Cybersecurity - Turning threats into investment opportunities
WHITE PAPER June 2018
Vera KrückelTrends Analyst Steef Bergakker Trends Analyst & Portfolio Manager
For professional investors
Introduction The incidence and severity of cyberattacks has accelerated over the last couple of years. In response, spending on cybersecurity has been stepped up by governments, private enterprises and individuals alike. With the advent of tighter data privacy regulation, a rapidly expanding attack surface and a growing army of resourceful hackers, spending is likely to shift into an even higher gear.
Investors can profit from this dynamic growth market by employing a strategy consisting of a core of established players with durable competitive advantages, supplemented with a basket of young challengers who are the first in employing the latest technologies.
2 | Cybersecurity - Turning threats into investment opportunities
Contents Intro 2
Executive summary 5
Cybercrime - the downside of digitization 8
Market overview 16
Structural developments 19
Investing in cybersecurity 26
Active Investor Engagement in cybersecurity 32
Appendix 36
4 | Cybersecurity - Turning threats into investment opportunities
Executive summary
Without a doubt cybersecurity is a growth market. High single- to low double-digit growth rates of security spending are highly likely over the next five to ten years. Investing in the extra-ordinarily dynamic cybersecurity space is no easy pickings, however. We recommend a core-satellite approach.
Cybersecurity - Turning threats into investment opportunities | 5
Cybercrime is estimated to be a USD 445bn industry. Cybersecurity USD 92bn. The most lucrative business on the internet nowadays is fraud.
By 2021 there will be an estimated 3.5m unfilled cybersecurity positions worldwide.
The first computer worm was created by Robert Morris in 1981.
25% of all breaches are caused by internal actors.
The Target breach cost the company USD 160m, while Anthem faced a bill of USD 100m.
Malicious actors are inside companies’ infrastructure a median number of 205 days.
Approximately 1,600 companies are active in the cybersecurity market.
USD 19bn – the US government cybersecurity budget.
Cybercrime detracts 20% of the value creation of the internet, a cost that could build up to USD 3tn by 2020.
The average IOT device was attacked once every 2 minutes in 2017.
Interesting stats & figures
6 | Cybersecurity - Turning threats into investment opportunities
Cyberincidents accelerating and becoming a major concernDigitization and connectivity have greatly boosted economic and social prosperity as more
people than ever before can now interact commercially or socially and gain access to the
accumulating knowledge base of humanity through a handheld device. Unfortunately, this
unprecedented boon also has a significant downside: malevolent actors have seized the
opportunities offered by digitization and connectivity as well. Cybercrime is on the rise.
Spending on cybersecurity to step upThe world has not stood idly by. Spending on cybersecurity has been high for many
years and is likely to be stepped up as the number and severity of cyberattacks increase.
Reputable market forecasters like IDC and Gartner are expecting high single- to low double-
digit increases in cybersecurity spend in the years to come. Drivers do not only include
a rapidly expanding attack surface and growing hacker sophistication, but also tighter
government regulation of data privacy, as exemplified by the General Data Protection
Regulation (GDPR) that was introduced in Europe in May 2018.
Cybersecurity offers investment opportunities aplenty, but caution is required While the high-growth cybersecurity market presents many opportunities for investment
success, it is not an easy place to invest in. The cybersecurity space is extremely dynamic
and has shifted course many times in the past as cyberthreats morphed, offering
opportunities for new players with new solutions but also leaving many fleeting former
success stories in its wake. Building a sustainable competitive advantage has proven
difficult, even for the most agile operators. The current move from on-premise to cloud
computing is presenting the latest, and a particularly challenging, directional market
shift, as cloud-based security requires very different solutions from on-premise security.
Opportunity knocks, but investors should tread carefully, in our view.
We recommend a core-satellite approachGiven the challenges of a rapidly changing cybersecurity environment and the difficulty
of pinpointing future long-term winners, prudent investors should seek exposure to this
market through a core of established companies with strong competitive advantages and
a proven ability to generate economic profits, in our view. While to date mostly active in
the slower growing on-premise part of the cybersecurity market, these companies are
best positioned to build the multi-threat security platforms that are or will be increasingly
demanded by clients. To capture the higher growth from cloud-based security solutions,
we recommend to supplement this core with a satellite basket of fast growing challenger
companies that invent new technologies and currently are mostly active in cloud-based
security solutions.
‘A balanced approach of combining established players with proven track records with a basket of fast growing challengers is recommended’
Cybersecurity - Turning threats into investment opportunities | 7
Cybercrime -the downside
of digitization and connectivity
2017 marks the year in which cybercrime came of age, as several high-profile hacks made the headlines. Cybersecurity is now high on both the public and private agenda. Spending on cybersecurity is likely to pick up pace in the years ahead as regulation tightens, the attack surface expands and hackers become more resourceful.
8 | Cybersecurity - Turning threats into investment opportunities
Cybercrime makes it to the headlinesWhether it is foreign governments meddling with elections, shady cyber-extortionists
employing ransomware or the wholesale loss of sensitive client data, the public at large
is increasingly being confronted with something that cyberexperts have been seriously
concerned with for a long time: cybercrime. The attempts of Russian hackers to influence
the 2016 American presidential elections probably appeal strongest to the general public’s
imagination in that respect. However, last year an unprecedented number of other
cyberattacks made headlines as well. The threat landscape is diverse and dynamic; from
wide-ranging and hugely costly ransomware attacks like WannaCry and NotPetya to the
shocking revelation that bureau Equifax, one of the largest credit bureaus in the US, had
experienced a data breach that exposed personal information of a whopping 143 million
people: cybercrime suddenly seemed to be all over the news.
The figure below outlines the most common categories of cyberthreats today.
Figure 1: Today’s cybersecurity threat landscape
Source: IBM
In addition, while technically certainly not a cybercrime, the recent Facebook / Cambridge
Analytica row concerning the exploitation of user data has put the whole issue of data
ownership and related security issues firmly on the political agenda. Clearly, a public raw
nerve has been touched.
Cybersecurity - Turning threats into investment opportunities | 9
Public concern backed up by worrisome numbersThe recent rapidly growing public concern with cybersecurity is not based on a whim, but
backed up by a host of worrisome numbers:
– Research from cybersecurity firm Symantec shows that ransomware attacks worldwide
increased by 36 percent in 2017.
– Also according to Symantec, 1 in 123 emails is infected by malware.
