The scale of the cyber-security problem is immense, with cyber-crime costing $US1 trillion in 2018 alone, and forecasts suggesting that losses will grow to $US6 trillion as soon as 2021.
In Australia, the government says cyber-security incidents cost Australian businesses up to $29 billion per year, with cybercrime events affecting almost one in three Australian adults in 2018.
Chinese tech giant Huawei recently admitted that it endures about a million cyber-attacks on its computers and networks every day. Cyber-security consultant Tony Barnes, director of Cyber Research Group, told me recently, “When you switch servers on, they’re like magnets in the way they attract attacks.” Barnes said that showing companies the scale of the constant attacks on them is a penny-dropping moment: “When people visualise it, it scares the pants off them,” he said.
And what really worries the cyber-security community is that innovation in cybersecurity is falling behind innovation by the global hacker community.
“As long as humans remain predisposed to click on interesting emails, rely on easy (or no) passwords, or browse to places we shouldn’t, the hackers will have the edge,” says Saumitra Das, chief technology officer and co-founder of deep-learning cyber-security platform Blue Hexagon.
Of course, cyber-security is a great business opportunity for those with the products and systems that can help governments, companies, organisations and individuals get ahead of the bad guys. According to the Australian Cyber Security Growth Network, the global cyber-security market is currently worth about US$131 billion, and is set to increase to US$248 billion by 2026.
Looking at the Australian stock market, though, you would not know that cyber-security is a growth business.
The ASX does host cyber-security companies, but sadly, it is a desert in terms of investment success. Is this because of the technology offerings being lacking in some way, or the relative lack of specialist investors to pick-up on the opportunities being presented, and give them some market support and impetus? That appears to be a big problem.
For example, the highly promising Australian cyber-security firm VeroGuard Systems, which says it is the “first and only platform to make indisputable verification possible in online use,” is considering an offshore listing, to maximise its likelihood of reaching the specialist investors that would be the cornerstones of its share register – although the company’s hardware security modules (which make possible the ultra-secure authentication, encryption and communications at both ends of every online transaction) will be manufactured in Adelaide.
Here are four interesting candidates in the ASX-listed cyber-security world – but be warned, all of these have severely tested their investors’ patience.
Tesserent (TNT, 4.6 cents)
Market capitalisation: $2 million
One-year total return: –33.3%
Three-year total return: –34% a year
Listed in 2016, Tesserent can be considered a pure-play cyber-security stock: it provides “Internet security-as-a-service” for a customer’s computer infrastructure, including firewall, authentication, anti-virus, anti-malware/spyware, intrusion detection, and security event management, typically provided on a subscription basis. Its customers – both Australian and international – come from the government, corporate and education fields.
Earlier this month, Tesserent bought the security division of ICT (information and communications technology) and digital consulting organisation PS&C Limited (PSZ), an acquisition the company says will make Tesserent Australia’s largest listed dedicated cybersecurity firm, with more than $30 million revenue forecast in FY20. Even before buying PS&C’s security arm, Tesserent had told its shareholders that it was on track to achieve cashflow positivity and profitability in FY20.
The integration of the PS&C Security business will give Tesserent full cyber-security capabilities including security advisory, penetration testing, deployment and management of security infrastructure and secure application development. The customer footprint of the combined business covers Australia, Asia and the UK. PS&C Security brings a strong and growing financial history to Tesserent, having delivered revenue of $16.4 million in FY19 (up 33% on FY18) and normalised EBITDA (earnings before interest, tax, depreciation and amortisation) of $3.1 million (up 11% on FY18).
Senetas Corporation (SEN, 7.7 cents)
Market capitalisation: $83 million
FY19 EPS (earnings per share): 0.14 cents
FY20 analysts’ consensus expected EPS: 0.4 cents
One-year total return: –14.7%
Three-year total return: –13.7% a year
Five-year total return: 9.9% a year
Senetas Corporation is also a pure-play cyber-security company: it provides data encryption hardware, engineered for high-speed networks, to major corporations and governments. Senetas’ encryptors now protect network transmitted data in more than 30 countries, and are used by customers ranging from government organisations with highly sensitive information, for example, the US defence forces, to commercial and industrial organisations, banks and global financial transactions systems providers, cloud service providers and small businesses.
