Investing in Cyber Security

by: Richard Shaw

With all the hacks being reported by major companies and government agencies, and with non-state enemies and countries developing cyber warfare capabilities, cyber security investing as a theme is popular.

We think it is important to invest in personal cyber security, and it could be rewarding over time to invest in cyber security related companies. Like many popularized investment themes, they wax and wane with events and news focus, and often are over-hyped with speculation overriding rational valuation and risk control.

For many investors, however, the biggest investment payoff in cyber security may come from taking reasonable precautions at home, at the office and on mobile devices.

Personal Best Practices:

Personal precaution is broadly of several types:

  1. maintaining paper copies, or PDF files, of account statements from banks, credit card companies, broker-dealers and the like;
  2. installing and keeping up to date the best virus and intrusion detection software on all internet connected devices;
  3. being careful about going to sites you do not know well, or opening attachments or clicking links on emails from senders you do not know;
  4. subscribing to one of the monitoring services that notifies you if credit accounts are being opened in your name, or that assist you in restoring your identity and profile if your identity is stolen and used;
  5. select a bank that offers daily email notices of your bank balances, and sign up for the services; and
  6. back up your computers.

That doesn't sound a whole lot like picking stocks, but for many investors the economic downside of being hacked could be as great as the net upside on trying to pick the next big winners in the cyber security investment game.

In The Event of Hot Cyber War:

In addition to the "normal" identity theft, malicious computer intrusions, loss of mission critical data, and other common cyber attack losses, we should all think about outright cyber war.

Consider this possibility. A serious and capable enemy, among other forms of infrastructure damage, managed to shut down the banking system, or wall street. And imagine also that beyond shutting the system down, they manage also to scramble the records, so that the holdings and balances in your accounts after the systems come back up are not even remotely similar to what you know is correct.

If the whole country were attacked in that way, and if you have built your financial life around ATMs for cash, credit card limits to buy gasoline and other essentials, scheduled electronic bill payments, periodic dividend and interest receipts from banks, brokers, and the Treasury to pay for your daily cost of living --- what would you do? --- what could you do to survive the long and complex period of data reconstruction?

This all may be more like science fiction that reality, and may be highly unlikely, but what would you do? If anything is clear over the last few years, it is that we should expect the unexpected and prepare for the unlikely.

Backed Up PDF Statements, Not Survival Seeds and Bottled Water:

The single best tool you could have, besides money at different institutions, is a set of paper or printable PDF files showing what those institutions have been telling you is the value of your account, and what is held within it.

If you think about investment position exit strategies, and stop loss protection, then not relying totally on electronic records and statements, is an important stop loss measure too.

Your bank and broker are not encouraging you to go paperless because they want to reduce your risk, or to save a tree. They want to reduce their costs of operation. That is all fine and good, but we suggest you still need records in your possession.

For most people who have taken the paperless route, as this author has personally, downloading PDF files of all account statements and saving them on the computer, and backing them up as well, is probably a reasonable compromise between no local records and keeping physical paper records.

So much for evangelizing a boy-scout "be prepared" approach to cyber attack, and all out cyber war. Now here is a bit about some cyber security related companies recently in the news.

Barron's Article on Cyber Security Companies:

On May 31st, Barron's had an article about SourceFire (NASDAQ:FIRE) being upgraded to BUY at Citigroup, with neutrals on Websense (NASDAQ:WBSN) and Fortinet (NASDAQ:FTNT), and suggested that large-cap Cisco (NASDAQ:CSCO), Juniper (NYSE:JNPR) and Intel (NASDAQ:INTC) were respectively "challenged", "more network focused" and having "execution woes".

We think all of those companies are clearly involved in cyber security, but just as we suggest that your personal efforts are the last firewall for financial cyber security, we tend to think that the human and management side of cyber security is of primary importance.

People, Procedures and Policy Are As Important As Software and Hardware:

It doesn't matter how good the software and hardware available or installed is; if design of their installation is flawed; if the procedures and training for human users is inadequate; if the adherence to procedures is lax; or the monitoring of the human- software-machine network is not executed well.

As a result, we think that while they are not on the tip of people's tongues, there are other companies that may be more involved in the design, installation, procedures and monitoring side that should be evaluated in terms of cyber security investing as well.

That would include companies, among others, such as Accenture (NYSE:ACN), IBM (NYSE:IBM) and SAIC (SAI). That doesn't mean we recommend them for investment, but it does mean that a rounder consideration of the cyber security industry would include names such as these too.