– In 2017, 6.5% of cyber-active people were victims of identity fraud with fraudsters
stealing USD 16bn according to Javelin Strategy & Research.
The graph below vividly shows the recent acceleration in data breaches in the US.
Figure 2: Data breaches accelerating
Source:Identity Theft Resource Center; CyberScout
The reported cost of cybercrime has been growing at a staggering rateNot surprisingly, the cost of cybercrime has gone through the roof. The graph below shows
that the cost of cybercrime as reported to IC3, the Internet Complaint Center, has exploded
from USD 17.8m to 1,330m from 2001 to 2016. That is a staggering compound annual
growth rate (CAGR) of 31%.
10 | Cybersecurity - Turning threats into investment opportunities
Figure 3: Monetary damage caused by cybercrime reported to the IC3
Source: FBI; IC3; US Department of Justice
Reported cost is just the tip of the icebergIt is well known that reported numbers of cybercrime incidence are an underestimation of
the true numbers. Affected companies are naturally reluctant to disclose such incidents,
which may dent their reputation and, consequently, hurt their commercial operations.
Moreover, the reported commercial damage is likely to be significantly understated as well.
A study by Deloitte suggests that the indirect and less tangible costs of cyberattacks may
well represent the bulk of the total cost of cybercrime. Deloitte distinguishes 14 cyberattack
impact factors; 7 well-known cyberincident costs (above the surface) and 7 hidden or less
visible costs (beneath the surface).
Table 1: Deloitte’s 14 cyberattack impact factors
Above the surface Beneath the surface
Technical investigation costs Insurance premium increases
Customer breach notification costs Increased cost to raise debt
Post-breach customer protection costs Impact of operational disruption or destruction
Regulatory compliance costs Lost value of customer relationships
Attorney fees and litigation costs Value of lost contract revenue
Estimated cost of cybersecurity improvements Devaluation of trade name
Public relations costs Loss of intellectual property
Source: Deloitte
Cybersecurity - Turning threats into investment opportunities | 11
According to the study, the beneath-the-surface costs can amount to 90 percent of the total
impact on an organization and will most likely be experienced two years or more after the
incident. Typically, the reputational damage as reflected in the devaluation of a trade name
leads to loss of customer relationships and lost contract value. Over longer time periods,
these hidden cost categories inflict the greatest damage to an organization. Taking the true
cost of cyberincidents into account, potentially increasing the already impressive tally of
reported costs by a factor of ten, clearly highlights the extent of the cybercrime problem.
Global spending on cybersecurity to exceed USD 100bn by 2019The growing number of cyberattacks has prompted a veritable spending spree on products
to counter the cyberthreat among governments, private enterprises and individuals alike. In
the US alone, spending on cybersecurity has grown by roughly 12% per annum since 2010.
Figure 4 : Spending on cybersecurity in the US from 2010 - 2018e
Source: TIA (Telecommunications Industry Association)
While the size of the global market is difficult to estimate due to the proliferation of new
products and services offered by hundreds of new market entrants, reputable market
forecasters Gartner and IDC both put the current size at around USD 80 - 90bn. Gartner has
predicted worldwide security spending will increase by eight percent in 2018, to reach a
value of USD 96 billion by the end of the year, while IDC forecasts that spending will reach
USD 120bn in 2021. While the discrepancy of the forecasts is already an indication of how
immature and dynamic the market still is, it seems safe to expect that global spending on
cybersecurity will exceed USD 100bn in 2019. Three overarching trends are driving security
spending:
12 | Cybersecurity - Turning threats into investment opportunities
1. A dynamic threat landscape
2. Increasing regulatory pressures
3. An expanding attack surface
1. A dynamic threat landscape: Cyberattackers and defenders are locked in an arms
race
As the graph below illustrates, the sophistication of cyberattacks has been rising steadily
through time, while the required sophistication of the attackers has been declining
as the availability of easy-to-use cyberattack tools has proliferated. This has forced the
cybersecurity community to respond with ever more sophisticated products to keep the
threats at bay. Effectively, cyberattackers and defenders are locked in an arms race the
end of which is nowhere in sight. This arms race is one of the major drivers of increasing
cybersecurity spend.
Figure 5 : Trend of technical intruder knowledge vs. attack complexity
Source: Researchgate; Cynthia Wagner; Security and network monitoring based on internet flow measurements (Mar 2012)
‘As with many burdensome regulations, the playing field is likely to be tilted in favor of large companies that have the means and resources to comply with them.’
Cybersecurity - Turning threats into investment opportunities | 13
2. Increasing regulatory pressures: European regulators are stepping up cybersecurity
requirements
In Europe new regulations will be implemented in 2018 including the General Data
Protection Regulation (GDPR) and Network and Information Security (NIS) Directive. GDPR
tightens rules on EU citizens’ personal data protection and usage for commercial purposes
while the NIS Directive sets cybersecurity standards for operators of essential digital services
like search engines, cloud services and online marketplaces. Among other stipulations,
companies will be required to report cyberattacks and data leaks within 72 hours or face
fines of EUR 20m or 4% of global revenue, whichever is bigger. The regulations apply to all
companies with business activities in Europe, which in a practical sense extends the reach
of these regulations to global proportions. Obviously, companies are highly motivated
to protect themselves against the growing risks of cyberattack and data loss as these
regulations go live. It is to be expected that cybersecurity spending will receive a boost from
these regulations.
The figure below illustrates the challenges companies face in implementing GDPR
compliance.
Figure 6 : Checklist for GDPR compliance
Source: Lepide.com
3. An expanding attack surface: Increased connectivity equals increased cyberthreats
equals increased cybersecurity spending
Growth in data generation and data traffic is the ultimate driver of the growing need for
cybersecurity as cybercriminals are provided with an ever expanding number of human and
digital targets. Similarly, increased connectivity expands the attack surface - driven by a still
14 | Cybersecurity - Turning threats into investment opportunities
rapidly growing number of internet users and, vastly more significantly, by the connection
of sensors, machines and wearable devices to the internet. Estimates of a ‘big data bang’
vary, but it is absolutely clear that the world’s digital content will explode in the coming
years. Cisco estimates more than 50 billion objects will be connected by 2020.
Figure 7 : Cisco’s projections for the Internet of Things
Source: Cisco
In view of this hugely expanding attack surface many observers think that current forecasts
for cybersecurity spending are too low. For example, Cybersecurity Ventures, a private
research and market intelligence outfit, projects 12%-15% annual cybersecurity market
growth through 2021 amounting to cumulative spend on cybersecurity exceeding USD 1
trillion from 2017 to 2021.
