Introducing BUGG: The Cybersecurity Investment Solution

The days of pen and paper are largely behind us, and for better or worse the world has moved towards digitalisation. Everything from working, socialising, shopping and banking, are becoming reliant on the internet and online forums, which has presented opportunities for investors and the broader economy alike. However, with the good comes the bad. Cyberthreats have also been on the rise. Online vigilantes are no longer the main perpetrators of cyberattacks, rather organised crime has emerged and hacking has become a US$300 billion industry with the power to target individuals, organisations, and governments.¹ Damages from cyberthreats have the potential to cost trillions annually, however spending in the space is not keeping up.² As such, investment in cybersecurity is vital to protect the vast digital economy the world has created and will continue to build.

Cybersecurity is an important thematic which will continue to grow as cyberthreats become more prolific alongside the development of more advanced technologies such as generative artificial intelligence (AI) and the cloud. The Global X Cybersecurity ETF (ASX: BUGG) aims to capture this megatrend by tracking the performance of global companies which are dedicated to this space.

Key Takeaways

An ever-increasing reliance on digital ecosystems has left individuals, businesses, and governments vulnerable to the exponential rise of cyberthreats.
There is an expanding investment opportunity as current cybersecurity initiatives only service around 10% of the US$2 trillion total addressable market.³
Targeted ETFs allow investors to gain exposure to the global cybersecurity industry which can otherwise be difficult if trying to do so via the ASX 200, S&P 500 or Nasdaq 100.

Cybercrime: The Silent Pandemic

Cybersecurity has been evolving alongside the internet for decades, however its adoption has not been as widespread. There are 5.18 billion internet users globally and 68% of the population have smartphones – meaning reliance on the digital economy is the highest it has ever been.^4,5

Every minute of the day there are 5.9 million Google searches, 231.4 million emails sent, 500 hours of video uploaded to YouTube and 16 million texts sent.⁶ So, while we are more connected than ever before, these connections are vulnerable to being exploited by cyberthreats. This is evidenced in the below chart which highlights that confidence in the internet has retreated in recent years as user trust has been depleted by security concerns, despite dependence holding at all-time highs.

According to the World Economic Forum, widespread cybercrime is the fifth most pressing concern for the global economy in 2023, only behind the energy crisis, cost-of-living, inflation and food supply.⁷ It is also the eighth largest risk over two and ten-year periods, which is the first time it has featured in the top ten economic risks.⁸ To put a price tag on that, cybercrimes could cost US$8 trillion in 2023 alone and reach US$10.5 trillion annually by 2025.⁹

Cyberthreats have steadily been on the rise, and then during the Covid-19 pandemic when lockdowns forced more businesses online, there was a notable spike in the number of reported cybercrimes. Many jumped on the remote and hybrid working bandwagon without the proper infrastructure to protect sensitive data – using unsafe wi-fi networks, personal devices, weak passwords and not using encrypted files. Notably, the number of phishing scams – where attackers trick legitimate users into accessing their information – jumped dramatically in 2020 as more people spent time online during the Covid-19 pandemic. Reported cybercrimes pulled back slightly in 2022 as time spent online started to level out. Still, there is a growing incentive to invest in cybersecurity as the amount and severity of cyberattacks are predicted to increase. The type and increasing number of recorded cybercrimes is shown on the below chart.

Heavy reliance on the digital economy means broader social, cultural and macroeconomic events are having a greater effect on online ecosystems and fast-tracking the prevalence of cyberattacks and malicious activity.¹¹ Turning the clocks back to 2016, allegations were raised that Russian hackers, trolls and bots swayed the result of the US Presidential Election which saw Donald Trump get the top job in the Oval Office.¹² Despite ongoing debate from both sides, it brought the dangers of cyberattacks to the fore.

Similarly, experts have said the Russia-Ukraine conflict has highlighted the ongoing threat of cyberwarfare as cybercriminals and political ‘hacktivists’ have taken the fighting from the streets of Ukraine to the dark web.¹³ According to the European Parliament, Russian cyberattacks have “undermined the distribution of medicines, food and relief supplies” as well as “sending of phishing emails, distributed denial-of-service attacks, and use of data-wiper malware, backdoors, surveillance software and information stealers”.¹⁴

Closer to home, Australia has seen an increasing number of largescale cyberattacks. From July to December 2022, data breach notifications jumped 26% and of the reported breaches 70% were confirmed to be malicious or criminal attacks.¹⁵ During this time, some of the largest cyberattacks in the country’s history took place, with Optus, Medibank and Woolworth’s subsidiary MyDeal all subject to significant attacks which collectively saw more than 13.9 million people’s information compromised.¹⁶

Medibank was the biggest incident, with 9.7 million people left vulnerable. Hackers essentially held customers’ data hostage, demanding a ransom before leaking the sensitive information on the dark web. After these cyberattacks, the Australian Information Commissioner and Privacy Commissioner said “the likelihood of other attacks, such as targeted social engineering, impersonation fraud and scams, can increase” – underscoring the need for businesses to invest more heavily in cybersecurity.¹⁷ Hence, cybersecurity is a matter of personal, organisational and national security.

