This article was originally published on Nov. 26, 2016, and updated on April 6, 2017.
Over the past few years, the surge in data breaches worldwide has boosted bullish interest in the cybersecurity industry. However, many cybersecurity stocks have been deemed risky bets due to slowing sales growth, low profitability, high valuations, and rising competition.
But despite those higher stakes, the PureFunds ISE Cybersecurity ETF, which owns a basket of top cybersecurity stocks, rallied 21% over the past 12 months and outperformed the S&P 500's 14% gain. To see if these stocks can bounce back, we should identify some key trends which could affect the cybersecurity sector in the coming year.
Weak security, more sophisticated attacks
More than 1.4 billion records were lost or stolen during data breaches in 2016, according to the Breach Level Index -- an 86% jump from 2015. 62% of respondents in CyberEdge Group's 2016 Cyberthreat Defense Report believed that their companies could be hit by successful cyberattacks within the year.
Bigger companies are slowly responding to these threats, but Cisco's 2016 Annual Security Report found that only 29% of small to medium-sized businesses used basic security tools to prevent breaches. Symantec (GEN 0.84%) also found that three quarters of all monitored websites had exploitable vulnerabilities.
Those weak security measures, combined with the growing number of unsecured IoT (Internet of Things) gadgets on the market, could result in more catastrophic attacks in the coming year.
Higher enterprise and government spending
As more data breaches occur, companies will need to prioritize cybersecurity spending. Lloyd's and Juniper Research estimate that the global cost of handling cyberattacks will surge from $400 billion in 2015 to $2.1 trillion in 2019 -- indicating that demand for "best in breed" cybersecurity services will rise over the next few years.
The Trump Administration plans to develop a new national cybersecurity plan to counter attacks from foreign hackers. This means that higher spending from government agencies could boost revenue at government-certified cybersecurity firms like FireEye (MNDT) and Palo Alto Networks (PANW 0.72%), as well as the cybersecurity arms of defense companies like Raytheon.
However, President Trump faces a tough uphill battle to restore confidence in the government's cybersecurity capabilities -- three-quarters of respondents in Passcode's survey of digital security and privacy experts didn't believe that cybersecurity standards would improve under a Republican administration.
Balancing expenses and profitability
Many cybersecurity companies post solid revenue growth, but only a few are able to generate consistent GAAP-adjusted profits. This is because many cybersecurity companies have high operating expenses, weak cash flows, and use high stock-based compensation (SBC) to attract top talent.
Those high expenses made Silicon Valley-based FireEye and Palo Alto unprofitable on a GAAP basis, and both companies have struggled to keep those costs under control. However, Israeli cybersecurity companies like CyberArk (CYBR 0.49%) and Check Point Software (CHKP -0.04%) generally pay lower salaries and stock bonuses than their Silicon Valley counterparts, making both companies profitable by both non-GAAP and GAAP metrics.
Looking ahead, investors should see if the Silicon Valley players can get their costs under control, and see if non-Silicon Valley cybersecurity firms can keep expanding and building competitive workforces.
Many analysts believe that the fragmented cybersecurity market is on the brink of a major consolidation. Over the past few years, larger tech companies like Cisco, Symantec, and IBM have all beefed up their security businesses with various acquisitions.
Cisco became a direct competitor to Palo Alto and FireEye with its purchases of Sourcefire and ThreatGRID; Symantec is evolving into an end-to-end player with its purchases of BlueCoat and LifeLock; and IBM's purchases of Resilient, Lighthouse, and CrossIdeas bolstered its IT security capabilities.
Smaller stand-alone service players like Palo Alto, FireEye, and CyberArk could find it tough to compete with these bundled solutions. But at the same time, these companies all have "best in breed" products -- Palo Alto's next-gen firewall, FireEye's threat prevention solutions, and CyberArk's privileged account management platform are all widely used by large companies.
Therefore, it's more likely that bigger companies like Cisco, Symantec, and IBM will simply acquire these companies and their customers instead of trying to marginalize them. However, some of these companies' valuations might need to drop before they can be considered reasonable acquisition targets. For example, Palo Alto and CyberArk respectively trade at 6 and 8 times sales -- which is much higher than the industry average of 4 for software companies.
The key takeaways
Investors should be very picky with cybersecurity stocks this year. It's better to stick with companies like Check Point and CyberArk, which have concrete profits, than companies like Palo Alto, which have robust revenue growth but weak control over their expenses.
However, I believe that all investors should have some exposure to the cybersecurity market, which could experience very steep growth over the next few years as cyberattacks and data breaches escalate.