investment insights
Cybersecurity investment opportunities
Lombard Odier Private Bank
Key takeaways
- The conflict in Ukraine – long a focus of cyber attacks – has raised cyber risks worldwide
- Such attacks are not precision instruments and can have large unforeseen consequences – one reason that could deter nation-state attackers keen to avoid conflict escalation
- Cybersecurity has risen up country and company agendas. Its link to governance and reputational risk makes it an increasingly protected part of corporate spending, and we expect healthy growth here in coming years
- We are positive on the cybersecurity industry – and see growing implications for insurers.
Russia’s invasion of Ukraine has raised fears of a cyberwar with global consequences. We assess the threats and limiting factors behind any cyber aspect to the conflict. Beyond the immediate risks, we believe the war in Ukraine will drive further growth in cybersecurity, with a range of investment implications.
Ukraine’s ongoing cyber struggles
Ukraine has long been a testing ground for cyber attacks, and Russia widely acknowledged as the biggest state-sponsored actor1. In June 2021, a NATO communiqué had already noted the risk of malicious cyber activities by Russia against its members. A confident cyberpower engaged in a military invasion has now raised digital alert levels worldwide.
Ukraine has been dealing with digital harassment for years, from the spread of disinformation via the internet, to vicious and costly malware – or malicious software – to disable infrastructure. Since 2014, when Russia annexed Crimea, attacks have risen. Government agencies, the electoral commission, banks, airports and power networks have all been targets. Earlier this year, hackers left the message: “Be afraid and expect the worst” on a number of Ukrainian websites, and hit others with ‘distributed denial of service’ (DDoS) attacks that overwhelmed them with traffic.
Such attacks have heightened risks for international companies and investors. In 2017, a vicious form of malware – a ‘wiper virus’ designed to wipe computer hard drives – called NotPetya attacked accounting software used by Ukrainian firms. The US and UK laid the blame at Russia’s door. NotPetya spread to global companies including FedEx and Merck, causing an estimated USD10bn of damage. For investors, it highlighted the threat of collateral damage to firms worldwide, and the need for cybersecurity protection and resilience. An attack on one of Toyota’s major suppliers on 28 February this year, which took place shortly after Japan announced sanctions on Russia, caused the firm to halt domestic auto production, and led investors to fear wider supply chain vulnerability.
Risks of cyber attack have risen
The risk of cyber operations being deployed in the current conflict is certainly elevated. Cyber attacks are comparatively cheap and easy to launch. In the public mind, they probably sit somewhere above sanctions, but below military or nuclear actions. Many would argue they are now just another facet of modern warfare. Even their threat spreads fear; perhaps more, some academics posit, than their direct impact. Although a widespread communications blackout in Ukraine might be difficult to orchestrate, even limited blocks on mobile networks could cause panic.
Thus far, however, there has not been the devastating cyber attack that many had feared. Ukraine has bolstered its cyber defences in recent years, and has now assembled a virtual army of cybersecurity professionals and hackers to attack Russia online: including taking down websites and pro-Russian content on social media, and reporting Russian troop locations. A separate activist hacking group called Anonymous has launched its own DDoS attacks on Russian media and government websites, and claims to have stolen files from Russia’s defence ministry. Such unregulated guerrilla forces are one of the ways in which the conflict – and its associated risks – have already spilled way beyond the country’s borders.
Threats for the West, companies and individuals
As the international response to Russia hardens, the risk of cyber retaliation has risen, perhaps on the instruments of the sanctions: Western government agencies, banks and financial infrastructure, or on strategic players in telecoms or technology. According to Reuters reports, both European and US regulators have warned banks to prepare for imminent cyber attacks.
Such attacks could have consequences beyond financial damage. NotPetya knocked out a radiation monitoring system at the defunct, but still contaminated, Chernobyl reactor. Previous attacks in Ukraine and Israel have targeted water, sewage and chlorine plants, with an attempt to contaminate water supplies. Hospitals, utilities, military command centres, Ukraine’s 15 nuclear power stations – or indeed anything software-dependent – could potentially be vulnerable. On various occasions in recent years, hackers have taken control of parts of a Tesla car, opening up the possibility of hacking fleets of vehicles.
The latter goes to show that even in the most software-centric companies, vulnerabilities exist. Cyber attacks can target any industry or country, and the implications if cybersecurity risks are neglected can go well beyond data theft, to encompass reputational, operational, legal and compliance threats. One well-known case is that of Stuxnet, a malicious computer worm which was used to infect Siemens SCADA (Supervisory Control and Data Acquisition) and PLCs (programmable logic controller) systems to compromise the Iranian nuclear programme. Another was an attack on the British Airways app in 2018, where the personal data of almost 400,000 customers was compromised. The airline was fined GBP183mn for the breach, a figure that was later revised down to GBP20mn.
Cyber operations by the West?
Would the West potentially use cyber tactics against Russia? For years, many countries have used such methods to supplement traditional espionage and intelligence gathering. The New York Times claimed that in 2018, the US Cyber Command, part of the US military, attacked the Russian-based Internet Research Agency, to stop it spreading disinformation around the mid-term elections. But Western countries have been reluctant to use cyber powers to curb Russia’s invasion of Ukraine. In part, this is because they would be contrary to measures and guidelines that the UN has been discussing to address international law and cyberspace. The West would be ill-placed to criticise Russia if it used tactics it had previously deplored. Besides, with more advanced digital integration and automation, many Western countries look more vulnerable than Russia to cyber attacks. In part also, there is the fear of unforeseen consequences triggering an escalation, and potentially drawing NATO members into an armed conflict with Russia.
