In February 2024, a cyberattack against the electronic payments system operated by Change Healthcare, a unit of United Health Care, wreaked havoc on the nation’s health care payment processing system. Doctors and health care providers were unable to process insurance claims, squeezing health care providers and patients alike. The fallout from the attack continued to be felt for weeks afterward.1
The episode was a significant disruption, but hardly unique. Every week seems to bring news of a company, government agency, library, or some other entity being hacked. While the digitization of the world has brought enormous economic efficiencies and benefits, this, sadly, is one of the chief downsides.
The good news is that in response to the rise of cyberattacks, a cybersecurity industry has emerged to protect digital assets. Let’s explore cybersecurity, the scope of the problem, the effort to combat these attacks -- and the investment opportunity it presents.
Cybersecurity, as the name suggests, is the term describing the effort to protect individuals’ and organizations’ digital assets from cyberattacks, such as through phishing, viruses, and sophisticated ransomware efforts. But the term encompasses a range of activities, including protecting the security of networks, the cloud, critical tech infrastructure, personal information, external applications, endpoint, or mobile usages.
Each cyberattack is unique, and the way they unfold is constantly shifting. However, the individuals or organizations perpetrating the attacks typically fall into two camps: antagonistic adversaries or governments and criminals. A cold war is taking place between several countries that have units able to engage in cyberattacks, the goal of which is to disable essential computer, defense, or infrastructure systems. Criminals, meanwhile, usually ask for money in exchange for removing the bug or malware, an act known as ransomware.
Whatever the incentive for the attack may be, the scale, scope and impacts of these attacks is enormous. In 2023 alone, 725 data breaches of 500 or more records occurred. The largest data breach of 2023 affected 11,270,000 individuals.2 Governments may experience the publication of secret information, or actual military setbacks. Businesses may incur the loss of trade secrets, reputational risk and at the very least, the wrath of unhappy customers.
Faced with the growing threat of cyberattacks, businesses and governments are investing billions to protect cybersecurity. In 2023, the global cybersecurity market reached $236.75 billion; it is projected to more than double over the next nine years and is expected to grow to $506.79 billion by 2032.3 According to the CISO Report, 93% of organizations expect to increase cybersecurity spending over the next year.4 And defense spending on cybersecurity is growing significantly: the overall DoD proposed budget grew 3.2% for 2024 vs 2023 while cyber spending (as part of that request) grew more than 15%.5
Indeed, cybersecurity spending might even become one of the biggest expenditures for companies going forward, given its importance in an increasingly digital world. Importantly, no business in any sector can ignore this. Cybersecurity spending has become a form of essential modern-day insurance.
Furthermore, this will become an ongoing expense for companies and organizations. Those attacking digital infrastructure are elusive, constantly developing new methods to breach cyber defenses. For instance, the development of artificial intelligence technology has given cyber-attackers a new tool in their efforts. However, AI, alongside blockchain technology, can also be used by cybersecurity experts to detect and deter attacks as discussed recently.
Meanwhile, regulators have worked to address the problem. In December of 2023, new rules from the Securities and Exchange Commission went into effect to enhance cybersecurity. These rules require companies to report cyberattacks, disclose both the firm’s risk management and the board’s oversight of cybersecurity risks. While the rules are for public companies, experts expect private companies will adopt them as well.
In recent years, dozens of companies have developed, built, and released technology to protect digital assets. This growing sector of the economy, in turn, is creating an opportunity for investors to take advantage of the technology developed to protect digital assets.
As with any new thematic investing, the opportunity presents both risks and opportunities. It is difficult to predict which companies will succeed in the space, and which will falter. Therefore, a diversified approach may make sense for most investors.
Investors that see cybersecurity as a compelling growth investment may want to take into account aspects such as direct pure play exposure, diversification within the theme, active share, correlation with the S&P 500, and the amount to be allocated. For instance, in considering the overlap with other investment allocations, a minimal correlation with the S&P 500 may further boost diversification appeal.
The cybersecurity challenge is serious, extensive and it is not likely to go away any time soon. But it can be managed, and attacks can be prevented or mitigated. Meanwhile, investors may potentially benefit from the growth potential of the companies engaged at the front lines of the effort.
Index definition:
The S&P 500 Total Return Index (S&P 500), is a market-capitalization weighted index of the 500 largest U.S. publicly traded companies.
1 https://www.nytimes.com/2024/03/29/health/cyber-attack-unitedhealth-hospital-patients.html
2 Healthcare Data Breach Statistics, hipaajournal.com
3 https://www.expertmarketresearch.com/reports/industrial-cybersecurity-market
4 The CISO Report | Splunk.
5 https://federalbudgetiq.com/insights/dods-fy24-cyber-budget/