Cybersecurity - Turning threats into investment opportunities | 15
A market overview
The cybersecurity world is ever-changing with new sub-segments forming and disappearing continuously. Accordingly, the underlying dynamics of the different sub-segments can vary dramatically.
16 | Cybersecurity - Turning threats into investment opportunities
An ever-changing universe with many different ways to slice and dice into sub-segments So far the ‘magic bullet’ has not been found and most corporations revert to a ‘defense in
depth approach’ to cybersecurity. This effectively means putting several layers of defense
on top of each other. Many solutions are complementary, but often enough there is some
overlap. Below we provide an overview of the main segments. This slicing and dicing
exercise is meant to bring some structure to the ever-shifting and therefore often confusing
cyberspace. Segment distinctions are by no means set in stone - to the contrary, as the
space is very dynamic, many segments are overlapping, and more importantly, merging
over time.
A rising tide lifts all boats – yet it pays to be selective Network security – mainly firewalls - is the largest segment, followed by endpoint security,
identity and access management and security and vulnerability management. Growth
rates, the level of consolidation and differentiation vary widely between the different
segments as well as over time. The table below gives an overview of the main segments.
An alternative is to classify cybersecurity segments by function, which can deliver valuable
insights as well:
1. Organizations first of all must prevent or block cyberthreats
2. Quickly detect malicious activity
3. Respond in real time and show overall resilience
Security products need to work seamlessly across cloud, hybrid and on-premise environmentsOverall, we observe a move from spending on protection – blocking threats with e.g.
firewalls – towards detection and response – i.e. how to best detect and respond to
the inevitable breach. Segments such as identity & access management, security and
vulnerability management and regulatory advisory and analytics are therefore the flavor of
the day and are likely to show above industry level growth rates over the next years. To stay
relevant in the longer term however, we think the more important criteria are whether a
solution works seamlessly across on-premise, hybrid and cloud environments and is ‘open’
in the sense that it shares and integrates intelligence with other point solutions.
Cybersecurity - Turning threats into investment opportunities | 17
Segment Description Main developments Main players Market size Outlook
Network protection – Firewalls
Building thick and high walls in order to keep the bad guys out. Firewalls are the largest and most mature segment, comparatively consolidated and in the process of integrating more and more network security functionalities into the offering (for example intrusion prevention and encryption). This is termed next generation firewalls or Unified Threat Management.
Recently, the notion has come up that perimeter protection - where everything in the inside is trusted and everything on the outside is not - is outdated. This is because the perimeter becomes porous in a cloud environment and does not protect against insiders which have been involved in many high-profile breaches. Credentialing services, micro segmentation and sandboxing are therefore becoming more prevalent in network protection.
Checkpoint, Cisco, Palo Alto and Fortinet.
Estimated to be an USD 11bn market in 2016. Gartner estimates a CAGR of 9% through 2020.
We think incremental dollars will shift elsewhere, but firewalls will remain a significant part of the security architecture.
Endpoint threat Protection
Protecting the various end devices connected to a network such as PCs, servers, smartphones, tablets or IoT devices. The segment can be further subdivided into corporate and consumer endpoints.
We expect the endpoint to be the next segment that consolidates more functionalities into a next generation platform (largely detection & response tools). We think machine learning will also become a more important feature on endpoints, allowing defenders to deal with unknown threats.
Symantec, Intel, Trend Micro and Sophos.
A USD 10bn market in 2016, roughly equally split into consumer and corporate endpoints. Gartner estimates a CAGR of 4% through 2020.
We expect endpoint protection to witness a renaissance with more IoT endpoints needing protection.
Access control: identity and access management
Managing what a user has access to in an organization and what not. The right individuals are enabled to do the right things at the right point in time.
User management has become more important recently, after insiders have increasingly been involved in attacks. Privileged Access Management focuses on users with access to a company’s treasures, often on individuals with administrator rights.
IBM, EMC, Oracle and Cyber Ark.
Market size is estimated to be USD 5.4bn in 2016. Gartner estimates a CAGR of 8% through 2020.
Increasingly important as insiders have been a big part of the problem but limited total addressable market (TAM) opportunity.
Security & vulnerability with biggest segment Security Analytics (SIEM)
Aggregate and analyze all data from the network and endpoints. Monitor for unusual behavior in real time, be able to react much more quickly and deploy predictive analysis. Includes also forensics and testing for vulnerabilities.
Increasingly, the realization that there is no 100% protection and an attack can never completely be prevented, has shifted the focus to the response strategy after an organization has been breached. Hacks are becoming harder to detect – malware has often been inside an organization’s systems for months before detection. GDPR’s requirements regarding the publication of hacks and data loss will make this segment increasingly important.
IBM, Hewlett Packard, EMC, Splunk
SIEM was a USD 1.9bn market in 2015, the larger security & vulnerability market USD 6bn. Gartner estimates a CAGR of 12% through 2020.
Increasingly important; both diagnostic capabilities and integration of threat intelligence across vectors.
18 | Cybersecurity - Turning threats into investment opportunities
Structural developments
Change from the in- and outside: While the quest for integration will drive industry consolidation, the cloud and IoT will open the door to new and nimble industry entrants.
Cybersecurity - Turning threats into investment opportunities | 19
The story of cybersecurity is not just about a likely step-up in spending. It is also a story
about internal changes of the cybersecurity market. We see a number of structural trends
that shape the cybersecurity industry. New technologies such as the (hybrid) cloud, IoT
and machine learning (ML) bring tremendous change from the outside - but also internal
industry developments such as consolidation or limits around the so-called ‘defense in
depth’ approach will leave its marks over the years to come. We will outline the most
important developments below.
Cloud changes the technology…The era of cloud computing has completely changed the security game – and this is true
from both a technology and a business model perspective. Change is easier to deal with for
new players with no legacy and accordingly we have seen new industry entrants capturing
quite some market share in the cloud. In the old days, the name of the game was to protect
the walls of the castle with a firewall. However, in the distributed architecture of the cloud
there are simply no more walls to protect; the perimeter is blurring to say the least.
