CIBR ETF: Investing In Cybersecurity Is Not The Same As Cloud Software (NASDAQ:CIBR)

Investment Thesis

With Salesforce (CRM) reporting slower growth in their earnings report yesterday, any stock that has anything to do with cloud software, including cybersecurity stocks, is getting trashed in the dumpster. While parallels can be easily drawn between the larger cloud software space and cybersecurity stocks, simply due to the homogenous nature of the cybersecurity industry’s business model optics, growth metrics, industry acronyms, etc.

I argue that cybersecurity stocks have a unique set of tailwinds that distinguish this sector apart from the broader cloud software sector. Yes, the cybersecurity industry currently has some cross-currents that mix the outlook, but the long-term growth prospects are quite strong, in my opinion, given the rising threats from online adversaries that I mention below in my macro-outlook.

I am bullish on the cybersecurity space in general and believe the CIBR ETF (NASDAQ:CIBR) is the best way to gain exposure to a wide array of industry players. I rate CIBR as a Buy.

About the CIBR fund

First Trust’s NASDAQ Cybersecurity ETF is managed by the Wheaton, Illinois-based financial services and ETF firm. The ETF is designed to track the performance of the NASDAQ CTA Cybersecurity Index (NQCYBR). By tracking NASDAQ’s cybersecurity index, the fund aims to offer investors exposure to companies that are engaged in the cybersecurity segment of technology.

Per its fund documents, the companies that its capital is allocated to are “primarily involved in the building, implementation, and management of security protocols applied to private and public networks, computers, and mobile devices in order to provide protection of the integrity of data and network operations.”

For the companies to be included in the CIBR fund, they must be part of the underlying NQCYBR index and codified as a cybersecurity company as determined by the CTA (Consumer Technology Association). I’ve added some more details about index weightage below:

• Companies must have a market capitalization of $500 million, a minimum three-month average daily trading volume of $1 million, and a minimum free float of 20%. Plus, no security can exceed more than 6% of the weight of the index. This should keep the index fairly balanced across all index components.

• The index is evaluated semi-annually in March and September but rebalanced quarterly. However, if at any time during the year, outside of the index’s regular evaluation period, an index security no longer meets the eligibility criteria, the security is removed from the index and is not replaced.

I have added a chart below that shows the Top 15 Holdings vs. the Constitution of CIBR’s Funds by categories.

Peer Comparison

Here is how the CIBR ETF compares with some of its peers. The list below, in Exhibit B, is ordered by largest-to-smallest fund in terms of Assets Managed.

The first observation is that most cybersecurity ETFs are usually more expensive than the average ETF. On average, the expense fee is ~50 cents per $100 invested in most cybersecurity ETFs, as noted in Exhibit B. But CIBR is the largest and one of the oldest ETFs, providing exposure to the cybersecurity industry.

The CIBR fund is also the most actively traded ETF in the cybersecurity space while offering relatively higher levels of diversification, with around half of CIBR’s assets deployed towards its Top 10. I had mentioned earlier how the underlying index manages diversification by making sure no fund component grows beyond 6%.

Peer Performance

The CIBR fund has also performed relatively better than its peers if I compare it on a 3-5 year horizon, as seen in Exhibit B. I have also added the fund’s performance versus its peers in Exhibit C below over a three-year horizon. I looked at three years because I wanted to graph out how CIBR performs versus its peers over volatile time periods, such as the one seen during 2022, where CIBR again has relatively outperformed.

Moreover, when I compare First Trust’s NASDAQ Cybersecurity ETF to the broader markets, represented by the S&P 500 and the Nasdaq 100 indices, as well as its larger cloud software peer groups, the iShares Expanded Tech-Software Sector ETF (IGV) and First Trust’s own Cloud Computing ETF (SKYY), I see CIBR still outperforms almost all indices and larger peers.

Despite the volatility seen a couple of years ago, the performance demonstrated by CIBR shows the strength in the underlying stocks that are part of CIBR’s fund.

Outlook for Cybersecurity and Valuation

The reason I believe CIBR sets itself apart from its peers is due to its fund composition and diversification. As I noted in Exhibit A, CIBR allocates capital towards some of the strongest cybersecurity players in the industry that innovate at the forefront of cybersecurity. Companies like CrowdStrike (CRWD) and Palo Alto Networks (PANW) operate in emerging cybersecurity markets such as Endpoint Security and Secure Access Service Edge.

Other companies, such as Zscaler (ZS), operate in one of the fastest-growing cybersecurity markets, CASB (cloud access security broker), and ZTNA (Zero Trust Network Access) while Okta (OKTA) operates in the IAM (Identity Access Management).

IDC’s recent survey showed how cloud security, identity access, and security incident management and response are some of the top priorities for enterprises today. I have added this to Exhibit E. Gartner’s document, which also points to key security areas that have become crucial for enterprises to bulk up on. These areas such as IAM and Security Incident Management are even more crucial in the age of GenAI today.

Another study by Gartner shows how total cybersecurity spending is projected to grow by 14.3% in FY24. But within the projected increase in spending, areas such as IAM, Cloud Security, Data Privacy and Security are all expected to outpace the overall growth of cybersecurity spending. Plus, overall cybersecurity spending is projected to be higher than the projected 13.9% increase in software spending in FY24.

Finally, cybersecurity spending is expected to rapidly increase, posting strong double-digit growth through 2027, as compared to cloud software projected growth over the same period, which is expected to grow 13.8% through FY27. This also shows that the cybersecurity complex of cloud stocks should not be treated the same as cloud stocks since it has a different set of tailwinds.

Given this double-digit growth-oriented, bright outlook that cybersecurity companies in CIBR can collectively demonstrate, I believe the fund’s earnings valuation multiple of 30x looks very reasonable to me.

Risks to Bull Thesis

There are two risks that may currently create headwinds for my outlook regarding CIBR.

First, macroeconomic forces may force enterprises to alter their budgets, impacting the outlook for companies in CIBR. But as I demonstrated in Exhibits C and D, CIBR should be able to outperform the markets over a longer period of time. This is solely because, in the short term, there may be volatility, but long-term growth prospects continue to remain intact in the cybersecurity space.

Second, since I mentioned short-term volatility, I must also note that the industry is currently in the midst of certain cross-currents, with mixed commentary coming from the management teams of different players. While Palo Alto Networks’ management believes that they are seeing some levels of slowdown in cybersecurity enterprise spending due to “cybersecurity spending fatigue,” CrowdStrike’s management took the opposite side of the fence, saying there are “clearly no signs of slowdown or fatigue.” But note that Palo Alto Networks’ management said “fatigue,” which to me indicates enterprises are pausing due to months of spending in the space and pausing. With rising threats at all-time highs, I expect spending to resume across the industry at some point.

Takeaways

As noted in my research note, I believe the cybersecurity space is poised to remain resilient in the face of the perceived uncertainty that exists today. With attacks from online adversaries increasing exponentially, industry-leading cybersecurity companies, as represented by the CIBR fund, stand to be the biggest beneficiaries.

Despite its relatively higher perceived valuation levels, I recommend buying CIBR on any pullbacks.