New details about the severity of the infiltration of popular file hosting service Dropbox by hackers serves as a reminder of the importance of online security. It also highlights the prospects of firms specialising in cybersecurity and the investment potential of exchange-traded funds that track them.
The attack on Dropbox occurred in 2012 with the firm reporting that a collection of users’ email address had been stolen by hackers. However, it has very recently emerged that not only were 68 million addresses compromised (representing roughly two-thirds of Dropbox accounts at the time) but the passwords associated with these accounts were stolen as well, leaving users’ personal files exposed to thefts or attack. The full list of email addresses and passwords were leaked on the internet.
Dropbox confirmed the detail of the full extent of the attack in a statement advising clients on appropriate actions to mitigate the risk to their privacy. The statement reads: “If you signed up for Dropbox before mid-2012 and reused your password elsewhere, you should change it on those services. We recommend that you create strong, unique passwords, and enable two-step verification. Also, please be alert to spam or phishing because email addresses were included in the list.”
The hack is just one of a growing number of examples of the underprepared nature of firms and organizations in protecting themselves online. Members in the Democratic National Committee had emails exposed online whereby they expressed criticism of Bernie Sanders’ bid for the Democratic nominee. Hilary Clinton’s campaign subsequently had a data analytics program hacked. Federal investigators have linked both events to Russian intelligence agencies, although this has yet to be proved.
Sony Pictures Entertainment was also a recent victim of an online attack with the social security numbers of more than 47,000 current and former employees, as well as actors and other freelancers who have worked for the studio, compromised. Controversial infidelity dating website Ashley Madison was targeted in July 2015 when the names and addresses of thousands of clients were exposed online.
Cyberattacks on banks in Bangladesh, Vietnam, the Philippines and Ecuador saw hackers use malware to circumvent local security systems, and in some cases, steal money, highlighting the direct monetary cost of online vulnerability. The attack on Bangladesh’s central bank cost $101m while hackers made off with $12m from Ecuador’s Banco del Austro.
These events signal the potential for the cybersecurity industry to grow strongly in upcoming years. According to the Global State of Information Security Survey, between 2009 and 2015, the number of cyber security incidents grew by an annual compound growth rate of 66%. MarketsandMarkets, a research firm, predicted in June 2015 that the industry would grow from a current valuation of $106bn to over $170bn within five years.
While a prominent cybersecurity attack has the potential to provide significant short-term price appreciation to individual cybersecurity stocks, the industry is relatively volatile with a high degree of mergers as well as companies going under. In this way, investors may benefit from a diversified exposure to the sector, as provided by the following ETFs from PureFunds and First Trust in the US and ETF Securities in the UK/Europe.
The PureFunds ISE Cyber Security ETF (NYSE Arca: HACK) tracks the performance of the ISE Cyber Security Index. There is a significant weighting to the US (approximately 70%) with Israel (roughly 10%) making up the second largest country exposure. The largest sub industry exposures was systems software (roughly 60%), followed by communications equipment (roughly 15%) and IT consulting & services (roughly 10%). The fund has over $770m in assets under management and a total expense ratio (TER) of 0.75%.
The First Trust Nasdaq Cybersecurity ETF (Nasdaq: CIBR) tracks the Nasdaq CTA Cybersecurity Index. As of 1 September 2016, the largest sub industry exposures were software (49.9%), communication equipment (21.1%) and IT services (6.7%). The fund has approximately $100m in AUM and a TER of 0.60%.
In Europe, the ETFS ISE Cyber Security GO UCITS ETF (LSE: USPY) from ETF Securities, similar to the PureFunds ETF, also tracks the performance of the ISE Cyber Security Index. The fund has AUM of $52m and a TER of 0.75%.
Of course, there are numerous technology-focused ETFs, which provide a degree of access to cybersecurity firms, but for pure-play and largely undiluted exposure, the above ETFs are the best way to tap the potential profits of this high-growth industry.