As cybersecurity threats continue to rise, ESG-focused investors should take note.

  • Worldwide IT security spending continues to grow as businesses seek to avoid the reputational and other risks associated with increasingly sophisticated cyberattacks.
  • The cybersecurity industry is fragmented and fast-changing, and is a challenging area in which public equity investors can gain direct exposure.
  • We believe thorough analysis of a security’s environmental, social and governance (ESG) profile is critical in order to highlight potential cybersecurity risks as well as the mitigation steps a company may have taken.


Within the vast panorama of social factors that are considered as part of environmental, social and governance (ESG) analysis sits cybersecurity: headline-grabbing and potentially ruinous for the reputation of companies that have chosen to ignore it. Society increasingly treats cybersecurity as a ‘black box’ of technology, with security experts viewed as wizards dealing in the dark arts of data encryption. The sector’s credentials are attractive: worldwide IT security spending is expected to total $120bn in 2020 and grow at c.10% per annum to reach $158bn in 2023 according to a recent Jefferies report, representing double the growth rate of total IT spending.[1] It is enough to read about the high-profile travails of global brands, not to mention the purported Russian interference in the US election process in 2016, to appreciate that the stakes are high when hackers are lurking in the shadows.

A major hotel chain suffered severe damage to its brand in 2018 when hackers breached its reservation system and stole the personal data of millions of guests. A year earlier, a vulnerability in website software at a credit bureau led to the resignation of senior officers, although the origin of the breach remained murky and to this day has never been found. Social networking sites have seen the accounts of prominent public figures compromised, while less sensational but equally concerning was the attack on dozens of universities and charities across the US, Canada and the UK. Brands and reputations which have taken years to forge can be tarnished in the blink of an eye.

Despite the appealing growth profile of the cybersecurity industry, it is challenging to gain direct investment exposure to this relatively new sub-sector in public equity markets. Returns have been mixed, and many investors have preferred to take a ‘basket’ approach. Private-equity firms have traditionally snapped up the most attractive companies, with cybersecurity start-ups vying to meet the threats and challenges of today’s cybersecurity landscape. Funding and deals hit record highs in 2019, with 564 venture capital deals alone.

Annual Global Cybersecurity Deals and Financing 2015-2019

Source: 2020 Cyber Defenders, CB Insights, 2020

Ripe for Consolidation

The industry is fragmented and ripe for consolidation. Barriers to achieving very sophisticated, high-end capabilities are low, with even teenagers working out of their parents’ basements able to apply their skills with global effects. Moreover, the fast-changing nature of the industry means that a competitive advantage is hardly ever sustainable, and companies inevitably end up fighting yesterday’s battles.

The traditional hub-and-spoke model in cybersecurity is changing. Previously a company’s security capabilities, computing power and sensitive data all resided in a data center, but the increasing adoption of cloud-based solutions has led to decreased reliance on on-premises installation. Indeed, the companies that capitalize on this trend, within the spectrum of specialisms encompassing the world of cybersecurity, are likely to emerge as winners. Technology goliaths have historically acquired and integrated these mousetraps into their technology stack, although it remains to be seen how core cybersecurity is to their product suites over time.

Microsoft is a case in point. Two years ago, it announced that it would invest $1bn into its cybersecurity ecosystem. During the same year it pledged to invest a further $5bn over the next five years. The attraction for the company was to reduce the need for third-party software, thereby strengthening its position vis-à-vis its rivals, as well as tethering non-PC devices more tightly to its software. The sheer size and growth potential of the appetizing security solutions market justified its significant investment and has turned it into a force to be reckoned with in this area. This ability to capitalize on growing trends and global challenges typifies the kind of companies that are likely to thrive in the context of a world that is fast-changing.

Sophisticated and Ingenious

The Covid-19 pandemic has accelerated trends that would usually take years to be adopted. The ‘new normal’ of remote working has taken away the visibility and control that organizations previously relied on to secure their data, accounts and applications. Cyberattacks come in a variety of guises and are increasingly ingenious, making use of sophisticated techniques such as artificial intelligence with the aim of capturing user credentials and leading users to accidentally download malware. These threats affect a broad range of businesses and sectors and, while the short-term headlines have been dominated by the ravages of the pandemic, a coordinated cyberattack could have the potential to immobilize a society ever more addicted to technology, and is an important risk worth featuring prominently in any corporate risk log.  

Given the relative dearth of ‘pure-play’ opportunities offering attractive liquidity profiles, perhaps the most pertinent way to view the theme of cybersecurity is as a risk that can affect and undermine businesses in any sector, including IT platforms themselves. However thriving and well-insulated a company may be against an economic slowdown or competitive pressures, the threat of a cyberattack is ever present (mitigated to varying degrees by judicious investment at the corporate level), with the potential to unravel years of consumer trust and brand equity. A thorough analysis of a security’s ESG profile can highlight such a risk as well as the mitigation steps taken by companies, and can enable us, as thoughtful investors and fiduciaries of our clients’ capital, to embed such considerations in our bottom-up analysis.


[1] Deep Dive into Security 101: Distilling the Murky Waters of Enterprise Security, Jefferies, July 27, 2020

Any reference to a specific security, country or sector should not be construed as a recommendation to buy or sell this security, country or sector. Please note that strategy holdings and positioning are subject to change without notice. The securities shown are accurate as of June 30, 2020 and were selected based on being top-ten holdings in one or more of our investment strategies. The specific securities identified are not representative of all of the securities purchased, sold or recommended for advisory clients, and actual holdings may vary by client. It should not be assumed that an investment in the securities identified was or will be profitable.

Important information

This is a financial promotion. Issued by Newton Investment Management Limited, The Bank of New York Mellon Centre, 160 Queen Victoria Street, London, EC4V 4LA. Newton Investment Management Limited is authorized and regulated by the Financial Conduct Authority, 12 Endeavour Square, London, E20 1JN and is a subsidiary of The Bank of New York Mellon Corporation. 'Newton' and/or 'Newton Investment Management' brand refers to Newton Investment Management Limited. Newton is registered in England No. 01371973. VAT registration number GB: 577 7181 95. Newton is registered with the SEC as an investment adviser under the Investment Advisers Act of 1940. Newton's investment business is described in Form ADV, Part 1 and 2, which can be obtained from the SEC.gov website or obtained upon request. Material in this publication is for general information only. The opinions expressed in this document are those of Newton and should not be construed as investment advice or recommendations for any purchase or sale of any specific security or commodity. Certain information contained herein is based on outside sources believed to be reliable, but its accuracy is not guaranteed. You should consult your advisor to determine whether any particular investment strategy is appropriate. This material is for institutional investors only.

Personnel of certain of our BNY Mellon affiliates may act as: (i) registered representatives of BNY Mellon Securities Corporation (in its capacity as a registered broker-dealer) to offer securities, (ii) officers of the Bank of New York Mellon (a New York chartered bank) to offer bank-maintained collective investment funds, and (iii) Associated Persons of BNY Mellon Securities Corporation (in its capacity as a registered investment adviser) to offer separately managed accounts managed by BNY Mellon Investment Management firms, including Newton and (iv) representatives of Newton Americas, a Division of BNY Mellon Securities Corporation, U.S. Distributor of Newton Investment Management Limited.

Unless you are notified to the contrary, the products and services mentioned are not insured by the FDIC (or by any governmental entity) and are not guaranteed by or obligations of The Bank of New York or any of its affiliates. The Bank of New York assumes no responsibility for the accuracy or completeness of the above data and disclaims all expressed or implied warranties in connection therewith. © 2020 The Bank of New York Company, Inc. All rights reserved.