Rather than distinguishing between the inside and the outside, the industry is now using a
combination of techniques such as sandboxing or micro-segmentation (isolating threats)
to protect what’s valuable. Similarly, credentialing or authenticating tools control what is
allowed to whom, when and where. Finally, while security literally came in a box in the old
days – i.e. would run on dedicated hardware - the cloud knows virtualized environments,
requiring only software to be installed. The fact that no more dedicated hardware needs
to be installed through a lengthy process means that cloud-based solutions can be trialed
much more easily. We think this will accelerate the rate of change.
Outdated world: a broader security platform made up by separate hardware items for
each security application: we would hardly call that an integrated platform!
Source: Cisco
‘Sandboxing isolates programs preventing malware from damaging the rest of your computer as well. Micro-segmentation works according to a similar philosophy, but then in a data center’s virtualized environment.’
20 | Cybersecurity - Turning threats into investment opportunities
… as well as the business model: security as a service This also has an effect on the business model: before security vendors were selling a
piece of hardware with a license model, but now they are selling security(software) as
a service. From a financial perspective, this means revenues no longer consist of large
upfront payments for a license plus some maintenance fee, but of periodical rental fees in a
subscription-based model. While this might over time result in a higher value capture and
stability, initially it translates into optically lower revenues – in other words a very disruptive
and risky move for legacy players to make. This opens the door a bit wider for more nimble
‘cloud-native’ players.
IoT introduces a massive amount of new challengesThe internet of things (IoT) will significantly increase the attack surface: an estimated 50bn
devices will be online by 2020 – providing hackers with a multitude of new attack points: in
each case the device itself can be hacked, or the software or the data in transit can present
a vulnerability. All this comes with potentially severe consequences; just think of what
happens when connected cars, smart grids, smart traffic control, etc. get compromised.
In an IoT world cyberattacks become physical attacks – extending the risks from ‘only’
our data to pretty much everything. What makes matters worse is that those devices are
frequently ‘dumb’, implying there is no embedded security or intelligence as developers
want to keep the cost of devices contained. Security takes the backseat when competing
with cost, usability or time to market. What happens is that the computing power of IoT
devices is being misused for DDoS attacks - and their combined power can take down even
the biggest targets.
Modular platforms will respond to customers’ quest for consolidation and integrationThere is a big quest for consolidation among security buyers. Historically the approach
has been what is termed ‘defense in depth’: trying to overcome the shortcomings of one
solution by creating redundancy and putting a number of security layers on top of each
other - in the hope that at least one layer will effectively fight the threat. We think this
layering architecture has reached its limits: the downside of the approach is that way too
many solutions have to be acquired which each need dedicated and costly hardware. This
has become expensive and inefficient at the same time: those various ‘point solutions’ do
not communicate with each other at all or if they do, they create a lot of latency, especially
in the cloud.
Cybersecurity - Turning threats into investment opportunities | 21
Lack of communication across point solutionsToo many point solutions create an oversight mess, as each application has its separate
interface. Security officers lose track of what is going on in their company, as they lack
one dashboard with which they can monitor all activity and threats. Most of all however,
valuable information gets lost along the way: sharing intelligence across end points
improves decisions and reduces false positives. What security officers yearn for is therefore
a comprehensive solution where threat intelligence from e.g. the endpoint is shared with
the network to improve the overall defense.
Figure 8 : Too many vendors create an oversight mess: the number of security vendors organizations use
Source: Cisco
Breaking down security silos: first moves towards modular security platformsWe see promising moves of incumbents towards building a security platform: many are
incorporating adjacent point solutions into their offering, and some are even making
bolder moves towards making ends meet; i.e. combining endpoint with network protection
solutions. We think over time offerings will become modular, with customers able to
turn modules on or off depending on their needs. Overall however, breadth is becoming
a more important decision criterion, both across solutions but importantly also across
environments (i.e. on premise, hybrid & cloud).
22 | Cybersecurity - Turning threats into investment opportunities
Figure 9 : Unified Threat Management: Example of consolidation in the network
Source: Credit Suisse Research
Cloud-based security will accelerate consolidationMore and more data workloads are moving to the cloud. While this clearly brings its own
and new cyber-risks, it also means companies automatically acquire some security via the
cloud architecture. In fact, the large and sophisticated cloud operators such as Google,
Microsoft and Amazon can offer security more effectively and efficiently than most small
or medium-sized companies could ever achieve with their own limited resources. In some
instances, this realization has been the very reason that some companies moved their
data workloads to the cloud. Cloud operators use a mixture of in-house security as well
as outside security vendors. While we do not expect them to become a major competitor
to security developers themselves, we do think their large purchasing power will be
deflationary and accelerate the consolidation in the market: we expect them to ask large
discounts from vendors in exchange for a broader part of the security pie.
Redundancy will never go away completelyWhile the ‘defense-in-depth’ approach is cost inefficient and at a certain point loses
effectiveness as too many layers create oversight issues, we think some degree of
redundancy will always be required. The industry joke goes that proposing a single security
supplier is the one definite way to get yourself fired as a chief technology officer. Choosing
to work with a single security supplier means opening yourself up to its vulnerabilities
in case the supplier gets compromised. Some degree of layering makes sense, as the
vulnerability left open by one vendor might be closed through another vendor. This
redundancy will come in the form of ‘best of breed’ products as we show next.
Unified Threat Management consolidates a number of network protection products into a ‘next generation platform’: the traditional firewall is combined with intrusion detection and prevention, anti virus software, etc.
Cybersecurity - Turning threats into investment opportunities | 23
Best of breed specialty expertise will remain relevantThe world of cybersecurity is highly complex and dynamic. As the general IT infrastructure
changes, new threat vectors develop, and new types of expertise will be required. Expertise
in one area does not necessarily translate to another. Just as new malicious actors are
always appearing on the play-ground, corresponding defenders will be evolving. For
example, the internet of things (IoT) will need a new type of security embedded in the chips
of IoT devices. This is a very different kind of game and likely to come out of the hands of
new, focused and specialized players. We think specialization – or best of breed - will forever
be relevant in a world where security and quality of product come first. As a platform with a
broad offering, it is hard to be the best at everything – which is why buyers will ‘top up’ with
best of breed.
The importance of scale as artificial intelligence enters securityHaving a large installed base has always been an important factor as switching costs in
the security industry are high. The transition to a new vendor bears a lot of risks, but the
incentive to change is low as upside is limited to often minor cost savings – at least as
long as your existing product also ‘does the job’. In addition, large players have a better
distribution reach and have already built credibility and familiarity with the important Value
Added Resellers (VARs) – advisors which are used by most buyers to find their way through
the security jungle.
