The stock market is rewarding tech companies that protect data more than ones that exploit it

Cyber heroes don’t always wear capes.
Cyber heroes don’t always wear capes.
Image: AP Photo/Andre Penner
We may earn a commission from links on this page.

Tech stocks are booming, despite concerns about how some of sector’s giants, like Google and Facebook, make money from personal data. Cyber security companies, meanwhile, have performed even better, as more of our lives are digitized and hacks become more common and sophisticated.

A popular cybersecurity exchange traded fund (ETF) has soared by 20% this year. That compares with 14% for one of the most widely traded tech ETFs, and 4.5% for a fund tracking the S&P 500 index of US stocks. Key constituents of the Prime Cyber Security ETF (which trades under the on-brand ticker HACK) include companies like Palo Alto Networks and Qualys, both of which have gained more than 40% in value so far this year.

Digital security companies are rallying amid a steady series of hacker intrusions. Mega exploits like those at Equifax and Yahoo are among the best known, but Ticketmaster UK and Adidas also disclosed breaches last month. One way criminals operate is by stealing troves of usernames, e-mail addresses, and passwords, and then using automated software to apply the credentials to bank accounts and other places where money is kept to gain access.

The known hacks are worrisome, but companies also tend to keep break-ins secret when possible. Firms successfully targeted by so-called ransomware sometimes have little choice but to pay up to regain access to data, according to cyber experts. In these hacks, the companies’ data and digital records are encrypted by criminals until the ransom, typically denominated in cryptocurrency like bitcoin, is paid. Executives often keep these payments quiet if they can.

Government regulations will make it harder to keep these things under wraps. The EU’s recently implemented data protection rules require companies to report data breaches within 72 hours and to maintain a vigorous detection program. Under the General Data Protection Regulation (GDPR), which applies to anyone dealing with European individuals or businesses, failing to report a data breach can result in a stiff fine.

Last year, Facebook CEO Mark Zuckerberg said the company is doubling its security staff and engineering efforts to head off cyber threats. (This week, Facebook was fined by the data protection watchdog in the UK for mishandling data.) “I’m dead serious about this,” Zuckerberg said during an earnings call in 2017. “I’ve directed our teams to invest so much in security—on top of the other investments we’re making—that it will significantly impact our profitability going forward.”

Harvesting data is a big business for hackers as well as legitimate enterprises. Companies like Facebook and Google have raked in cash by collecting, analyzing, and selling it. Investors are betting that protecting it may also be a lucrative enterprise.