What brings more risk to the world stability than a pandemic? Cyber-attacks!
How to protect our economies and capitalize on the trend
As Palantir filed for IPO (while also settling a score with Silicon Valley), news on the cybersecurity front has been grim since the start of the pandemic.
One of the unintended consequences of COVID-19, and subsequently of the entire economy moving online, was the exponential increase in the points of vulnerability on both the clients’ and employees’ sides. In addition, the uncertain and fearful global environment became a fertile ground for fraudsters. Accordingly, the spike in cybersecurity threats related to COVID-19, and specifically the influx of associated malware and phishing scams, was fast, furious and global; more specifically, attacks against the financial sector increased 238% globally from the beginning of February to the end of April.
With the IMF estimating, back in 2018, that cybercrime was costing the world ~$100 billion to $350 billion annually (equivalent to ~10 to 30 percent of banks’ net income globally) and was potentially threatening financial stability, what are the trends we can anticipate? Below are several areas where I see a lot of activity taking place, hence generating opportunities to capitalize on the disruption.
Cybersecurity companies will consolidate; valuations are likely to increase as well
Notwithstanding Palantir’s staggering $600M losses in 2019, cybersecurity companies have seen great results in terms of top/bottom lines and valuation. Private and public companies in the space were already trading at very healthy multiples, a trend that will likely continue. We will see more M&A as the industry matures and moves away from point solutions towards a platform approach. We are seeing an arms race to consolidate and capture market share at every stage (hence a jump in capital being raised). KnowBe4, a KKR-backed cybersecurity company which last year raised $300M, is readying its IPO, estimated at +$2Bn. ReliaQuest just raised +$300M in growth financing, also led by KKR. Early-stage ventures like Plurilock are turning to public markets to enable their strategy of acquiring complementary players in order to make the transition from point to platform solution. A player in the Identity & Access Management space (with a former NSA director on its Board and clients such as the US Department of Homeland Security and the US Army), Plurilock received conditional approval to be listed on the TSX-V this August.
The option of launching an industry utility/ COE/ Institute catering to T1 and T2/T3 banks should be explored by large players, such as Absolute Software and BlackBerry in Canada, or CarbonBlack, CrowdStrike, CyberArk and Fortinet in the USA. A model in the same vein as the Canadian superclusters would be beneficial across the board for businesses in the cybersecurity space, the financial services industry, the end clients, the regulators, the national governments and ultimately the society at large.
Allocating capital to cybersecurity companies (that might become M&A targets or platforms), as well as to the companies enabling them (in spaces such as cloud computing and AI), should be on most investors’ radars (even for investors focusing on verticals other than financial services, as the trend is ubiquitous). Cyber firms transitioning from point solutions to platforms should be high on the list for long-term holdings; firms with deep expertise and niche solutions will be of interest as potential acquisition targets with shorter-term horizons.
A challenge faced by investors, similarly to banks and Fintechs, is the lack of experience and skillset when it comes to cybersecurity. We can expect VC/PE funds specializing in cybersecurity, such as Evolution Equity Partners, to see an influx of capital. Such strategies will not be easy to replicate considering the shortage of deep expertise in the space (hence limiting competition). You can then expect funds with the skillset and track record in the cybersecurity industry to raise larger funds and write larger checks (and likely move up the maturity curve). We will probably also see more ETFs and mutual funds arise in the space.
To get exposure to the potentially outsized returns in the cybersecurity space, allocating capital to funds with deep expertise and track record is a great way in. For those investors who also want to build more direct exposure to the cybersecurity space, they will be able to do so via co-investment rights following investments in private VC/PE funds.
Overall, Israel, a cybersecurity powerhouse with an unmatched talent pool in the space, will greatly benefit from these trends.
FIs are becoming riskier and seeing additional pressure on their bottom lines
Cyberthreats were already at the top of the agenda for most FIs pre-pandemic; they have, however, taken on a whole new meaning in a context where institutions’ financials are squeezed on multiple fronts — from low interest rates, to increased capital spending to enable digital transformation, to growing loan losses. The complexity and the costs of shielding themselves and their clients, compounded by the losses coming from successful attacks and punitive fines from regulators (a very recent example being Capital One, fined $80 million for the 2019 hack of 100 million credit card applications), are making the situation very challenging for banks. If you add to that the shortage of expertise combined with the acceleration of digital transformation initiatives, it is easy to see a looming disaster. FIs have to up their game, quickly and materially, meaning: 1) allocate more capital to cybersecurity strategies (and develop such a strategy in the first place in many instances), 2) increase the mindshare of the Board & C-Suite regarding the issue, and 3) alter the approach from being reactive to proactive/predictive when it comes to cyber-threats. Smaller institutions, such as T2–3 banks, will have the most difficulty adapting due to the additional challenge of supporting these sizeable costs on a smaller profit base.
In parallel to developing a holistic cybersecurity strategy and allocating more capital, I can envision several steps that would help large and small players to face this potential Armageddon. First, and in my view the best option, the development of an industry utility/ Center Of Excellence/ institute pooling resources from large and small FIs in some areas such as anti-fraud security, predictive intelligence and autonomous systems would accelerate the agenda and make it financially more palatable. It has been apparent that the current limited collaboration between banks won’t cut it (collaboration often limited to sharing information once a threat has been detected — which happens on average ~6 months after an attack has taken place and companies have been breached). The second option would be less ambitious but still helpful: heightened collaboration between banks, such as sharing strategies, best practices, and results from pilots / POCs. Not mutually exclusive with the second option, T1 banks commercializing some of their cyber infrastructure to T2-T3 banks would allow smaller banks to operate more safely.
