We asked a cyber expert to hack the HACK ETF

January 18, 2016 09:00 AM

“When you’re in positions of privileged access, like a systems administrator for these sort of intelligence community agencies, you’re exposed to a lot more information on a broader scale than the average employee.”
– Edward Snowden 

Cybersecurity is a complex and multifaceted challenge that is continuously growing in importance. It is a concern that not only affects banks and government agencies, as is constantly revealed through the media, but its implications expand beyond that. In 2014, we saw high-end data breaches of large, historically respected companies, with data, personal records and financial information stolen and sold on the dark web, including but not limited to Neiman Marcus, PF Chang’s (PFCB), UPS, JP Morgan Chase (JPM), and Sony (ADR). During the same year, market research firm Gartner reported that the worldwide cybersecurity market would be $77 billion in 2015 and up to $170 billion by 2020, at a Compound Annual Growth Rate (CAGR) of 9.8%. Aerospace, defense and the desire for intelligence are the likely largest contributors. 

So, it was no surprise, at least to us hackers, when 30-year-old Andrew Chanin launched the PureFunds ISE Cyber Security ETF (HACK). We knew that at some point, investors would want to cash in on the opportunity that is cybersecurity. It was quite fortuitous for HACK that just 12 days after its launch, Sony Pictures Entertainment announced that hackers had managed to steal terabytes of data, including Social Security numbers, salary figures, and personal e-mails. 

People all over the world watched as Sony floundered and leaked money like a sieve in the first major international cyber incident of its kind. After the massive breach in 2014 and the $171 million breach of its PlayStation Network in 2011, Sony was looking at losses of almost $300 million over three years, all caused by hackers. It became evident to everyone that cybersecurity was a crucial concern. The HACK ETF provided a potential avenue for investors to gain exposure to an area in which most lack understanding (see “Buying security,” below).

By July 2015, HACK had pulled in $1.4 billion, making it one of the most successful ETF launches in history. It was the third fastest growing new ETF in 2014 and reportedly the fastest from a small company, but it’s uncertain whether or not the ETF will hold up. 

A survey from PwC in 2015 found that information security budgets have grown at almost double the rate of IT budgets over the last two years. Another study found that high-value cybersecurity deals have increased by 40% year-over-year. But although cybersecurity spending has continued to skyrocket, HACK itself is down 1% on the year and 14% from its June peak. A recent story in Reuters questioned whether “a passively managed index fund, narrowly focused on a diverse but small industry group, can reward investors.” It turns out that another fund like HACK, the First Trust Nasdaq CEA Cybersecurity ETF, has fallen 11% since its July launch. 

It seems that Chanin figured that if he created a passive fund, with no attentive manager to pick the winners and losers, it would be a solid low-risk way for investors to cash in on cybersecurity. He was wrong. Cybersecurity is a field where the differences in performance between companies can be vast. In fact, it’s a field where companies can be valued at $1 billion and have never actually turned a profit. 

One issue with HACK is that instead of weighting companies based on market capitalization, like many index funds, it weights all of the companies equally. Another issue is that the fund owns companies like Symantec Corp. (SYMC), Cisco (CSCO) and Juniper (JNPR), which offer broad IT products and services. For example, Cisco was focused solely on Internet networking products until two years ago when it began acquiring security companies. It bought Sourcefire in 2013, ThreatGRID in 2014, and Neohapsis and OpenDNS this year. However, even with these acquisitions, cybersecurity accounts for a fraction of the company’s $49 billion in revenue.

Some experts have accused HACK of being a confusing hodge-podge of stocks. This fund is not the way to gain access to a specific sector. As suggested by Todd Rosenbluth, research director at S&P Capital IQ, “investors might do better to pick well-valued individual stocks.” 

