January 3, 2023

Amid a Dark Night of Hacks, Cybersecurity Stocks’ Prospects Look Bright

Network breaches are becoming all too common, so the defenders at the ramparts are now a must-have service.

Reported by Larry Light

Art by Pete Ryan

The blight is widespread and growing, alas: pirates who seek to break into IT systems and wreak havoc, to steal information, demand ransom or for the sheer, perverse joy of it.

CommonSpirit Health was hacked in October 2022, the breach affecting 140 hospitals in 21 states and forcing the company to temporarily shut down access to health-care records. Other well-known organization have suffered breaches recently, including New York’s Metropolitan Opera, streaming service FuboTV and IT service provider Rackspace Technology. The problem is growing worse: Cyberattacks increased 28%, globally, in 2022’s third quarter, compared with the year-prior period, according to Check Point Research.

Bad news for anyone with a computer network. Good news for cybersecurity stocks and their investors, right?

Well, not at the moment, amid a bear market, especially for tech names. The iShares Cybersecurity and Tech exchange-traded fund, ticker IHAK, which covers cybersecurity companies, is down 25% this year. At least that’s not as bad as the Invesco QQQ Trust, an ETF with the biggest tech stocks, off 32%.

Before the market’s current malaise, cybersecurity stocks were burgeoning. The sector ETF almost doubled in value from its mid-2019 initial public offering through the end of 2021, right before tech plummeted along with almost everything else.

When a threat arises, the response often produces good stock returns, as coldblooded as that sounds. Think about defense stocks during the Cold War or pharma ones at the pandemic’s outset. In a constantly digitizing world, the need for bulwarks against these intrusions is distressingly obvious.

“The cybersecurity industry will continue to grow as the need to protect our technology infrastructure and data remains in the forefront of business and IT leaders’ minds alike,” observes Holland Timmins, CIO of the Texas Permanent School Fund, who is a self-described keen follower of tech trends.

“Every year brings new headlines of cyberattacks and data breaches,” he laments. “Even the best cybersecurity talent cannot protect your organization without a robust collection of cybersecurity technology solutions and services.”

Certainly, protecting ever-mounting volumes of data is the biggest obstacle for corporate data managers, a new Deloitte survey of tech industry leaders finds.

The beauty of investing in IT security companies is that “they are difficult to cut” when corporate managers are looking to downsize, remarks Scott Kessler, head of tech, media and telecom at the consulting firm Third Bridge. Underscoring how vital cybersecurity has become, Kessler called it among the two “most resilient” businesses in good times or bad (the other being automation.)

The best way to invest in cybersecurity is via pure plays, asset managers say. Some large tech companies have cybersecurity divisions, but these can’t deliver the full benefit of this growing field.

Microsoft, for instance, has a successful cyber defense operation, generating $15 billion in the company’s last fiscal year; the unit grew out of Microsoft’s in-house efforts to secure its Azure cloud business. In fact, the cybersecurity unit controls about 8% of the global security software market, Gartner estimates. Within Microsoft, though, the data defense segment, meanwhile, has sales that amount to around 7.5% of the behemoth’s massive corporate revenue.

For the pure plays, the downside is that, like many up-and-coming tech companies, they are unprofitable. The upside: Revenues are exploding, in some cases doubling over the past year, something Big Tech denizens such as Microsoft (revenue up 17% for its last fiscal year) cannot claim.

“A lot of these companies are struggling” financially, says Third Bridge’s Kessler. Many of them specialize in one area, then branch out as they grow.

The class act of this bunch, many agree, is Palo Alto Networks, which went public before the competition, in 2012, and thus has had longer to become entrenched. Of this group, it boasts the biggest market cap, $45 billion. and has lost the least this year, just 20%.

To Nancy Tengler, CEO and CIO of Laffer Tengler Investments, Palo Alto “is No. 1—we overweight it” in her firm’s portfolio. Tengler appreciates that the company is steadily increasing its number of clients billed $1 million or more annually.

In addition, Palo Alto appears to have ended its history of losses. For the last two quarters, it has been in the black. Its “remaining performance obligation,” meaning contractually obligated revenue not yet included in the financial results, grew 38% over the previous 12 months, implying that more good tidings lie ahead. Palo Alto started out focused on data-center firewalls (protecting traffic in and out). It later moved into other realms, such as threat intelligence (seeking to suss out who could do what against a client.)

Zscaler is another well-regarded outfit, with revenue that has almost doubled in the most recent fiscal year ending in July 2022. It provides its own cloud, which it calls “the Zero Trust Exchange.” The company promises “deep inspection of content” and blocks “the lateral movement of threats” to thwart viruses from spreading. Zscaler also gets a lot of government work, which is not easy to obtain. That “requires a lot of certification,” says Alex Gordon, director at ETF Manager Group, issuer of a cybersecurity ETF.

Cybersecurity is a kind of cat-and-mouse game, with much larger stakes. For investors, there is the promise of good returns—provided their accounts don’t get hacked.