McKinsey & Co. stated it bluntly and ominously in its October 2022 report on the subject: As the digital economy grows, digital crime grows with it. Soaring numbers of online and mobile interactions are creating millions of attack opportunities. Many lead to data breaches that threaten both people and businesses. At the current rate of growth, damage from cyberattacks will amount to about $10.5 trillion annually by 2025 — a 300 percent increase from 2015 levels.
That opening statement might alternately have been framed this way: As digital crime grows and companies spend vastly greater sums to protect themselves from corporate espionage, the opportunities for investors soar in tandem. What’s more, there is nothing to suggest cybersecurity is a passing situation. On the contrary, it is sure to be just as abiding as every other form of crime.
Given the situation, Real Assets Adviser senior editor Mike Consol asked Raj Lala, founder and CEO of Toronto-based Evolve ETFs, to address some of the pertinent issues revolving around cybersecurity and investment opportunities in the space.
Prior to founding Evolve ETFs, Lala was head of WisdomTree Canada, a division of WisdomTree Investments, one of the world’s largest ETF issuers. Prior to WisdomTree Canada, he was executive vice president and head of retail markets for Fiera Capital Corp. Lala co-founded and served as CEO of Propel Capital Corp., acquired by Fiera Capital in 2014. He also worked with Jovian Capital, where he held several roles, including president of JovFunds Inc., an asset management division of Jovian Capital.
With more than $7 billion in assets under management, Evolve is one of Canada’s fastest growing ETF providers since launching its first ETF in September 2017. The firm’s array of ETFs includes the Evolve Cyber Security Index Fund.
Speak to the scale of the cybersecurity problem?
Cybersecurity is the No. 1 risk facing CEOs today, as the cost to the global economy is expected to reach $8 trillion this year, and forecast to grow to $10.5 trillion by 2025. That is five times the GDP of Canada, or the GDP of Japan and Germany combined. This will create 3.5 million cybersecurity job openings by 2025.
Consider that an estimated 60 percent of companies that suffer a full-scale cyberattack go out of business within six months after the breach.
Meanwhile, artificial intelligence is creating a new wave of cybersecurity risks. Computer generated children’s voices are so realistic they fool their own parents, and “masks” created from a person’s social media photos that can penetrate facial ID protections.
How is it being dealt with?
In 2022, victims making ransomware payments increased from 21 percent to 85 percent, totaling $456.8 million. Recognizing the escalating threat, cybersecurity has become a nondiscretionary expense with over half of chief information security officers either sustaining or increasing their cybersecurity budgets in 2022. Companies are reinforcing their defenses with robust security measures and emphasizing the importance of employee training to ward off phishing and bolster password security. The U.S. government responded with the introduction of the 2023 National Cybersecurity Strategy, and the SEC has set rigorous guidelines requiring public firms to report significant cyber breaches within just four days. In a strategic move, the Biden administration has also curtailed U.S. investments in China’s leading AI and tech industries due to national security implications.
How big an industry is cybersecurity?
The global cybersecurity market size was estimated at $202.72 billion in 2022 and is projected to grow at a compound annual growth rate (CAGR) of 12.3 percent from 2023 to 2030. In Canada, where my company is based, the cybersecurity market is expected to reach $11.68 billion in 2023 and grow at a CAGR of 10.99 percent to reach $19.67 billion by 2028.
What are the investment opportunities in the space?
There is a large variance in returns across cybersecurity companies, which is why a diversified ETF or other fund that provides investors with a diversified exposure to the entire industry makes sense.
Revenue growth among cybersecurity companies has been extremely strong. Examples include Zscaler, with a one-year revenue growth of 62 percent, Crowdstrike (55 percent), Okta (43 percent), and Palo Alto (25 percent).
One might consider cybersecurity the utility sector of the technology industry, a nondiscretionary spend that companies cannot afford to cut out.
What can you tell us about the evolution of cybersecurity software?
Cybersecurity has evolved since the 1970s, adapting to new forms of digital threats from viruses to large-scale data breaches. The shift to remote work due to the COVID-19 pandemic has expanded potential points of cyberattacks, including vulnerabilities in messaging apps and collaboration tools. As cyber threats grow in sophistication, cybersecurity will become an enterprise-wide priority, necessitating compliance with stringent regulations.
What innovations are being anticipated?
AI and machine learning will certainly play a role. These technologies can analyze vast amounts of data to identify unusual patterns or threats quickly, which is beyond the scope of human capability in real-time. This can lead to faster detection of new types of attacks and can dynamically adapt to evolving threats, drastically reducing the time to respond to an attack.
Also, as quantum computing comes closer to practical use, it has the potential to undermine current encryption techniques, making most existing security protocols obsolete. Quantum cryptography aims to counter this by developing new, more secure methods of encryption based on quantum mechanics.
Then there is Zero Trust Architecture, the principle of “never trust, always verify,” which is becoming increasingly important as organizations face threats both external and internal. Zero Trust can minimize the potential damage of a breach by requiring continuous verification at every point in the network, making it one of the most comprehensive approaches to modern cybersecurity.
How does quantum computing factor into this issue?
Quantum computing is a super-fast way of doing computer calculations using special particles called “qubits.” It can solve problems much faster than today’s computers. When it comes to cybersecurity, quantum computing is both good and bad news. The bad news is that it could easily crack the passwords and security codes we use now. The good news is that it could help us create even better security systems in the future. So, while it could make current online safety methods weaker, it could also help us build stronger ones.
How do you see the future of cybercrime and cybersecurity playing out?
In the future, cybercrime is expected to become more advanced, with criminals using sophisticated technologies like AI for targeted attacks. At the same time, cybersecurity measures will also evolve, incorporating real-time analytics and AI to counter threats. Both public and private sectors are likely to collaborate more closely to combat the rising complexity and frequency of cyber threats.
How is AI impacting cybersecurity?
Some 85 percent of hackers are leveraging generative AI. By 2025, lack of talent or human failure will be responsible for more than half of significant cyber incidents.
Do you anticipate M&A activity among cybersecurity companies to increase over the next decade?
Yes, there has already been significant M&As in the cybersecurity industry. Among the largest recent acquisitions were:
- Broadcom’s $61 billion acquisition of VMware
- Thoma Bravo’s $2.6 billion purchase of Ping Identity
- SailPoint’s $7 billion buyout of Thoma Bravo
- The $5.4 billion acquisition of Mandiant, now part of Google Cloud.
M&A activity of this sort is expected to continue, in part because major companies are looking to buy cybersecurity players and bring them in house.