The Billion Dollar Race to Lockdown Data

Investment in cybersecurity needs to keep up with the increasing prevalence and advancement of cyberthreats. Worldwide spending on cybersecurity solutions and services is tipped to be US$219 billion in 2023, up 12.1% from 2022.¹⁸ However, this is still a far cry from what the industry could be worth, with projections suggesting it is closer to US$2 trillion.¹⁹

Despite the proven and potential ramifications of not having effective cybersecurity measures in place, investment in the space has not kept up with the proliferation of cyberthreats.²⁰ In 2022, companies on average dedicated 12.7% of their Information Technology (IT) budget to cybersecurity, which is a mere 0.6% increase since 2018.²¹ This implies there may be a significant upside for broad industry growth.

According to McKinsey & Company, 85% of small and midsize businesses are planning to increase their IT security spend through to 2023 and the projected spend on cybersecurity service providers will reach US$101.5 billion by 2025.²² There is also growing support for cybersecurity investment at the C-suite and board levels. Cyber/information security was the top spending priority in the 2023 Gartner CIO and Technology Executive Survey, with 66% of respondents indicating they are looking to increase investment in the space. In comparison, 32% of respondents said they were increasing artificial intelligence and machine learning spending.²³ Cybersecurity companies are also heavily investing themselves. In the third quarter of 2022, security software companies spent over US$1 billion on organic and inorganic growth investments.²⁴

Government intervention and regulation is another key factor driving more capital towards cybersecurity. The US is ranked as the most comprehensive cyber power in the world.²⁵ In 2021, the President’s Executive Order (EO) on Improving the Nation’s Cybersecurity (14028) was introduced, which acknowledged the “persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy”.²⁶ The EO has had ongoing effects, with the White House allocating more than US$26 billion in the 2024 fiscal year budget to cybersecurity.²⁷

Elsewhere, Japan’s cybersecurity market rose 16% to US$3.6 billion in 2022 after a steep increase in the number of digital attacks. In response, Japan introduced the Cybersecurity Policy for Critical Infrastructure Protection and revised its National Security Strategy – effectively elevating information and cybersecurity as a major national concern.²⁸ Meanwhile, Israel has positioned itself as an emerging cybersecurity powerhouse. Funding for cyber security in Israel tripled from 2020 to 2021, reaching US$8.8 billion. It is also home to 40% of the world’s private investment in cybersecurity.²⁹

Looking ahead, there are several structural megatrends in disruptive technologies which stand to benefit the cybersecurity industry.

Proliferation of the cloud. Almost 50% of data breaches happen in the cloud (servers which are accessed via the internet).³⁰ Global spending on public cloud services is expected to rise almost 22% to just shy of US$600 billion in 2023.³¹ As adoption of the cloud increases, it becomes a bigger target for cyberattacks. Tellingly, cloud users – whether they are individual consumers, businesses, or governments – need to implement suitable security measures to protect themselves.
AI is a double-edged sword. As AI makes its way into the mainstream, with the likes of Google, Meta, Microsoft and Amazon moving quickly to lead widespread adoption, it’s inevitable AI will become increasingly entwined in everyday life. Just as AI may help fill gaps in the cybersecurity industry alongside machine learning and automation, it can be leveraged for malicious use. Some experts are already warning of the proliferation of cybercrimes using AI, including ChatGPT.³² As such, these companies and those which follow suit down the AI path will need to invest heavily in cybersecurity.
Digital currencies and assets open for exploitation. Blockchain use cases are expanding beyond cryptocurrencies and the industry could grow upwards of 85% each year to be worth US$1.43 trillion by 2030.³³ Given the unique qualities of digital currencies and blockchains, it requires more sophisticated, purpose-built cybersecurity measures.³⁴

Investing in Cybersecurity with ETFs

Cybersecurity companies are specialised businesses with a goal to protect their clients from cybercrimes, data breaches and malicious attacks. They do so by designing solutions to safeguard organisations’ hardware, software and data. Despite technology giants such as Apple, Microsoft, Amazon, Nvidia and Alphabet making up the top companies on major indices like the S&P 500 and Nasdaq 100, cybersecurity companies are far less prevalent. Not to say big technology companies do not have internal cybersecurity capabilities, but that is only a small portion of their value proposition. Cybersecurity companies also have a defensive property which helps separate them from other technology stocks because cybercrime is not cyclical in nature, as trading in the space generally correlates more to heightened levels of cybercrime.

