- The frequency and severity of cyberattacks are rising dramatically. Last year, the number of global incidents reported to the FBI’s Internet Crime Complaint center increased 81% relative to pre-pandemic levels.1.
- With data volumes expected to grow exponentially in the coming years, fortifying cyber defenses is a key priority for businesses and governments alike.
- The annual cost of cyberattacks is expected to reach $10.5 trillion by 2025, As a result, we think cybersecurity companies have the potential to experience consistent outsized revenue growth, even in an economic downturn.
- Megatrend ETFs can help investors access cybersecurity stocks across the theme’s value chain, including both hardware and software companies.
By Jeff Spiegel
Evolving threats could be a boon for cybersecurity investments
Cybercriminals are finding more work-from-home opportunities too
New digital infrastructure and lasting work-from-home arrangements are bringing data proliferation to new extremes, with cyberattacks accelerating in tow. Cybersecurity companies are taking center-stage as businesses and governments strive to stay a step ahead.
In 2021, global volumes of new data grew 92% from 2019’s pre-pandemic levels, while instances of cyberattacks rose dramatically. 2 Cybercriminals are taking advantage of more and increasingly diverse infection vectors. In 2021, the number of published common software and hardware vulnerabilities broke the annual record for the fifth year running. 3
Four types of cyberattacks comprise the bulk of malicious activity:
- Ransomware attacks block access to data and/or publish it unless a ransom is paid. These attacks are getting increasingly sophisticated, not only demanding ransom from organizations, but also from employees and customers, in what is called triple extortion. Last year, the world’s largest meat supplier was forced to pay $11 million in ransom, the result of just one attack. 4
- Business email compromise ((BEC)) attacks entail impersonating organization email addresses or gaining actual access to organizational email accounts. These attacks steal data directly, harvest credentials, and/or trick email recipients into providing private network access via malware attachments or malicious links.
- Distributed denial-of-service (DDoS) attacks overwhelm servers with traffic. Generally, cybercriminals conduct these attacks to inhibit operations and inflict reputational damage, rather than for immediate monetary gain.
- Intrusion and access attacks broadly include attacks where cybercriminals access networks, servers, and other IT systems without authorization.
Successfully fending off and combatting cyberattacks requires a two-pronged approach: (1) limiting vulnerabilities to reduce infection vectors, and (2) strengthening responses to active threats.
A range of cybersecurity software, hardware, and services are crucial to these efforts, and should experience heightened sales as cyberthreats materialize: 5
- Network security solutions protect network infrastructure from unauthorized access, wrongful use, and theft.
- Endpoint and user security solutions defend devices like computers and phones from cyberattacks, limiting inherent vulnerabilities and ensuring secure usage by users.
- Information security solutions protect data from modification, disruption, destruction, and inspection.
Notably and often overlooked, hardware cybersecurity solutions are essential to fending off attacks. While today’s digitalization means much of computing occurs in the cloud, most of our digital activity starts and ends with hardware, from data centers and servers to the computers we use to access them. Protecting these endpoints requires building security features into their design and complementing them with dedicated hardware security products. To this end, biometric scanners are becoming an important hardware tool used to improve access security. The global biometric system market is expected to grow from $42.9 billion to $82.9 billion by 2027, at a compound annual growth rate ((CAGR)) of 14.1%. 6
Global cybersecurity spending continues to grow as heightened digitalization presents new targets for cybercriminals
Gartner, 2021
Chart Description: Column chart showing global sales across various cybersecurity segments in 2020 and 2021. The chart illustrates how cybersecurity spending directs many billions of dollars across various segments annually, and that this total is continuing to grow.
With annual volumes of new data on pace to reach 2.3x their 2021 levels by 2025 and the annual cost of cyberattacks expected to reach $10.5 trillion in the same year, cybersecurity spending must accelerate in lockstep, and then some. 7,8
Companies are ramping up cybersecurity spending as attacks mount
Avoiding the lose-lose situation
Digital transformation is permeating all facets of business, making the private sector ever-more susceptible to cybercrime. Businesses experienced 31% more cyberattacks, on average, in 2021 versus 2020. 9
For the private sector, cyberattacks can result in catastrophic economic losses and irreparable damage to intangible assets like intellectual property and goodwill. Ransomware attacks, which grew 66% in 2021, pose significant risk in this regard. 10 Companies facing such attacks must select from two losing options: paying out sizeable ransoms or forfeiting proprietary or customer data. Last year, on average, affected companies spent over $800,000 per ransom payment and $1.4 million to remediate the economic and intangible impacts of an attack. 11
Business email compromise ((BEC)) attacks are potentially even more problematic. While chronically underreported, BEC attacks inflict the most financial damage. 12 They are primarily conducted through phishing, an incredibly difficult tactic to defend against with every employee representing a vulnerability. BEC attacks open doors for additional cybercrimes, including ransomware, server intrusion, and encrypted threats.
In 2021, 82% of companies increased their cybersecurity budget. 13 And, moving forward, 69% of companies expect to increase their budgets in 2022. 14
Companies are significantly increasing their cybersecurity budgets to combat the rising threat of cyberattacks
PwC, "2022 Global Digital Trust Insights," 2022.
