The introduction of new technologies in our everyday lives is increasing exponentially. The financial sector is no exception. Customers expect to get service anywhere, any time and on any device. In order for these new technologies to be used, they must be trustworthy. One of the conditions for being trustworthy is to be secure. The financial sector is most often targeted by criminals, loses most when breached, but underinvests in security. We believe this will change quickly, which creates investment opportunities.
Although developments in some parts of security (especially on the cyber side) are still in an early stage, valuations of companies in this area have already peaked. Many companies with exposure to the theme have rich valuations, as shown by the characteristics of security ETFs like HACK US or CIBR US. Currently it is hard to pinpoint clear winners.
In our investment analysis, we work with a corporate governance checklist to assess how far financial institutions are in terms of security. Several financials have already started to implement security solutions such as biometrics, advanced persistence threat detection and cybersecurity insurance. Although progress has been made, we see challenges for companies that are lagging behind, especially due to new regulations. Few senior executives have enough technical background to understand the underlying dynamics of security risks, and there is a more general lack of qualified personnel. Big structural changes are required, but as with many changes, it first needs to get worse before there is a feeling of urge to change.
In order for a financial institution to be well positioned it must have a strategy to be secure, vigilant and resilient with regard to security. Secure means reacting to currently known threats and making sure that the underlying application- and system security are up to date. Being vigilant implies being able to react quickly to new threats and continuously search for unfound breaches. The focus of resilience is to minimize damage once a breach has occurred and to develop a clear roadmap on how to respond to security issues. It goes without saying that we prefer financial companies with a clear strategy for being secure, vigilant and resilient.
Another way of looking at the theme from an investment perspective is to search for companies that are best positioned to supply financial institutions with the required security solutions. Within the preventive aspect it is important to have scale because of the commodity-like nature of the product offering. The products and services that are being offered are reasonably similar and price is the biggest differentiator. Within the vigilance aspect it is important to have a top-of-class product or service and price is less relevant. Offering unique solutions to deal with advanced threats is at the core of the companies in this segment, but there are no clear winners. Solutions for being resilient are still early stage. Companies that offer products and services to become resilient to security risks are no pure-plays. We see interesting developments here, but no pure-play investment opportunities, yet.
The security theme is broad and there is not just one correct way of approaching investment opportunities. Many of the companies we identified have exposure to almost all industries. Within the financial sector a lot of the basic infrastrucure to be installed is the same as in other industries, but there are also parts of the industry that require a more specialized approach. It is important to have a good understanding of the specific underlying mechanisms and risks, especially within payments.