While the relentless growth in hacking keeps company executives awake at night, canny investors can generate returns from a global boom in cyber security as bosses defend against the hackers
There are up to 250,000 cyber attacks each day, according to analysis by Bank of America Merrill Lynch (BAML), with approximately 70 per cent of those attacks thought to be going undetected. This wave of assaults may seem unstoppable, yet there are ways to fight back.
The cyber-security business is estimated by BAML to have been worth $75-77 billion in 2015 and is forecast to reach $170 billion by 2020. Getting exposure to the growth those firms may see as concern grows can offer investors, big and small, the chance to get a return from what would otherwise be a very damaging process.
Understanding the risks
Understanding what constitutes a cyber attack – and therefore defence – is paramount if investors are to get a breadth of exposure across the business.
“Most people have a connected device, be it a smartphone, a computer they use personally or at work,” says Andrew Chanin, chief executive of PureFunds, which offers a cyber security exchange-traded fund (ETF). “They are realising they are connected and they see credit card information breached at retail outlets they purchase their goods from, so they are realising this is something that is going to affect them.”
For the firms affected by cyber attacks, the cost of being hacked can relate to direct financial loss, the loss of intellectual property or a loss of business if customers and counterparties quit.
“The average cost of a cyber attack for a US company and listed US companies is up to about $12.7 million,” says Sarbjit Nahal, equity strategist at BAML.
Businesses are not only motivated by losses, the authorities are increasingly taking an interest in how they protect themselves and their customers. MP Andrew Tyrie, chairman of the Treasury Select Committee, delivered an open letter to the head of the UK’s financial regulators in January arguing: “Legal, regulatory, structural and cultural changes are needed to the way that banks manage their cyber risks.”
He observed that co-ordination between supervisory bodies was needed as: “Currently, no one group seems to be directly responsible for developing a full understanding of the risks carried… by individual banks.” Without reform, “the public will remain more exposed than necessary to the risk of bank failure”, he concluded.
Firms that generate a return from increased expenditure on cyber security represent a range of services and technologies, from networks data travels on to anti-virus software on a computer desktop
Spending on IT within banks is increasing considerably as a result; however, with hackers targeting point-of-sale devices in shops and client data stored on websites, every business has to be aware of the risks.
“US corporates have seen their cyber budget grow at twice the rate of traditional IT budgets over the last three years,” says Mr Nahal. “We are now up to cyber accounting for about 6 per cent of IT budgets at across sectors.”
National security is also driving up spending on cyber security, with criminals and foreign government agencies being held responsible for attacks that can cause malicious damage as well as material loss. Threats are not always external or obvious as insiders account for more than 50 per cent of attacks, according to BAML, and as the internet of things enables more devices to become connected online, the array of possible targets has increased exponentially.
“Being hacked caused one of the big auto makers to recall 1.4 million cars,” notes Mr Nahal.
Knowing where to invest
Firms that generate a return from increased expenditure on cyber security represent a range of services and technologies, from networks data travels on to anti-virus software on a computer desktop.
For investors seeking to benefit from any increased revenues they generate, getting the right mix of companies is essential. Typically this exposure can be gained by researching and picking individual stocks or putting money in a fund that holds appropriate investments, either a mutual fund or an exchange-traded fund.
Yves Kramer manages the Pictet-Security Fund for Pictet Asset Management, which invests in firms that cover IT security products, physical security products and security services. He says the fund is one way to gain exposure to cyber security while retaining diversity in the portfolio, which can be advantageous when markets are bad as this can cause niche stocks to see volatile price movements.
“We have between 10 and 12 per cent exposure to cyber security and I am happy we have reduced to that because [cyber security-focused] funds are seeing clients ask for redemptions,” he says. “We don’t perform much better than ETFs when things are great, but for sure when things are bad we do better, so it depends on the sort of risk investors want in their portfolio.”
Investors who want to see more direct exposure can invest in ETFs that track an index of stocks which are specifically selected to represent the cyber security industry. The International Securities Exchange (ISE) has developed the ISE Cyber Security UCITS [undertakings for the collective investment in transferable securities] Index Net Total Return Index, which is used as the benchmark for the PureFunds ETF listed in the US and several European-issued ETFs, says Mark Abssy, senior index and ETF manager at ISE ETF Ventures.
“We worked with ETF Securities and their white-label issuer platform Canvas, and there is a version of the index that is compliant with the UCITS rules,” he says. “I developed that with them and we currently have funds trading in London, Frankfurt, Milan and, more recently, Switzerland.”
PureFunds’ Mr Chanin adds: “The index was developed for a few years by ISE before it was used for an ETF. To determine and make these definitions, ISE had a pool of more than 200 publically traded companies from around the globe which they considered were doing something in cyber security. To determine what should be represented in the basket, companies were then selected which were deriving a very high percentage of the revenue specifically from cyber security-related activities.”
If an investor wants to select individual companies, they will have to conduct the research themselves, manage the investment and ensure the companies are conducting the business the investor wanted to get exposure to.
“Companies could sell off their cyber security-related activities,” says Mr Chanin. “You really have to be your own personal manager and cyber security expert.”
BAML has identified around 50 firms globally that could be seen to have exposure to cyber security of which 15 are classified as being highly correlated with the sector. The opportunities for growth include many technologies that are established, but have not yet been fully deployed. The international nature of the market means criminals will take a cyber strategy from a jurisdiction in which counter-measures have been employed and exploit one which has yet to act. This uneven distribution of cyber security can mean firms with a working model are not necessarily outpaced by new technologies.
“I do think there are a lot of low hanging fruit in this space; the US has not made the same transition in chip and PIN for debit and credit cards we have seen here in Europe,” says Mr Nahal. “You still have 1.3 billion cards that need to be converted around the world. Close to 40 per cent of corporates were applying some sort of encryption strategy in 2015 and that was up from 15 per cent in 2005.”
While cyber attacks remain a growing threat, there are at least effective ways to hit back at the hackers – and make gains on the back of that fight.