Spill-over effects could be significant: one reason behind current restraint
The latter perhaps explains why we have not yet seen Russia deploy more digital weapons. Cyber attacks are not precision instruments, and the technology behind them is still in comparative infancy. NotPetya also ended up damaging Russian companies, including petroleum giant Rosneft. Ukrainian firms are a popular source of IT outsourcing services – the Ukrainian government estimates that over 100 Fortune 500 firms use such services, heightening the risk of wider contagion. Indeed, spill-over effects, or worse, the inadvertent loss of civilian life from a cyber attack, could see a rapid escalation from a localised to a more global conflict that both sides might be keen to avoid. There is also the growing possibility that the actions of private, autonomous hacktivists complicate the picture. The potential for such deadly miscalculations is one reason why financial markets remain so volatile.
Investment implications across sectors
From a broader investment perspective, the war in Ukraine has certainly driven cybersecurity further up company and government agendas. This process had already started with the pandemic, when increased working from home broadened risks to data security. Many companies still lack adequate protection and data security measures: regular employee training and security software updates, measures such as two-factor authentication for online accounts, and cyber attack action plans.
Industrial firms that provide automation and electrification products are exposed to the risk of hackers taking control of critical infrastructure. Many are already increasing capital expenditure on ‘edge computing’, which brings computing power and storage closer to the sources of data, reducing the risks associated with the transmission of sensitive data over the internet or cloud storage. Meanwhile, social media platforms face risks if they are not vigilant enough in removing false stories and inflammatory content.
Focus on cybersecurity firms
In light of the increased cyber risk arising from the Ukraine conflict, and a rise in remote working, we are positive on the cybersecurity industry. We consider the recent multiple compression – as rising nominal rates have weighed on high valuation stocks – as an interesting opportunity to build up positions. Cybersecurity is an increasingly critical and protected area of enterprise spend. Research firm Gartner estimates spending on IT security and risk management technology rose 12.4% to USD150.4bn in 2021 worldwide, and should grow at high single-digits until 2024.
In the face of continually evolving risks, cybersecurity is also fast-evolving. The focus has shifted from the perimeter of the network to deeper within it, to endpoints (user devices, such as PCs, laptops, manufacturing equipment, or mobile phones), users, and applications. The ‘attack surface’ has opened up, complicating old concepts of security. The industry has responded by building more complete platforms, incorporating features that were previously offered on a standalone basis: firewalls that include cryptographic authentication of responses even from ‘authorised’ servers, and tools that continuously monitor networks for malicious activity. IT security companies play an increasingly critical role in business governance by securing enterprise and customer data, thereby mitigating reputational risks. Together, market and technology forces are driving the move to cloud-delivered deployments. We therefore see lower cyclicality in the industry moving forward, as it migrates from solutions tied to product cycles, towards software subscription models – and hence more reliable, recurring revenues.
Within cybersecurity firms, we prefer companies with complete security platforms over those with standalone products: the latter could see their solutions integrated into other platforms. Legacy network security vendors should maintain sticky relationships with customers but we expect growth to come from new cloud-based delivery of network security and from legacy players that are making rapid efforts to transition. We favour high quality names that benefit from secular growth via exposure to next-generation security, demonstrate an ability to execute, and exhibit strong cash flow generation.
Meanwhile, cyber insurance is also a very small but fast-growing part of the insurance market (currently responsible for just 0.4% of global property and casualty premiums, according to Swiss Re). Rising risks from increased remote working, and the heightened risk of cyber attack following Russia’s invasion of Ukraine, could focus policymakers’ minds on setting a clearer regulatory and legal framework going forward. That could pave the way for greater policy standardisation and market growth ahead.
Cyber attack methods and risks
Malware: ‘Malicious software’ is installed in a network when users click on a link or email attachment. It is among the most common forms of cyber attack, and comprises spyware, viruses, worms, Trojans and ransomware
Spyware: Collects information about the system or its users and passes it on to the attacker
Viruses: Like their biological counterparts, viruses attack the host by infecting applications and code across the system, replicating themselves as they go
Worms: These programs are often installed via an email attachment, which sends a copy of itself to every user or contact in email lists. Worms do not attack the system but are often used to overload it
Trojans: Establish a back door into systems to create a vulnerability to attack. Trojans hide themselves inside legitimate programs
Ransomware: Collects information but also denies access to the victim’s data, including in some cases via encrypting it, and demands a ransom for its release
Phishing: These attacks target users via fraudulent emails, phone calls or through social media, hoping to obtain their financial details, or to gain control of their device and use it to extract data
Distributed denial-of-Service (DDOS) Attacks: These attacks flood systems, servers or networks with information, effectively blocking them
Zero-day exploit: When cyber criminals exploit a vulnerability in well-known software or operating systems, to target organisations using them before a fix is found
Man-in-the-middle attack: Intercepts a two-way communication to obtain information, spy on the participants, or alter the outcome. End-to-end encrypted email and chat systems help prevent attacks
Cryptojacking: Where criminals compromise a company network or device and use it to mine cryptocurrencies without the organisation knowing
158% of nation-state cyberattacks come from Russia, according to a 2021 Microsoft Digital Defense Report
Important information
This is a marketing communication issued by Bank Lombard Odier & Co Ltd (hereinafter “Lombard Odier”).
It is not intended for distribution, publication, or use in any jurisdiction where such distribution, publication, or use would be unlawful, nor is it aimed at any person or entity to whom it would be unlawful to address such a marketing communication.
Read more.
share.