With nearly every aspect of our lives linked through networks and data, cyber-security risks are growing—and so are the business and investment opportunities.
Over the past few decades, the Internet has grown from a communication tool to something so ubiquitous that it touches nearly every aspect of our lives. Consider the growth of smartphones and the Internet of Things, which includes everything from home appliances and medical devices, to the cars we drive. Even when we're “unplugged," data related to our finances, careers, health and personal lives are pervasive—and vulnerable.
Such fears aren’t just for individuals anymore. As high-profile cyber attacks have shown, virtually every industry—from retail and financial services, to healthcare and entertainment—is at risk. An attack can disrupt business operations, result in direct losses and—just as importantly—do lasting damage to a brand. While retail and financial services companies have been the most prominent targets, the landscape is constantly evolving.
“Forward-leaning businesses are starting to approach the threat of cyberattack as a question of 'when' rather than 'if,' ” says Victoria Chapelow, an analyst with Morgan Stanley’s Sustainable + Responsible Investing Research team, which recently issued a report, "Investor Roadmap for Cyber Security," on the risks and opportunities for investors, with guidance on how to factor this critical threat into valuations, and assess which companies are best positioned to capture the $75 billion—and growing—global information-security market.
Even as organizations continue to fortify their digital fortresses, the number of security incidents against companies is on the rise—up 38% so far in 2015, according to PwC's most recent Global State of Security Information Survey. All told, cyber crime costs the global economy $400 billion annually, according to the Center for Strategic and International Studies.
Not surprisingly, more companies are ramping up cyber-security measures, and carving out bigger shares of their IT budgets for this space. Morgan Stanley's October, 2015, survey of chief information officers found that security is a top priority, with overall spending expected to grow 15% in 2015 and 16% in 2016.
Historically, organizations have focused on “block and protect" technology designed to keep hackers out. Increasingly, companies are looking at comprehensive solutions. Rather than simply “keep the bad guys out," companies are interested in improving "endpoint security," or shoring up security at the user level, walling off the most sensitive data, and quickly detecting and closing breaches.
“Among the stocks that are exposed to the cyber security theme, investors will want to be selective, focusing on names that should see sustainable growth," says Melissa Gorham, a Morgan Stanley analyst who covers the software industry, with a focus on enterprise security software.
Investors can access cyber security through three primary sectors.
- Security Software: This is the most obvious area of interest for investors, as it focuses on niche players who may directly benefit from growth in cyber security. These providers of comprehensive solutions not only secure information but aim to secure users and offer operational intelligence that can spot breaches early.
- Aerospace & Defense: Information security is a small but growing area that could offer a back door into this sector, at lower valuations. Such companies are growing their security divisions and expanding via mergers and acquisitions. One U.K. company, for example, is expected to grow its applied intelligence business by 30% this year.
- Cyber Insurance: This niche market has the potential to expand, particularly as new regulations require critical industries to report all data breaches. Cyber insurance represents just $2 billion to $3 billion of written premiums, according to Morgan Stanley's Global Insurance team, but could easily surpass $8 billion to $10 billion by 2020.
In addition to understanding exposure, investors will want to assess whether companies are taking proactive steps to safeguard against cyber crime. Company CEOs and boards should “set the tone" for cyber security, notes Chapelow, but education and information security at the employee level is also key. Any time an employee opens an email, copies information to a data device or uses a personal device to access sensitive information, it can open doors for cyber criminals to slip in.