BUGG aims to simplify gaining exposure to cybersecurity pure-plays by selecting companies based on the revenue they earn from cybersecurity activities. As shown in the below table, there is very little overlap between BUGG and the S&P 500 and Nasdaq 100, with only five companies appearing in the three indices. All of which are less than 0.6% of the total index weighting – meaning many investors are likely missing out on growth of the cybersecurity industry if they are only exposed to broad US indices, even if it is tech-heavy like the Nasdaq.

Moreover, there are very few cybersecurity companies listed in Australia, all of which are small enough to fall into the micro-cap category. Plus, Australia’s forecasted cybersecurity revenue growth of 5.5% is low compared to international leaders in the space such as the US and Israel.³⁵ As there are currently limited domestic opportunities for Australian investors to gain exposure to the cybersecurity thematic, it is vital to diversify geographically. The chart below illustrates the weightings of companies in BUGG based on country of origin.

These international markets are more established than Australia’s, meaning the companies within them are larger (indicating their balance sheets may be more robust and have greater access to cutting-edge technologies) and generally, have higher revenue. Additionally, cybercrime is a truly worldwide issue which has no regard for national borders, so the industry has needed to expand internationally to counter attacks from all corners of the globe.

To ensure users are gaining exposure to pure-play companies BUGG uses FactSet’s Level 6 RBICS (Revere Business Industry Classification System) to select companies, which is the most in-depth level of the FactSet Industry revenue system and offers the most descriptive classification of revenue exposure. This precise classification methodology makes FactSet a leading index provider and allows BUGG to have a “robust picture of companies’ primary and ancillary lines of business with quantified sector exposures and concrete products/services information”.³⁶ The stocks in BUGG are required to have at least 50% of their revenue generated by cybersecurity activities including network security software, network security access policy software, and customer premises network security equipment.

This is an important feature as it avoids theme dilution and aims to focus on companies which will benefit most from global revenue growth in cybersecurity in the coming years, which is shown on the chart below. It must be noted BUGG’s targeted approach may expose investors to sector concentration risk and is designed to be used as a satellite holding as a part of a well-diversified portfolio.

Cybersecurity is a Necessity and Opportunity

The move towards a fully digital economy is an exciting prospect, however as technology advances it will leave users vulnerable to a range of cyberthreats. Tellingly, investment in cybersecurity will continue to expand as it increasingly becomes a necessity for individuals, businesses, and governments. This presents a compelling investment opportunity for those looking to capture an industry which is poised for growth around the world.

Related Funds

BUGG: The Global X Cybersecurity ETF (ASX: BUGG) seeks to invest in companies that stand to benefit from the increased adoption of cybersecurity technology, particularly those whose principal business is in the development and management of security protocols preventing intrusion and attacks to systems, networks, applications, computers, and mobile devices.

