With demand for next-generation security and vulnerability-management solutions climbing, sales of cybersecurity products and services are expected to grow by 9% in 2019

Like many powerful technologies, the internet creates both tremendous benefits and daunting challenges. It offers us myriad conveniences, instant access to news and information and quick and efficient communications. It also provides criminals access to sensitive information they use to commit fraud, steal intellectual property and perpetrate other crimes.

With the number and cost of cyber attacks rising, businesses and other organizations are fighting back by continuing to invest in technologies they hope will keep their data secure. But while the spending on these safeguards could present investment opportunities in companies combating cybersecurity threats, it's a tricky space. Tools designed to safeguard sensitive data are evolving quickly, as are the tactics cyber thieves employ to steal it. The challenge for companies and investors is anticipating cybersecurity trends – and identifying future leaders and laggards in the marketplace for information security products.

Cyber threats' massive scale offers a clue. The annual cost of cybercrime is estimated to hit $6 trillion by 20211 — twice the 2016 cost, in part because the frequency and scale of cyber-attacks are growing.

Corporate executives and government officials are also racing to fortify their cyber defenses. In a recent survey, 45% of chief information officers indicated they would be accelerating their investment in security over the next 12 months2 and that it was their highest priority in terms of spending. 

These dollars are going towards hiring cybersecurity threat specialists, upgrading highly manual information security platforms with automated systems and adopting artificial intelligence, among other uses. 

In sizing this opportunity, consider the scope of cybersecurity threats. Billions of dollars are being allocated to cyber defense, making the cybersecurity space a compelling investment opportunity.

In 2017, the global number of high-profile data breaches—defined as those with 50,000 or more records stolen—increased by 28% year-over-year3. The average cost of a data breach in 2017 was estimated to be just shy of $3.9 million, up 6.4% from the previous year.4

As the risk of cyber threats has grown, so, too, has the market for cyber defense solutions. From a few companies offering antivirus software in the 1980s, the total addressable market for cybersecurity tools is more than $40 billion today with a number of verticals, each dedicated to a different solution area. See the graphic below.

With demand for next-generation security and vulnerability-management solutions climbing, sales of cybersecurity products and services are expected to grow by 9% in 2019—outpacing not only the broader market but also the tech sector in aggregate.5

A pie chart showing the breakdown of the total addressable cybersecurity market.

As the number of people and devices connected to the internet multiplies, so will opportunities for criminals to commit identity theft, steal data (or ransom it) and crash websites. Constant innovation will be required to counter increasingly sophisticated attacks, as will increased spending on cybersecurity threats by businesses and governments. That spending bodes well for the cybersecurity sector as a whole, but it could be particularly beneficial for companies focused on three potential growth areas:

  1. Denial of access. Before the advent of smartphones, laptops, tablets and web-connected televisions and printers, hackers had limited entry points to companies' computer networks. More connected devices give hackers more paths to those networks, especially as companies allow telecommuting and mobile employees to connect to their networks with their personal devices. To reduce the number of gateways or "endpoints" available to hackers, organizations are investing heavily in antivirus, anti-spyware, firewall, and host-intrusion-prevention systems. Of course, endpoint security is just one cybersecurity trend. Other areas, such as networks, mobile, security management, and applications, are equally ripe for innovation and present interesting investment opportunities.
  2. Automating security protocols. Chief information officers are prioritizing the introduction of technologies that can perform routine, but time-consuming, tasks. This is boosting the demand for software that incorporates artificial intelligence (AI) and machine learning. Software underpinned by these technologies process vast amounts of data to anticipate, detect and respond to cyber attacks with little if any, human intervention. As such, it has the potential to increase the effectiveness of cyber defenses, while lowering the cost of maintaining them. Tempering the opportunity presented by the push to automate is a lack of qualified software developers with AI or machine learning expertise. Put simply, the adoption of AI and machine learning is being slowed not by a lack of demand for these technologies, but by the scarcity of talented engineers and programmers needed to accelerate their development.
  3. Defending the cloud. Not long ago, companies housed data and applications solely on internal networks. Today, many companies are migrating sensitive information and "mission-critical" functions to the cloud, which has made cloud security a priority for both cloud services companies and their customers. Indeed, concern about cybersecurity threats like data breaches has been cited as the main reason for slower adoption of the public cloud. The use of web-based tools that allow globally scattered work teams to collaborate with each other also puts a premium on cloud security.

    Amazon, Microsoft and other cloud enterprises are bolstering their cyber defenses both by developing proprietary security solutions and by partnering with independent providers with the expertise and technology to address arcane and sometimes customer-specific security challenges. To the latter point, a financial services firm typically requires more robust security protocols than, say, a film production company, so an Amazon or Microsoft might task a company to address threats specific to banks or brokerage firms. Demand for these should grow as businesses across diverse industries become more comfortable shifting critical functions to the cloud.

While the large legacy technology companies continue to pioneer cybersecurity tools, some smaller, more innovative companies have been gaining ground and may be a threat to incumbent players. Smaller businesses typically deal with less corporate bureaucracy and thus, often are quick to market with innovative solutions. Many legacy companies, on the other hand, have been slow to respond to the changing landscape of cybersecurity threats, which is one reason about half of all attacks go undetected.6

The growth potential of the nimble, non-listed companies in the cybersecurity space has not gone unnoticed by investors. So far in 2018, there has been about $2 billion of financing across 165 transactions, and 84 M&A deals worth $3.8 billion.7 Much of that activity has involved the smaller, private companies that constitute the vast majority of the 3,000 companies in the cybersecurity sector. In addition, more of the funding referenced above has been directed at companies in the expansion stage rather than to startups in need of seed capital.8 This reflects a gradual maturing of the sector and a wider opportunity set for private investors.

Because the cybersecurity sector is inhabited largely by private companies, it is difficult for most individual investors to gain exposure. There are exchange-traded funds focused on cybersecurity, but they have little-to-no access to the unlisted firms that dominate the space. To invest in up-and-coming players, qualified investors can invest in venture capital firms that provide capital for early-stage cybersecurity businesses. Another option is to take a stake in a private growth fund, which invests in more established, expansion-minded enterprises.

Understanding why cybersecurity is important illuminates the opportunities presented by the burgeoning cybersecurity market. Yet the potential to achieve solid, long-term profits likely would come with the higher volatility endemic to rapidly evolving sectors.

For ideas on how to incorporate these views in a way that is suitable for you, we invite you to contact a J.P. Morgan representative.