Cybersecurity has become a hot business over the past few years due to a surge in cyber attacks and data breaches. The Identity Theft Resource Center (ITRC) reports that the number of personal records exposed in data breaches nearly doubled last year to 169 million across the enterprise, healthcare, government, educational, and financial sectors.
Yet cybersecurity stocks have fared poorly this year, with the PureFunds ISE Cyber Security ETF (NYSEMKT:HACK) -- which owns a wide variety of cybersecurity stocks -- sliding more than 20% over the past 12 months. That sectorwide decline has revealed some lucrative long-term investment opportunities, but investors should understand the basics of the cybersecurity industry first.
Market growth potential
Research firm Markets and Markets expects the global cybersecurity market to grow from $106.3 billion to $170.2 billion in 2020. Last December, a survey by Wakefield Research found that 81% of 700 IT decision makers at SMBs planned to boost their annual IT security budget by an average of 22% in 2016.
Governments, which accounted for 8% of all data breaches last year in the ITRC report, are also facing pressure to increase cybersecurity spending. Earlier this year, the Obama administration proposed increasing federal cybersecurity spending by $5 billion to $19 billion in 2017. Therefore, businesses and governments might reduce spending in other areas, but cybersecurity spending will likely climb as cyberattacks become increasingly sophisticated.
External and internal threats
Cybersecurity companies are generally split into two categories -- those which protect a network from external threats, and those that deal with internal ones.
Companies that deal with external threats create firewalls, threat prevention systems, antivirus software, and other security solutions. "Best in breed" players in this market include firewall providers Palo Alto Networks (NYSE:PANW) and Check Point, threat prevention leader FireEye (NASDAQ:FEYE), antivirus maker Symantec, and networking giant Cisco's bundled security solutions.
Companies that tackle internal threats offer network monitoring solutions. Key players in this market include IT giants IBM and Hewlett-Packard Enterprise, IT management software provider CA, cloud-based security firms Splunk and Imperva, and privileged accounts protector CyberArk (NASDAQ:CYBR).
A key threat facing many smaller players in both markets is that larger players like IBM, Cisco, and HPE are bundling more of their own security services into their hardware and services. If that happens, companies which don't have a well-protected niche (like CyberArk in privileged accounts) could be wiped out, while companies which dominate specific niches could be acquired.
Common financial themes
Investors will also notice some common financial themes across the cybersecurity industry. First, it's common for these companies to generate double or triple-digit sales growth for multiple quarters. Palo Alto has delivered over 50% annual sales growth every quarter since the fourth quarter of 2014. FireEye's revenue rose 34% last quarter, while CyberArk's improved 42%.
But sales growth isn't everything. Most companies split their revenue into product and services. Product (or license) revenue growth is considered more important, since companies must keep selling new licenses for their products to generate recurring services revenue from subscriptions and maintenance fees. Product revenue growth outpacing total revenue growth is considered a strong positive indicator of future growth.
However, many cybersecurity companies are deeply unprofitable due to high stock-based compensation expenses and rapid cash burn rates. Many cybersecurity companies -- including Palo Alto, FireEye, and CyberArk -- used secondary offerings to raise cash, which diluted shares for existing investors. Some companies, like CyberArk, have since become profitable on both a GAAP and non-GAAP basis by reining in their spending. Others, like FireEye, remain unprofitable by both measures.
Therefore, investors should look closely at these companies' cash positions and the reconciliation between non-GAAP and GAAP profits. For example, Palo Alto -- which is profitable on a non-GAAP basis -- is unprofitable on a GAAP basis due to stock-based compensation expenses, which soared 76% annually last quarter and swallowed up nearly a third of its revenue.
A volatile but promising market
Investors seemed to sell many cybersecurity stocks over the past year due to concerns regarding softer enterprise spending and competition. But I believe that fears about enterprise spending are unjustified, since companies are realizing that the brand damage caused by data breaches far outweighs the cost of solid protection. Competition is worrisome, but only for certain companies which don't dominate niches, lack growth, and aren't considered "best in breed" players.
Cybersecurity stocks certainly aren't for risk averse investors. But investors who can stomach the volatility could generate big returns within the next few years by investing in the right players in this promising market.