Data breaches such as Equifax's recent hacking scandal are a nightmare for hundreds of millions of consumers. They do, however, offer lucrative opportunities for niche investors and venture capitalists who are banking on the ability of new cybersecurity, artificial intelligence and data protection technologies to solve one of the world's largest evolving problems.
"Security is one of the best near- to mid-term market segments to be in," said venture capitalist Rick Grinnell, who began investing in early stage cybersecurity and artificial intelligence firms more than 15 years ago and now operates his own venture capital firm, Glasswing Ventures.
Venture capital firms invested $3.1 billion in nearly 300 cybersecurity startups in 2016, according to research firm CB Insights. Top-funded, privately held cyber companies now include Tanium, which has raised about $395 million to support its endpoint protection technology, and Lookout, which has raised about $281 million and secures smartphones. The two are each valued at more than $1 billion, CB Insights reports.
It's no surprise money is pouring into the cybersecurity sector: About 64 percent of Americans have experienced a data breach, according to Pew Research Center. Around half of Americans do not trust the federal government or social media sites to protect their data, Pew found. The Identity Theft Resource Center has uncovered 1,120 data breaches to date this year, with some 171 million records exposed.
Yet, despite the flow of dollars into the industry — to the tune of about $90 billion — it's growing somewhat "slowly," at about 10 percent a year, Grinnell said.
To top it off, "the bad guys have more money to spend than the good guys," said Vikram Phatak, CEO of NSS Labs in Austin, Texas. NSS Labs creates independent performance scorecards for security company products.
In fact, one of the biggest threats to cyber investors is that their technologies may be proven to have holes or be exploited. If they are, their value essentially becomes negative, said Grinnell at Glasswing Ventures.
That hasn't stopped entrepreneurs from trying to create the holy grail that banks, health-care companies, credit bureaus and card issuers can rely on to protect sensitive personal data.
"Data is the new type of petrol … it's an incredibly large space that has become more and more complicated," said Sunil Madhu, CEO of Socure. The firm is a provider of digital identity verification predictive analytics technology that recently secured about $14 million in a series B round led by Commerce Ventures (raising about $27.5 million to date).
Socure's revenues have grown 600 percent over last year, Madhu said, and its valuation is pegged at $55 million. Three of Madhu's five ventures have been in cybersecurity.
Venture capital firms aren't the only ones able to capitalize; individual investors also have a few publicly traded opportunities to gain diversified exposure to the sector, such as the ETFMG Prime Cyber Security ETF and First Trust Nasdaq Cybersecurity ETF. Both have performed well this year, with the former trading at about $30 per share, up from about $26 a year ago. The latter, meanwhile, is trading at about $22 per share, up from about $19 a year ago.
The Prime Cyber Security ETF "has proven itself to be a very popular ETF, and it's a good tool for positioning in the cybersecurity space," according to Erika Jensen, president of Respire Wealth Management. "That's where we live now and there's no doubt that there will always be a need for new technology and new protection."
Cyber-knowledgeable and experienced investors are betting on individual companies with particular technologies — such as block-chain, which helps isolate and log data using cryptography — that they think will be revolutionary or that have a specific focus.
NSS Labs' Phatak believes even big players such as Microsoft are currently undervalued based on the innovation they are making to secure data in the cloud. In the Advanced Endpoint Protection market, Symantec, McAfee and Sophos are good buys for their effectiveness, while the privately-held Cylance, an artificial intelligence based company, has about $250 million in revenue and may soon have an IPO, according to Phatak.
NSS Labs also reports Trend Micro, Cisco, FireEye and Check Point Software Technologies as good values for their products in the breach-detection system market, while Fortinet is a solid publicly traded option in the web application firewall market.
Grinnell is bullish on network security innovator Palo Alto Networks. At about $147 per share, it has almost tripled in value in five years. The value of Proofpoint has increased about eightfold in that time to about $90 per share. The company offers information, email and digital risk protection services, among other cybersecurity products.
How long the cyber market will be on the up and up is hard to say, since there are now many firms and parts that aren't quite yet working together to create a cohesive or uniform solution, said Michael Sury, a lecturer in finance at the University of Texas at Austin.
"The biggest issue that I hear today from these investors is that of standards," he said. "Security protocols don't yet have an industry-wide standard that companies can rely upon.
"This may mean that there will be first-mover advantages, or it could mean that the market is so fragmented that there will be many players," Sury added.
This can be good for investors because it creates plenty of consolidation opportunities, according to Grinnell at Glasswing Ventures. His past successful cyber-related exits were at five to 20 times their investment, one example being Resilient Systems, which was acquired by IBM last year for its innovative security operations and response platform (IBM itself has $2 billion in security revenue and hired 1,000 new security experts in 2015).
At the end of the day, there's going to be reckoning, said Phatak of NSS Labs. "It won't be in the next couple of years," he said. "All these companies with all of this funding are going to have to show profitability … it's a market for lemons.
"Cybersecurity is one of the few industries where you don't have solid metrics."