How is cyber security changing, and what does this mean for investors?

By: Aude Martin

Every passing day seems to bring news of another high-profile cyber attack. Meanwhile, terms such as ransomware, spear-phishing and advanced persistent threats are no longer the preserve of technical specialists – public awareness of the many different forms of cyber attack has never been greater.

Does this mean the cyber security industry has now reached a saturation point?

In a word, no. Despite the vast sums that are spent on cyber security every year – an estimated $160-170 billion in 2023 – it’s estimated the industry penetration rate is currently no more than 10%.[1] This should perhaps come as no surprise, given that the cyber security landscape constantly evolves, as both attackers and defenders race to deploy the latest technologies and stay ahead of the other side.

Revenues in the cyber security market are expected to grow to $183 billion in 2024, at a compound annual growth rate (CAGR) of 10.2%.[2] This headline growth figure, however, belies a more complex landscape, in which mature sub-segments are diminishing in importance while emerging segments are coming to the fore.

The cyber security solutions segment is expected to lead this growth in revenues, with an estimated 15.2% CAGR, whereas cyber security services are expected to slow down.[3] This is definitely a shift we have observed over time in our L&G Cyber Security UCITS ETF, where infrastructure providers today make up over 80% of the fund[4], while the total weight of cyber security service providers has been decreasing over time.

Cyber security in the age of AI

Artificial intelligence (AI) has become a hotly discussed topic in the mainstream press, raising hopes of increased labour productivity but also leading to fears around data privacy and misinformation. In the cyber security space, AI is similarly double-edged.

From the cyber attacker’s perspective, generative AI can be used to create data and help develop attack capabilities. An example of the former is bespoke phishing email content, aiming to target the weakest link in the cyber security chain: the end user.

Cyber security research group Rubrik Zero Labs has also noted the emergence of hacker-friendly generative AI chatbots such as FraudGPT and WormGPT, which are specifically designed to enable “even those with minimal technical” skills to launch sophisticated cyber attacks.[5]

AI also provides cyber security providers with new ways to identify potential attacks, enabling them to be stopped before they cause harm.

One example is the screening of potentially harmful email. Historically, this has been done by identifying and blocking specific email addresses, domains or email contents. While this allows known attacks to be blocked, these features are constantly being changed.

AI-powered screening technology is instead able to identify the underlying characteristics of emails (such as requests for identifiable information) to flag potentially dangerous content even when it originates from a source not previously blacklisted.[6]

What will drive the next wave of cyber security growth?

AI provides a useful reminder of how new technologies can radically shift the cyber security landscape. But this is just one example among many showing how the cyber attack surface has expanded in recent years.

Let’s not forget than just five years ago the market was disrupted by the pandemic, leading to a transformative shift to remote working and the rise in demand for cloud protection services.

Attacks have also become more sophisticated, and cyber solutions providers are constantly developing solutions to match the pace of new attacks. An everyday example of how this works in practice is the ‘unseen cyber’ work that happens in the background every time you open your email client: ad-blocking, AI tools and an array of other systems are all working together to protect the end-user from thousands of potentially damaging attacks.

More businesses, more cyber attacks

The acceleration of enterprise itself may emerge as the greatest driver of the cyber security industry in the decade ahead.

It’s estimated that 50% more new businesses per year are being created than five years ago.[7] This creates underlying unseen risks; if we take the example of digital businesses, cyber security is commonly overlooked. At the current rate of growth, it is estimated that cyber crime costs will reach about $10.5 trillion annually by 2025 – a 300% increase from 2015 levels.[8]

For large, established companies, the costs continue to rise. Banking giant JPMorgan Chase is suffering a wave of cyber attacks, with the bank’s head of asset and wealth management stating fraudsters are getting “smarter, savvier, quicker, more devious, more mischievous”. The company reportedly spends $15 billion on technology every year and employs 62,000 technologists, with many focused solely on combating the rise in cyber crime.[9]

[1] Source: What is cybersecurity? | McKinsey

[2] Source: Cybersecurity - Worldwide | Statista Market Forecast

[3] Source: ibid.

[4] Source: LGIM internal data as at 23rd April 2024
[5] Source: Is artificial intelligence the solution to cyber security threats? (ft.com)

[6] Source: https://darktrace.com/research/analysis-of-email-structure-to-detect-malicious-intent

[7] Source: Six misconceptions in cybersecurity risk management | McKinsey

[8] Source: Cybersecurity trends: Looking over the horizon | McKinsey

[9] Source: JPMorgan suffers wave of cyber attacks as fraudsters get ‘more devious’ (ft.com)

Important information

The information in this document is for professional investors and their advisers only.  This document is for information purposes only and we are not soliciting any action based on it. The information in this document is not an offer or recommendation to buy or sell securities or pursue a particular investment strategy and it does not constitute investment, legal or tax advice. Any investment decisions taken by you should be based on your own analysis and judgment (and/or that of your professional advisors) and not in reliance on us or the Information.

