Why is the cybersecurity sector set for a 9.63% CAGR?

Growth in the number of cyber-attacks means businesses will continue to prioritise cybersecurity spend. While specialist cybersecurity firms are well positioned to capture these tailwinds, non-specialist tech companies are seeking to enter the market.

• Cybersecurity revenues reached $147bn in 2022.
• Leading players benefit from sector consolidation, but tech giants including Microsoft [MSFT] provide new competition.
• How to invest in cybersecurity: the First Trust Nasdaq Cybersecurity ETF is up 15% in the last six months.

Cybersecurity is no longer an issue just for IT departments, but a key factor in any organisation’s strategic planning. Cyber crime, whether phishing, ransomware, malware or data and intellectual property theft, remains a serious threat to everyday operations and revenues.

In the past few years, cyber-attacks have increased significantly in number, variety and sophistication. Global cyber-attacks were up 28% in the third quarter of 2022 year-over-year, according to data from Check Point Software [CHKP], a trend that seems likely to continue. A full suite of robust cybersecurity measures is now a critical element in IT infrastructure and companies’ technology budgets.

There is a macro element to this escalation in cyber crime and the responses to it. Jon Maier, chief investment officer at Global X ETFs, wrote in 2022 that Russia’s invasion of Ukraine prompted a unified response at government level from across the EU, with nations including Lithuania, Croatia and Poland uniting to defend Ukraine from Russian cyber-attacks. Microsoft and Alphabet [GOOGL] have also played significant parts in Ukraine’s cyber defence strategy, highlighting how the growth of the theme is attracting increasingly significant players.

Fear of cyber-attacks drove growth in global cybersecurity market revenues from $83bn in 2016 to $147bn in 2022, according to a report from Statista. Global revenue for 2023 is projected to reach $162bn, with the US market accounting for $68.7bn. The sector is projected to see a compound annual growth rate of 9.63% over the next five years, generating $256.50bn by 2028.

The UK is the third-biggest cybersecurity market by revenues after the US and China. Annual cybersecurity revenue for the financial year 2021/2022 is estimated at £10.5bn, an increase of 3% on the previous year, attracting more than £300m in equity investment.

Buyouts consolidate cybersecurity sector

Investment in cybersecurity peaked in 2020-21, as working from home rose during the Covid-19 pandemic. This presented hackers with an opportunity to gain access to company IT systems and data, forcing companies to accelerate spending on cybersecurity. The ongoing threat from hackers and bots will likely continue to drive growth, while developments in technology such as 5G and the internet of things, and the shift towards ecommerce, are also drivers.

US multinationals dominate the cybersecurity sector, benefiting from client preferences for integrated offerings. A process of consolidation is seeing some smaller players being bought out or facing stiff competition. In July 2023, French defence contractor Thales [HO.PA] acquired Imperva, a cybersecurity company based in San Mateo, California, in a private equity deal worth $3.6bn as part of a strategy to build its presence. US asset management company TPG [TPG] has agreed to buy Texas-based Forcepoint’s G2CI business for $2.45bn.

Key developments this year include the adoption of artificial intelligence (AI). In April, Palo Alto Networks [PANW] began using generative AI for threat detection logs on its security operations centre platform. In April, SentinelOne [S] installed generative AI features on its threat-hunting platform. In May, CrowdStrike [CRWD] introduced Charlotte AI to allow all users, regardless of technical expertise, to ask questions about network vulnerabilities and receive real-time answers. Are you finding this content insightful? Leave us some feedback here.

Palo Alto’s revenue rise

The earnings season for key players in the cybersecurity space has mostly run according to analysts’ expectations. The biggest cybersecurity company is California-based Palo Alto Networks. As of 28 July it has a market cap of $75.99bn, and it held an 8.4% share of the 2022 market according to research firm Canalys. In May, Palo Alto reported third quarter revenue of $1.72bn, an increase of 24% year-over-year and 0.58% above the consensus estimate of analysts polled by Refinitiv, with growth of 25-27% forecast for the fourth quarter.

Fortinet [FTNT], a California-based company with a market cap of $60.30bn, produces best-in-class hardware for data-centre security. In its first-quarter results, Fortinet reported total revenue growth of 32% year-over-year to $1.26bn. Fortinet’s intention is to ensure its technology delivers “lower total cost of ownership while improving the efficiency and efficacy” of users’ security.

Check Point, an Israeli company with a market cap of $15.91bn, announced modest Q2 results, with a 3% year-over-year increase in total revenues to $589m, though higher-than-expected profits. Security subscriptions were the driver of performance, with 14% growth to $239m, while product and licences dragged, with a 12% fall in revenues to $117m. CEO Gil Shwed said the company was focusing on the use of AI to protect against a growing number of AI-related cyber-attacks.

Non-specialists shaking up sector

Volatility in the markets and higher inflation have forced businesses to rethink their spending plans for this year, but cybersecurity players have nevertheless reported increasing revenues. Growth in the number of cyber-attacks and their increased sophistication ensures that businesses will continue to give cybersecurity priority in their spending budgets.

Competition for market share is intensifying, as non-specialist technology giants pitch for business in this lucrative sector, affecting market share and share price performance across the board. In July, Microsoft announced it would pivot towards the cybersecurity sub-sector, causing shares in Palo Alto, Cloudflare [NET] and Zscaler [ZS] to fall by 5-7%. Long-term ramifications could affect other cybersecurity companies, such as Fortinet and Check Point. In January, Microsoft revealed that its cybersecurity business had passed $20bn in revenue, with chairman and CEO Satya Nadella targeting revenues of $100bn by 2030.

The cyber arms race

The cybersecurity sector is in a high-stakes technology race with cybercriminals, and the result is innovation and a thriving start-up scene working to meet the sector’s complex technical needs. Much of it so far has been funded by venture capital firms geared to serving a fast-growing sector. However, macro headwinds are shifting spending priorities, as buyers become more selective, favouring long-term value projects.

Cutting-edge technology, disruptive ideas and a smart anticipation of the market’s needs, particularly where AI meets cloud security, will attract a greater share of the investment inflows and cause a sector shake-out. A survey by SiliconAngle suggests that the four companies best placed to exploit AI are Palo Alto, CrowdStrike, Okta [OKTA] and Zscaler.

How to invest in cybersecurity stocks

ETFs, or exchange-traded funds, offer an economical and diversified way to invest in a variety of stocks within a particular theme.

Funds in focus: First Trust Nasdaq Cybersecurity ETF

The First Trust Nasdaq Cybersecurity ETF [CIBR], which holds $5.1bn in assets under management, is the largest cybersecurity ETF. The fund aims to replicate the Nasdaq CTA Cybersecurity Index, which tracks the performance of companies primarily involved in the cybersecurity space. CIBR gained 15.36% in the six months to 28 July.

Investors can also select the Global X Cybersecurity ETF [BUG], which tracks the Indxx Cybersecurity Index. BUG gained 11.88% in the six months to 28 July. As of 30 June, 96.3% of the fund’s holdings are in the information technology sector, while the remaining 3.7% are in communication services.

The iShares Cybersecurity and Tech ETF [IHAK] tracks the NYSE FactSet Global Cyber Security Index. It is up 14.15% in the last six months. Like BUG, IHAK’s holdings are disproportionately in the information technology sector which has a 86.21% weighting as of 27 July, with 13.58% in industrials and the remaining 0.22% of holdings being cash or derivatives.