The cybersecurity sector grew significantly over the past few years as the Covid-19 pandemic boosted digitalisation globally, forcing companies to adapt to remote systems to remain active. According to a study by Deep Instinct, malware and ransomware attacks increased 358% and 435% year-on-year, respectively, in 2020. The sector remained in the spotlight in 2022 as the Russia-Ukraine war contributed to “a new wave of hacktivism”, according to a report by the EU cybersecurity agency ENISA.
The global cybersecurity market was valued at an estimated $222.2bn in 2022 and will grow at a CAGR of 7.5%, reaching $297.2bn by 2026, according to Research and Markets.
Cybersecurity refers to how individuals and organisations reduce the risk of cyber attacks, and it usually involves strategies including data loss prevention, identity and access management, intrusion detection systems or intrusion prevention systems, network security, antivirus, and anti-malware.
2. Key players
Palo Alto Networks [PANW]
- With a market cap of $42.19bn, the American multinational company calls itself the “global cybersecurity leader”.
- It produces advanced firewalls and cloud-based offerings that expand those firewalls to cover other aspects of cybersecurity.
- It was recently named the top global cybersecurity vendor with market share of 8.4% in Q3 2022, according to research firm Canalys.
CrowdStrike [CRWD]
- CrowdStrike provides cloud-delivered protection of endpoints, cloud workloads, identity and data and has a market cap of $22.4bn as of 11 January.
- In Q3 2023, it reported total revenue of $580.9m, up 53% year-over-year.
- The company was chosen as winner of the 2022 CRN Tech Innovator Awards for its CrowdStrike Cloud Security.
Fortinet [FTNT]
- The California-based company, with a market cap of $37.7bn as of 11 January, produces best-in-class hardware for data centre security.
- Since its IPO in November 2009, its share price has risen by 2,875%.
- It was named a ‘visionary’ in the 2002 Gartner Magic Quadrant for Enterprise Wired and Wireless LAN Infrastructure.
The increasing need for cybersecurity has been a key driver of the market’s performance over the last decade. Although cyber crime is a growing concern worldwide, no agreed-upon international law exists to govern it, and countries differ in how they tackle it. According to the United Nations Conference on Trade and Development (UNCTAD), although 156 countries (80%) have passed cyber crime legislation, its adoption varies by region. Europe has the highest adoption rate (91%), while Africa has the lowest (72%).
In November 2022, the European Parliament updated its 2016 Network and Information Security (NIS) Directive to strengthen its common investment in strong cybersecurity with stricter supervisory and enforcement measures and harmonised sanctions.
Around the same time, the United Kingdom also announced it would strengthen its 2018 NIS Regulations to protect essential and digital services against more frequent and sophisticated cyber attacks.
In 2022, US President Joe Biden signed three cybersecurity-related bills into law: the Quantum Computing Cybersecurity Preparedness Act, the Federal Rotational Cyber Workforce Program Act of 2021, and the State and Local Government Cybersecurity Act of 2021.
4. Growth Drivers
Cybersecurity software has been around since the 1970s when email inventor Ray Tomlinson created Reaper, a program that chased and deleted Creeper, another program that could move across computer networks.
Cyber threats have, of course, come a long way since then. The threats experienced today are increasingly sophisticated — and harder to detect and fight, driving cybersecurity adoption as a consequence.
Here’s a snapshot of the biggest growth drivers for cybersecurity companies.
- Sophisticated cyber threats
Phishing attacks and ransomware strategies keep getting more sophisticated and complex. Greater Internet of Things (IoT) adoption is providing more avenues for attack, as cyber criminals can potentially target any connected devices, including smart medical devices, electronic medical records, connected cars, electrical grids, water treatment facilities and transportation systems. Rising ecommerce sales have also resulted in more frequent cyber attacks. The crypto space is another cyber crime hotspot: ‘cryptojacking’, for example, is a type of cyber attack where criminals hijack third-party personal or work computers to mine for cryptocurrency. Social engineers (hackers who use human psychology to exploit people’s vulnerabilities and gain access to sensitive information) are also becoming more skilled. Cyber criminals target both individuals and organisations — but they do not stop there. They can even involve entire countries. A state-sponsored attack involves one government infiltrating the digital networks of another in order to carry out attacks on critical infrastructure and manipulate or steal data.
