A hacktivist group that opposes the Dakota Access Pipeline has commandeered the computer network of a major U.S. airline. The group has given executives just two hours to pay it $1 million; in the meantime, a slideshow that vividly depicts the impact of an oil spill on surrounding wildlife is playing on the airline’s televisions throughout its three airport hubs. The media jumps on the story, live-streaming the debacle to millions of viewers.
It’s a chaotic circus. Fortunately, it’s fake.
The airline-hack scenario is an example of the scripts that Emily Mossburg, principal in secure services at consultancy Deloitte, uses to war-game clients’ responses to a cyberattack. During the six-hour exercise, a client’s cybersecurity team, up to and including members of the C-suite, respond as if the hack were real, tweaking their strategies for dealing with a breach. Mossburg studies how much information the hacked company shares with customers, how quickly it reaches out to authorities, and how proactively it musters
The whole exercise is, above all, an effort to stem the financial fallout. Cyberattacks have become a sad fact of real life, and they can make an enduring dollars-and-cents impact, not least to a company’s stock price. Cybercrime costs the global economy between $450 billion and $600 billion a year. And recent events fit a familiar pattern: Hackers strike, and the victimized company’s stock falls. In May and June, WannaCry and a similar ransomware program attacked corporate servers worldwide and infected hundreds of thousands of computers. The biggest victims included food company Mondelez International and pharmaceutical giant Merck, and as of mid-August neither corporation had seen its stock price recover.
Even more unsettling to investors: Research suggests that the long-term impact of a breach on share values can be far greater than its immediate damage. According to a study of 24 hacked companies by consumer-review site Comparitech, a company’s stock fell, on average, 0.43% on the day an attack was publicly disclosed. But three years after an attack, the share price for companies in the study lagged the Nasdaq by an average of 40 percentage points.
Other factors besides the hacks undoubtedly contribute to the underperformance, and some companies shrug off hacking incidents with little damage. Still, the costs of addressing a breach can weigh down a company’s financial results for years. Consulting firm KPMG analyzed the impact of a 2013 theft of data from some 40 million credit card accounts from retailer Target. It estimated that the response by Target’s cybersecurity team, funding of credit monitoring for customers, and staffing for call centers cost $60 million. The “slow-burn” costs proved far larger, with nearly $200 million spent on systems upgrades and court settlements, plus serious but less tangible costs like the hit to the company’s reputation. Target had other challenges too, but the hack’s costs certainly didn’t help; and in the three years after the breach, Target’s stock returned 24%, trailing the Nasdaq and the S&P 500 alike.
The publicity that comes with “increased visibility of breaches” heightens the long-term costs, says KPMG director Matthew Martindale. For companies that operate in Europe, new rules due to take effect in May 2018 could make the problem even worse. The European Union’s General Data Protection Regulation (GDPR), which the U.K. also plans to adopt, will require companies to make a good faith effort to notify authorities of breaches within 72 hours. This could do more damage to stocks of companies that suffer a hack, explains Laila Khudairi, head of enterprise risk at insurance firm Tokio Marine Kiln, since many will have to go public with news of an attack before they’ve defeated it. (The penalty for not speaking up: up to 2% of a company’s global revenue.) U.S. companies doing business in Europe are rushing to adjust, with 68% planning to spend between $1 million and $10 million on upgrades and 9% spending more than $10 million, according to consulting firm PwC.
It’s cybersecurity firms, of course, that benefit most from such upheaval. Spending in the space is expected to jump from an estimated $86 billion this year to $108 billion in 2020, according to research firm Gartner. As cyberdefense has grown in importance, scores of companies have joined the competition, from narrowly focused startups to tech giants to diversified consultancies like Deloitte. In that crowded field, we found these prominent names most intriguing.
A fairly new player among the cybersecurity elite, Palo Alto Networks (PANW) made a name for itself with a firewall that controls how data flows within and around a company’s corporate infrastructure, allowing a customer’s security team to control which applications connect and regulate traffic from other devices. “They’ve been the disrupter in the network security space,” says Saket Kalia, a Barclays analyst, and its sales have shown it: Palo Alto’s revenues jumped 248% between 2013 and 2016, to $1.4 billion.
The stock has been volatile, however, and it currently trades at 34% below its highs from the summer of 2015. A recent slump accelerated in February when Palo Alto missed analysts’ revenue-growth expectations for the second quarter. One of the reasons for the stumble: The company is transitioning to a subscription model for its products. Previously, Palo Alto primarily licensed out software, so any given sale was a one-time affair. But under the subscription model, customers pay to remain on the platform and choose which Palo Alto products they need, a process the company hopes will create stickier customer relationships and enable it to become consistently profitable. Palo Alto’s subscription and service revenues have risen to 62% of sales, from 44% in 2014. And the stock’s recent slide gives investors the chance to buy at cheaper levels, notes Oppenheimer analyst Shaul Eyal.
Check Point Software Technologies (CHKP), an Israeli company that trades on the Nasdaq, was Palo Alto’s predecessor as the industry’s standard-bearer and also built its success on firewall technology. The company faces “the classic innovator’s dilemma,” says Morgan Stanley analyst Keith Weiss: With growth slowing, it needs to introduce next-generation technology, but it doesn’t want to do so too fast, lest it lose existing clients. That said, Check Point has a “large base of customers that are not going anywhere,” says William Blair analyst Jonathan Ho. In April, it launched Infinity, a security platform for enterprises that are moving more storage to the cloud. The stock is priced in line with the broader market, with a forward price-to-earnings ratio of 20.4; Ho believes it will merit a higher valuation as Infinity gains momentum.
The resurgence of Cisco Systems (CSCO) in cybersecurity has brought a new competitive wrinkle to the field. Cisco long viewed security as an afterthought, focusing primarily on hardware and leaving cyberdefense analysts “unimpressed with the company over the past decade,” says Needham & Co.’s Alex Henderson. But Cisco is now marketing products that take advantage of its scale and deep troves of data: Its latest security software claims to be more predictive in preventing threats—for example, by recognizing traffic patterns that could signal an attempted breach.
Cisco laid off 6,600 people over the past year in a reorganization designed in part to put more focus on security, and in June it announced a partnership with Apple to develop a tool that offers enterprise cybersecurity teams greater control over iOS devices. Cisco’s global supplier and customer base, meanwhile, could help it reap big benefits from the increased spending driven by Europe’s GDPR upgrades.
Cisco’s overall transition has undoubtedly involved a few bumps; last week, the company reported its seventh consecutive drop in quarterly revenue. Cybersecurity still accounts for only a sliver—4%—of its $49 billion in revenue, but it’s among its fastest-growing segments. Still, at a price of just 16 times earnings, Cisco is one of the field’s more enticingly affordable stocks.
A version of this article appears in the Sept. 1, 2017 issue of Fortune with the headline “A Big Payoff for Cybercop Stocks.”