As cybersecurity threats continue to rise, ESG-focused investors should take note.

  • Worldwide IT security spending continues to grow as businesses seek to avoid the reputational and other risks associated with increasingly sophisticated cyberattacks.
  • The cybersecurity industry is fragmented and fast-changing, and represents a challenging area for public equity investors to gain direct exposure.
  • Thorough analysis of a security’s environmental, social and governance (ESG) profile is critical in order to highlight potential cybersecurity risks as well as the mitigation steps a company may have taken.

Within the vast panorama of social factors that are considered as part of environmental, social and governance (ESG) analysis sits cybersecurity: headline-grabbing and potentially ruinous for the reputation of companies that have chosen to ignore it. Society increasingly treats cybersecurity as a ‘black box’ of technology, with security experts viewed as wizards dealing in the dark arts of data encryption. The sector’s credentials are attractive: worldwide IT security spending is expected to total $120bn in 2020 and grow at c.10% per annum to reach $158bn in 2023 according to a recent Jefferies report, representing double the growth rate of total IT spending.[1] It is enough to read about the high-profile travails of companies such as Equifax, Twitter and Marriott, not to mention the purported Russian interference in the US election process in 2016, to appreciate that the stakes are high when hackers are lurking in the shadows.

US hotel chain Marriott suffered severe damage to its brand in 2018 when hackers breached its reservation system and stole the personal data of up to 500 million guests. A year earlier, a vulnerability in website software at credit bureau Equifax led to the resignation of two senior officers, although the origin of the breach remained murky and to this day has never been found. Social network Twitter saw the accounts of prominent public figures compromised, while less sensational but equally concerning was the attack on dozens of universities and charities across the UK, US and Canada. Brands and reputations which have taken years to forge can be tarnished in the blink of an eye.

Despite the appealing growth profile of the cybersecurity industry, it is challenging to gain direct investment exposure to this relatively new sub-sector in public equity markets. Returns have been mixed, and many investors have preferred to take a ‘basket’ approach. Private-equity firms have traditionally snapped up the most attractive companies, with cybersecurity start-ups vying to meet the threats and challenges of today’s cybersecurity landscape. Funding and deals hit record highs in 2019, with 564 venture capital deals alone.

Annual global cybersecurity deals and financing 2015-2019

Source: 2020 Cyber Defenders, CB Insights, 2020

Ripe for consolidation

The industry is fragmented and ripe for consolidation. Barriers to achieving very sophisticated, high-end capabilities are low, with even teenagers working out of their parents’ basements able to apply their skills with global effects. Moreover, the fast-changing nature of the industry means that a competitive advantage is hardly ever sustainable, and companies inevitably end up fighting yesterday’s battles.

The traditional hub-and-spoke model in cybersecurity is changing. Previously a company’s security capabilities, computing power and sensitive data all resided in a data centre, but the increasing adoption of cloud-based solutions has led to decreased reliance on on-premises installation. Indeed, the companies that capitalise on this trend, within the spectrum of specialisms encompassing the world of cybersecurity, are likely to emerge as winners. Technology goliaths have historically acquired and integrated these mousetraps into their technology stack, although it remains to be seen how core cybersecurity is to their product suites over time.

Microsoft is a case in point. Two years ago, it announced that it would invest $1bn into its cybersecurity ecosystem. During the same year it pledged to invest a further $5bn over the next five years. The attraction for the company was to reduce the need for third-party software, thereby strengthening its position vis-à-vis its rivals, as well as tethering non-PC devices more tightly to its software. The sheer size and growth potential of the appetising security solutions market justified its significant investment and has turned it into a force to be reckoned with in this area. This ability to capitalise on growing trends and global challenges typifies the kind of companies that are likely to thrive in the context of a world that is fast-changing.

Sophisticated and ingenious

The Covid-19 pandemic has accelerated trends that would usually take years to be adopted. The ‘new normal’ of remote working has taken away the visibility and control that organisations previously relied on to secure their data, accounts and applications. Cyberattacks come in a variety of guises and are increasingly ingenious, making use of sophisticated techniques such as artificial intelligence with the aim of capturing user credentials and leading users to accidentally download malware. These threats affect a broad range of businesses and sectors and, while the short-term headlines have been dominated by the ravages of the pandemic, a coordinated cyberattack could have the potential to immobilise a society ever more addicted to technology, and is an important risk worth featuring prominently in any corporate risk log.  

Given the relative dearth of ‘pure-play’ opportunities offering attractive liquidity profiles, perhaps the most pertinent way to view the theme of cybersecurity is as a risk that can affect and undermine businesses in any sector, including IT platforms themselves. However thriving and well-insulated a company may be against an economic slowdown or competitive pressures, the threat of a cyberattack is ever present (mitigated to varying degrees by judicious investment at the corporate level), with the potential to unravel years of consumer trust and brand equity. A thorough analysis of a security’s ESG profile can highlight such a risk as well as the mitigation steps taken by companies, and can enable us, as thoughtful investors and fiduciaries of our clients’ capital, to embed such considerations in our bottom-up analysis.

[1] Deep Dive into Security 101: Distilling the Murky Waters of Enterprise Security, Jefferies, 27 July 2020


Catherine Doyle


Investment specialist



This is a financial promotion. These opinions should not be construed as investment or other advice and are subject to change. This material is for information purposes only. This material is for professional investors only. Any reference to a specific security, country or sector should not be construed as a recommendation to buy or sell investments in those securities, countries or sectors.

Important information

This material is for Australian wholesale clients only and is not intended for distribution to, nor should it be relied upon by, retail clients. This information has not been prepared to take into account the investment objectives, financial objectives or particular needs of any particular person. Before making an investment decision you should carefully consider, with or without the assistance of a financial adviser, whether such an investment strategy is appropriate in light of your particular investment needs, objectives and financial circumstances.

Newton Investment Management Limited is exempt from the requirement to hold an Australian financial services licence in respect of the financial services it provides to wholesale clients in Australia and is authorised and regulated by the Financial Conduct Authority of the UK under UK laws, which differ from Australian laws.

Newton Investment Management Limited (Newton) is authorised and regulated in the UK by the Financial Conduct Authority (FCA), 12 Endeavour Square, London, E20 1JN. Newton is providing financial services to wholesale clients in Australia in reliance on ASIC Corporations (Repeal and Transitional) Instrument 2016/396, a copy of which is on the website of the Australian Securities and Investments Commission. The instrument exempts entities that are authorised and regulated in the UK by the FCA, such as Newton, from the need to hold an Australian financial services license under the Corporations Act 2001 for certain financial services provided to Australian wholesale clients on certain conditions. Financial services provided by Newton are regulated by the FCA under the laws and regulatory requirements of the United Kingdom, which are different to the laws applying in Australia.
