read of Darktrace (DARK), emerging as one of the world’s most innovative cybersecurity companies, or Avast (AVST) a consumer anti-virus kit supplier in the process of being bought by US peer NortonLifelock. The UK’s Sophos will also be a fairly familiar name, listed in the UK until its 2020 take private deal.
Yet these UK cybersecurity firms are dwarfed by the largely US-based industry giants. If you know something of Check Point Software, Palo Alto Networks, Fortinet, Trend Micro and CrowdStrike you may be in the minority, yet these are among the global leaders in the cybersecurity industry, while the likes of Okta, Mimecast, Zscaler, CyberArk and Rapid7 are fast establishing themselves.
For reference, Fortinet was the biggest single contributor to the performance of Smithson’s (SSON) 18.9% net asset growth in 2021. Specialising in firewall appliances and security software, the shares have been strong ever since the SolarWinds hacking attack was discovered in December 2020, after which many corporate technology departments made clear their intention to increase spending on cybersecurity.
‘This has been reflected in the growth of Fortinet’s revenue, which at 33% in the last reported quarter, was the fastest since 2016, and has resulted in the share price increasing by more than 140% during the year,’ said the investment trust’s manager Simon Barnard.
Okta, Crowdstrike and Zscaler are holdings in the Allianz Technology Trust (ATT), one of the UK’s most popular tech funds with informed retail investors.
WHY CYBERSECURITY IS GROWING FAST
The creation of the internet has removed borders, has globalised businesses, moved experiences and assets from the physical to the virtual world and underwritten massive growth in productivity.
But it has also brought the unwelcome rise of cyber crime, a multi-billion-dollar industry that impacts individuals, companies and institutions. The growth of cybercrime activity and adjacent cybersecurity investment over the last few decades was already substantial, but a post-Covid world puts the digital market front and centre.
‘The Covid-induced remote working trend and related spikes in internet traffic have materially increased the cyber-attack surface,’ say analysts at Canaccord Genuity.
According to data compiled by Statista, about $9.52 billion of revenue will be generated by the UK cybersecurity market this year, rising to $13.58 billion by 2026, implying 9.3% compound annual growth. Yet this is relatively small beer compared to the US.
Across the pond the cybersecurity market was valued at $156.5 billion in 2019, with more than half of the money spent on services, the rest from supplying unique software solutions and increasingly clever hardware.
By 2027, however, the US cybersecurity market is expected to growth to $326.4 billion, according to forecasts by Grand View Research, representing a compound annual growth rate of 10%.
Cyber attacks come in many forms, from thefts to ransomware to pure destruction, a nightmare for victims at the time, incidents can also be wake-up calls for companies to really get on top of their IT systems.
Yet this is a fast-moving landscape where new threats emerge a quickly as the industry can plug gaps, meaning that new cyber exploit are always just around the corner. ‘Threats have become even more complex, and companies and governments have had to significantly step up their defence efforts,’ say Majedie Global Equity’s Record and Morris.
‘In our view most are still not doing enough, with human nature partly to blame - people tend to overvalue the physical world and undervalue the virtual one, even though the distinction between the two is getting blurrier by the day.’
Illustrating their point, in 2017 Danish shipping giant Maersk saw most of its IT systems completely shut down at the hands of the NotPetya attack, a piece of malware (the catchier name for malicious software) named after a satellite in the James Bond film Goldeneye. ‘Employees were locked out of 49,000 laptops, 1,200 of the company’s global applications were inaccessible, and more than half of its servers were inoperable,’ explain Record and Morris of Majedie Global Equity.
The cyber attack also hit communications, including phones and email, severely hampering any kind of coordinated response. Maersk’s head of technology summed it up as ‘100% destruction of anything based on Microsoft that was attached to the network.’
The incident forced Maersk to rethink its whole approach to IT and prompted it to invest in more efficient and secure systems. The company made an astonishing recovery from the assault and shared everything it learned as it went along with all the other companies who had been affected, including WPP (WPP), Reckitt Benckiser (RB.) and Mondelez.
Even the most sophisticated software tools may not be able to eliminate all vulnerabilities but they can hobble the hackers and choke many threats, helping to protect against the worst outcomes.
‘We expect the cat-and-mouse game between organisations, consumers and the cybercriminals who covet their data to intensify this year,’ say analysts at Global X, a New York-based thematic ETF provider.
