Cybersecurity and its challenges


Cybersecurity is one of the most important and dynamic trends in the world today. A survey from Allianz shows it is already the biggest risk businesses face. Add in the fact that technological progress will only increase the importance of cybersecurity, and it is easy to see how an industry built on protecting our data could be supercharged for growth.

However, as discussed below, that doesn’t necessarily make for straightforward investment decisions. On this occasion, we think the best option is safety in numbers, opting for a collective rather than a direct holding.

Cyber 101

First, let’s take it back a few steps and focus on what we actually mean when we use the term ‘cybersecurity’. Cybersecurity is the practice of protecting systems, networks, and programs from potential digital attacks. These can range from criminals accessing or destroying sensitive information to interrupting business processes or even extorting money from victims.

Why is it important?

Fifty years ago the internet and social media had yet to be invented, and few people owned a computer, never mind a laptop, phone and tablet. We now routinely use these devices to transmit a range of banking, personal and commercial data every day. The International Data Corporation (IDC) forecast that the amount of data generated will grow around sixfold from 2018 to 2025 – when there will be 175 zettabytes of data generated. To put that in perspective, that’s enough data to fill over 86,000 64GB iPhones every second, for an entire year.

The benefits of this new way of life are clear. Increased connectivity, rapid access to information and online commerce, to name just three. But the transmission and storage of data on such a scale creates an opportunity for criminals.

As you can see from the chart below, the number of attempted attacks has ballooned. In recent years, organisations ranging from British Airways to the NHS have fallen foul of attacks, with the system governing the US fuel supply the latest to be targeted. Chart 1 below explores data breach trends in the US.

Chart 1:

Source: Statista – Annual number of data breaches and exposed records in the US.

Cybercrime is evolving

Like any new industry, change is happening rapidly – and the goalposts are continuously moving. With more connected devices out there, the potential entry points for attacks are growing. New methods to avoid detection are being created, and existing techniques tweaked all the time. Machine learning and artificial intelligence are critical to developing forward-thinking attack detection software, though the need to counter these challenges creates opportunity.

Firms are battling to capture market share in an industry that is set to grow at a compound annual growth rate (CAGR) of 10% until 2023 (see Chart 2). That means that in just 2 years’ time, the global market could be worth $248bn.

Chart 2:

Source: Statista – Expected growth of cybersecurity market worldwide.

That market can be divided in two. Protection can be sold to businesses (enterprise market) or individuals (consumer market).


While still at risk of attack, consumers tend to have lower budgets and less need for multiple solutions. McAfee and Norton, two major US cyber firms, recently sold their enterprise businesses to focus on the consumer market. Both boast high quality, subscription-based revenue, as well as the ability to generate large amounts of cash. They trade on non-demanding valuations, which appears to be an added attraction, but that actually reflects the fact each is fairly mature and therefore the growth on offer is likely to be limited.

We also think there are a few risks to owning these stocks. For example, the controlling interest in McAfee has changed owners a number of times. After a spell in private ownership, it re-entered public markets with oodles of debt (leverage will be only marginally reduced by the Enterprise sale) and with private equity names still on the shareholder register. After selling down for the IPO, they could well be looking for a complete exit in the future.


In contrast, the Enterprise segment looks more dynamic, with spending set to increase at a faster rate. Demand is different too, with firms looking to protect a wider range of IT infrastructure. This brings the chance to sell complex solutions and cross-sell products. The chart below shows the percentage split of spending across segments of cyber in 2020.

Chart 3:

Source: Hawksmoor Research: Cybersecurity spend by segment (2020).

After a pandemic-ridden 2020 that accelerated the adoption of cloud-based working, it may be surprising to see cloud security at just 0.5% of total spending. There is a huge opportunity here: Gartner forecasts growth at a staggering CAGR of 24.5% to 2023. Data, infrastructure and network security are set for impressive growth too.

Picking a winner… harder than it looks

The growth on offer is clearly attractive for investors. But that same growth means there is likely to be a decent scrap for a seat at the table. Microsoft, for example, has invested heavily in its cloud security offering.

Another reason it is not so simple to pick a winner is that many of those vying to become enterprise providers of choice in the future are still in the land-grabbing phase, and are consequently not particularly profitable. CrowdStrike Holdings (valued at $43bn) is a good example. Last year’s $62m operating profit was its first ever year in the black.

There are more established operators with strong track records, but valuations are quite steep. Based on expected 2021 earnings, Fortinet and Palo Alto shares trade on over 50 times. For context, the S&P 500 trades on 22 times.

Taking the collective route

The strength of the tailwind behind the sector means we think it is an area where lots of value could be created, though it is challenging to pinpoint where. Change is happening rapidly and while some companies will blossom into much more valuable players, others will shrink as their products fall behind. At this stage, it is difficult to pick individual winners.

With an attractive investment theme, yet limited direct equity options, one path to consider is an exchange traded fund (ETF). Access to a diverse portfolio of cyber holdings will ensure expected growth is captured, without taking any unnecessary risks associated with single stocks. There is a range of options in the market, of which our preferred pick is the L&G Cyber Security ETF.

L&G Cyber Security ETF

This product aims to track the performance of a basket of companies that are actively engaged in providing cybersecurity technology and services. These companies are split into one of two subsectors: Infrastructure Providers and Service Providers. The former develop hardware and software for safeguarding internal and external access to files, websites, and networks, whilst the latter provide consulting and secure cyber-based services. This helps capture a wide range of businesses that generate a material proportion of their revenues from the cyber industry.

Whilst not the cheapest on the market, this product offers a good track record and stellar performance. Since inception back in 2015, it has delivered an annualized return of just under 20% (source: Financial Analytics).

Though what really sets this ETF apart from its peers is its portfolio, which is both diverse and made up of modestly sized holdings. As at the time of writing it has 55 constituents, of which the top ten holdings account for just 26.8% with the largest position only 3.2%. This compares favourably to peer ETFs where top tens can make up almost half of the portfolio with top holding sizes in the mid to high single-digit range.

With a strong structural tailwind, a well-diversified portfolio, and a robust track record, L&G Cyber Security ETF is our chosen pick.

Ben Luck – Investment Analyst

Health Warning/ Disclaimer
This document should not be interpreted as investment advice for which you should consult your independent financial adviser. The information and opinions it contains have been compiled or arrived at from sources believed to be reliable at the time and are given in good faith, but no representation is made as to their accuracy, completeness or correctness. Any opinion expressed, whether in general or both on the performance of individual securities and in a wider economic context, represents the views of Hawksmoor at the time of preparation. They are subject to change. Past performance is not a guide to future performance. Hawksmoor Investment Management Limited (“Hawksmoor”) is authorised and regulated by the Financial Conduct Authority. Hawksmoor Investment Management Limited is registered in England No. 6307442 and its registered office is at 2nd Floor, Stratus House, Emperors Way, Exeter Business Park, Exeter EX1 3QS. HA4324

