Cybersecurity: Discovering Growth in a Recession
The COVID-19 pandemic was fuel for the economy’s digitization. Rapid adoption of cloud, multiplication of devices, and increase in data generation ended up straining existing systems, exposing gaps in enterprise defences. Parallelly, cyberattacks saw a broad uptick worldwide. Both factors are now pushing global businesses to ramp up spending on security solutions. Cybersecurity pure-play vendors serving emerging demands across enterprise, consumer, and government use cases are seeing growth accelerate. This presents an opportunity for investors seeking exposure to growth themes amidst the ongoing macro-induced challenges.
- Cyberattacks are growing in frequency and sophistication. Security of digital operations continues to be a major concern for global enterprises.
- Leading cybersecurity solutions vendors are witnessing growth accelerate as security spending increases. Earnings display resilience in billings, revenues, and margins.
- We expect increasing use of technology to further strengthen tailwinds. Cybersecurity spend will likely continue to outpace the rest of the IT market in the near to medium term.
Attack Landscape Is Getting Worse
The threat of COVID-19 may be receding, but the increased digital activity that the pandemic spurred isn’t. First, hybrid work remains popular and is likely to be standard practice for many businesses. Even if they’re largely back in the office, employees expect to be able to work from anywhere. This dynamic enhances the surface area that enterprises must defend, requiring investment in specialized solutions.
Second, the conflict in Ukraine illustrates new threats that companies face. Hacking organizations, hacktivists, and criminal organizations are seen targeting infrastructures of nation states they do not agree with. Businesses are often caught in the middle, which has elevated cyber security from an engineering challenge to an executive concern. Even the U.S. government recommends businesses place tighter protections in place.1
Third, we appear to be in the middle of a broad digital transformation where enterprise data and applications are moving to the cloud. Securing this shift of data assets is a priority area of investment.
Fourth, the operational technology running critical infrastructure such as pipelines, dams, electric grids, and the industrial control systems running supply chains and production facilities are being digitized. Securing these nodes presents challenges for governments around the world.
The threat landscape is increasingly dangerous. For the first half of 2022, ransomware attacks grew nearly 52% year-over-year (YoY).2 Ransom-ware-as-a-service attacks from well tracked and notoriously popular hacking organizations such as Conti and LockBit, which caused some of the worst ransomware outages during COVID, grew 500% YoY.3 Encrypted threats continue to grow as well.4 Other common attacks include Distributed denial of service (DDoS), malware, and simple attacks like phishing and social engineering. An average U.S. business can lose $9.4 million in a data breach.5 The longtail impact of such attacks can be far worse. Data assets, credentials, and company secrets are often seen changing hands on the dark web for decades after the attack.6
Earnings Show Resilience
Cybersecurity businesses may be able to leverage strengthening tailwinds to accelerate growth. Cybersecurity companies grew revenues by approximately 19% year-over-year (YoY) for the most recently reported quarter on an annualized basis, up 680 basis points (bps) sequentially and 1,250 bps year-over-year (YoY).7 In our view, this acceleration is the best evidence of increased enterprise spending.
Looking deeper at the fundamentals of these companies, gross margins for cybersecurity companies remained healthy, averaging more than 70%.8 Earnings before interest and taxes (EBIT) margins at -0.5% showed some contraction because of the current macro-induced hiccups.9 Free cash flow margins were over 20%.10
Demand for subscription-first platforms is particularly strong. Palo Alto Networks, a network security software provider, grew its top line by 27% YoY for Q2 2022 and revised its Q3 2022 guidance to the upside.11 Sales for CrowdStrike, a vendor of endpoint security software, grew its top line by ~59%, beating estimates by 3.6%.12 CrowdStrike also raised its guidance.13 Traffic monitoring software vendor ZScaler grew its top line by ~61% YoY and revised guidance to the upside.14 Industry bellwethers Fortinet, Sentinel One, and Checkpoint all beat estimates for the last reported quarter.15,16,17
Many of these companies are also pushing innovative frameworks and approaches in a bid to capture incremental share. Zero Trust architecture is a comprehensive security framework that distrusts all software and hardware agents by default, thereby enforcing the need to verify each end system every time it interacts with a broader network.18 Another emerging framework called SASE combines best practices of traditional network security with cloud-native security frameworks – allowing remote logins and endpoint interactions in a much more secure fashion.19
Cybersecurity M&A Hasn’t Slowed Down
As the market grows, we believe that leading solution providers positioned as one-stop shops will be able to consolidate more share, boost margins, and grow more efficiently than their competition. Mergers and acquisitions (M&A) activity remains high with leading cybersecurity companies looking to acquire smaller startups and fill gaps in their product portfolios. Palo Alto Networks acquired Apiiro for $600 million in September.20 CrowdStrike acquired Humio for $400M in Nov 2021.21
Other potential buyers of cybersecurity companies include big cloud franchises and hyperscalers looking to bolster their existing infrastructure software portfolios. For these companies, security software can be a way to retain large clients and improve margins. Also, private equity companies are becoming major players in cybersecurity M&A. The playbook is simple: Buy smaller cyber businesses within a specific category and bundle them to create a market dominating player.
Most recent cybersecurity acquisitions were completed at a premium to the rest of the technology market. As of June 2022, the median deal multiple for deals announced was at over 9 times revenues, nearly 25% higher than average sales multiple for cybersecurity companies.22
Governments Expected to Ramp Up Cyber Spending
Securing the online operating environment for businesses is a priority for governments around the world. Global businesses lost nearly $6 trillion annually to cybercrime because of lost data, penalties, productivity loss, ransoms, and attacks that led to total business failure.23 Cybercrime’s impact can be particularly damaging for small businesses.
The U.S.’ fiscal year 2023 budget increased cybersecurity spending by nearly 10% YoY.24 The budget included $11 billion for the Department of Defence to implement zero-trust architecture across its vendor systems.25 In addition, the Infrastructure and Jobs Act included a couple billion dollars to secure local government assets.26 We believe the U.S. government’s commitment to cybersecurity may be a sign of cyber spending to come as other governments ramp up their defence.
Conclusion: Cybersecurity Appears Well Positioned in This Recession
Cybersecurity must evolve in lockstep with broader technology. As attacks rise and businesses consume more technological products, the importance of cyber defence’s will be paramount. Even in a potential recessionary environment in 2023, we believe security spending will be the last item squeezed. Chief Information Officers around the world call out cybersecurity as a top priority budget item in 2023.27 It is estimated that global security spending will grow ~7% to more than $165 billion in 2022, following ~14% growth in 2021 and nearly 7% in 2020.28,29
Spending is expected to be particularly visible in cloud security, end point security, data security, ID and access management, and infrastructure security, which were brought into focus by computing needs surfaced during the pandemic. Nearly 50% of all cybersecurity spending today goes to custom services, and cloud deployed solutions can also attack this pocket.30
Overall, we expect spending growth rates to likely remain elevated over the next 5 years, boosted by appetite for more scalable cloud-deployed solutions. Meanwhile, cybersecurity stocks are trading down 28% year-to-date as of Nov 10, 2022.31 Given this growth trajectory and pullback, we see attractive potential upside for the theme.
This document is not intended to be, or does not constitute, investment research