Size will become even more important: artificial intelligence, or more specifically machine
learning, will help to assess behavioral patterns and make predictive analyses to detect
also previously unknown threats. Machine learning is based on big data, and the more you
see, the better your algorithm gets and hence the bigger your advantage is. This speaks
for covering as much of the security landscape as possible – e.g. from network to endpoint
– but also for having access to large databases of historical data which help to train your
algorithms. In other words, established players with a broad offering are better positioned
than smaller counterparts. Last but not least, those same incumbents have built substantial
financial power to ensure they stay on top of developments – either by spending heavily on
R&D or technical talent or through mergers & acquisitions.
24 | Cybersecurity - Turning threats into investment opportunities
Big hopes for machine learning in security: Traditional ‘signature-based protection’ builds
on a database of signatures containing all known threats which are consequently blocked.
The limitation is that you can only code what you know and you are not protected against
unknown threats – also called zero day threats. There is a constant race between defenders
and attackers – the former being required to constantly update their signature database
with new threats while the latter can just slightly deviate the signature to try to get through.
Machine learning will change that through the use of behavioral analysis to detect out-of-
the-ordinary behavior and hopefully also zero day threats.
Cybersecurity - Turning threats into investment opportunities | 25
Investing in cybersecurity
A core-satellite approach allows investors to benefit from the best of two worlds.
26 | Cybersecurity - Turning threats into investment opportunities
What do all these prospects for increased cybersecurity spending and changing internal
market dynamics mean for investors? The bright side is that the fast growth trajectory
of cybersecurity spending provides ample opportunities for solution providers to start
successful businesses in the land of cybersecurity - making it a dynamic and thriving market
place with lots of active players.
For listed equity investors, it pays to have exposure to the cybersecurity sector – not only
because of the high growth and cash generation stocks offer, but also because investing in
cybersecurity effectively provides a hedge in the portfolio against a negative impact from
cyberattacks on other holdings. However, with an ever increasing number of sub-segments
and players it is easy to get lost in the world of cybersecurity. Where in the industry is most
value generated and how sustainable are any competitive advantages gained? The figure
below shows that economic profit generation in the industry is skewed towards a few
players, is highly volatile and that in many cases economic profit is still negative.
Figure 10 : Cumulative Economic Profit Generation in the cybersec industry: volatile and historically dominated by a few players (Check Point, Symantec, Verisign, Trendmicro)
Source: HOLT, Robeco
In fact, while high market growth is providing a welcome tailwind for all players,
competition is fierce and success not guaranteed – especially not over longer time periods.
Investing in cybersecurity is tricky: competitive advantages and innovative technologies
generally do not last long. Defenders find themselves in a constant battle with a huge
number of attackers and have to make sure they stay ahead of new threats. Showing
1.000
500
0
500
1.000
1.500
2.000
2.500
3.000
2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018e
USD
thou
sand
s
Check Point So�ware Verisign Symantec Trendmicro Cyberark So�ware For�net Qualys
Sophos Keyw holding Mimecast SecureWorks Proofpoint ServiceNow Rapid7Imperva Palo Alto Splunk Hortonworks FireEye
Cybersecurity - Turning threats into investment opportunities | 27
nimbleness and responding quickly to the inevitable eventual breach is key. In a way, the
attackers are setting the agenda of defenders, which results in a certain ad-hoc nature of
the industry.
The challenge of sustainable innovation in the cybersecurity industry
In contrast to many other industries, plotting a course of sustainable innovation in the
cybersecurity industry presents a major challenge. The dynamic and reactive nature of the
market environment, where malicious actors set the pace and determine the course of
innovation, is largely to blame. In mainstream IT markets, technology companies can take
charge of their destiny by incrementally improving their product and value proposition
as the technology employed becomes faster, better and easier to use; i.e. sustainable
innovation Christensen-style. In the cybersecurity market it is always the latest threat, like
a game of whack-a-mole, that is dictating the innovation roadmap while improvement
of the value proposition (absence of serious breaches) is difficult to demonstrate, making
sustainable innovation a much more challenged endeavor.
Cybersecurity industry overview: a large and fragmented market
Source: Digital Guardian
28 | Cybersecurity - Turning threats into investment opportunities
Listed equity investor dilemmaFor listed equity investors there are incremental complications; small, nimble companies
develop innovative next generation solutions best suited for today’s cloud infrastructure
and therefore show high growth profiles. But they are not always listed or offer sufficient
trading liquidity. Not all of them have proven business models and clear paths to
profitability. In addition, in this dynamic and fast-moving industry, today’s winners might
be tomorrow’s losers. The larger, more established players on the other hand, offer the
desired stability and profitability but might lack innovative power and frequently grow at
sub-market rates.
Figure 11 : A wide range of growth rates and margins in cybersecurity – and hinting to a negative relationship between the two!
Source: Bloomberg, Robeco
Investing in cybersecurity with a ‘core-satellite’ strategy In our view, a prudent way to gain exposure to cybersecurity’s most attractive parts, is
to buy a basket of listed companies in the fastest growing segments of the cybersecurity
landscape around a core of established legacy players. The latter offer longer term
sustainable competitive advantages and a proven track record of generating economic
profit. We would term this a ‘core-satellite’ approach. We think there are opposing forces
at work which in a way keep each other in check and will ensure that while the big,
established platforms will get bigger, there will always be some room for small innovative
entrants into the industry.
PALO ALTO
CHECK POINT
FIREEYE
FORTINET
PROOFPOINT
SYMANTEC
SOPHOS
MIMECAST
SPLUNK
GEMALTO
CYBERARK
IMPERVA
QUALYS
SECUREWORKS
RAPID7
Trend Micro
HORTONWORKS
-5%
0%
5%
10%
15%
20%
25%
30%
35%
-40% -30% -20% -10% 0% 10% 20% 30% 40% 50% 60% 70%
2018
Blo
om
berg
co
nsen
sus
gro
wth
exp
ecta
tio
n
2018 Bloomberg consensus EBIT Margin expectation
Cybersecurity - Turning threats into investment opportunities | 29
Figure 12: Even in the most mature and consolidated sub-segment of cybersecurity – the network - market share shifts can be dramatic
Source: IDC, Credit Suisse Research
The core of the portfolio – the strength of the incumbentsWe think the core of a portfolio should consist of more established players, who we think
will ultimately succeed in creating an integral and holistic platform to security. While
their growth rates are not always something to write home about, we like their margin
structures and their strong cash flow generation gives them ample strategic options.
