Cover Story: Scoping out the cybersecurity theme

This article first appeared in Personal Wealth, The Edge Malaysia Weekly, on July 10, 2017 - July 16, 2017.
-A +A

The surging prices of cybersecurity stocks and exchange-traded funds over the past year have attracted investor attention. Industry professionals look at the opportunities and risks offered by this technology sub-sector.

Cybersecurity has become an investment theme following the rise of cyberattacks around the world. Investors are betting that businesses will increase their cybersecurity expenditure to secure their data and intellectual property and that this will benefit companies that provide such products and services.  

James Butterfill, executive director at ETF Securities, says the growing cybersecurity expenditure is due to the fact that cybercrime is becoming one of the biggest global threats and corporations and governments have become more aware of the need for cybersecurity in recent years. 

“Last year, the number of cybercrimes went up, causing US$3 trillion in losses globally, which is about 4% of the global gross domestic product. Cybercrimes are really becoming a serious financial problem,” says Butterfill. ETF Securities is an asset management firm with a focus on exchange-traded funds (ETFs).

ETFs that track the stocks of companies involved in cybersecurity have attracted investor interest. They include ETFS ISE Cyber Security GO UCITS ETF (USPY), PureFunds ISE Cyber Security ETF (HACK) and First Trust Nasdaq Cybersecurity ETF (CIBR). USPY is listed on the London Stock Exchange and Deutsche Boerse. HACK is listed on the New York Stock Exchange (NYSE) and CIBR trades on the Nasdaq.  

All three ETFs have seen a healthy increase in assets under management (AUM) since the beginning of this year. Butterfill says USPY’s assets doubled to US$260 million (RM1.1 billion) in the first half of this year. “It is one of our fastest-growing funds.”

According to financial data research platform YCharts, HACK’s AUM rose 71% to US$1.1 billion while CIBR’s assets grew 33% to US$21.9 million during the period.

The performance of the three funds has been commendable. Based on net asset value (NAV), USPY, HACK and CIBR saw a year-to-date return of 7.12%, 14.44% and 11.99% respectively (as at June 28) while their 12-month returns were 30.43%, 34.72% and 32.9%.

All three ETFs were launched in recent years. HACK was listed in November 2014 while CIBR and USPY began trading in June and August 2015 respectively.

Palo Alto Networks, FireEye and Trend Micro are among the cybersecurity stocks that have seen a price surge in the last 12 months. These counters are held by USPY, HACK and CIBR.

Palo Alto provides network security solutions such as firewalls to prevent cyberattacks and data leakage. More than 85 of the Fortune 100 rely on the company to enhance their cybersecurity. Its stock surged 13% in May after the company’s third-quarter revenue exceeded analyst estimates. As at June 3, 18 out of 32 research analysts had a “strong buy” call on the stock.  

Internet security company FireEye provides malware protection systems and network threat prevention solutions. It also offers web, email and file security as well as malware analysis. Driven by the company’s cost-cutting efforts and new business models, its share price has shot up more than 40% in the past quarter, overtaking competitors such as Palo Alto. However, some analysts are cautious about the stock, saying that the company has yet to clearly demonstrate revenue growth drivers. As at June 3, 15 out of 22 analysts recommended holding the stock while six had a “strong buy” call.

Trend Micro develops and markets anti-virus and internet security software. Its products are sold worldwide. For the 12 months ended July 4, its share price had risen about 60%. Last month, the company introduced a US$100 million corporate fund that focuses on start-ups in the Internet of Things (IoT) space. According to the Financial Times, six analysts had an “outperform” recommendation on the stock, which is listed on the Tokyo Stock Exchange, while three analysts had ‘hold’ calls as at June 30. 

Industry experts weigh in Cybersecurity is part of the technology sector. The nascent sub-sector is relatively small, but it is projected to expand in the next few years. 

Butterfill, who is also head of research and investment strategy at ETF Securities, says the price-earnings ratio (PER) of companies in the US cybersecurity industry is about 35 times as at June 14. This is higher than the 25 times of the broader technology sector in the US.

