Hacked! Cybersecurity stocks fight back

There have been several high-profile hacks recently, and share prices can plummet in response. Examples include Medibank, Optus, Latitude, and even tech darling Canva. And most of these hacks were before technology advances gifted scammers AI tools to make it harder to detect scams. Cryptocurrencies now provide an efficient way for scammers to get paid efficiently. Many of the perpetrators are based in Russia, and given Ukraine war sanctions, there is little incentive for the Russian government to limit scammer activity. At face value, the risks are much higher than a few years ago. What does it mean for investors, and which companies are involved in cybersecurity?

The main hacker methods

There are basically three main methods that companies should worry about:

1. Ransomware: hackers breach a company's computers and lock files or access. Then, they demand ransom for the company to regain access.
2. Data breaches: hackers breach a company's main database. Then, they demand ransom or threaten to release the data.
3. Business email compromise: hackers breach a key staff member's email. Then, they send out doctored invoices, changing details to a different hacked bank account.

Have we normalised hacks?

Recent high-profile hacks have caused share prices to drop significantly, but the losses tend not to last. Are investors now inured to the issue?

Possibly. We took the view that the Medibank hack was not going to be a permanent issue, and the share price so far has agreed. I would hazard an opinion that while the first hack is no longer as much of an issue, the second may well be. For example, multiple hacks of Lastpass have severely dented its prospects.

Also, if a competitor to someone who got hacked gets hacked, look out. For example, after Medibank was hacked, you can be sure that every other medical insurer triple-checked their own security. A breach now would suggest deeper problems.

Cybersecurity risks have been democratised.

The bad news for investors? The risks have been democratised. Every company is now a target; the question is how much of a target.

Business-to-consumer companies are most at risk from data breaches. But business-to-business companies are also at risk from ransomware or business email compromise.

Service companies have more to lose. Do I want to trust a continually hacked supplier? Commodity companies and basic product suppliers do face direct financial risk. But they are less likely to face the same negative shock from loss of reputation.

Who is at risk from cybersecurity issues?

We had Patrick Gray, from Risky Business, on the Nucleus investment insights podcast last week, who highlighted major issues. Hospitals are a favourite. Life-threatening consequences from being offline and relatively small IT budgets have made them a target. Lawyers are another favourite. Very sensitive data, reputation is paramount, and are typically small businesses with limited IT budgets. Patrick was surprised we have yet to see a major hack among superannuation funds. They have large amounts of money and smaller IT departments.

Interestingly, Patrick highlighted the large banks as companies with a lower risk profile. Yes, banks have a lot at risk. However, he notes that banks have always effectively been security companies, and their processes are among the best in Australia.

We ran through the warning signs, and creating a pre-emptive warning list is tough. Spending on IT is not a good measure; it can sometimes signal inefficiency! Robust procedures in place for resetting passwords, issuing new SIM cards, and disabling multi-factor authentication are guides from security experts. But none of those can be determined as an outside investor looking in.

Does my voice still identify me?

No. It doesn't. AI can already generate convincing voice and video. As a result, it is becoming increasingly difficult to know what is real and what is fake. Expect to hear stories of parents talking to a convincing-sounding child and being asked to send money to get them out of a bind.

Patrick's list of the best technology to prevent being hacked includes passkeys and hardware security.

Which cybersecurity companies can you invest in?

There are a lot. In our Direct Index products, we allow clients to "tilt" their portfolios towards cyber security. That gives those investors the top eight (by market cap) security-focused companies.

At one end of the scale, you have massive companies with security divisions that are large relative to the security sector but a relatively small part of the actual companies. i.e. you get some exposure, but realistically, the effect of security earnings on the company's overall results is going to be outweighed by other factors. Microsoft, Broadcom and Cisco all fit this bill.

Then, a range of companies that focus on software products in the "security as a service space". Stocks like Zscaler, Palo Alto Networks, Fortinet or Crowdstrike. These companies tend to provide things like web and mobile security, firewall as a service, breach detection, and threat management.

Companies that work largely on delivering content, helping to prevent denial of service attacks, include Akamai Technologies.

Finally, there is extensive revenue for consulting firms. Many consultants (EY, KPMG, PwC etc) are unlisted, but someone like Booz Allen Hamilton can give you exposure.

Stocks in the sector tend to be expensive. Dividends are rare. You need to look at this sector primarily as a growth play. Most companies have little debt, and tend to generate reasonable cashflow. The expectation is that these stocks will grow revenues relatively quickly, but that costs will be restrained, resulting in strong earnings per share growth.

Check Point, Akamai and Booz Allen Hamilton look cheaper than peers. But there are reasons. Check Point is largely seen as lagging on the technology. Akamai is seen more as an infrastructure play. Booz Allen Hamilton is a consulting firm, with different growth expectations and a very different business model.

The track record of revenue growth is really strong for most companies in the sector. Profit not so much. The question is whether the market is now large enough that the cost increases will slow and profits will start to flow. That seems like a reasonable assumption, but time will tell.