Data About Barron's Article Cyber Security Companies:

It's just blind faith to jump on an analyst rating without looking into the company a bit. Here are some important key data on those companies mentioned by Citigroup:

click images to enlarge

Quite a contrast in size, growth rates, margins, valuation multiples, excess cash as a percentage of price, yield, and mean street expectations for year ahead price appreciation.

For those who like to go for the ring, the narrowly focused smaller companies would probably appeal. However, the low valuation multiples for Cisco and Intel can't fail to catch the eye.

Price Charts for Barron's Article Cyber Security Companies:

Let's look at the charts for those six companies.

These daily, 3-year charts also contain the 200-day average (gold line), the 63-day price channel (blue lines), and the 5%, 10%, 15% and 20% trailing offset lines from the 1 year high (red lines). The dotted red line is for the 5% trailing offset from the 1-year high. The dashed red line is for the 10% trailing offset. The solid red line is for the 15% trailing offset, and the bold solid red line is for the 20% offset.

The 3-year perspective allows you to see the price action in these stocks since the 2009 U.S. stock market bottom.

The contrasts are also quite stark on the price side, but in somewhat opposite ways.

FTNT with one of the highest growth rates and valuations (unattractive), also has the steepest positive trend price chart (attractive).

CSCO with one of the lowest set of valuation multiples, and a dividend set to grow (attractive), also has the worst looking price chart that is nearly back to its 2009 low (unattractive).

It Boils Down To This:

So, the question one faces is do you go for a mature company with a dominant brand, tons of excess cash, a dividend that is likely to grow, with lot's of bad news priced in, with plenty of room for upside surprises; but a sickeningly declining price chart like Cisco? Or, do you go for a young and narrowly focused company in a rapidly evolving field, where brand dominance is not yet a factor, with high valuation multiples, lot's of high expectations, plenty of room for negative surprises; but a great looking chart like Fortinet?

Immature stocks in popular, narrow themes with high expectations and valuation multiples have a high risk of substantial and sustained price declines, with uncertainty as to ultimate survivors. Solar stocks recently, and the dotCom companies of yore, are examples.

A group of young high tech companies may each have the potential to rise by a large percentage. However, the certainty may be low as to which will live and which will die, or which will lead and which will wither.

The gain potential needs to be tempered by the probabilities if you buy one, or averaged over those that do well and those that do not, if you own the group.

For that type of individual company, the probability weighted price appreciation potential is likely to be much lower than the raw potential before taking uncertainty into account,

Mature stocks in boring or old-hat broad themes with low or diminished expectations and valuation multiples, often have a low risk of substantial and sustained price declines, with reasonable certainty about ultimate survivors. Johnson & Johnson (NYSE:JNJ) and Intel are examples.

Such stocks also often have dividend yields that make waiting for them to fix their problems, or to be once again the focus of popular opinion, to be a reasonable proposition.

A high quality, brand dominant company going through a rough operational or market popularity period, may not have the ultimate price increase potential of a young high tech company, but is likely to have a lower probability of death and less uncertainty about eventual recovery. The probability weighted potential may be just as high as that of the young high tech company as a result.

Consequently, we think the hot new industry stocks require a higher degree of skill and a greater amount of research to be successfully owned, than mature companies dominating established industries.

The former are probably best owned through actively managed funds that have the time and specialized skills, and make the effort to know them well.

The mature companies in established industries can be more effectively owned by individual investors who have access to loads of published research, and who have the time and patience to wait for company specific or industry cyclical recovery -- preferably being paid to wait with dividends.

We don't own any of these stocks at this time. When we consider the various risks and reward potential of each in light of our mostly conservative client portfolios, we tend to favor Intel around about now, and eventually Cisco, for our specific purposes.

Looking at the probabilities, we also think the odds increasingly favor you being hacked, your data destroyed, your identity stolen, your credit rating ruined, and at the outside, records of your institutionally held assets being irrecoverable. Be cautious about buying cyber security stocks, but be aggressive about personal "best practices" against cyber attack potential.

Disclosure: We do not own any mentioned security in any managed account as of the publication date of this article.

Disclaimer: This article provides opinions and information, but does not contain recommendations or personal investment advice to any specific person for any particular purpose. Do your own research or obtain suitable personal advice. You are responsible for your own investment decisions. This article is presented subject to our full disclaimer found on our site available here.