We've seen one of the most groundbreaking intelligence scandals in history. Leaked to sources such as the Guardian, whistleblower Edward Snowden released a trove of files showing the NSA among others is not only spying on Americans, they are also monitoring conferences such as political negotiations, foreign diplomatic offices, and more.
Ironically, HSBC (HBC) recently shocked the financial world in an unprecedented closure of 'diplomatic accounts.' Information now shows sentiment how the scandal will impact electronic business. Most obviously, foreign companies may use less U.S. services such as cloud computing, hosting, and other services that have become commoditized in the U.S.
Mass surveillance by the NSA may directly harm the bottom of line of Internet companies, Silicon Valley, California … and the entire national economy.
Fact 1: U.S. financial markets are the envy of the world because we have fair disclosure requirements, accounting standards and impartial courts. This is the foundation of shareholder value. The company may lose money, but they at least told you the truth.
Fact 2: We now know multiple public companies, including Microsoft (MSFT), Google (GOOG), Facebook (FB) and other, gave their user information to NSA. Forget the privacy implications for a minute. Assume for the sake of argument that everything complies with U.S. law. Even if true, the businesses may still be at risk.
Fact 3: All these companies operate globally. They get revenue from China, Japan, Russia, Germany, France and everywhere else. Did those governments consent to have their citizens monitored by the NSA? I think we can safely say no.
Securities lawyers call this "materially adverse information" and companies are required to disclose it. But they are not. Only chief executives and a handful of technical people know when companies cooperate with the NSA. If the CEO can't even tell his own board members he has placed the company at risk, you can bet it won't be in the annual report.
This strikes to the very heart of the U.S. financial system. Our markets have lost any legitimate claim to "full and fair disclosure." Every prospectus, quarterly report and news release now includes an unwritten NSA asterisk. Whenever a CEO speaks, we must assume his fingers are crossed.
On the surface, this will hurt the cloud services of companies like Amazon (AMZN), IBM (IBM), Google, and Microsoft. But these companies do not rely on this revenue as their businesses are much more diverse. Simply investing in alternative providers is also not the solution, as some corporations may choose to keep data in their own private servers as opposed to outsourcing cloud services such as file hosting, backup, and application hosting.
But let's understand the deeper implications. Executives, like government officials, are bound by their rules of engagement to protect privacy, confidentiality, and offer full disclosure. Cybersecurity is a means to an end, they are not required to have cybersecurity. But if a breach due to poor cybersecurity causes divulging of private customer data, the CEO or CIO can be liable. Same is true to an extent with government, although shareholders usually have more power over executives than voters over government officials. The point is that for a number of reasons, corporations and government may be forced to implement additional cybersecurity systems and policies, which will inevitably lead to spending money.
A second less direct but possibly more significant development in terms of the market growth of cybersecurity, is public awareness. Since the popularity of Google, Gmail, Facebook, and social media in general, most users (including corporate users) have not considered security or privacy implications. Typically users of free services such as Gmail have lax security policies and don't use encrypted email (although it's also available free). People don't think their emails are valuable unless they are in some sensitive line of work. However, emails used for website registration and confirmation can be used by criminals to breach other accounts, and engage in a plethora of other criminal activity such as identity theft, stealing money from online accounts, or ordering products with a stored credit card. An interesting project called The Cloudsweeper Project has developed a system that can actually calculate the value of your inbox for criminals:
People who have ever wondered why online criminals would want to gain access to their email accounts now have a way to find out: Two researchers at the University of Illinois at Chicago have created an online service that checks a person's Gmail account for sensitive information, offers to encrypt the information and then estimates how much access to the account would be worth on the black market.
The group was featured on NPR, just another example of how public awareness is growing on the topic. Users are thinking differently about cybersecurity, this will affect all sectors of users including general consumers, corporate executives, administrators, and government officials. While the current cybersecurity scare will shake up how people use the internet in many ways, we are focusing here on investments in the growing cybersecurity industry. Some of the changes will be obvious but some very subtle, but not necessarily negative for companies involved. For example users may not use Google's free Gmail service, but Google may offer in the future a secure encrypted email. Gmail already has capability to send and receive encrypted emails, so users may simply start to utilize that functionality. In the case of browsing, users may use secure browsers or services such as the Hide My Ass privacy service. These changes will just be another step in the evolution of the internet more from the perspective of users.
But what about companies offering cybersecurity solutions? What is the sure investment play here, capturing a global macro trend in the long term? The answer is cybersecurity companies and orbiting industries.
About the growing cybersecurity business
Even 5 years ago Cybersecurity was not considered a sector, it was part of Information Technology. The U.S. government opened the National Cyber Security Division (NCSD) in 2003. But since then, it has grown in its budget, facilities, and reach. In 2009 CYBERCOM was opened, a division of the Army called United States Cyber Command (NCSD is operated under DHS). In parallel, private companies with a focus on cybersecurity have been growing in number and size. Companies such as STG have seen their cybersecurity business exploding (STG also provides cybersecurity to federal agencies). Others include Check Point, SRA International, CACI (CACI), Fortinet (FTNT), and KeyW (KEYW) (these are just a few that have a focus on cybersecurity).
As early as 2010 the Washington Post picked up on the growing trend. But this was before Wikileaks first big leak "cablegate", and long before the Edward Snowden NSA scandal. Now, governments and corporations of all sizes and shapes are rushing to lock down their networks. Despite the supposed ability of the NSA to monitor all global communications, the NSA claims they do not have a system to monitor their internal emails.
Many cybersecurity companies such as Barracuda Networks, Inc., SonicWALL, Inc. SecureLogix Corporation, and others, are private. Investors should keep an eye out for any of these private companies going public or being bought out, as many of them are leading cybersecurity firms (especially Barracuda Networks, Inc.).