Senetas’ encryptors are the world’s only products of their type certified by all four leading international certification authorities – the US government’s FIPS (Federal Information Processing Standards) certification, Common Criteria (required by Australian government and defence organisations), Communications-Electronics Security Group (CAPS) for its Ethernet IG product in the UK (the first up-to-1GB encryptor for government data networks ever certified by CAPS) and the NATO (North Atlantic Treaty Organisation) information security product certification, which covers the 28 NATO member states. Global digital security heavyweight Thales is Senetas’ exclusive global distributor.
In 2018, Senetas bought a major stake in Israeli cyber-security company Votiro Cybersec Global, which has 400 global customers and 1.5 million users. Senetas sees a major growth opportunity with Votiro, whose content disarm and reconstruction (CDR) technology protects against content-based threats from all communication channels and represents a significant global market opportunity. Founded by a team of senior cyber-security experts who served with the elite intelligence unit of the Israel Defence Forces, Votiro’s CDR platform is a patented solution that automatically scans and sanitises each and every file sent or shared with the organisation, and reconstructs a fully functional, threat-free file in less than a second.
In FY19, Senetas grew its revenue by 12.3%, to $21.3 million, and lifted underlying net profit by 28%, to $4.8 million (it reported a net loss of $463,000). The company has a strong balance sheet, with no debt, and cash/cash equivalents on hand of $17.9 million. Analysts expect further profit growth – and reported net profit – in FY20, which would be welcomed by long-suffering shareholders.
WhiteHawk (WHK, 7.2 cents)
Market capitalisation: $11 million
One-year total return: 64.3%
Three-year total return: n/a
Listed in January 2018 at 25 cents, WhiteHawk bills itself as the first global cloud-based cyber-security exchange, enabling small-to-medium enterprises (SMEs) to discover their major cyber-business risks, then decide on, and buy, the cyber-security solutions that directly mitigate these risks. The platform conducts virtual consultations and artificial intelligence cyber-risk profiles, that immediately match SME customers to tailored ‘solutions on demand. WhiteHawk’s 360 Cyber Risk Framework includes continuous monitoring, alerting and mitigation of business and cyber risks for supply chain and vendor companies in real time.
Although developed for small business, the company is expanding the range of its business upward: this year, it has signed contracts with a “top ten US financial institution,” a “top 12 Defense Industrial Base (DIB) company” and “a US federal government department Chief Information Office (CIO).”
In addition, WhiteHawk says it is currently testing “proof of value” of its 360 Cyber Risk Framework with what it describes as a “multi-billion-dollar international insurance group, in the top 100 listed companies globally,” and is also on a shortlist for face-to-face demonstration with the US Department of Defense Cyber-Procurement arm, US Cyber Command (USCYBERCOM). Success in this venture could open up significant opportunity in future US Defense Department contracts. Again, disappointed shareholders need to see a continued flow of good news.
archTIS (AR9, 12.5 cents)
Market capitalisation: $15 million
One-year total return: –16.7%
Listed in September 2018, Canberra-based archTIS has developed a cloud-based software-as-a-service (SaaS) security and collaboration platform called Kojensi, which arose out of a solution built for the Australian Department of Defence, and further developed in trials involving a number of Australian Federal Government agencies, including the Commonwealth Attorney General’s Department (AGD) and the federal Aged Care Royal Commission. Subsequently, in September, the Attorney General’s Department signed on as the platform’s first customer.
Kojensi Gov is hosted within a protected cloud environment accredited by the Australian Signals Directorate (ASD), and offers in-built government-compliant data classification (the Australian government’s Protective Security Policy Framework, or PSPF) and meets information management standards and security (ISM) requirements. The unique selling point of the platform is that it allows collaboration between government and industry in working on information classified at the “Protected” level.
The platform is being marketed as a secure content and collaboration cloud service, which offers a combination of enterprise content management capabilities, collaboration tools and workflows. Instead of using passwords, the Kojensi platform creates an electronic “fingerprint” on the data or documents, determining who can access the material, where, and when. While testing and the first sale took place at a government level, archTIS says any organisation concerned about protecting the security of their information is a potential customer.
Important: This content has been prepared without taking account of the objectives, financial situation or needs of any particular individual. It does not constitute formal advice. Consider the appropriateness of the information in regard to your circumstances.