HACK ETF will remain volatile for three reasons:

  1. Constantly changing threat landscape: Cybersecurity is so difficult to achieve because risks are always shifting. Protection mechanisms that are successful today are short-lived victories. One of the best strategies to have in the field is to accept that there is no logical endgame for cybersecurity. Malicious hackers are always going to try to exploit their targets by adapting to change, usually through directly altering their malicious code or the mechanisms through which it is injected into your system. This means that you need an expert in the field who is able to understand the changes to the threat landscape and adapt the investment strategy accordingly.
  2. Security companies are narrowly focused: The security tools currently offered by some of these companies effectively contribute to defensive posturing, but rarely work well together. In order to detect and defend continuously, cybersecurity solutions must process and analyze overwhelming and ever-changing data about vulnerabilities, threats and technological evolutions. The lack of effective integration makes this incredibly difficult and does little to help us get closer to proactively anticipating threats. As customers demand this kind of proactivity, cybersecurity companies will have to pivot to meet the challenge.
  3. Lack of understanding: A recent study from the Ponemon Institute indicated that only 21% of non-IT executives have a good understanding of their company’s cybersecurity strategy and posture. Additionally, only 18% of the board members have knowledge and concern about cybersecurity. Because of this lack of understanding of the risks and associated impacts caused by security breaches, we can expect to continue seeing poor estimations of risk by executives. Unfortunately, this means that executives are not quite sure which products or services appropriately benefit their organizations. Until companies get a better grip on what they should be protecting and who they should be protecting it from, we can expect volatile movement from the cybersecurity industry as a whole.

Because of the current volatility of the industry, this hacker recommends that investors seek out specific cybersecurity companies that are proactively meeting the largest challenges of this ever-changing landscape. Most companies prefer to be reactive to cyber breaches and will seek out cybersecurity solutions once something has happened. As investors consider opportunities within this current threat landscape, the cybersecurity themes that they could look for are insider threat and malicious software or malware. Insiders have a unique opportunity to cause harm because a company’s internal security measures are easier to bypass than externally protected perimeter defenses. Insiders have enhanced access and the ability to observe technical gaps that exist within the network. The insider threat not only represents malicious employees, but also well-intentioned employees whose conduct unwittingly causes or contributes to a security incident. The most successful cyber-attacks occur when malicious hackers manage to get insiders to execute malware via e-mail attachment, e-mail link, bad websites, and other nefarious means. That’s when the hackers can use the malware to gain intelligence to discover where the crown jewels are located and find an easy path to them (see “Insider threats,” below).

Many firms are positioned to capitalize on the current landscape themes and the demand for necessary cybersecurity protection (see “Most secured,” below). These include Palo Alto Networks Inc. (PANW), CyberArk Software Ltd. (CYBR) and Imperva, Inc. (IMPV).

Analysts recently issued an Outperform rating and a one-year price target of $207 for Palo Alto after it reported impressive growth and first-quarter earnings that destroyed analyst estimates. Analysts are anticipating robust growth in recurring revenue fueled by WildFire, a subscription service provided by Palo Alto, which detects malware before it has the ability to do damage. 

CyberArk Software, which specializes in protecting organizations from attacks that use insider threats, has annihilated all estimates for the fifth consecutive quarter since it went public in September 2014. CyberArk’s adjusted earnings have increased 29% year-over-year, driven by strong revenue growth. As more organizations adopt a bring-your-own-device policy to enhance employee productivity, expect this player to have continued success.

But what happens when an insider wants to steal or reveal company data? Imperva focuses on protecting business-critical data and applications from theft and loss due to compromised, malicious or careless users. Its CounterBreach platform uses machine learning to analyze how users access data in order to identify dangerous data access and use patterns. Imperva’s stock is a slightly riskier play for investors than the other two companies; however, it is seeing decent short-term momentum and analysts are becoming more optimistic on its earnings for the coming quarter and year. The stock has been trending upward, which could indicate that investors are starting to see the value of the company’s offering. It’s a must-have within the enterprise.

About the Author

Timothy C. Summers, Ph.D. is the CEO of Summers & Company, LLC and specializes in organizational design and cyber strategy. He is also a professor and Director of Innovation, Entrepreneurship, and Engagement at the College of Information Studies at the University of Maryland College Park. @HowHackersThink