- Work from home
Covid-19 normalised working from home, with research by Intuition.com showing that, currently, 63% of high-growth businesses have embraced hybrid work with requirements for employees to be in the office a set number of days rather than all week. Cyber attack risks increase when employees use unsecured networks to perform their jobs, such as free Wi-Fi networks, or use weak or recycled passwords, which might leave gaps for cyber criminals to exploit.
Worsening geopolitical tensions have increased cyber attacks called 'advanced persistent threats' (APTs), according to the World Economic Forum. Since Russia invaded Ukraine in February 2022, the conflict has often been referred to as a ‘cyber war’ due to the involvement of large-scale cyber operations. Russia’s most significant cyber attack so far was the disruption of Viasat Inc’s KA-SAT satellite in February 2022, although it ultimately did not provide a military advantage to the country.
5. Investment Case
The cost of cyber crime totalled $6trn in 2021 and is estimated to reach $23.82trn by 2027, according to Statista’s 2022 Cybersecurity Outlook. In addition, the World Economic Forum’s 2023 Global Risks Report predicts that “failure of cybersecurity measures” will be one of the top five threats for at least 12 countries, including Qatar, Saudi Arabia, Albania and Ukraine.
In May 2022, Costa Rica declared a state of emergency after experiencing over a month of cyber attacks, in which criminals infiltrated health systems, disrupted national business and demanded millions in ransom. The attacks were estimated to cost around $30m per day, with Costa Rica eventually seeking help from the US government, Microsoft [MSFT] and other countries to resolve the crisis.
Such events highlight the urgent need for countries to invest heavily in their cyber defence and recovery capabilities. According to Morgan Stanley Research, cybersecurity spending is set to grow faster than other software categories and is likely to be more resilient during potential technology budget cuts.
“Companies, governments and even consumers do not spend on cybersecurity because they want to, but it’s really because they need to,” said Pedro Palandrani in a recent Opto Sessions podcast interview, adding that cybersecurity provided thematic portfolios with a degree of resilience in 2022.
1. Cybersecurity ETFs Spotlight
Cybersecurity ETFs that provide exposure to stocks in the sector include:
First Trust Nasdaq Cybersecurity UCITS ETF [CIBR]
This ETF tracks cybersecurity companies in the technology and industrial sectors. Its holdings have a median market cap of $8.6bn as of 30 December. As of 10 January, its top holding was software firm and chipmaker Broadcom [AVGO].
WisdomTree Cybersecurity UCITS ETF [WCBR]
This ETF offers exposure to companies providing cybersecurity-oriented products which meet WisdomTree’s environmental, social and governance (ESG) criteria. The US accounts for most of its holdings. However, it also includes Israeli, UK, Japanese, South Korean and Canadian companies as of December 2022.
Global X Cybersecurity ETF [BUG]
This ETF invests in companies that will potentially benefit from the increased adoption of cybersecurity. Its top three holdings were Varonis [VRNS], Fortinet [FTNT] and Okta [OKTA] as of 10 January.
7. Innovation and development
AI-based security products are experiencing high growth. “Artificial intelligence allows defenders to scan networks more automatically and fend off attacks rather than doing it manually,” David van Weel, NATO’s assistant secretary-general for emerging security challenges, said in December 2022. However, he also warned that this tech can be used by nefarious actors.
- The global market for AI-based cybersecurity products is estimated to reach $133.8bn by 2030, up from $14.9bn in 2021, according to Acumen Research and Consulting.
- Security-focused AI can analyse huge amounts of data without interruption. However, it is vulnerable to data manipulation and poisoning.
- AI-generated phishing emails have been found to achieve higher opening rates than manually crafted ones, according to Singapore’s Government Technology Agency.
- AI can be misused to design constantly changing malware, which is difficult to detect by automated defence systems. Consequently, companies are increasingly developing and adopting ‘zero-trust’ models, where defences constantly inspect network traffic and applications to ensure they are not malicious.