High-profile data breaches and Russia’s invasion of Ukraine have heightened worries about cybersecurity and the rising threat of global cybercrime.
Digitization, remote work and the Internet of Things have made many organizations more vulnerable than ever to attack, but government agencies and cybersecurity businesses are stepping up to strengthen our defenses.
As investors, we are finding opportunities in companies we believe are well-positioned to be part of the solution for a safer cyberworld.
Cybercrime threats have been increasing over the last decade. Some of us even have firsthand experience with these crimes, having had personal data, such as credit card information, stolen from companies with which we do business.
In recent years, hackers—many believed to be state-sponsored—have expanded their tactics to ransomware attacks aimed at disrupting businesses, infrastructure and facilities such as hospitals and schools. These attacks involve penetrating an organization’s network to lock up and hold its data hostage until the organization pays a ransom.
According to cybersecurity firm Palo Alto Networks, losses from such incidents are escalating, with the average ransom demand climbing to $5.3 million in the first half of 2021.1 Cybercrime also threatens national security, and concern about this risk has intensified in the wake of Russia’s invasion of Ukraine.
Global Cybercrime Costs Trillions
Organizations are vulnerable to a range of attacks, including ransomware, malware, social engineering, hacking, web attacks and distributed denial of service (DDoS). As shown in Figure 1, research firm Cybersecurity Ventures estimates the cost of damages from these crimes to be mounting at a rate of 15% per year, with losses reaching $10.5 trillion by 2025.
Figure 1 | Cybercrime Losses Are Skyrocketing
Source: Cybersecurity Ventures, January 19, 2022. Costs are projected from 2022 – 2025.
Hackers Represent a New Front Away from the Battlefield
Suspected Russian hackers have targeted Ukrainian infrastructure, websites, banks and military networks for years. The attacks included knocking out part of Ukraine’s electrical grid in 2015, the year after Russia invaded Crimea. In late February 2022, hackers took aim again with a synchronized malware attack affecting Ukraine’s armed forces, government agencies and civilians as Russia launched its ground war.2
While many of the thousands of displaced tech workers in Russia, Belarus and Ukraine have likely found safe havens in other countries, the possibility that others could turn to cybercrime out of desperation concerns us. More hackers would only compound the problem.3
Since the war’s outbreak, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), FBI and Department of Energy have issued advisories about the cyberthreats posed by Russian state-sponsored actors. CISA has reportedly observed related “preparatory activity,” such as scanning websites to hunt for vulnerabilities.
“We live at a time when every government, every business, every person must focus on the threat of ransomware and take action to mitigate the risk of becoming a victim,” CISA Director Jen Easterly said in a February advisory on ransomware trends.
The White House Wants to Bolster Cybersecurity
In January, President Joe Biden expanded an executive order to bolster cybersecurity across the federal government. The measure seeks to boost cybersecurity measures in National Security Agency, Department of Defense and intelligence community systems.
In March, the president proposed a $10.9 billion budget for civilian cybersecurity-related initiatives, an 11% increase over the 2022 allocation.4
Biden is also urging businesses to be more vigilant. At the Business Roundtable CEO Quarterly Meeting in March, he told business leaders they have a “patriotic obligation” to guard against Russian cyberattacks. “The magnitude of Russia’s cyber capacity is fairly consequential, and it’s coming,” he cautioned.
Business Infrastructure Is Vulnerable
Though awareness of the potential threat is high, many organizations are likely more vulnerable to cybercrime than they realize. Several factors are contributing to this risk:
Digitization. There’s no denying that abandoning paper and using technology to replace manual processes have made many businesses more efficient and profitable. At the same time, however, digitization has made company assets and supply chains more vulnerable to cyberattacks.
Cloud technology and remote workers. Companies are becoming more decentralized, whether it’s physical hardware or where people work. With cloud computing and remote work trends likely to accelerate, companies must protect a growing number of potential weak links in their cyber protection.
