Hacked! Cybersecurity stocks fight back

At face value, the odds of being hacked are much higher than a few years ago. What are the risks, and where are the returns for investors?
Damien Klassen

Nucleus Wealth

There have been several high-profile hacks recently, and share prices can plummet in response. Examples include Medibank, Optus, Latitude, and even tech darling Canva. And most of these hacks were before technology advances gifted scammers AI tools to make it harder to detect scams. Cryptocurrencies now provide an efficient way for scammers to get paid efficiently. Many of the perpetrators are based in Russia, and given Ukraine war sanctions, there is little incentive for the Russian government to limit scammer activity. At face value, the risks are much higher than a few years ago. What does it mean for investors, and which companies are involved in cybersecurity?

The main hacker methods

There are basically three main methods that companies should worry about:

  1. Ransomware: hackers breach a company's computers and lock files or access. Then, they demand ransom for the company to regain access.
  2. Data breaches: hackers breach a company's main database. Then, they demand ransom or threaten to release the data.
  3. Business email compromise: hackers breach a key staff member's email. Then, they send out doctored invoices, changing details to a different hacked bank account.

Have we normalised hacks?

Recent high-profile hacks have caused share prices to drop significantly, but the losses tend not to last. Are investors now inured to the issue?

Possibly. We took the view that the Medibank hack was not going to be a permanent issue, and the share price so far has agreed. I would hazard an opinion that while the first hack is no longer as much of an issue, the second may well be. For example, multiple hacks of Lastpass have severely dented its prospects.

Also, if a competitor to someone who got hacked gets hacked, look out. For example, after Medibank was hacked, you can be sure that every other medical insurer triple-checked their own security. A breach now would suggest deeper problems.

Cybersecurity risks have been democratised.

The bad news for investors? The risks have been democratised. Every company is now a target; the question is how much of a target.

Business-to-consumer companies are most at risk from data breaches. But business-to-business companies are also at risk from ransomware or business email compromise.

Service companies have more to lose. Do I want to trust a continually hacked supplier? Commodity companies and basic product suppliers do face direct financial risk. But they are less likely to face the same negative shock from loss of reputation.

Who is at risk from cybersecurity issues?

We had Patrick Gray, from Risky Business, on the Nucleus investment insights podcast last week, who highlighted major issues. Hospitals are a favourite. Life-threatening consequences from being offline and relatively small IT budgets have made them a target. Lawyers are another favourite. Very sensitive data, reputation is paramount, and are typically small businesses with limited IT budgets. Patrick was surprised we have yet to see a major hack among superannuation funds. They have large amounts of money and smaller IT departments.

Interestingly, Patrick highlighted the large banks as companies with a lower risk profile. Yes, banks have a lot at risk. However, he notes that banks have always effectively been security companies, and their processes are among the best in Australia.

We ran through the warning signs, and creating a pre-emptive warning list is tough. Spending on IT is not a good measure; it can sometimes signal inefficiency! Robust procedures in place for resetting passwords, issuing new SIM cards, and disabling multi-factor authentication are guides from security experts. But none of those can be determined as an outside investor looking in.

Does my voice still identify me?

No. It doesn't. AI can already generate convincing voice and video. As a result, it is becoming increasingly difficult to know what is real and what is fake. Expect to hear stories of parents talking to a convincing-sounding child and being asked to send money to get them out of a bind.

Patrick's list of the best technology to prevent being hacked includes passkeys and hardware security.

Which cybersecurity companies can you invest in?

There are a lot. In our Direct Index products, we allow clients to "tilt" their portfolios towards cyber security. That gives those investors the top eight (by market cap) security-focused companies.

At one end of the scale, you have massive companies with security divisions that are large relative to the security sector but a relatively small part of the actual companies. i.e. you get some exposure, but realistically, the effect of security earnings on the company's overall results is going to be outweighed by other factors. Microsoft, Broadcom and Cisco all fit this bill.

Then, a range of companies that focus on software products in the "security as a service space". Stocks like Zscaler, Palo Alto Networks, Fortinet or Crowdstrike. These companies tend to provide things like web and mobile security, firewall as a service, breach detection, and threat management.

Companies that work largely on delivering content, helping to prevent denial of service attacks, include Akamai Technologies.

Finally, there is extensive revenue for consulting firms. Many consultants (EY, KPMG, PwC etc) are unlisted, but someone like Booz Allen Hamilton can give you exposure.

Stocks in the sector tend to be expensive. Dividends are rare. You need to look at this sector primarily as a growth play. Most companies have little debt, and tend to generate reasonable cashflow. The expectation is that these stocks will grow revenues relatively quickly, but that costs will be restrained, resulting in strong earnings per share growth.

Check Point, Akamai and Booz Allen Hamilton look cheaper than peers. But there are reasons. Check Point is largely seen as lagging on the technology. Akamai is seen more as an infrastructure play. Booz Allen Hamilton is a consulting firm, with different growth expectations and a very different business model.

The track record of revenue growth is really strong for most companies in the sector. Profit not so much. The question is whether the market is now large enough that the cost increases will slow and profits will start to flow. That seems like a reasonable assumption, but time will tell.  

........
The information on this blog contains general information and does not take into account your personal objectives, financial situation or needs. Past performance is not an indication of future performance. Damien Klassen is an authorised representative of Nucleus Wealth Management, a Corporate Authorised Representative of Nucleus Advice Pty Ltd - AFSL 515796.

Damien Klassen
Head of Investment
Nucleus Wealth

Damien runs asset allocation and global stock portfolios for Nucleus Super, Nucleus Ethical and Nucleus Wealth. His 25 year+ career includes Global Quant at Schroders, Strategy at Wilson HTM & co-founder of Aegis.

I would like to

Only to be used for sending genuine email enquiries to the Contributor. Livewire Markets Pty Ltd reserves its right to take any legal or other appropriate action in relation to misuse of this service.

Personal Information Collection Statement
Your personal information will be passed to the Contributor and/or its authorised service provider to assist the Contributor to contact you about your investment enquiry. They are required not to use your information for any other purpose. Our privacy policy explains how we store personal information and how you may access, correct or complain about the handling of personal information.

Comments

Sign In or Join Free to comment