How to protect our economies and capitalize on the trend
As Palantir filed for IPO (while also settling a score with Silicon Valley), news on the cybersecurity front has been grim since the start of the pandemic. One of the unintended consequences of COVID-19 and subsequently of the entire economy moving online was the exponential increase in the points of vulnerability both on the clients’ and employees’ sides. In addition, the uncertain and fearful global environment became a fertile ground for fraudsters. Accordingly, the spike in cyber security threats related to COVID-19 and specifically the influx of associated malware and phishing scams was fast, furious and global; more specifically, attacks against the financial sector increased 238% globally from the beginning of February to the end of April
With the IMF estimating, back in 2018, that cybercrime was costing the world ~$100 billion to 350 billion annually (the equivalent to ~10 to 30 percent of banks’ net income globally) and was potentially threatening financial stability, what are the trends we can anticipate? Below are several areas where I see a lot of activity taking place, hence generating opportunity to capitalize on the disruption.
Cybersecurity companies will consolidate; valuations are likely to increase as well
Notwithstanding Palantir staggering $600M losses in 2019, cybersecurity companies have seen great results in terms of top/bottom lines, and valuation. Private and public companies in the space were already trading at very healthy multiples; a trend that will likely continue. We will see more M&A as the industry is maturing and getting away from point solutions towards a platform approach. We are seeing an arm race to consolidate and capture market share at every stage (hence a jump in capital being raised). KnowBe4, a KKR-backed cybersecurity company, which last year raised $300M is readying its IPO estimated at +$2Bn. ReliaQuest just raised +$300m in growth financing, also lead by KKR. Early-stage ventures like Plurilock are turning to public markets to enable their acquisition strategy of complementary players to make the transition from point to platform solution. A player in the Identity & Access Management space (with a former NSA director on its Board and clients such as the US Department of Homeland Security and the US Army), Plurilock received conditional approval to be listed on the TSX-V this August.
The option of launching an industry utility/ COE/ Institute catering to T1 and T2/T3 banks should be explored by large players, such as Absolute Software and BlackBerry in Canada, or CarbonBlack, CrowdStrike, CyberArk and Fortinet in the USA. A model in the same vein as the Canadian superclusters would be beneficial across the board for businesses in the cybersecurity space, the financial services industry, the end clients, the regulators, the national governments and ultimately the society at large.
Allocating capital to cybersecurity companies (that might become M&A targets or platforms), as well as companies enabling them (in space such as cloud computing and AI) should be on most investors’ radars (even for investors focusing on other verticals than Financial services, as the trend is ubiquitous). Cyber firms transitioning from point solutions to platforms should be high on the list for long term holdings; firms with a deep expertise and niche solutions will be of interest as potential acquisition targets with shorter terms horizons.
A challenge faced by investors, similarly to banks and Fintechs, is the lack of experience and skillset when it comes to cybersecurity. We can expect VC/PE funds specializing in cybersecurity, such as Evolution Equity Partners, to see an influx of capital. Such strategies will not be easy to replicate considering the shortage of deep expertise in the space (hence limiting competition). You can then expect funds with skillset and track record in the cybersecurity industry to raise larger funds and write larger checks (and likely moving upward the maturity curve). We will probably also see more ETFs and mutual funds arise in the space.
To get exposure to the potentially outsized returns in the cybersecurity space, allocating capital to funds with deep expertise and track record is a great way in. For those investors who also want to build more direct exposure to the cybersecurity space, they will be able to do so via co-investment rights following investments in private VC/PE funds.
Overall, Israel, a cybersecurity powerhouse with an unmatched talent pool in the space, will greatly benefit from these trends.
FIs’ are becoming riskier and seeing additional pressure on their bottom lines
Cyberthreats were already at the top of the agenda for most FIs pre-pandemic; it has however taken a whole new meaning in a context where institutions’ financials are squeezed on multiple fronts — from low interest rate, to increased capital spending to enable digital transformation and growing loan losses. The complexity and the costs to shield themselves and their clients, compounded by the losses coming from successful attacks and punitive fines from regulators (a very recent example being Capital One fined $80 million for 2019 hack of 100 million credit card applications) are making the situation very challenging for banks. If you add to that the shortage of expertise combined with the acceleration of digital transformation initiatives, it is easy to see a looming disaster. FIs have to up their game, quickly and materially, meaning: 1) allocate more capital to cybersecurity strategies (and develop such a strategy in the first place in many instances), 2) increase the mindshare of the Board & C- Suite regarding the issue, and, 3) alter the approach from being reactive to proactive/predictive when it comes to cyber-threats. Smaller institutions, such as T2–3 banks, will have the most difficulty to adapt due to the additional challenge of supporting these sizeable costs on a smaller profit base.
In parallel to developing a holistic cybersecurity strategy and allocating more capital, I can envision several steps that would help large and small players to face this potential Armageddon. First, and in my view best option, the development of an industry utility/ Center Of Excellence/ institute pooling resources from large and small FIs in some areas such as anti-fraud security, predictive intelligence and autonomous systems would accelerate the agenda and make it financially more palatable. It has been apparent that the current limited collaboration between banks won’t cut it (collaboration often limited to sharing information once a threat has been detected — which happens on average ~6 months after an attack has taken place and companies have been breached). Second option would be less ambitious, but still helpful, heightened collaboration between banks such as sharing strategies, best practices, and results from pilots / POCs. Not mutually exclusive with the second option, the opportunity for T1 banks to commercialize some of their cyber infrastructure to T2-T3 banks would allow smaller banks to operate more safely.
Cybersecurity is a topic that’s too important for our economies and societies to ignore. If a couple of institutions were to fall due to cyberattacks, we are back to the bailout dynamic of the financial crisis, endangering stability and eroding confidence in the system (while also being extremely costly to the taxpayers). No one wins in this scenario, even the unaffected banks.
From investor perspective, due to the growing risks associated with cyberattacks, banks are becoming inherently riskier while returns, due to the costs of putting in place solid and holistic cybersecurity strategies, are decreasing. This emerging trend has not yet permeated most analysts’ reports, despite its inexorability. Investors will have to get smarter re cybersecurity when allocating capital in the financial services space. The silver lining would be for the bank(s) taking the lead in packaging and commercializing their cybersecurity capabilities, as well as for the one(s) willing to lead the creation of a cybersecurity industry utility.
More barriers to entry…