Cybersecurity Market Update: October 2020

Key Takeaways for Q3 2020

• The combination of a nearly overnight shift to working from home and the increased level of general uncertainty left countless employees and companies vulnerable to eager cybercriminals

• The increased demand for cybersecurity solutions has translated into strong top-line performance across the sector

• We believe that companies should turn their focus toward planning and implementing a robust cybersecurity roadmap designed to deal with the complexities of today’s work environment

Q3 came and went with minimal abatement of the issues gripping our country over the past several months. COVID-19, the dominant concern, remains the leading conversation topic across dinner tables, political debates, and board rooms, as decision-makers everywhere attempt to balance safety with economic continuity. Similar to Q2, the stock market largely ignored the noise in Q3 and continued on its “up and to the right” trajectory. All else equal, this pattern would seem to be directly at odds with high unemployment, increasing debt, widespread business closures, and more. The picture becomes clearer when considering the aggressive measures taken by the Fed, including near zero interest rates and unlimited bond buybacks.

With Q2 financial data now available for public cybersecurity companies, we can see that demand translated into strong top-line performance across the sector

Within cybersecurity, volatility has accelerated demand for best-of-breed solutions to protect against mounting cyber threats. As postulated in Adams Street’s Q2 2020 Cybersecurity Market Update, the combination of a nearly overnight shift to working from home and the increased level of general uncertainty left countless employees and companies vulnerable to eager cybercriminals. Looking at the data from Q2, it’s clear that these bad actors jumped on the opportunity. According to the FBI Cyber Division, inbound cybersecurity complaints jumped 3-4x in the early days of COVID as international and domestic hackers looked to exploit the increasing online presence of Americans. These attacks have manifested themselves in many different ways but are all intended to prey on stressed individuals and vulnerable businesses:

• Malicious Websites:
  Everyone is constantly in search of the most up-to-date resources to assist in better understanding the risks COVID-19 poses. The internet provides a trove of valuable knowledge but also is home to countless sites masquerading as legitimate sources of information. According to an analysis done by ZDNet, 9 out of 10 COVID-19 websites are scams and are, in many cases, used to distribute malware.
• Phishing:
  Human error is the most frequent cause of successful cyberattacks. Individuals are especially prone to mistakes in times like these, when anxiety and distractions are at an all-time high. According to a Google report, phishing attacks increased 350% from January through March as hackers took advantage of widespread misunderstanding of, and confusion around, COVID-19.
• Ransomware:
  In the past several months, ransomware has targeted major corporations and everyday individuals. On one end of the spectrum, massive companies like Honda, Garmin, and Canon were the victims of ransomware events over the summer demanding, in some cases, 7-figure sums in exchange for the safe return of their data. On the other end, in May, some Italian citizens that accessed a spoofed webpage mimicking the Italian Pharmacist Federation site were requested to pay €300 of Bitcoin within 3 days or all their data would be deleted from their device.

The past few months have shown that the current environment is fertile hunting ground for cybercriminals. Businesses of all sizes have had to lean heavily on cybersecurity solutions to effectively secure a distributed workforce. With Q2 financial data now available for public cybersecurity companies, we can see that demand translated into strong top-line performance across the sector. Of the 26 public cybersecurity companies (excluding Sumo Logic given in-quarter IPO), all but 2 (Splunk and Radware) beat consensus revenue estimates for the quarter ending June or July. Additionally, the median margin above expectations was 3.74% compared to 1.71% in Q1’20 and 2.47% in Q4’19. Management revenue guidance trends also underpin the strong performance of the cybersecurity sector. Of the 13 cybersecurity companies that released 2020 revenue guidance at the end of Q2, 8 are projecting the same or higher revenue as they expected at the end of Q4’19 (before the COVID pandemic). This is especially impressive given the broader economic slowdown and enterprise disruption present in 2020.

The high-growth cybersecurity index outpaced the S&P 500 by more than 2x over Q3

Performance within the public markets has been mixed. The high-growth (>20% 2020E revenue growth) cybersecurity index outpaced the S&P 500 by more than 2x over Q3, with all six companies (excluding Sumo Logic) trading upwards during the quarter. The low-growth cybersecurity index did not perform as strongly, finishing the quarter down 1%.

Growth over profitability continued to reign as the high-growth cybersecurity companies saw TEV / NTM revenue multiple expansion (7%) during the quarter while the low-growth companies experienced contraction (-4%). This is despite a median 2020E EBITDA margin of 3.2% for the former bucket and 19.4% for the latter.

So, what’s next for cybersecurity? Businesses that initially scrambled to meet the demanding needs of a remote workforce now have a moment to come up for air. We believe these companies should turn their focus toward planning and implementing a robust cybersecurity roadmap designed to deal with the complexities of today’s work environment. The piecemeal, “just good enough” security measures that some companies scrambled to pull together at the beginning of the pandemic will not be sufficient moving forward. Working from home won’t be permanent for all companies but it is the reality for many for the foreseeable future. A viable cybersecurity program should include critical capabilities such as:

• Full visibility into all of a company’s technical assets, regardless of location
• VPN solution to ensure employees can securely access internal systems
• 2-factor authentication to add an additional layer of security to identity verification
• Cybersecurity training program to educate employees on cyber threat mitigation

One thing that is certain is that cybercriminals are here to stay. Their attacks will continue to become more advanced and creative. To avoid harmful breaches, it is paramount that businesses lay the groundwork for a strong cybersecurity presence with the resources to remain agile as new threats present themselves.

Data and analytics provided by S&P Global Market Intelligence. List of public cybersecurity companies compiled by Adams Street. Data sourced September 30, 2020.

Important Considerations: This information (the “Paper”) is provided for educational purposes only and is not investment advice or an offer or sale of any security or investment product or investment advice. Offerings are made only pursuant to a private offering memorandum containing important information. Statements in this Paper are made as of the date of this Paper unless stated otherwise, and there is no implication that the information contained herein is correct as of any time subsequent to such date. All information has been obtained from sources believed to be reliable and current, but accuracy cannot be guaranteed. References herein to specific companies or sectors are not to be considered a recommendation or solicitation for any such company or sector. Projections or forward-looking statements contained in the Paper are only estimates of future results or events that are based upon assumptions made at the time such projections or statements were developed or made; actual results may be significantly different from the projections. Also, general economic factors, which are not predictable, can have a material impact on the reliability of projections or forward-looking statements.