The ETFMG Prime Cyber Security ETF (NYSEARCA:HACK) offers targeted exposure to the theme with undeniably paramount importance, namely cyber defense architecture & application providers, which have an essential role in the global economy amid the mounting challenges of the digital era.
In its October article, McKinsey & Company shared a forecast that the global cybersecurity total addressable market could increase up to $2 trillion, a 10x size of the vended market, citing “more attacks targeting smaller companies” and “the impetus from regulation” amongst the key drivers. So even though approximately $150 billion were poured by organizations into cybersecurity in 2021, a solid figure, more investments are necessary to tackle emerging challenges.
However, though the opportunity seems truly enormous, it should not be regarded as the reason to hastily buy into HACK or any other similar ETF, be it Global X Cybersecurity ETF (BUG), First Trust Nasdaq CEA Cybersecurity ETF (CIBR), or iShares Cybersecurity and Tech ETF (IHAK), etc.
The issue with this growth theme is that like most of the digital economy-related pandemic winners, it has seen a steep reduction in trading multiples reflecting a higher cost of capital globally amid painful inflation and interest rates designed to remove excess liquidity from the economy and tame spiraling prices. So while investors were flocking to value stocks in this environment, the generously priced pandemic winners were watching their multiples compressing and market value plummeting. Uncoincidentally, HACK is down by ~25% YTD, with around 58% of its current holdings suffering a 20% decline and worse, and in case the recent inflation relief rally does not last, there is a good chance 2022 will become HACK’s worst year to date, easily dwarfing a 2.2% decline in 2015, when it underperformed the Invesco QQQ ETF (QQQ) by 11.7%.
Today, I would like to review the critical factors necessary to have a better understanding of this niche ETF, namely its growth, value, and quality, also paying due attention to past performance, to arrive at a balanced conclusion of whether it is worth buying into it, especially considering there is yet again some exultancy in the markets owing to the CPI data demonstrating inflation is perhaps cooling down already.
HACK’s investment strategy
Incepted in November 2014, HACK is managed passively, with the Prime Cyber Defense Index designed to amalgamate cyber defense architecture & application providers lying at the crux of its strategy.
In line with the index methodology, the fund welcomes both U.S. and international companies. And though as of the end of October, more than 85% of the net assets were allocated to the U.S., the presence of the FX risk (e.g., the pound sterling and the yen exposure) is not to be overlooked.
As of November 7, HACK had a basket of 59 equities, with the top ten cohort’s weight of over 49%, which is a drag on its Risk rating. Among non-U.S. picks worth mentioning is BAE Systems (OTCPK:BAESY), a London-based aerospace & defense heavyweight, with the Cyber & Intelligence segment accounting for ~10.4% of its H1 2021 revenues; most of BAE’s revenues come from the Air and Electronic Systems segments, so its spectacular rally in 2022 is principally the consequence of geopolitics, not cybersecurity market trends.
The most generously valued name in the portfolio is Cisco (CSCO), an over $180 billion juggernaut with $51.56 billion in the last twelve months revenues; CSCO is HACK’s 7th largest holding with ~4.8% weight. Meanwhile, Fortinet (FTNT), a ~$43 billion California-based cybersecurity solutions provider with FortiGate among the key products, occupies the first place, with 5.3% of the net assets.
Amongst the smallest names is Israel-based Allot (ALLT), an around $156 million company with LTM revenues of just $143.8 million; its weight in HACK is around 6 bps.
Overall, partly owing to a larger exposure to mid- and small-caps (~32%), HACK’s weighted-average market cap stands at just $23.8 billion, so some submerged profitability issues typical for smaller companies might be uncovered upon deeper inspection.
Something to dislike about growth, quality credentials
HACK’s growth characteristics are not as spectacular as investors in the cybersecurity theme might expect. We see that over 36% of the holdings have a B- Quant Growth grade or better, which is a positive, yet the figure is not high enough to say HACK has its place in a growth investor’s portfolio. At the same time, just ~33% are forecast to increase their forward revenues by over 20%, and just ~27% have 20%+ 3-year CAGRs. At least 10% forward EPS growth could be achieved only by 10 companies (31%) in the 48-strong set I analyzed (over 97% of the net assets). The table below provides a look at the top 20 holdings and their key growth metrics as well as the Quant grades.
Please take notice that a few tickers were adjusted to ADRs by the author to enhance compatibility.
Turning to quality, the HACK portfolio scores comparatively well against the profitability indicators, with close to 76% having at least B- Profitability rating, yet there is room for criticism as well.
For example, over 28% of the portfolio has negative EBITDA; the share of loss-making companies is approaching 33%. Just 22%, namely six companies, managed to deliver a Return on Assets in excess of 10%. We also see that close to 68% of the holdings have above 50% Debt/Equity, which is uncomfortable in the higher interest era, depending on companies’ percentage of fixed-rate debt and repayment schedule.
Is HACK valued comfortably?
Unfortunately, here some of the comfort from the forecast blockbuster growth in the total addressable market dissipates. Looking from a few angles, there is a lot to dislike about HACK’s valuation, despite it losing over 25% since the beginning of the year.
First and foremost, almost 56% have a D- Valuation grade or worse, a strong sign these names are priced too generously for some reason. But remember, this is a mid-caps-heavy portfolio, so we cannot explain this tilt toward expensive names by the size & quality premia only.
To additionally illustrate how the HACK portfolio is valued I should mention that its weighted-average Price/sales at ~6.76x, as per my calculations, while the share of holdings with above 20% forward revenue growth, as mentioned above, is only around 33%, so there are not that many hyper-growth stories under the hood (like Cloudflare (NET)), and the mid-single-digit sales multiple is clearly excessive.
We can apply other methods, e.g., the earnings yield and its debt-adjusted alternative. More specifically, the DA earnings yield (the sum of all holdings’ EBITDA including negative figures divided by the total portfolio EV) is only a modest 4.8%. Tech investors would likely note here the median for the sector is around 7.5% (13.36x LTM EV/EBITDA). Next, the earnings yield is at 2.6% (the inverse P/E), while the QQQ investors could get a yield in excess of 4.8%. In this regard, we could cautiously assume that even the Nasdaq 100 ETF is valued better than HACK, but please do not that the P/E calculation methodologies differ.
Launched in 2014, HACK was amongst the first cybersecurity-themed funds. In 2015, CIBR followed the suit. In 2019, IHAK and BUG were presented. It should be noted that BUG has the most concentrated portfolio amongst its peers, featuring just 24 names from the Indxx Cybersecurity Index.
Its peer funds also have a year to forget, though QQQ underperformed all of them.
In sum, I highlight that there is no denying that cybersecurity has a pivotal role in the digital age, and the potential for the global total addressable market amid mounting threats is truly immense. Yet HACK is valued at a premium to QQQ, has a few vulnerabilities on the quality side, and barely spectacular short-term growth.
Another issue worth mentioning is that HACK grossly underperformed QQQ in the past, delivering just 8.4% CAGR (December 2014 – October 2022) vs. the Nasdaq 100 ETF’s 13.9%, with higher volatility (a standard deviation of 21% vs. 18.8%). In this regard, it does not deserve a Buy rating.