As cybersecurity threats continue to rise, ESG-focused investors should take note.
- Worldwide IT security spending continues to grow as businesses seek to avoid the reputational and other risks associated with increasingly sophisticated cyberattacks.
- The cybersecurity industry is fragmented and fast-changing, and represents a challenging area for public equity investors to gain direct exposure.
- Thorough analysis of a security’s environmental, social and governance (ESG) profile is critical in order to highlight potential cybersecurity risks as well as the mitigation steps a company may have taken.
Within the vast panorama of social factors that are considered as part of environmental, social and governance (ESG) analysis sits cybersecurity: headline-grabbing and potentially ruinous for the reputation of companies that have chosen to ignore it. Society increasingly treats cybersecurity as a ‘black box’ of technology, with security experts viewed as wizards dealing in the dark arts of data encryption. The sector’s credentials are attractive: worldwide IT security spending is expected to total $120bn in 2020 and grow at c.10% per annum to reach $158bn in 2023 according to a recent Jefferies report, representing double the growth rate of total IT spending. It is enough to read about the high-profile travails of companies such as Equifax, Twitter and Marriott, not to mention the purported Russian interference in the US election process in 2016, to appreciate that the stakes are high when hackers are lurking in the shadows.
US hotel chain Marriott suffered severe damage to its brand in 2018 when hackers breached its reservation system and stole the personal data of up to 500 million guests. A year earlier, vulnerability in website software at credit bureau Equifax led to the resignation of two senior officers, although the origin of the breach remained murky and to this day has never been found. Social network Twitter saw the accounts of prominent public figures compromised, while less sensational but equally concerning was the attack on dozens of universities and charities across the UK, US and Canada. Brands and reputations which have taken years to forge can be tarnished in the blink of an eye.
Despite the appealing growth profile of the cybersecurity industry, it is challenging to gain direct investment exposure to this relatively new sub-sector in public equity markets. Returns have been mixed, and many investors have preferred to take a ‘basket’ approach. Private-equity firms have traditionally snapped up the most attractive companies, with cybersecurity start-ups vying to meet the threats and challenges of today’s cybersecurity landscape. Funding and deals hit record highs in 2019, with 564 venture capital deals alone.
Annual global cybersecurity deals and financing 2015-2019
Ripe for consolidation
The industry is fragmented and ripe for consolidation. Barriers to entry are low in achieving very sophisticated high-end capabilities, with even teenagers working out of their parents’ basements able to apply their skills with global effects. Moreover, the fast-changing nature of the industry means that a competitive advantage is hardly ever sustainable, and companies inevitably end up fighting yesterday’s battles.
The traditional hub-and-spoke model in cybersecurity is changing. Previously a company’s security capabilities, computing power and sensitive data all resided in a data centre, but the increasing adoption of cloud-based solutions has led to decreased reliance on on-premises installation. Indeed, the companies that capitalise on this trend, within the spectrum of specialisms encompassing the world of cybersecurity, are likely to emerge as winners. Technology goliaths have historically acquired and integrated these mousetraps into their technology stack, although it remains to be seen how core cybersecurity is to their product suites over time.
Microsoft is a case in point. Two years ago, it announced that it would invest $1bn into its cybersecurity ecosystem. During the same year it pledged to invest a further $5bn over the next five years. The attraction for the company was to reduce the need for third-party software, thereby strengthening its position vis-à-vis its rivals, as well as tethering non-PC devices more tightly to its software. The sheer size and growth potential of the appetising security solutions market justified its significant investment and has turned it into a force to be reckoned with in this area. This ability to capitalise on growing trends and global challenges typifies the kind of companies that are likely to thrive in the context of a world that it fast-changing.
Sophisticated and ingenious
The Covid-19 pandemic has accelerated trends that would usually take years to be adopted. The ‘new normal’ of remote working has taken away the visibility and control that organisations previously relied on to secure their data, accounts and applications. Cyberattacks come in a variety of guises and are increasingly ingenious, making use of sophisticated techniques such as artificial intelligence with the aim of capturing user credentials and leading users to accidentally download malware. These threats affect a broad range of businesses and sectors and, while the short-term headlines have been dominated by the ravages of the pandemic, a coordinated cyberattack could have the potential to immobilise a society ever more addicted to technology, and is an important risk worth featuring prominently in any corporate risk log.
Given the relative dearth of ‘pure-play’ opportunities offering attractive liquidity profiles, perhaps the most pertinent way to view the theme of cybersecurity is as a risk that can affect and undermine businesses in any sector, including IT platforms themselves. However thriving and well-insulated a company may be against an economic slowdown or competitive pressures, the threat of a cyberattack is ever present (mitigated to varying degrees by judicious investment at the corporate level), with the potential to unravel years of consumer trust and brand equity. We believe a thorough analysis of a security’s ESG profile is therefore critical in order to highlight potential cybersecurity risks as well as the mitigation steps a company may have taken.
 Deep Dive into Security 101: Distilling the Murky Waters of Enterprise Security, Jefferies, 27 July 2020
These opinions should not be construed as investment or other advice and are subject to change. This material is for information purposes only. This is not investment research or a research recommendation for regulatory purposes. Any reference to a specific security, country or sector should not be construed as a recommendation to buy or sell investments in those securities, countries or sectors.