Recently, Barron's ran a story about cybersecurity investing, see a review of the article here. The idea was not very unique considering the security flaws of IT systems that enabled insiders, in the case of Snowden, and hackers, in other cases, to penetrate networks seizing confidential and in some cases top secret data. But IT security is not something that's widely understood. In many cases, basic security policies, not the purchase of additional hardware or systems, would have prevented breaches. In the case of hacker Gary McKinnon, he was able to remotely penetrate NASA and DOD networks using a simple perl script he wrote that searched the network for "blank" Windows passwords. If the admins had simply used complex passwords, a basic security policy, he would not have been able to gain access to computer files even though he was already on the network. Think about your own security, do you use a complex password? Most desktop machines and even servers in data centers don't have any passwords. Many servers can be remotely controlled via embedded Intel technology that allows near complete control of a server remotely (you can even boot and shut down).
So cybersecurity investors need to consider what is actually the problem, it's not a case of simple supply and demand. Without delving too much into the details of securing networks, let's take a look at a few publicly traded companies that offer robust security solutions that should see a substantial increase in sales during this rush for cybersecurity.
Investing in cybersecurity is not new, but with the recent NSA scandal it makes cybersecurity significantly more important in the eyes of governments and corporations. A Seeking Alpha author covered this topic in his article Investing in Cyber Security. Another author reviews cybersecurity companies in this article, with a focus on Symantec (SYMC).
Fortinet is a unique security company which makes hardware devices supported by their proprietary Linux based management software. They make what's called "Unified Threat Management" (UTM) systems which means one device protects your network from hackers, but also acts as a web-filter, anti-spam, anti-malware, anti-virus, and just about any other threat that pops up (they are constantly adding features as threats evolve). They are not the only company that makes UTM systems, others include Astaro, Barracuda (a favorite with large corporate networks), and others. See a complete list of UTM vendors here. Cisco (CSCO) and Check Point (CHKP) have also jumped into this business, but the concept of UTM was pioneered by a few smaller firms including Fortinet and Astaro. Before UTM, admins would need to purchase and implement multiple systems which created bottlenecks and many times had compatibility issues. Fortinet solved this by providing an all in one hardware solution, including fantastic support. A big problem of many security systems is admins need to configure them properly and users need to follow security policies, which as referenced above in the case of NASA, they don't. The difference between a UTM device and other security solutions, a UTM is like a physical wall whereas other solutions are virtual. Windows firewall and Microsoft Security Essentials will protect home users from basic threats, but it always allow the possibility for exploitation of backdoors, bugs, or other ways around. A properly configured Fortinet device (and they will configure it for you included with the support contract) prevents even a bad admin from allowing a hole in security, making it virtually impossible for a hacker to break in.
Check Point Software Technologies Ltd.
Check Point also makes UTM systems similar to Fortinet . They have about a thousand more employees and a stronger enterprise business. They provide the famous "Zone Alarm" software that was very popular with users in the infancy of the world wide web before systems such as UTM were widely used. Check Point is an Israeli company which may raise security concerns for some users. However, Check Point boasts claims such as being used by 100% of Fortune 100 firms:
Check Point's particular specialty--scalable firewall solutions for enterprise customers--is particularly lucrative. In promotional materials, Check Point boasts that 100% of Fortune 100 firms and 98% of the Fortune 500 use their product.
Cisco Systems, Inc.
While Cisco has a business far greater than cybersecurity, they also have the ability to implement their security products with existing clients. Also, as networks are secured, they will likely need to upgrade or acquire other Cisco devices and products not offered by the pure cybersecurity company such as routers, switches, network cards, and other products. Cisco is such a well known and widely covered company, we don't need to go into detail about it other than to mention in the context of cybersecurity, Cisco does offer UTM systems similar to Check Point and Fortinet . Cisco's systems are more pricey, but if a company already has a contract with Cisco they may go with Cisco for convenience for the sake of having a brand homogenous network.
A list of companies that should benefit from the cybersecurity trend:
- Fortinet Inc.
- Check Point Software Technologies Ltd.
- Cisco Systems, Inc.
- NQ Mobile Inc. (NQ)
- BASF SE (OTCQX:BASFY)
- Sourcefire (FIRE)
- Imperva Inc. (IMPV)
- Palo Alto Networks (PANW)
While comparing which company that will benefit greatest from the cybersecurity trend, consider that while Cisco has a dominant market position, smaller upstarts like Check Point and Fortinet have grown fast focusing on small business and organizations that previously didn't consider security. Individual company financials may also be a significant factor, while Fortinet systems may be a favorite for system admins, the P/E ratio of Fortinet is currently 58, whereas Check Point is only 19. Further individual financial analysis should be done on each company for significant investment, but the purpose of this article is simply to underline the fact that given recent NSA scandal, the trend in cybersecurity is guaranteed to be a new norm. Also, there can be further attacks and data breaches that could reinforce this trend.
One approach would be instead of deciding which company is best poised to capitalize on the trend (because even with good analysis events can cause some companies to outperform others in regard to security), to create a 'security portfolio' including smaller positions in all the companies in the list, and possibly some orbiting industries such as defense and technology in general. If including technology in the context of security, we are referring to Intel (INTC), Microsoft , NOT Apple (AAPL). Apple will struggle in a secure environment, see the recent Obama emergency app for the iPhone that can't be switched off. That means also that investors should beware of negative impacts the NSA scandal will have on companies, such as the immediate fallout on Booz Allen Hamilton (BAH), which fell soon after Snowden's revelations.