Chart Description: Column chart showing the share of companies increasing or decreasing their cybersecurity budgets in 2022, across a range of options. The chart illustrates how companies are significantly increasing their budgets for cybersecurity.
Increased cyberattacks should drive continued cybersecurity sales growth. We expect companies to focus on limiting infection vectors by spending more on network security software and hardware related to firewalls, VPNs, network segmentation, workload security, and anti-virus/malware software, as well as on endpoint and user security solutions like identity and access management, email gateways, encryption, and web security. Of note, network hardware that includes next generation firewall technology, network segmentation, intrusion prevention, and secure web gateways could generate meaningful net new revenues for cybersecurity companies. Information security software and hardware should also see significant business spending, including solutions for application and cloud security, cryptography, physical IT infrastructure, and incident response.
But as prolific as digitization has been in the past five years, many major sectors of the global economy from manufacturing to health care to education are only first embracing digital business; 15 as they do, they could significantly grow the pie for both existing and new cybersecurity solutions, becoming a significant new driver of cybersecurity sales.
Government efforts to fight cybercrime could potentially benefit cybersecurity stocks
The (cyber)space race is on
A recent surge of cyberattacks on countries and governments is vaulting cybersecurity to the forefront of public sector priorities and spending.
Governments rely on networks and other IT infrastructure to transmit sensitive information in the regular course of operations. Public infrastructure is also becoming more digital. Technology like data centers and cellular and broadband networks are now seen as key infrastructure components; meanwhile, traditional components like oil and gas pipelines, electric grids, and water utilities become vulnerable as they increasingly rely on software and networks.
Cyberattacks can halt government operations, compromise sensitive data, and disrupt public services. Last year, for example, ransomware deployed against a major fuel pipeline in the U.S. cut east coast states off from key energy resources for an entire week, disrupting supply chains through its impact on industrial activity and transportation. Separately, an attack on a Florida water utility provider purposefully increased the level of harmful chemicals in a town’s water supply. 16
As a result, U.S. President Biden issued a far-reaching executive order in 2021 to modernize federal cyber defenses, making cybersecurity a rare area where the President can direct spending increases without worrying about Congressional gridlock. Even in recent spending approved by Congress, the Infrastructure Investment and Jobs Act, bipartisan support is leading to an additional $2 billion in cybersecurity spending. 17 In Europe, the EU recently made progress toward setting up a cybersecurity emergency response fund to counter large-scale cyberattacks. 18 And we expect public sector cybersecurity spending to direct funds to cybersecurity companies worldwide in the immediate and long term, benefitting cybersecurity stocks.
Cybersecurity investments could offer resilience to economic challenges
A digital port in the storm
Cybersecurity investments could offer resilience in a difficult macro-environment, despite the weakness growth-tilting sectors have been experiencing.
Cybersecurity is today an essential operational expense rather than a discretionary line item that can be cut when times are tough. In fact, a recent Morgan Stanley survey found that security software is the least likely IT expense to be pared back by executives if the economy worsens. 19 So, while economic challenges may result in decreased revenues for many technology companies, cybersecurity providers will likely continue to grow as businesses and governments seek to protect themselves.
Inflation introduces an additional dynamic that underscores cybersecurity companies’ resilience. Like most software today, cybersecurity applications are mostly cloud- and subscription-based, generating recurring revenues from online use rather than one-time unit sales. This model makes it easy for software companies to adjust pricing based on economic conditions like inflation. In some subscription-based businesses, price increases risk customer attrition; however, we do not see this as a concern for cybersecurity spending. Necessity is a powerful force, which, in this case, should enable prices to rise in line with inflation.
How to invest in cybersecurity stocks
Spoiler alert: software alone isn’t enough
Investors looking for exposure to cybersecurity via public equities may want to consider looking at ETFs invested in companies that generate a majority of their revenues from cybersecurity hardware, software, and products across:
- Cybersecurity software and services: Software related to network access and security, enterprise security management, home and office security, as well as services related to government and defense IT security and cybersecurity consulting.
- Cybersecurity hardware: Equipment related to on-premises network security, network access and management, as well as wirelines. We note that many cybersecurity ETFs exclude this key area, because, even in the cloud computing era, digitalization is underpinned by hardware, which has its own vulnerabilities and is therefore an essential component of cybersecurity.
Conclusion
News of cyberattacks and their impact are dominating headlines and bringing heightened focus to cybersecurity investments. As public and private sector digitalization continues, cyberattacks could become more frequent and detrimental to businesses, countries, and economies. As a result, we expect cybersecurity spending to increase at an accelerated clip, regardless of economic conditions, offering possible growth potential for cybersecurity ETFs.
------
© 2022 BlackRock, Inc. All rights reserved.
1 Federal Bureau of Investigation, “Internet Crime Report 2021,” 2022.
2 RedGate, IDC “What’s the real story behind the explosive growth of data?”, September 2021.
3 National Vulnerability Database, “CVSS Severity Distribution Over Time,” 2022.
4 Fortune, “There’s a huge surge in hackers holding data for ransom, and experts want everyone to take these steps,” February 2022.
