IT security stocks have soared after the seven big data breaches made public over the past three years, according to the Bessemer Venture Partners Cyber Index released Tuesday.
The BVP Cyber Index tracked the capital-weighted performance since Jan. 1, 2011, of 29 public companies whose primary business is cybersecurity. Almost half of those companies are valued at more than a billion dollars.
The public IT security sector outperformed the stock market by more than two times during that time, and outperformed the market by about five times the month after those breaches were made public.
"With IT security budgets approaching 10 percent annual growth rates, the market is projected to double over the coming five years, reaching nearly $200 billion in sales," said BVP partner David Cowan.
The IT security sector broke away from the market 3 ½ years ago. "That was about the time when enterprises started spending more on cybersecurity to protect themselves against this new class of data breach," said Cowan.
Since then, it has seen more than twice the gains of the Nasdaq and S&P indexes. The sector spikes in the month after reports of major breaches. Over time, those multiples seem to settle back in line with the overall enterprise technology sector, said Cowan.
The biggest spike followed news of the Anthem data breach in February 2015, when the BVP Cyber Index shot up 29 percent. "Spectacular medical data breaches are much more concerning to victims than financial breaches," he said.
Over the past five years or since initial public offering, the largest gain in value as of Monday's close for an individual IT security company came from Proofpoint, which was up 281 percent since its first day of trading on the Nasdaq (April 20 2012), Verisign was up 190 percent (since January 1 2011), Palo Alto Networks was up 166 percent as of its first day of trading on the NYSE (July 20, 2012), Imperva was up 105 percent (since January 1 2011) and Check Point Software was up 91 percent (since January 1 2011).
Palo Alto Networks has the advantage of having a more modern firewall architecture than many of its competitors in an industry where newer is better, said Cowan. The longer a security company has been in the market, the more likely it is that hackers have figured out how to attack its products, he said.
"Any mature cybersecurity product is an obsolete cybersecurity product," said Cowan.
As most of the innovation in cybersecurity comes from start-ups, the public IT security companies are under constant pressure to make acquisitions. M&A is likely to rise as buyers increase budgets and become more sophisticated about the technology available on the market, said Cowan. At the same time, with so many cybersecurity start-ups trying to raise money, many will find themselves eager to be bought, he said.
"We have seen a fair level of M&A activity," he said. "I think it's going to have to increase."
Ultimately, the types of security solutions companies need to defend against nation state attacks will not come from Silicon Valley, he said. "The people who have conducted cyber ops for nation states understand the nature of the threat better than a Silicon Valley engineer," said Cowan.