Footnotes

(2023). Cybersecurity: Hacking Has Become a $300 Billion Dollar Industry. Available here: https://insuretrust.com/2019/01/14/cybersecurity-hacking-has-become-a-300-billion-dollar-industry/.
P. Morgan. (January 2023). Initiating on Security Software.
McKinsey & Company. (October 2022). New survey reveals $2 trillion market opportunity for cybersecurity technology and service providers. Available here: https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity/new-survey-reveals-2-trillion-dollar-market-opportunity-for-cybersecurity-technology-and-service-providers.
(April 2023). Number of internet and social media users worldwide as of April 2023. Available here: https://www.statista.com/statistics/617136/digital-population-worldwide/#:~:text=Worldwide%20digital%20population%202023&text=As%20of%20April%202023%2C%20there,population%2C%20were%20social%20media%20users.
(May 2023). Global smartphone penetration rate as share of population from 2016 to 2022. Available here: https://www.statista.com/statistics/203734/global-smartphone-penetration-per-capita-since-2005/#:~:text=The%20global%20smartphone%20penetration%20rate,population%20of%20around%207.4%20billion.
(2022). Data Never Sleeps 10.0. Available here: https://www.domo.com/data-never-sleeps.
World Economic Forum. (2023). The Global Risks Report 2023. Available here: https://www3.weforum.org/docs/WEF_Global_Risks_Report_2023.pdf.
World Economic Forum. (2023). The Global Risks Report 2023. Available here: https://www3.weforum.org/docs/WEF_Global_Risks_Report_2023.pdf.
Cybercrime Magazine. (May 2023). 2023 Cybersecurity Almanac: 100 Facts, Figures, Predictions, And Statistics. Available here: https://cybersecurityventures.com/cybersecurity-almanac-2023/.
University of San Diego. (2023). Top Cybersecurity Threats in 2023. Available here: https://onlinedegrees.sandiego.edu/top-cyber-security-threats/.
P. Morgan. (January 2023). Initiating on Security Software.
Hall Jamieson, Kathleen. (2018). Cyber-War: How Russian Hackers and Trolls Helped Elect President Trump. Oxford University Press.
National Cyber Security Centre. (April 2023). New analysis highlights strength of Ukraine’s defence against “unprecedented” Russian offensive. Available here: https://www.ncsc.gov.uk/news/new-analysis-eccri-highlights-ukraine-defence-against-russian-offensive.
European Parliament. (June 2022). Russia’s war on Ukraine: Timeline of cyber-attacks. Available here: https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2022)733549.
Office of the Australian Information Commissioner. (March 2023). Notifiable Data Breaches Report: July to December 2022. Available here: https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-july-to-december-2022.
(March 2023). Australia had five data breaches that hit 1 million or more people. Available here: https://www.itnews.com.au/news/australia-had-five-data-breaches-that-hit-1-million-or-more-people-591439#:~:text=Three%20of%20the%20breaches%20are,have%20not%20been%20made%20public.
Office of the Australian Information Commissioner. (March 2023). Cyber security incidents impact data breach risk. Available here: https://www.oaic.gov.au/newsroom/cyber-security-incidents-impact-data-breach-risk.
International Data Corporation. (March 2023). New IDC Spending Guide Forecasts Worldwide Security Investments Will Grow 12.1% in 2023 to $219 Billion. Available here: https://www.idc.com/getdoc.jsp?containerId=prUS50498423.
McKinsey & Company. (October 2022). New survey reveals $2 trillion market opportunity for cybersecurity technology and service providers. Available here: https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity/new-survey-reveals-2-trillion-dollar-market-opportunity-for-cybersecurity-technology-and-service-providers.
McKinsey & Company. (March 2022). Cybersecurity trends: Looking over the horizon. Available here: https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity/cybersecurity-trends-looking-over-the-horizon.
(May 2023). Average share of IT budget allocated to IT security by companies worldwide 2018-2022. Available here: https://www.statista.com/statistics/1319677/companies-it-budget-allocated-to-security-worldwide/.
McKinsey & Company. (March 2022). Cybersecurity trends: Looking over the horizon. Available here: https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity/cybersecurity-trends-looking-over-the-horizon.
P. Morgan. (January 2023). Initiating on Security Software.
P. Morgan. (January 2023). Initiating on Security Software.
Belfer Center for Science and International Affairs. (September 2022). National Cyber Power Index 2022. Available here: https://www.belfercenter.org/publication/national-cyber-power-index-2022.
The White House. (May 2021). Executive Order on Improving the Nation’s Cybersecurity. Available here: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.
(March 2023). Biden Administration Seeks $26B in Cyber Funding for FY 2024. Available here: https://www.nextgov.com/cybersecurity/2023/03/biden-administration-seeks-26b-cyber-funding-fy-2024/384070/#:~:text=President%20Joe%20Biden’s%20%E2%80%8B%E2%80%8B,%2413.5%20billion%20under%20the%20proposal.
International Trade Administration. (June 2023). Opportunity for U.S. cybersecurity companies for Business Development in East Asia. Available here: https://www.trade.gov/market-intelligence/japan-cybersecurity.
Israel National Cyber Directorate. (January 2022). Israeli Cyber Security Industry Continued to Grow in 2021: Record of $8.8 Billion Raised. Available here: https://www.gov.il/en/departments/news/2021cyber_industry.
(2023). Cost of a data breach 2022: A million-dollar race to detect and respond. Available here: https://www.ibm.com/reports/data-breach.
(April 2023). Gartner Forecasts Worldwide Public Cloud End-User Spending to Reach Nearly $600 Billion in 2023. Available here: https://www.gartner.com/en/newsroom/press-releases/2023-04-19-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-reach-nearly-600-billion-in-2023.
(March 2023). How AI Is Disrupting And Transforming The Cybersecurity Landscape. Available here: https://www.forbes.com/sites/forbestechcouncil/2023/03/15/how-ai-is-disrupting-and-transforming-the-cybersecurity-landscape/?sh=3ae2eea04683.
(2020). Time for trust: How blockchain will transform business and the economy. Available here: https://www.pwc.com/gx/en/industries/technology/publications/blockchain-report-transform-business-economy.html.
World Economic Forum. (February 2023). Is blockchain really secure? Here are four pressing cyber threats you must consider. Available here: https://www.weforum.org/agenda/2023/02/blockchain-has-high-potential-but-beware-of-cyber-threats-8642651f20/.
(2022). Australia’s Cyber Security Sector Competitiveness Plan 2022. Available here: https://www.austcyber.com/resources/scp-2022/executive-summary.
FactSet. (2023). At a Glance: FactSet Revere Business Industry Classification Datafeed. Available here: https://insight.factset.com/resources/factset-revere-business-industry-classifications-datafeed.