5 Cisco, “What Is Information Security?”, 2022.
6 Markets and Markets, “Biometric System Market by Authentication Type (Single Factor, Fingerprint, Iris, Face, Voice; Multi-factor), Type (Contact-based, Contactless, Hybrid), Offering Type, Mobility, Vertical & Region (2022-2027),” March 2022.
7 RedGate, IDC “What’s the real story behind the explosive growth of data?”, September 2021.
8 McKinsey & Company, “Cybersecurity trends: Looking over the horizon,” March 2022.
9 SonicWall, “2022 SonicWall Cyberthreat Report,” 2022.
10 Ibid.
11 Ibid.
12 Ibid.
13 Ibid.
14 PwC, “2022 Global Digital Trust Insights Survey,” 2022.
16 Vox, “How a major oil pipeline got held for ransom,” June 2021.
17 The White House, “Executive Order on Improving the Nation’s Cybersecurity,” May 2021.
18 Reuters, “EU countries call for cybersecurity emergency response fund -document,” March 8, 2021.
19 AlphaWise, Morgan Stanley Research, CIO Survey, 2022.
Carefully consider the Funds' investment objectives, risk factors, and charges and expenses before investing. This and other information can be found in the Funds' prospectuses or, if available, the summary prospectuses, which may be obtained by visiting the iShares Fund and BlackRock Fund prospectus pages. Read the prospectus carefully before investing.
Investing involves risk, including possible loss of principal.
Technology companies may be subject to severe competition and product obsolescence.
International investing involves risks, including risks related to foreign currency, limited liquidity, less government regulation and the possibility of substantial volatility due to adverse political, economic or other developments. These risks often are heightened for investments in emerging/ developing markets or in concentrations of single countries.
Funds that concentrate investments in specific industries, sectors, markets or asset classes may underperform or be more volatile than other industries, sectors, markets or asset classes and than the general securities market.
This material represents an assessment of the market environment as of the date indicated; is subject to change; and is not intended to be a forecast of future events or a guarantee of future results. This information should not be relied upon by the reader as research or investment advice regarding the funds or any issuer or security in particular.
The strategies discussed are strictly for illustrative and educational purposes and are not a recommendation, offer or solicitation to buy or sell any securities or to adopt any investment strategy. There is no guarantee that any strategies discussed will be effective.
The information presented does not take into consideration commissions, tax implications, or other transactions costs, which may significantly affect the economic consequences of a given strategy or investment decision.
This material contains general information only and does not take into account an individual's financial circumstances. This information should not be relied upon as a primary basis for an investment decision. Rather, an assessment should be made as to whether the information is appropriate in individual circumstances and consideration should be given to talking to a financial professional before making an investment decision.
The information provided is not intended to be tax advice. Investors should be urged to consult their tax professionals or financial professionals for more information regarding their specific tax situations.
The Funds are distributed by BlackRock Investments, LLC (together with its affiliates, "BlackRock").
The iShares Funds are not sponsored, endorsed, issued, sold or promoted by Bloomberg, BlackRock Index Services, LLC, Cohen & Steers, European Public Real Estate Association (“EPRA®”), FTSE International Limited (“FTSE”), ICE Data Indices, LLC, NSE Indices Ltd, JPMorgan, JPX Group, London Stock Exchange Group (“LSEG”), MSCI Inc., Markit Indices Limited, Morningstar, Inc., Nasdaq, Inc., National Association of Real Estate Investment Trusts (“NAREIT”), Nikkei, Inc., Russell or S&P Dow Jones Indices LLC or STOXX Ltd. None of these companies make any representation regarding the advisability of investing in the Funds. With the exception of BlackRock Index Services, LLC, which is an affiliate, BlackRock Investments, LLC is not affiliated with the companies listed above.
Neither FTSE, LSEG, nor NAREIT makes any warranty regarding the FTSE Nareit Equity REITS Index, FTSE Nareit All Residential Capped Index or FTSE Nareit All Mortgage Capped Index. Neither FTSE, EPRA, LSEG, nor NAREIT makes any warranty regarding the FTSE EPRA Nareit Developed ex-U.S. Index or FTSE EPRA Nareit Global REITs Index. “FTSE®” is a trademark of London Stock Exchange Group companies and is used by FTSE under license.
© 2022 BlackRock, Inc. All rights reserved. BLACKROCK, BLACKROCK SOLUTIONS, BUILD ON BLACKROCK, ALADDIN, iSHARES, iBONDS, FACTORSELECT, iTHINKING, iSHARES CONNECT, FUND FRENZY, LIFEPATH, SO WHAT DO I DO WITH MY MONEY, INVESTING FOR A NEW WORLD, BUILT FOR THESE TIMES, the iShares Core Graphic, CoRI and the CoRI logo are trademarks of BlackRock, Inc., or its subsidiaries in the United States and elsewhere. All other marks are the property of their respective owners.
iCRMH0822U/S-2313186
This post originally appeared on the iShares Market Insights.
Editor's Note: The summary bullets for this article were chosen by Seeking Alpha editors.
For further details see:
Cybersecurity ETFs Could Benefit From Massive Cyber Defense Spending