Importantly, this will allow them to become industry consolidators over time, as they will
integrate now separate offerings into a one-stop shop offering for security. In this way, they
generate substantial value for their customers and create a moat around their businesses.
The innovative power of new entrantsWhile some incumbents are fast followers and capable of integrating new functionalities
into their platform offerings, the real innovation in the industry generally comes from small
players or completely new entrants. Capable of reacting with agility to the drastic changes
the cloud brought to the IT architecture, these legacy-free new entrants attract with cloud-
native solutions. While obviously coming with a higher risk profile, their innovation activity
translates into high growth rates, making them attractive and complementary additions to
the portfolio.
‘Established players create platforms which integrate more and more services into their one-stop offering. At the same time, new solutions are developed. Over time, they too will get absorbed into platforms. And so it will continue.’
30 | Cybersecurity - Turning threats into investment opportunities
Table 2: Summary of advantages of incumbents and new entrants
Advantages of incumbents Advantages of new entrants
Scale and size benefits (distribution, machine
learning, financial spending power)
Agility, nimbleness, fast response to new trends
Possibility to consolidate functionality/
provide a one-stop offering
Best of breed, specific expertise
High switching costs protect the installed base Not constraint by legacy
Cloud-induced consolidation Cloud-native in both technology and business model
Source:Robeco
Cybersecurity - Turning threats into investment opportunities | 31
Active investor engagement on
cybersecurity
Investors benefit from engaging in an active dialogue with portfolio holdings on their cyber- readiness. Best practices should involve both technological and procedural aspects.
32 | Cybersecurity - Turning threats into investment opportunities
Active investor engagement on cybersecurity a mustWhile there is a lot of opportunity to invest in attractive cybersecurity segments, there is
a flip side of the coin as well: spending on cybersecurity is a fast growing cost item for the
vast majority of businesses; a clear negative. For the moment however, this is unlikely to
impact profit margins too severely. At less than 5% of total IT spending for most companies,
the cost of protecting against cyber insecurity can still be absorbed relatively easily. What is
less predictable and potentially much more devastating is of course the cost associated with
a successful breach – more and more reflected in sharp share price declines such as after
the Equifax breach. It is therefore in investors’ best interest to encourage companies to up
their cybergame via active engagements. Importantly, on top of technological factors, this
investor engagement should comprise behavioral aspects with a focus on internal policies
and controls. Without the right people even the best IT infrastructure is of limited value.
The human factor, scalability and the valuation implication
Cybersecurity hard- and software devices, including artificial intelligence, are indispensable
tools in the combat against cyberattacks. Without them, the volume of cyberthreats would
simply overwhelm any human line of defense. Unfortunately, these devices also generate
a lot of false alarms. False alarms, in fact, outnumber valid alarms by a wide margin.
This is a serious problem, since tracking down false alarms uses up valuable and scarce
resources. The Ponemon Institute, for instance, recently reported that over 20 percent of
endpoint security investigation spending was wasted on these false alarms. In addition,
corporate productivity may suffer as uninfected applications are shut down on suspicion of
being infected with malware. According to a Barkly survey of IT administrators, 42 percent
of companies believe that their users lost productivity as a result of false positive results.
Human intervention by highly skilled cybersecurity experts is, therefore, often necessary to
determine whether perceived threats are real or false. In addition, the course of action to
be followed after a legitimate threat has been discovered, almost always requires human
judgement or supervision as well; if only because the solution needs to be company-
specific in most instances.
In short, while the arsenal of automated cybersecurity tools is growing prodigiously, no
fully automated response to all cyberthreats exists and the unavoidable employment of
scarce human resources puts a cap on the scalability of cybersecurity solutions. Capped
scalability of cybersecurity solutions due to limited availability of human resources may
have implications for cybersecurity firms’ growth potential and, consequently, for valuation
as well. An interesting Deloitte research paper finds that services businesses, where growth
potential is determined by the availability of human labor, on average sell at about half the
revenue multiple as service companies which produce intellectual property, like software,
Cybersecurity - Turning threats into investment opportunities | 33
and that do not suffer from this restraint. Being positioned somewhere between these
ends of the spectrum, this would imply that cybersecurity firms should sell at a discount in
terms of revenue multiple to pure software companies, but at a premium to pure services
companies.
Humans often remain the weakest linkNo matter what companies spend on technical cybersecurity solutions, in the end success
hinges on the judicious and disciplined implementation of cybersecurity policies. In most
cyberincidents, negligent and / or risky behavior, disregard for and / or ignorance of
procedures and sloppy implementation of security policies by company employees lie at
the root of the problem. People are the weakest link in any organization’s cybersecurity
armor. The recent Equifax breach provides a poignant example. The company had already
been informed about the technical fix for the weakness that was eventually exploited
well before the breach happened. It needed to implement a tool called Apache Struts, yet
Equifax failed to do so fully in a timely manner. Nothing would have happened if the right
processes had been in place and followed diligently. We are not claiming that this is always
an easy task; the large number of false positives are troublesome for CTOs: due to the sheer
number of them, a mere and shocking 4% of alerts are actually investigated. As a side note,
we think the value of an integrated platform would exactly be to bring the number of alerts
down to the relevant threats.
Figure 13: Number and status of malware alerts in a week
Source: Bernstein, Ponemon Institute
34 | Cybersecurity - Turning threats into investment opportunities
Nevertheless, a lot, therefore, depends on an organization’s culture, explicit policies and
agility in developing resilience to cyberthreats. It is rapidly becoming an important part
of an organization’s governance profile. To ensure that companies have the right culture
and policies in place, investors have to be vigilant that companies follow procedures, train
their workforce and keep up with the latest developments. Active engagement on the
topic of cybersecurity by investors can play a vital part in fostering the right culture to keep
cybersecurity risks at a minimum.
Extensive ESG integration and engagement around cybersecurity at RobecoRobeco is therefore starting an extensive engagement trajectory on cybersecurity with
a number of selected holdings. We are working together with industry experts to assess
the cyber-resilience of an organization based on factors such as IT structures, protocols
and controls, but also an organization’s cyberstrategy and culture. In addition, Robeco
will increasingly include its assessment of cyber-resilience in its sustainability analysis
of investment candidates and portfolio holdings. We will follow up in due time with the
findings from our cybersecurity engagement and integration in a separate publication.