Connected devices. The Internet of Things continues to expand and includes devices ranging from everyday home appliances to industrial machinery and sensors on oil rigs in the middle of the ocean. Each is a potential soft spot for hackers to exploit.
Cybersecurity Spending Is Rising
We believe the growing threat to the private sector will spur more spending on cybersecurity across many industries. Cybersecurity Ventures projects $1.75 trillion in global spending on cybersecurity products and services from 2021 to 2025. We’re seeing spending in several key areas:
On-premise infrastructure and hardware. This environment includes the physical and virtual resources that support the flow, storage, processing and analysis of data.
On-premise tools and software. On-premise arrangements include servers, storage, backup security and enterprise resource planning. Specialized IT personnel must manage the equipment, perform regular backups and acquire new hardware over time.
Skilled IT staff. Capable IT professionals are in great demand and protect online data from being compromised.
Cloud-based security. The cloud has emerged as an alternative or complement to on-premise protection, where organizations pay fees to access massive data centers for their data storage. The cloud vendor handles maintenance, backups, software updates, power and HVAC. Amazon Web Services, Google Cloud and Microsoft Azure are prominent cloud providers.
Cybersecurity Will be an Ongoing Investment Theme
Building defenses against cyberthreats may require organizations to change how they approach their network architecture.
Traditionally, the firewall was the primary point of security enforcement. Organizations considered users behind firewalls trustworthy and granted them access to sensitive data and intellectual capital. Because businesses have learned that insiders may also pose threats, the so-called zero-trust model has emerged. The premise of this approach is that no user, internal or external, should be trusted more than any other.
Adopting zero-trust and other cyber-protection measures will require significant spending. Our research has identified information technology, consumer discretionary, financials and communications services companies we think may benefit from this theme.
For example, we’ve invested in a professional services firm that helps organizations become more proactive in fighting cybercrime through threat profiling, system design and compliance solutions. We also own shares in a company that’s evolved from its core firewall business to offering zero-trust solutions that protect people and their work.
We’ve also taken a position in the developer of an innovative content delivery network that helps protect websites by thwarting denial-of-service attacks and other common cyberthreats.
We close by noting the environmental, social and governance (ESG) considerations of the cybersecurity theme. Investors must increasingly examine a company’s data protection policies and information security systems to assess its ESG risks and opportunities.
Ramarcus Balor, Jeremy Brown, and John Martineau, “Extortion Payments Hit New Records as Ransomware Crisis Intensifies,” Palo Alto Networks Blog, August 9, 2021.
Stuart Madnick, “What Russia’s Ongoing Cyberattacks in Ukraine Suggest About the Future of Cyber Warfare,” Harvard Business Review, March 7, 2022.
Gian M. Volpicelli, “Russia Is Facing a Tech Worker Exodus,” Wired, March 23, 2022.
“Information Technology and Cybersecurity Funding,” Budget FY 2023 of the U.S. Government, March 28, 2022.
Many of American Century's investment strategies incorporate the consideration of environmental, social, and/or governance (ESG) factors into their investment processes in addition to traditional financial analysis. However, when doing so, the portfolio managers may not consider ESG factors with respect to every investment decision and, even when such factors are considered, they may conclude that other attributes of an investment outweigh ESG considerations when making decisions for the portfolio. The consideration of ESG factors may limit the investment opportunities available to a portfolio, and the portfolio may perform differently than those that do not incorporate ESG considerations. ESG data used by the portfolio managers often lacks standardization, consistency, and transparency, and for certain companies such data may not be available, complete, or accurate.
References to specific securities are for illustrative purposes only, and are not intended as recommendations to purchase or sell securities. Opinions and estimates offered constitute our judgment and, along with other portfolio data, are subject to change without notice.
The opinions expressed are those of American Century Investments (or the portfolio manager) and are no guarantee of the future performance of any American Century Investments' portfolio. This material has been prepared for educational purposes only. It is not intended to provide, and should not be relied upon for, investment, accounting, legal or tax advice.