Deciphering cybersecurity ETFs in Europe

Focus on cybersecurity has ramped up since Russia’s invasion of Ukraine

Jamie Gordon


Cybersecurity valuations have been rocked this year along with many disruptive technology themes; yet from governments and businesses to ETF investors, money continues to pour into the sector.

It is an industry that continues to enjoy exponential growth in line with the rollout of increasingly capable and scaled hardware and software. At the start of the year, US-based tech consulting firm Gartner predicted global spending on information security and risk management will jump to $172bn in 2022, up from $155bn in 2021.

Meanwhile, Russian cybersecurity service provider Kaspersky found 85% of IT decision-makers in North America plan to increase their digital security budget up to 50% this year.

Underlying these predictions is an altogether worrying spike in cybercrime, with US cybersecurity firm SonicWall finding ransomware attacks more than doubled year-on-year to 623 million incidents in 2021.

As Chris Versace, CIO at Tematica Research, told ETF Stream: “The dark underbelly of our increasing connectivity and digital lifestyle is that there are just more attack vectors for bad actors.”

Versace pointed to society’s reliance on more capable systems that are increasingly integrated with our daily lives and personal information such as eCommerce, work-from-home tech, the internet of things, 5G and data centres.

Meanwhile, Aanand Venkatramanan, head of ETF investment strategies at Legal & General Investment Management (LGIM), warned more cloud-centric protection is needed, including the continued growth of ID authentication software and hardware.

He added more efficient encryption could be called for as blockchain development is used more widely.

Stressing the ability of cyberattacks to create logjams at ports, disruptions in railway networks, power supplies and more, Venkatramanan continued: “What we have seen so far is cyberattacks on businesses, individuals, governments and so on. What we have not seen are attacks that have an immediate impact at a societal level.”

Looking ahead, the number of “attack vectors” is only set to increase, with the varying degrees of rollout of autonomous vehicles, telemedicine, the metaverse and later Wi-Fi 6 and 7 and even 6G.

In a more immediate context, digital security has been brought into focus in recent months with Russia’s invasion of Ukraine and the aggressive spike in distributed denial-of-service attacks that have accompanied it.

Russia launched data-wiping malware which infected “hundreds” of computers in Ukraine, Latvia and Lithuania, temporarily disabling Ukrainian government websites and internet access in some areas.

Responding, ‘hacktivists’ including the infamous Anonymous group launched attacks against the websites of the Russian military, the Kremlin and Russian propaganda outlet RT News. A subsequent warning issued from the Department of Homeland Security to US businesses then signalled the start of a more proactive approach to cybersecurity risk management.

In April, the Securities and Exchange Commission said it was considering making it mandatory for investment managers and funds to implement cyber risk policies and disclose cyber incidents to current and prospective clients.

From the beginning of May, it became compulsory for US banks to notify regulators within 36 hours of a cyberattack taking place – following a report by cloud company VMware which found cybercrime against financial institutions jumped 63% over the past year.

Speaking on growing regulatory pressure and fines imposed on companies due to cybersecurity incidents, Versace said: “Some of the fines are punitive, without a doubt. It is a major pain point for companies.”

Echoing his thoughts, Venkatramanan argued: “Regulation should promote more security, it should build up awareness and push people towards secure solutions, but regulation should not penalise the victims.”

This last point is certainly up for debate. In fact, taking sufficient steps to protect customers from cyber threats is an increasingly important but underappreciated part of corporate responsibility.

Supporting this, US-based cybersecurity provider Arctic Wolf found that half of the 300 IT security decision-makers it surveyed believe their organisation’s cybersecurity budget “fails to meet the minimum figure they need to remain on track with their security goals”.

Growing tech applications and networks and more sophisticated criminals will require actors on different levels to continue upgrading their defences to protect the increasingly tech-integrated parts of society. This steady, growing stream of capital is what makes cybersecurity a theme to watch among ETF investors.

A breakdown of cybersecurity ETFs

While the structural long-term theme is clear to see, selecting which cybersecurity ETF to invest in is a challenge, with each of the six ETFs in Europe tracking a different index.

Chart 1: Cybersecurity ETFs in Europe


Source: ETFLogic

Despite spotty performance so far in 2022, cybersecurity ETFs in Europe house almost $5.1bn assets under management, with every product in the sector booking impressive inflows.

After launching last May, the $451m First Trust Nasdaq Cybersecurity UCITS ETF (CIBR) has almost doubled in size, with $203m in inflows, according to data from ETFLogic. CIBR has only been slightly outgunned by the veteran $2.7bn L&G Cyber Security UCITS ETF (USPY) and the $1.5bn iShares Digital Security UCITS ETF (LOCK), which have collected $290m and $326m in new assets, respectively.

Despite tumbling -19.7% over the past six months, CIBR has finished top of the pile in the sector over this period with equivalents from LGIM, BlackRock, WisdomTree and Rize ETF falling between 22.4% and 33.7% apiece, according to justETF, as central bank interest rate hikes destroyed any resilience cybersecurity valuations had displayed to drawdowns earlier in the year.

However, as the performance dispersion between the ETFs might suggest, investors would be wise to dig into the differences between the products beneath their cybersecurity labels.

For instance, five ETFs offer exposure to between 29 and 53 stocks, whereas BlackRock’s LOCK is the odd one out with its far less concentrated basket of 119 companies.

Reflecting this, LOCK’s holdings have overlap ratios with other ETFs in the product class ranging from 0.45 to 0.58 versus 0.81 for USPY and CIBR, and 0.72 for USPY and the Rize Cyber Security & Data Privacy UCITS ETF (CYBR).

Chart 2: Portfolio correlation and basket overlap of cybersecurity ETFs


Source: ETFLogic

Out of the two longer-standing ETFs, the more concentrated portfolio appears to have outperformed, with USPY boasting annualised returns of 11.7% over the past three years versus 8.8% for LOCK’s more diversified offering.

However, USPY carries a significantly higher total expense ratio of 0.69% against LOCK’s 0.40% – with the respective advantages in spreads on primary listing and securities lending returns cancelling each other out.

Despite their differences, all six strategies in the cybersecurity class react in a similar way to market events. According to ETFLogic, correlation ratios only go as low as 0.87 between the performance trends of the most dispersed ETFs – LOCK and the $65m WisdomTree Cybersecurity UCITS ETF (WCBR) – with a high of 0.98 between CIBR and the $14m Global X Cybersecurity UCITS ETF (BUG).

This article first appeared in Thematics Unlocked: Signs of a maturing ETF market, an ETF Stream report.