‘The latest concern is a vulnerability in internet software known as Log4j that could jeopardise hundreds of millions of systems globally,’ say Global X analysts Pedro Palandrani and Alec Lucas. This threat follows multiple high-profile breaches in 2021, including the ransomware attack that compromised Colonial Pipeline’s fuel distribution across the eastern US.
Ransomware is a type of virus that freezes IT systems, with the hackers demanding cash (a ransom) to unlock the virtual handcuffs.
Cyber events like these continue to grow more frequent and costly, especially attacks on critical infrastructure and supply chains, and the threat will only get more acute as the global economy continues to digitalise and put sensitive data at risk.
‘As a result, we expect heightened awareness of and expenditure on cybersecurity solutions to create long-term tailwinds for the cybersecurity investment theme,’ say Palandrani and Lucas.
By Gartner’s estimate, spending on data protection and risk management could increase 11% from 2021 to $172 billion this year.
President Biden earmarked an extra $1.7 billion of spending to modernise federal cybersecurity capabilities, standardize response strategies to cyberattacks, and increase information sharing requirements for government contractors. This could rise to $7 billion of additional investment to improve the country’s cybersecurity infrastructure.
‘In our view, recent financial commitments to thwart cybercriminals can form tailwinds for cybersecurity companies in 2022 and strengthen the long-term investment case for the cybersecurity theme overall,’ conclude Global X’s Palandrani and Lucas.
HOW INVESTORS CAN GET IN ON THE THEME
Cybersecurity is a booming industry with hundreds of companies scrambling to protect us from having intellectual property, health records, financial information, and other vital data compromised.
Among the companies that are benefiting from the surge in cybersecurity spending include those building firewalls, secure servers, routers, antivirus software, and malware detection tools. Firms that specialize in consulting and solving related security problems are also getting plenty of interest.
Beyond these fast-growing areas, cybersecurity companies are increasingly looking at consolidation. Typically, cybersecurity providers specialise in specific verticals, forcing customers to secure their data using a patchwork of different providers.
As Allianz Technology’s manager Walter Price points out, this offers organisations a ‘layered defence’ that helps offset the risk that a weakness is discovered to be exploited in any one software provider or tool kit.
That said, prominent cybersecurity providers remain engaged in a strategy of vertical integration, and often the fastest way to expand products and expertise is to buy a peer.
Noteworthy activity in 2021, for example, included CrowdStrike’s $352 million acquisition of Humio, and Rapid7’s $335 million acquisition of IntSights, allowing the companies involved to field more integrated product offerings.
This is also a hot area for the big Cloud providers. In early March 2022 Alphabet made a massive move into the cybersecurity space after agreeing a $5.4 billion deal to buy Nasdaq-listed specialist Mandiant Security, beating out Microsoft in a hotly contested battle, according to analysts.
It will make Google Security a clear number two against Microsoft’s Azure Sentinel, according to Megabuyte analysts. ‘This is a clear shot across the bow from Alphabet to Microsoft which has, with its Azure Sentinel offering, dominated the hyperscale Cloud security space for several years now,’ said Indraneel Arampatta of Megabuyte.
‘The deal illustrates the importance of cyber security and the price that you have to pay for it,’ said Stifel analyst George O’Connor. Alphabet is paying 8.2-times Mandiant’s expected sales this year.
This surge in consolidation activity is likely to continue in 2022 and beyond.
Picking individual stocks is one option for investors but funds are also a great way into the space. The UK market is blessed with cybersecurity-themed ETFs.
Curated by experienced and proven investment teams, these thematic portfolios offer exposure to a broad range of developers and companies invested in cybersecurity, providing investors with easy and relatively inexpensive ways to access 30, 40 and often more leading cybersecurity names in a single fund, so you can benefit from both takeover targets and the industry consolidators.
Among the UK-listed cybersecurity ETFs are Global X Cybersecurity (BUG) and L&G Cyber Security (ISPY). The former has an ongoing charge of 0.5% and the latter 0.75%. Relatively high for ETFs, which reflects their higher complexity and niche focus. Both offer exposure to all the big US names in the space. A cheaper option is iShares Digital Security (LOCK) which has an ongoing charge of 0.4% and tracks a similar basket of names.
Disclaimer: The author Steven Frazer has investments in Smithson and Allianz Technology Trust referenced in this article.