Cybersecurity - Turning threats into investment opportunities | 35
APPENDIX | Who’s who in cyber-land?
Appendix 1: The attackers: main actors
Actors (est. % of attacks) Main motivations Characteristics Typical type of attacks
Individual cybercriminals (50%) Monetary Sophisticated Ransomware
Nation state hackers (~18%) Cyberespionage Highly
sophisticated
Advanced Persistent
Threats (APT)
Cyberactivists (~7%) Political agenda,
ideology, revenge
Not necessarily
cyberexperts
DDoS, Botnets
(Disgruntled) insiders (~25%)
Revenge, financial
or simply human
error
Even without
sophistication
highly harmful
Various
Source: Robeco, Verizon
Appendix 2: The defenders: Listed equity cybersecurity universe (size represents market cap)
Source: Robeco, Bloomberg data
Appendix 3: A short word on blockchain and cybersecurity
Until now blockchain – or rather its application bitcoin - has been more of a tool of the
attackers: bitcoin made ransom payments easier to transact and more difficult to track.
Over time, however, market participants expect blockchain to contribute significantly and
36 | Cybersecurity - Turning threats into investment opportunities
APPENDIX | Who’s who in cyber-land?
positively to cybersafety. First and foremost this is due to the decentralized architecture
of the blockchain. There is simply no central archive anymore that could be hacked. To
compromise an account, the hacker would have to attack all nodes in the network at the
same time rather than only a single computer. In addition, it is more difficult to falsify
information due to the decentralized storage and the consensus required to alter data.
What will this mean for the cybersecurity industry from an investment perspective? It is very
early days and therefore hard to tell with certainty, but our guess would be that endpoint
security would probably be better positioned than network security: parameter protection
just becomes less relevant in a decentralized world, while all the various endpoints in
the decentralized blockchain need protection. Technologies like sandboxing and micro
segmentation come to mind as well.
Literature – Jeroen van Oerle, Frank van der Spek, Patrick Lemmens, Vaulting financial technology,
December 2015
– Ponemon Institute, 2017 Cost of Data Breach Study, June 2017
– IBM, Transforming the approach to phishing detection and protection, March 2017
– ITRC, 2018 Data Breach Report, January 2018
– FBI, IC3 2016 Internet Crime Report, June 2017
– Deloitte, Take the lead on cyber risk, 2017
– TIA Cybersecurity Report, February 2015
– Researchgate; Cynthia Wagner, Security and network monitoring based on internal flow
measurements, March 2012
– www.lepide.com/blog/the-lepide-checklist-for-gdpr-compliance/, March 2017
– Cisco, Midyear Cybersecurity Report, July 2017
– digitalguardian.com/information-security-industryscape, November 2014
– IDC FutureScape: Worldwide Security Products and Services 2017 Predictions, IDC Web
Conference, December 2016
Cybersecurity - Turning threats into investment opportunities | 37
Important Information Robeco Institutional Asset Management B.V. has a license as manager of Undertakings for Collective Investment in Transferable Securities (UCITS) and Alternative Investment Funds (AIFs) (“Fund(s)”) from The Netherlands Authority for the Financial Markets in Amsterdam. This document is solely intended for professional investors, defined as investors qualifying as professional clients, have requested to be treated as professional clients or are authorized to receive such information under any applicable laws. Robeco Institutional Asset Management B.V and/or its related, affiliated and subsidiary companies, (“Robeco”), will not be liable for any damages arising out of the use of this document. Users of this information who provide investment services in the European Union have their own responsibility to assess whether they are allowed to receive the information in accordance with MiFID II regulations. To the extent this information qualifies as a reasonable and appropriate minor non-monetary benefit under MiFID II, users that provide investment services in the European Union are responsible to comply with applicable recordkeeping and disclosure requirements. The content of this document is based upon sources of information believed to be reliable and comes without warranties of any kind. Without further explanation this document cannot be considered complete. Any opinions, estimates or forecasts may be changed at any time without prior warning. If in doubt, please seek independent advice. It is intended to provide the professional investor with general information on Robeco’s specific capabilities, but has not been prepared by Robeco as investment research and does not constitute an investment recommendation or advice to buy or sell certain securities or investment products and/or to adopt any investment strategy and/or legal, accounting or tax advice. All rights relating to the information in this document are and will remain the property of Robeco. This material may not be copied or used with the public. No part of this document may be reproduced, or published in any form or by any means without Robeco’s prior written permission. Investment involves risks. Before investing, please note the initial capital is not guaranteed. Investors should ensure that they fully understand the risk associated with any Robeco product or service offered in their country of domicile (“Funds”). Investors should also consider their own investment objective and risk tolerance level. Historical returns are provided for illustrative purposes only. The price of units may go down as well as up and the past performance is not indicative of future performance. If the currency in which the past performance is displayed differs from the currency of the country in which you reside, then you should be aware that due to exchange rate fluctuations the performance shown may increase or decrease if converted into your local currency. The performance data do not take account of the commissions and costs incurred on trading securities in client portfolios or on the issue and redemption of units. Unless otherwise stated, the prices used for the performance figures of the Luxembourg-based Funds are the end-of-month transaction prices net of fees up to 4 August 2010. From 4 August 2010, the transaction prices net of fees will be those of the first business day of the month. Return figures versus the benchmark show the investment management result before management and/or performance fees; the Fund returns are with dividends reinvested and based on net asset values with prices and exchange rates of the valuation moment of the benchmark. Please refer to the prospectus of the Funds for further details. Performance is quoted net of investment management fees. The ongoing charges mentioned in this document are the ones stated in the Fund’s latest annual report at closing date of the last calendar year. This document is not directed to, or intended for distribution to or use by any person or entity who is a citizen or resident of or located in any locality, state, country or other jurisdiction where such distribution, document, availability or use would be contrary to law or regulation or which would subject any Fund or Robeco Institutional Asset Management B.V. to any registration or licensing requirement within such jurisdiction. Any decision to subscribe for interests in a Fund offered in a particular jurisdiction must be made solely on the basis of information contained in the prospectus, which information may be different from the information contained in this document. Prospective applicants for shares should inform themselves as to legal requirements also applying and any applicable exchange control regulations and applicable taxes in the countries of their respective citizenship, residence or domicile. The Fund information, if any, contained in this document is qualified in its entirety by reference to the prospectus, and this document should, at all times, be read in conjunction with the prospectus. Detailed information on the Fund and associated risks is contained in the prospectus. The prospectus and the Key Investor Information Document for the Robeco Funds can all be obtained free of charge at www.robeco.com.