Cybersecurity is a topic that’s too important for our economies and societies to ignore. If a couple of institutions were to fall due to cyberattacks, we are back to the bailout dynamic of the financial crisis, endangering stability and eroding confidence in the system (while also being extremely costly to the taxpayers). No one wins in this scenario, even the unaffected banks.
From an investor’s perspective, due to the growing risks associated with cyberattacks, banks are becoming inherently riskier while returns, due to the costs of putting in place solid and holistic cybersecurity strategies, are decreasing. This emerging trend has not yet permeated most analysts’ reports, despite its inexorability. Investors will have to get smarter about cybersecurity when allocating capital in the financial services space. The silver lining would be for the bank(s) taking the lead in packaging and commercializing their cybersecurity capabilities, as well as for the one(s) willing to lead the creation of a cybersecurity industry utility.
More barriers to entry and less attractive risk/return profile for early-stage Fintechs
B2B Fintechs will accordingly be under much more scrutiny from banks’ CISO groups during the procurement process. Considering the already punitive and lengthy process, akin to a colonoscopy in most FIs, it might seem difficult to envision. However, those banks that are increasing their focus on cybersecurity will look with renewed interest at their partners’ cybersecurity practices in order to mitigate their own risks. Fintechs touching clients’ data can, in particular, expect longer sales cycles, more costs and more challenges in partnering with large banks; so, this is not good news, especially for early-stage companies.
Another unintended consequence might be a reluctance from FIs partnering with Fintechs to announce these collaborations to the world in order to avoid visibility on another vulnerability point; so less “free” PR.
Given B2C Fintechs’ own exposure to end-clients (akin to banks), there is a burning need to up the cybersecurity game. This becomes an even bigger challenge for typically cash-strapped early-stage companies.
Similar to the dynamic we discussed with FIs, increased collaboration between Fintechs is needed to alleviate the burden of costs and improve client protection. The value of an industry utility is even greater for Fintechs than for banks; if T1 banks already struggle to adequately protect themselves, most Fintechs will by definition face even greater pressures.
The risk-return profile of existing Fintechs is negatively impacted by the increased cyberthreats (and similar to banks, investors have not yet discounted this dynamic in their valuation process). Once the de-rating exercise takes place, it could create more barriers to entry when it comes to launching new Fintechs (on top of requiring to raise more capital to address the cybersecurity conundrum). The opportunity for some Fintechs to pivot and commercialize their cybersecurity capabilities might in some cases provide a great avenue.
Now is the time for regulators to step in and step up
When talented individuals bankrolled by rogue nations (the usual suspects being North Korea, Russia, Iran) attack financial, healthcare and industrial players at an increasing rate and level of sophistication, the risk to our economies and the stability of our societies is real. Regulators have to take charge of the issue, promptly leading a discussion around cybersecurity in order to act swiftly and decisively. It cannot be another situation where it is urgent to wait; the stakes here are just too high for all of us.
The European Banking Authority has opened a consultation on RegTech and supporting the use of RegTech across the EU; cybersecurity is one of the topics that will be covered in this consultation. This is a timid step in the right direction, and already more than what is happening in many other regions.
Setting up specifications, guidelines, and standards, establishing formal collaboration channels between countries, and implementing an overarching international body are some of the actions that should be taken to get in front of the problem, as proactively and quickly as possible. Distributing fines a posteriori does not do much to help the industry protect itself and its clients; but at least it should keep the industry honest (even though we had a suspicious 45% decrease in data breach reports in the UK in Q2 2020). It is important for countries to collaborate on this topic, despite many protectionist trends and posturing. At this point, if regulators are not stepping in, the industry needs to (wo)man-up and self-organize. China is launching its own initiative to set global standards on data security, aiming to counter the US Clean Network Program announced earlier this summer. This is an opportune time for countries to team up with other like-minded countries in order to weigh in on the topic. It is likely that most of the world would rather see data security standards coming from a coalition of countries than standards coming from only one country and fraught with personal agendas.
In parallel, scaling up the re-training of employees within organizations, in combination with the implementation of new university programs in cybersecurity, would provide much-needed competence in the industry. “Jazzing up” the space would be beneficial to attract a more diverse talent set, as so far it has not necessarily brought profiles with a strategic mindset, political savviness or leadership skills. To be successful, cybersecurity experts need to have more than just the technical skillset, similarly to the transition technology leaders had to undertake 20 years ago.
More Insights — Videos
New Model for cybersecurity, Peggy Van de Plassche
Cybercrimes during C-19, Peggy Van de Plassche
Key Takeaways:
· We’ll see more consolidation in the cybersecurity space, with companies moving from point solutions to platforms or being acquired — companies to watch are ReliaQuest, Stealthcare, Plurilock, Naoris.
· Cybersecurity valuations will continue to enjoy healthy multiples with more money being directed towards the space directly and indirectly — fund to watch Evolution Equity Partners.
· FIs and Fintechs will have to support higher costs to fight cybercrime, putting pressure on their profitability; this creates a less attractive risk/return profile.
· Fintechs will require more capital to reach bank-grade security standards, increasing the barriers to entry.
· Financial Services investors will have to get smart on cybersecurity and increase their focus in this area during due diligence.
· A large FI or Cybersecurity player, in conjunction with regulators or not, should take the lead in launching an industry utility, commercializing “turnkey” protection in some areas for smaller players, and organizing the industry to better collaborate — most likely movers BlackBerry, CarbonBlack, Fortinet.