He says investors who are looking at the cybersecurity investment theme should be looking at growth rather value investing. “Valuations could become a little cheaper after the recent bull market. But there is potential growth going forward, although you are paying a premium for it.”

Some of the companies these ETFs have bought into have extremely high valuations, but others are loss-making. According to Bloomberg, Barracuda Networks Inc, Gigamon Inc and Symantec Corp had a PER of more than 100 times as at June 28 while Palo Alto and FireEye had losses per share of US$2.50 and US$2.29 respectively.

The three cybersecurity ETFs have slightly underperformed the broader US technology sector (see chart) compared with the S&P 500 Information Technology Index, which has generated a return of 38.16%.  

A spokesman for Morningstar, a US-based international investment research and investment management firm, says the ETFs do not carry a Morningstar rating yet as they do not have a track record of at least three years. “It is a small, niche and thematic subset of the technology sector. Investors should understand what the underlying portfolio is and be aware of the fees that the ETFs charge.” 

USPY imposes an annual management fee of 0.75% while HACK and CIBR charge 0.6%. Howie Li, CEO of CANVAS, the provider of USPY, says its fee is higher because the fund was launched in Europe, which has a different costing structure.

Another reason for the higher management fee is the methodology adopted by USPY. Li says the ETF has adopted a two-tier equal weighting methodology, which places a greater emphasis on small caps in the cybersecurity segment.

“This compares with CIBR, which places a greater emphasis on large caps. This is in stark contrast to our view that true value and opportunity lie in the small-cap segment. It is crucial that investors understand what they are paying for. In this case, the choice is between two largely different products,” he tells Personal Wealth. 

Li says USPY and HACK have a “high degree of overlap between their underlying constituents” as they both have a greater focus on small-cap stocks. As CIBR focuses more on large caps, its underlying index has a higher minimum market cap requirement of US$250 million, compared with that of USPY’s at US$100 million, says Li. The net result is that CIBR holds a smaller number of stocks (30) and has a bias towards mid and large caps (72%).

“USPY’s underlying index, meanwhile, has a comparatively smaller weighting on mid and large caps (55%) and places greater emphasis on small caps. The small-cap segment is where high-growth opportunities are likely to exist,” he says. 

Richard Clode, fund manager of Henderson Global Technology Fund, reminds investors to be cautious when investing in cybersecurity stocks. “When we get a spate of high-profile hacks, we normally get a spike in cybersecurity spending as CEOs release a budget for that segment to avoid being the next CEO apologising on TV for breach of data. These growth rates tend to be unsustainable, but are extrapolated by analysts and investors. This can make spending patterns lumpy and investors may end up investing in volatile stocks.

“Also, given the paucity of pure plays in the space and high investor interest in the area as it is an easily understood theme, the valuations tend to be high. Our fund has minimal pure-play exposure today and we would highlight our investments in cloud infrastructure such as Amazon and Alibaba instead (see accompanying story).”


More investments in the future

Global market intelligence firm IDC forecasts that by 2019, some “70% of major multinational corporations with roots in the US and Europe will face significant cybersecurity attacks aimed at disrupting the distribution of commodities”.

As cybercrimes occur more and more frequently, businesses are increasing their investment in cybersecurity. “It has definitely increased. However, it must be noted that it differs from one industry to another,” says Nigel Tan, business development executive at IBM Security Asia-Pacific.

“The investments depend on how exposed they are to data breaches or if they have been victims of cyberattacks. Also, companies that operate in countries with cybersecurity regulations [such as the US] have to invest more in this area.”

Technology giant IBM established its cybersecurity business unit in 2011. Even though the unit is not the company’s biggest contributor, it helped generate US$2 billion (RM8.6 billion) in revenue last year. The business has seen double-digit growth in the past few years.

Companies that have huge exposure to data breaches include banks and financial institutions, which store huge amounts of private data and are heavily regulated by governments. The financial industry is expected to be the top spender in cybersecurity going forward. Other huge spenders include multinational corporations and large organisations in every sector, says Tan.

