With data breaches on the rise, cybersecurity stocks have become a major growth niche in the tech sector over the past few years. But over the past year, concerns about slower enterprise spending, lack of profitability at many companies, and lofty valuations have weighed down the entire sector. The PureFunds ISE Cyber Security ETF (HACK 0.43%), which contains a basket of top cybersecurity stocks, has fallen more than 25% over the past 12 months.
That slump has created some lucrative buying opportunities for investors willing to stomach the volatility. But before jumping in, investors should understand ten key facts about the cybersecurity industry.
1. 177 million personal records were exposed in data breaches in 2015, according to the Identity Theft Resource Center. That's double the 85.6 million records that were exposed in 2014.
2. 68.4% of those data breaches occurred in the healthcare sector. 19.2% occurred in the government, 9.1% occurred in the enterprise sector, 2.8% occurred in the financial sector, and 0.4% occurred in educational institutions.
3. The average global cost per stolen record was $154, according to study by IBM (IBM 0.01%) and Ponemon. The price was considerably higher in the healthcare sector at $363. On average, companies lost $7.7 million per data breach last year.
4. Nine common attacks are used in 96% of data breaches, according to Verizon's 2015 Data Breach Investigations Report. In order of frequency, the so-called "nefarious nine" are miscellaneous errors, crimeware, insider misuse, physical theft/loss, web app attacks, denial of service attacks, cyber espionage, point-of-sale intrusions, and payment card skimmers.
5. About 80% of threats originate externally. Companies like next-gen firewall provider Palo Alto Networks (PANW 1.14%) and threat prevention firms like FireEye (MNDT) set up perimeter defenses against these attacks. Bigger IT firms like IBM and Cisco (CSCO -0.03%) are also bundling comparable solutions into their other hardware and software products.
6. Other attacks originate internally from compromised accounts or disgruntled employees. CyberArk (CYBR -0.54%) currently dominates this space with its privileged account management solutions. Its customers include 40% of the Fortune 100 and 17 of the 20 biggest banks in the world.
7. Attacks often go undiscovered for over 200 days, according to a study by FireEye's Mandiant division. That's why companies report data breaches long after they occurred, and why hackers have so much time to sell stolen credentials online.
8. Therefore, it wasn't surprising when a recent KPMG study found that 50% of CEOs of companies with over $500 million in annual revenue didn't feel prepared for a cyber attack. Massive data breaches at Target, Anthem, and even the IRS have likely shaken their confidence and prompted them to invest in more robust cybersecurity measures.
9. That's why the global cybersecurity market could grow from $106.3 billion in 2015 to $170.2 billion by 2020, according to research firm Markets and Markets. This means that although some cybersecurity stocks look too hot to handle, they could still have plenty of room to grow. Demand is clearly rising -- Palo Alto Networks, for example, has been posting around 50% year-over-year sales growth over the past few quarters.
10. There are currently 458 cybersecurity start-ups listed on Angellist with an average valuation of $4.9 million. This means that over $2.2 billion in venture capital has been invested in the industry.
Which stocks are the best plays?
Investors will likely notice that high multiples and low profitability are common across the cybersecurity sector. That's because many companies are still in an early growth phase, prioritizing revenue growth over profitability.
Investors should also note that smaller firms with smaller portfolios of products could be acquired or undercut by diversified tech giants like Cisco or IBM. The former would be good for investors, but the latter could be tough to counter. Therefore, investors should fully understand what a cybersecurity firm has to offer before making a play on rising data breaches.