A summary in English of investor rights associated with an investment in the fund is available from www.lgim.com/investor_rights.

The risks associated with each fund or investment strategy are set out in the key investor information document and prospectus or investment management agreement (as applicable).  These documents should be reviewed before making any investment decisions. A copy of the English version of the prospectus and the key investor information document for each fund is available at www.lgim.com and may also be obtained from your Client Relationship Manager. Where required under national rules, the key investor information document will also be available in the local language of the relevant EEA Member State.

A decision may be taken at any time to terminate the arrangements made for the marketing of the fund in any EEA Member State in which it is currently marketed. In such circumstances, shareholders in the affected EEA Member State will be notified of this decision and will be provided with the opportunity to redeem their shareholding in the fund free of any charges or deductions for at least 30 working days from the date of such notification.

Information on sustainability-related aspects on the funds is available on https://fundcentres.lgim.com/. The decision to invest in the funds should take into account all the characteristics or objectives of the fund as described in its prospectus and in the key investor information document relating to the fund.

This document has been prepared by Legal & General Investment Management Limited and/or their affiliates (‘Legal & General’, ‘we’ or ‘us’).  The information in this document is the property and/or confidential information of Legal & General and may not be reproduced in whole or in part or distributed or disclosed by you to any other person without the prior written consent of Legal & General.  Not for distribution to any person resident in any jurisdiction where such distribution would be contrary to local law or regulation.

No party shall have any right of action against Legal & General in relation to the accuracy or completeness of the information in this document.  The information and views expressed in this document are believed to be accurate and complete as at the date of publication, but they should not be relied upon and may be subject to change without notice. We are under no obligation to update or amend the information in this document.  Where this document contains third party data, we cannot guarantee the accuracy, completeness or reliability of such data and we accept no responsibility or liability whatsoever in respect of such data.

This financial promotion is issued by Legal & General Investment Management Limited.

In the European Economic Area, this document is issued by LGIM Managers (Europe) Limited, authorised and regulated by the Central Bank of Ireland as a UCITS management company (pursuant to European Communities (Undertakings for Collective Investment in Transferable Securities) Regulations, 2011 (as amended) and as an alternative investment fund manager (pursuant to the European Union (Alternative Investment Fund Managers) Regulations 2013 (as amended). LGIM Managers (Europe) Limited’s registered office is at 70 Sir John Rogerson’s Quay, Dublin, 2, Ireland and it is registered with the Irish Companies Registration Office under company no. 609677.

For investors in Switzerland only: This information provided herein does not constitute an offer of the Funds in Switzerland pursuant to the Swiss Federal Law on Financial Services ("FinSA") and its implementing ordinance. This is solely an advertisement pursuant to FinSA and its implementing ordinance for the Funds. (For all collective investment schemes with the exception of the Legal & General UCITS ETF PLC): Swiss Representative: Acolin Fund Services AG, Leutschenbachstraβe 50, 8050 Zurich, Switzerland. Swiss Paying Agent: NPB Neue Privat Bank AG, Limmatquai 1/am Bellevue, PO Box, 8024 Zurich, Switzerland. (For the Legal & General UCITS ETF PLC): Swiss Representative and Paying Agent: State Street Bank International GmbH Munich, Zurich Branch Beethovenstraβe 19, 8007 Zurich, Switzerland. Availability of Documents: The prospectus, Key Information Documents (KIDs), the instruments of incorporation, annual report and subsequent semi-annual report and additional relevant documentation of the above-mentioned collective investment schemes are available free of charge from the Swiss representative and from Legal & General Investment Management Limited, One Coleman Street, London, EC2R 5AA, GB.

LGIM Managers (Europe) Limited operates a branch network in the European Economic Area, which is subject to supervision by the Central Bank of Ireland. In Italy, the branch office of LGIM Managers (Europe) Limited is subject to limited supervision by the Commissione Nazionale per le società e la Borsa (“CONSOB”) and is registered with Banca d’Italia (no. 23978.0) with registered office at Piazza della Repubblica 3, 20121 - Milano (Companies’ Register no. MI - 2557936). In Sweden, the branch office of LGIM Managers (Europe) Limited is subject to limited supervision by the Swedish Financial Supervisory Authority (“SFSA”). In Germany, the branch office of LGIM Managers (Europe) Limited is subject to limited supervision by the German Federal Financial Supervisory Authority (“BaFin”). In the Netherlands, the branch office of LGIM Managers (Europe) Limited is subject to limited supervision by the Dutch Authority for the Financial Markets (“AFM“) and it is included in the register held by the AFM and registered with the trade register of the Chamber of Commerce under number 74481231. Details about the full extent of our relevant authorisations and permissions are available from us upon request.