He adds that US companies have made huge investments in cybersecurity because of the country’s security breach notification law, which requires them to announce any data losses to the public. This provides the companies with a huge incentive to invest in cybersecurity.

Cybersecurity awareness is higher in Europe and Australia than in other parts of the world. This trend is what led IBM to set up its cybersecurity business unit and invest heavily in related technology and expertise. It recently came up with Watson for Cyber Security to tap the growing market.  

According to Tan, there is a shortage of skilled workers in the cybersecurity sector. It is estimated that there will be a shortage of 3.5 million workers by 2021. This is where Watson, a supercomputer that combines artificial intelligence with sophisticated analytical software, comes in.

Tan says a typical cybersecurity analyst goes through 200,000 security events per day, attempting to harness insights from more than 60,000 security blog posts published every month. On top of that, the analyst wastes more than 20,000 hours annually chasing false threats. 

“Despite this, analysts still miss more than 90% of the security information out there. Watson for Cyber Security takes unstructured information and context and turns them into data. It can interpret, learn and process critical security intelligence — originally designed by and for humans — to enable analysts to respond to threats at speeds and scales previously unimagined,” he says.

The emerging threat of cybercrimes going forward is not being overstated and the cybersecurity market will grow, says Tan. “This is especially so as we are moving into the Internet of Things and there will be more and more devices connected online. Cybersecurity is going to be very important.”

Goh Su Gim, senior enterprise cybersecurity solutions consultant at BAE Systems Applied Intelligence, says the trend is happening in Malaysia and investments in cybersecurity will increase. “According to the Malaysian findings of BAE Systems’ 2017 Cyber Defence Monitor, which surveyed both C-suite management and IT decision makers, both groups believed that the number and severity of attacks will increase in the coming years. Some 90% of board respondents and 84% of IT teams predicted an increase in the severity of attacks. Cybersecurity represents the most significant challenge to 71% of C-suite respondents globally compared with 70% in Malaysia.”


Cloud providers could benefit from cybersecurity demand

Richard Clode, fund manager of Henderson Global Technology Fund, says companies that provide cloud computing services could be the beneficiaries of the growing demand for cybersecurity solutions. That is because storing data and information in the cloud is considered to be one of the safest methods out there. 

This perception is mainly due to the huge investments made by cloud service providers to improve security in recent years. “The number one risk to Amazon Web Services, for example, would be a hack. Hence, it spends a serious amount of money on cybersecurity. Consequently, it hires the brightest minds in the industry to improve the security of its cloud services,” says Clode.  

“As a result, companies now view the public cloud as ‘safer’ than their own servers. This is a major U-turn in view of what happened a few years ago when, after some serious hacks, enterprises as well as the US Central Intelligence Agency chose to house data in a public cloud. This was an important milestone.”

He also says cloud service providers could disintermediate some of the spending from cybersecurity firms as more and more businesses store data in the public cloud. “I was at the Alibaba Investor Day and AliCloud was highlighting how it protects 37% of all websites in China and that the scale allows them to see attacks such as WannaCry in their infancy. This gives it time to patch its whole network in advance of such threats going viral, resulting in minimal disruption.”

The Henderson Global Technology Fund is the target fund of TA Global Technology Fund, launched by TA Investment Management Bhd in Malaysia.


Increased Awareness

Major cybercrimes in recent years have increased the awareness of cybersecurity around the world. The most notable was the WannaCry ransomware attack in May, which single-handedly took down the UK’s National Health Service (NHS) — the fifth largest employer in the world. Most of the NHS’ computers were shut down due to the hack and the data could only be recovered by paying the hackers in bitcoin.  

According to news reports, there were several victims in Malaysia as well, which led CyberSecurity Malaysia — an agency under the Ministry of Science, Technology and Innovation — to issue a public warning of the attack. 

A young British security researcher managed to stop WannaCry, but other ransomware have surfaced. Last month, the Petya ransomware struck Ukraine’s major firms, airports and government departments. It then spread across Europe and around the globe, crippling thousands of computers, disrupting ports from Mumbai to Los Angeles and halting production at a chocolate factory in Australia, according to Reuters.