The cybersecurity sector has attracted a lot of investor attention of late, fuelled further by the sheer number of Covid-19 related cyber-attacks in lockdown.
There's no doubt that the sector is on the cusp of a huge growth surge given some recent very high-profile data breaches such as easyJet, Twitter, Instagram, TikTok, Marriott and Experian.
Given the sheer scale of fines being dished out (BA were fined £183m for a 2018 data breach) companies are likely to increase cyber-spending vastly in the coming months and years.
From companies building firewalls in the cloud (such as Cloudflare), to those developing crowdsourced endpoint security tools (for instance, CrowdStrike), to those working on consumer-oriented privacy software (for example, Avast), the cybersecurity sector always seems to be able to drum up a new, multi-billion-dollar winner.
Last year saw the IPOs of a number of new cybersecurity companies, including identity access management company Ping Identity (with remote work, "identity" has become perhaps the hottest topic in cybersecurity right now).
As these new companies have joined the public markets, legacy cybersecurity players have had to keep pace with the innovation.
Many have recalibrated their businesses, reinvented themselves as something new, while others have wholly rebuilt their security stacks to remain relevant. Others have failed to remain relevant.
The shift away, from traditional enterprise security to cloud-native security has created a lot of zombie companies.
Similarly, the advent of artificial intelligence, and the accelerated shift to predictive security models has left many legacy players scratching their heads for new ideas.
For investors, in a sector undergoing such rapid transformation, separating the real cybersecurity companies from generalist security companies has been a challenge.
With almost every company in the broader "security" category proclaiming to be a next-generation cybersecurity specialist, real cybersecurity companies with unique and sustainable competitive advantages have been overshadowed by bigger giants and their alluring digital marketing campaigns.
Nowhere has this been more obvious than in the "defence" sub-sector. At the same time as cybersecurity has boomed in recent years, a large number of traditional "defence" companies have repackaged and resold themselves to the market as cybersecurity specialists.
The consequence for investors has been significant; getting exposed unwittingly to companies with little to no cybersecurity relevance, but also those with admittedly poor ESG records - not uncommon for defence sector companies.
For this reason, it has been crucial for investors to evaluate their cybersecurity exposure to ensure they are not getting exposed to howlers, and that they are getting exposed to the most compelling and exciting pure-play companies in the sector.
The table below sheds some light on defence companies that regularly appear in the cybersecurity category that investors should be looking out for. A quick look at any of their financials (or an email to the investor relations department) will reveal negligible revenue exposure to cybersecurity.
Further in the table we showcase the extent to which these companies are engaged in production of controversial weapons. This includes not only companies engaged in the production of key components for nuclear weapons, but also companies developing new controversial technologies such as autonomous weapons systems.
What is striking here is that all of these companies are engaged in the export of arms, not only to countries that are considered "controversial" (defined as unfree countries by various non-partisan organisations) but which are either directly or indirectly also involved in the war in Yemen. Lockheed Martin and General Dynamics in the US, BAE Systems in the UK, Rheinmetall in Germany and Thales in France all stand out.
From an ESG standpoint, investing in these companies simply does not add up and they should therefore be excluded from cybersecurity exposures. This is before looking at the revenue exposure to cybersecurity which is trivial at best.
We believe therefore that careful scrutiny is required when investors are taking exposure to the cybersecurity sector. Investors should assess the companies individually in the funds they're buying to ensure that they are not unknowingly tarnishing their own track records.
Rahul Bhushan is co-founder of Rize ETF