The COVID-19 pandemic was fuel for the economy’s digitisation. Rapid adoption of cloud, multiplication of devices, and increase in data generation ended up straining existing systems, exposing gaps in enterprise defences. Parallelly, cyberattacks saw a broad uptick worldwide. Both factors are now pushing global businesses to ramp up spending on security solutions. Cybersecurity pure-play vendors serving emerging demands across enterprise, consumer, and government use cases are seeing growth accelerate. This presents an opportunity for investors seeking exposure to growth themes amidst the ongoing macro-induced challenges.
The threat of COVID-19 may be receding, but the increased digital activity that the pandemic spurred isn’t. First, hybrid work remains popular and is likely to be standard practice for many businesses. This dynamic enhances the surface area that enterprises must defend, requiring investment in specialized solutions.
Second, the conflict in Ukraine illustrates new threats that companies face. Hacking organisations, hacktivists, and criminal organizations are seen targeting infrastructures of nation states they do not agree with. Businesses are often caught in the middle. Third, we appear to be in the middle of a broad digital transformation where enterprise data and applications are moving to the cloud. Securing this shift of data assets is a priority area of investment.
Fourth, the operational technology running critical infrastructure such as pipelines, dams, electric grids, and the industrial control systems running supply chains and production facilities are being digitised. Securing these nodes presents challenges for governments around the world.
The threat landscape is increasingly dangerous. For the first half of 2022, ransomware attacks grew nearly 52% year-over-year (YoY).1 Ransom-ware-as-a-service attacks from well tracked and notoriously popular hacking organisations such as Conti and LockBit, which caused some of the worst ransomware outages during COVID, grew 500% YoY.2 Other common attacks include distributed denial of service (DDoS), malware, and simple attacks like phishing and social engineering. An average U.S. business can lose $9.4 million in a data breach.3
Cybersecurity businesses may be able to leverage strengthening tailwinds to accelerate growth. Cybersecurity companies grew revenues by approximately 19% year-over-year (YoY) for the most recently reported quarter on an annualised basis, up 680 basis points (bps) sequentially and 1,250 bps year-over-year (YoY).4 In our view, this acceleration is the best evidence of increased enterprise spending.
Looking deeper at the fundamentals of these companies, gross margins for cybersecurity companies remained healthy, averaging more than 70%.5 Earnings before interest and taxes (EBIT) margins at -0.5% showed some contraction because of the current macro-induced hiccups.6 Free cash flow margins were over 20%.7
As the market grows, we believe that leading solution providers positioned as one-stop shops will be able to consolidate more share, boost margins, and grow more efficiently than their competition. Mergers and acquisitions (M&A) activity remains high with leading cybersecurity companies looking to acquire smaller startups and fill gaps in their product portfolios. Palo Alto Networks acquired Apiiro for $600 million in September.8 CrowdStrike acquired Humio for $400M in Nov 2021.9
Most recent cybersecurity acquisitions were completed at a premium to the rest of the technology market. As of June 2022, the median deal multiple for deals announced was at over 9 times revenues, nearly 25% higher than average sales multiple for cybersecurity companies.10
Securing the online operating environment for businesses is a priority for governments around the world. Global businesses lost nearly $6 trillion annually to cybercrime because of lost data, penalties, productivity loss, ransoms, and attacks that led to total business failure.11
The U.S.’ fiscal year 2023 budget increased cybersecurity spending by nearly 10% YoY.12 We believe the U.S. government’s commitment to cybersecurity may be a sign of cyber spending to come as other governments ramp up their defence.
Cybersecurity must evolve in lockstep with broader technology. It is estimated that global security spending will grow ~7% to more than $165 billion in 2022, following ~14% growth in 2021 and nearly 7% in 2020.13,14
Spending is expected to be particularly visible in cloud security, end point security, data security, ID and access management, and infrastructure security, which were brought into focus by computing needs surfaced during the pandemic. Nearly 50% of all cybersecurity spending today goes to custom services, and cloud deployed solutions can also attack this pocket.15
Overall, we expect spending growth rates to likely remain elevated over the next 5 years, boosted by appetite for more scalable cloud-deployed solutions. Meanwhile, cybersecurity stocks are trading down 28% year-to-date as of Nov 10, 2022.16 Given this growth trajectory and pullback, we see attractive potential upside for the theme.
Footnotes
Trend Micro Incorporated. (2022, August 31). Trend Micro warns of 75% surge in ransomware attacks on Linux as systems adoptions soared. https://newsroom.trendmicro.com/2022-08-31-Trend-Micro-Warns-of-75-Surge-in-Ransomware-Attacks-on-Linux-as-Systems-Adoptions-Soared
IBM Security. (2022, August 1). Cost of a data breach 2022: A million-dollar race to detect and respond. IBM. https://www.ibm.com/reports/data-breach
Refers to stocks part of the Indxx Cybersecurity v2 Index. Data derived from FactSet, on November 10, 2022.
Refers to stocks part of the Indxx Cybersecurity v2 Index. Data derived from FactSet, on November 10, 2022.
Refers to stocks part of the Indxx Cybersecurity v2 Index. Data derived from FactSet, on November 10, 2022.
Refers to stocks part of the Indxx Cybersecurity v2 Index. Data derived from FactSet, on November 10, 2022.
Orbach, M. (2022, September 19). Palo Alto Networks on verge of $600 million acquisition of Apiiro. CTech. https://www.calcalistech.com/ctechnews/article/syh51g8wo
(2022, June 6). CrowdStrike introduces humio for falcon, redefining threat hunting with unparalleled scale and speed [Press release]. https://www.crowdstrike.com/press-releases/crowdstrike-introduces-humio-for-falcon/
Williams, J., & Nazir, D. (2022, July 22). Cybersecurity M&A still hot in Q2, but economic uncertainties weight on outlook. S&P Global Market Intelligence. https://www.spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/cybersecurity-m-a-still-hot-in-q2-but-economic-uncertainties-weigh-on-outlook-71271067
Tech Xplore. (2022, May 10). Global cost of cybercrime topped $6 trillion in 2021: Defence firm. https://techxplore.com/news/2022-05-global-cybercrime-topped-trillion-defence.html
Jones, D. (2022, March 30). Biden administration’s FY 2023 budget includes 11% increase for cyber. Cybersecurity Dive. https://www.cybersecuritydive.com/news/biden-2023-budget-cybersecurity/621264/
(2021, May 17). Gartner forecasts worldwide security and risk management spending to exceed $150 billion in 2021 [Press release]. https://www.gartner.com/en/newsroom/press-releases/2021-05-17-gartner-forecasts-worldwide-security-and-risk-managem
(2022, October 13). Gartner identifies three factors influencing growth in security spending [Press release]. https://www.gartner.com/en/newsroom/press-releases/2022-10-13-gartner-identifies-three-factors-influencing-growth-i
Measured by the Indxx Cybersecurity v2 Index. Data derived from FactSet, on November 10, 2022
GlossaryThe Indxx Cybersecurity v2 Index is designed to track the performance of companies that operate in the cybersecurity industry.