Mason Stevens
7 Mar, 2022

Our lifestyles have continued to become increasingly digitised over the years, where we’ve been able to use the internet to improve our professional lives (through working from home and meeting remotely), and our social lives (through social networks like Facebook and Twitter).

Smartphones have played larger and larger roles in our day-to-day lives, both mentally and now even physically, where we have the capacity to replace carrying around a wallet through storing debit/credit cards, driver’s licences and transport cards (like Opal and Myki) within our phones.

Whilst this has made for a more convenient and efficient existence, there are serious risks which have emerged as a result of the greater exchange, storage and centralisation of data – with cybersecurity now becoming a vital concern in the lives of individuals, businesses and governments.

Russian Invasion Stokes Cyberwar Fears

Throughout Russia’s recent invasion of Ukraine, the applicability of cybersecurity to modern warfare has been constantly discussed. Many continue to fear Russia’s cyber warfare capabilities in light of its successful cyberattack on Ukrainian power grids in 2015 and its deployment of the “NotPetya” malware in 2017, which caused billions in damages for businesses primarily within Ukraine, but also globally.

Whilst cyberattacks were detected and halted in the hours prior to the invasion of Ukraine, the cyberwar many expected has yet to eventuate, where there were expectations for Russia to potentially disable infrastructure surrounding communications, power, and water.

Instead, Ukrainians have been granted unfettered access to the internet, where their own government has been able to mobilise and motivate its civilians, and receive global support through extensive social media exposure – the conflict may have transpired in a much more negative manner if nationwide internet access had been disrupted.

Markets have acknowledged this increased importance of cybersecurity given geopolitical volatility – where cybersecurity shares have outperformed their software peers in recent months and have so far offered an enclave of relative safety for growth investors.

Chart 1: 1-Month Performance of Cybersecurity ETFs (green, red) and the iShares Software ETF (blue)

Source: Bloomberg, as at 4/3/22

Whilst geopolitical tensions may have been the inspiration behind this note, we will instead focus on the individual and corporate applications of the technology, where last year’s Colonial Pipeline ransomware attack highlighted the vulnerabilities many companies may have.

Large amounts of capital will continue to flow into the industry as a result of events such as this, with a 2021 Deloitte survey revealing that almost 75% of companies that made more than USD$30bn in revenue said they’d spend more than $100m on cybersecurity this year.

Owing to the ever-evolving nature of the industry – these expenses won’t be one-off capital expenditures, but instead will be recurring expenses, offering attractive investment propositions within the cybersecurity industry.

Why Has Cybersecurity Become More Important?

Cybersecurity has become increasingly important due to the growing numbers and enhanced sophistication of malicious actors.

These malicious actors have been drawn to the greater addressable opportunity set, where more value has been transferred online (through the digitisation of assets) and into more complex systems (where there are more critical points of failure).

Systems will only increase in complexity as we demand more service offerings from internet-based companies, inevitably creating more points of failure – 95% of cybersecurity issues can be traced to human error.

Examples of the cost of cybersecurity breaches were put on display through the Colonial Pipeline hack, where hackers employed a ransomware attack, halting the pipeline for 6 days and creating nationwide gas shortages and increases in petrol costs.

The hackers were able to access Colonial Pipeline’s system through a former employee’s account: the password for that company login had also been used on another website, where user data was leaked.

The breach could have been avoided through implementation of two-factor authentication – a basic, but effective form of cybersecurity.

Moreover, as we transition from Web2.0 (read/write), to Web3.0 (read/write/own), a different set of challenges will be posed, where greater decentralisation will enhance security, but also create greater motivation for hackers given the transparency of financial incentives.

Pipelines of Money into Cybersecurity

Now that we’ve established the importance of cybersecurity in the coming years, it’s time to evaluate the investment exposures available.

A few weeks ago, we evaluated SaaS (Software as a Service) businesses, and the coupon-like value of their recurring revenue streams.

Most cybersecurity exposures operate under SaaS models, and as such, are likely to maintain robust and consistent cash flows given the stickiness and essential nature of their services.

For example, if we rewind to the start of the COVID-19 pandemic, when businesses were forced to cut expenses, cybersecurity would be one of the last items on the chopping block – if they cut these services, they would either have to bring cybersecurity in-house (stretching resources at a time when employees were being let go), or increase business risk further through having no cybersecurity at all.

Given the industry currently sits within a niche, is growing rapidly, and has a swathe of M&A activity, ETFs offer the best vehicle for many investors wishing to gain exposure.

Different cybersecurity ETFs will primarily differ on the weighting they apply to each security – given the relatively small universe of available securities.

The BetaShares Global Cybersecurity ETF (ASX:HACK) offers an AUD denominated exposure, where weightings are determined by levels of trading volume.

The Global X Cybersecurity ETF (NASDAQ:BUG) is market cap weighted, where holdings are limited only to those companies who receive greater than 50% of their revenues from cybersecurity related services.

Chart 2: 2y Performance of HACK and BUG

Source: Bloomberg, as at 4/3/22

Time to Buy Security?

Whilst cybersecurity stocks have been under pressure in recent months as a result of their lofty multiples, the fundamental picture for the industry is as strong as ever.

Geopolitical tensions have reinvigorated the conversation surrounding the potential impacts of cyberwarfare, and notable events such as the Colonial Pipeline and SolarWinds hacks have revealed the importance of robust cybersecurity measures to corporates around the world.

As we enter the Web3.0 era, cybersecurity will only become more important, and will have to evolve in line with the changing risk landscape.

As individuals, we should also seek to be more aware of cybersecurity risks through creating more complex passwords, using two-factor authentication where possible, and using different passwords across accounts (password managers like LastPass can assist in creating randomised passwords, keeping your passwords stored, and secured safely behind two-factor authentication).

The views expressed in this article are the views of the stated author as at the date published and are subject to change based on markets and other conditions. Past performance is not a reliable indicator of future performance. Mason Stevens is only providing general advice in providing this information. You should consider this information, along with all your other investments and strategies when assessing the appropriateness of the information to your individual circumstances. Mason Stevens and its associates and their respective directors and other staff each declare that they may hold interests in securities and/or earn fees or other benefits from transactions arising as a result of information contained in this article.