Cybersecurity funds are poised for greater growth as companies invest heavily in new technology and high-profile cyberattacks proliferate.
While two of the most prominent cybersecurity-focused exchange-traded funds have underperformed the broader market so far this year, they enjoyed a couple bumps in the wake of major cyberattacks, like the Exchange Server hack at Microsoft Corp. in March. Other major attacks included the Colonial Pipeline Co. breach in May and the attack compromising a large swath of T-Mobile US Inc. customers in August.
"The more negative the news, the more positive that is for the value of a cyber investment. Instability tends to drive investment in improving stability," said Scott Crawford, a cybersecurity analyst and director at 451 Research.
The First Trust Exchange-Traded Fund II - First Trust NASDAQ Cybersecurity ETF and BetaShares Global Cybersecurity ETF, are each up roughly 16% year-to-date through Sept. 22, slightly underperforming the broader market and information technology ETF Vanguard World Fund - Vanguard Information Technology ETF.
While the bumps around breach disclosures moved the ETFs a few percentage points, many of these event-related spikes tend to be overbaked, driven by headline hype more than sound investment theses, Crawford said. "There's a fair amount of ambulance chasing in cybersecurity, and particularly in cybersecurity as an investment."
But there is also a shift among investors to view cybersecurity stocks as more of a long-term play. Cybersecurity is critical to enterprises and governments, and investors understand that it is a stable business in this regard. The sector previously saw a market boom a few years ago, but investors are only beginning to realize that the current pace of demand may still be insufficient as enterprises grapple with the security needs of digital transformation, William Blair Securities analyst Jonathan Ho said.
"Security is a defensive sector and a growth sector," Ho said in an interview.
"I think organizations are going to realize that they need to invest a relatively larger portion of their IT budgets on cybersecurity," said Erik Suppiger, an equity research analyst covering IT infrastructure and cybersecurity at JMP Securities. "In terms of the spending cycle, I think we're still early."
Earlier this year, 18% of surveyed midlevel and senior IT professionals told 451 Research that their organization planned to increase its total information security budget by 50% to 200% in 2021 versus 2020; and 68% planned an increase between 1% and 50%. The report, 451 Research's "Voice of the Enterprise: Information Security, Budgets & Outlook," found that only 8% of respondents planned any kind of decrease.
While equities might jump briefly in reaction to major breaches, the shift in enterprise budgets is both more gradual and sustained these days, Ho said, adding that the days of "blank-check spending," when a CEO or IT leader in a company would order a massive increase in spending when a peer company was hacked, are over.
"We're not seeing a dramatic spike in buying from our companies [following an attack]. We're just seeing healthy demand trends," Ho said.
Suppiger agreed, noting that companies aim now to be proactive in protecting their data rather than reactionary. "The reality is these days, I don't think there are many organizations that don't think that they're under attack."
Into the cloud
However, some cybersecurity firms stand to see greater growth than others as demand shifts with enterprise priorities and new technologies, said Pedro Palandrani, a tech analyst at research company Global X ETFs, a New York-based exchanged-traded fund provider.
A newer generation of cloud-based security vendors is attracting more attention with their more financially efficient product offerings. For example, cloud-based products that are driven by artificial intelligence and offered on a subscription basis are becoming increasingly common among next-generation cybersecurity companies, Palandrani said, and the asset-light revenue model for these services is much more reliable than previous billing models.
"These are essentially software-as-a-service solutions," Palandrani said, pointing to CrowdStrike Holdings Inc., which has managed to consistently grow its revenue from existing clients by roughly 120% year-over-year in recent quarters. The tech analyst sees "a lot of upselling opportunities, a lot of upgrades as these companies introduce better and new services. And again, that's without adding the growth that is coming from new customers."
The steady flow of new cybersecurity solutions to meet the growing and evolving demand has led to a considerable amount of fragmentation in the industry, with new companies offering new niche products to solve new problems.
"You have companies leading in network security," Palandrani said. "You have companies leading in internet security. You have others protecting your endpoints, your cloud security, your identity as well, messaging with e-mail. ... Having cybersecurity solutions that really focus on that identity access management space is increasingly important. So there are many different applications of cybersecurity solutions."
That fragmentation has allowed various cybersecurity companies to outperform, even as cybersecurity ETFs tracked with broader markets. Ho pointed to Palo Alto Networks Inc., which has grown rapidly through M&A, having acquired 13 companies in the three years from 2018 to 2020, according to 451 Research data. Investors have rewarded Palo Alto for its strategy, launching the stock over 300% since the beginning of 2018, well beyond any major cybersecurity ETF.
"They've grown through both through M&A an internal innovation. I don't think they get enough credit for their internal innovation," Ho said.
451 Research is part of S&P Global Market Intelligence.