Additional Information for US investorsNeither Robeco Institutional Asset Management B.V. nor the Robeco Capital Growth Funds have been registered under the United States Federal Securities Laws, including the Investment Company Act of 1940, as amended, the United States Securities Act of 1933, as amended, or the Investment Advisers Act of 1940. No Fund shares may be offered or sold, directly or indirectly, in the United States or to any US Person. A US Person is defined as (a) any individual who is a citizen or resident of the United States for federal income tax purposes; (b) a corporation, partnership or other entity created or organized under the laws of or existing in the United States; (c) an estate or trust the income of which is subject to United States federal income tax regardless of whether such income is effectively connected with a United States trade or business. Robeco Institutional Asset Management US Inc. (“RIAM US”), an Investment Adviser registered with the Securities and Exchange Commission under the Investment Advisers Act of 1940, is a wholly owned subsidiary of ORIX Corporation Europe N.V. and offers investment advisory services to institutional clients in the US. In connection with these advisory services, RIAM US will utilize shared personnel of its affiliates, Robeco Nederland B.V. and Robeco Institutional Asset Management B.V., for the provision of investment, research, operational and administrative services.
Additional Information for investors with residence or seat in Australia and New ZealandThis document is distributed in Australia by Robeco Hong Kong Limited (ARBN 156 512 659) (“Robeco”), which is exempt from the requirement to hold an Australian financial services license under the Corporations Act 2001 (Cth) pursuant to ASIC Class Order 03/1103. Robeco is regulated by the Securities and Futures Commission under the laws of Hong Kong and those laws may differ from Australian laws. This document is distributed only to “wholesale clients” as that term is defined under the Corporations Act 2001 (Cth). This document is not for distribution or dissemination, directly or indirectly, to any other class of persons. In New Zealand, this document is only available to wholesale investors within the meaning of clause 3(2) of Schedule 1 of the Financial Markets Conduct Act 2013 (‘FMCA’). This document is not for public distribution in Australia and New Zealand.
Additional Information for investors with residence or seat in AustriaThis information is solely intended for professional investors or eligible counterparties in the meaning of the Austrian Securities Oversight Act.
Additional Information for investors with residence or seat in BrazilThe Fund may not be offered or sold to the public in Brazil. Accordingly, the Fund has not been nor will be registered with the Brazilian Securities Commission – CVM, nor has it been submitted to the foregoing agency for approval. Documents relating to the Fund, as well as the information contained therein, may not be supplied to the public in Brazil, as the offering of the Fund is not a public offering of securities in Brazil, nor may they be used in connection with any offer for subscription or sale of securities to the public in Brazil.
Additional Information for investors with residence or seat in CanadaNo securities commission or similar authority in Canada has reviewed or in any way passed upon this document or the merits of the securities described herein, and any representation to the contrary is an offence. Robeco Institutional Asset Management B.V. is relying on the international dealer and international adviser exemption in Quebec and has appointed McCarthy Tétrault LLP as its agent for service in Quebec.
Additional Information for investors with residence or seat in ColombiaThis document does not constitute a public offer in the Republic of Colombia. The offer of the Fund is addressed to less than one hundred specifically identified investors. The Fund may not be promoted or marketed in Colombia or to Colombian residents, unless such promotion and marketing is made in compliance with Decree 2555 of 2010 and other applicable rules and regulations related to the promotion of foreign Funds in Colombia.
Additional Information for investors with residence or seat in the Dubai International Financial Centre (DIFC), United Arab EmiratesThis material is being distributed by Robeco Institutional Asset Management B.V. (Dubai Office) located at Office 209, Level 2, Gate Village Building 7, Dubai International Financial Centre, Dubai, PO Box 482060, UAE. Robeco Institutional Asset Management B.V. (Dubai office) is regulated by the Dubai Financial Services Authority (“DFSA”) and only deals with Professional Clients or Market Counterparties and does not deal with Retail Clients as defined by the DFSA.
Additional Information for investors with residence or seat in FranceRobeco is at liberty to provide services in France. Robeco France (only authorized to offer investment advice service to professional investors) has been approved under registry number 10683 by the French prudential control and resolution authority (formerly ACP, now the ACPR) as an investment firm since 28 September 2012.
Additional Information for investors with residence or seat in GermanyThis information is solely intended for professional investors or eligible counterparties in the meaning of the German Securities Trading Act.
Additional Information for investors with residence or seat in Hong Kong The contents of this document have not been reviewed by the Securities and Futures Commission (“SFC”) in Hong Kong. If you are in any doubt about any of the contents of this document, you should obtain independent professional advice. This document has been distributed by Robeco Hong Kong Limited (“Robeco”). Robeco is regulated by the SFC in Hong Kong.
Additional Information for investors with residence or seat in ItalyThis document is considered for use solely by qualified investors and private professional clients (as defined in Article 26 (1) (b) and (d) of Consob Regulation No. 16190 dated 29 October 2007). If made available to Distributors and individuals authorized by Distributors to conduct promotion and marketing activity, it may only be used for the purpose for which it was conceived. The data and information contained in this document may not be used for communications with Supervisory Authorities. This document does not include any information to determine, in concrete terms, the investment inclination and, therefore, this document cannot and should not be the basis for making any investment decisions.
Additional Information for investors with residence or seat in PeruThe Fund has not been registered with the Superintendencia del Mercado de Valores (SMV) and is being placed by means of a private offer. SMV has not reviewed the information provided to the investor. This document is only for the exclusive use of institutional investors in Peru and is not for public distribution.
Additional Information for investors with residence or seat in ShanghaiThis material is prepared by Robeco Investment Management Advisory (Shanghai) Limited Company (“Robeco Shanghai”) and is only provided to the specific objects under the premise of confidentiality. Robeco Shanghai has not yet been registered as a private fund manager with the Asset Management Association of China. Robeco Shanghai is a wholly foreign-owned enterprise established in accordance with the PRC laws, which enjoys independent civil rights and civil obligations. The statements of the shareholders or affiliates in the material shall not be deemed to a promise or guarantee of the shareholders or affiliates of Robeco Shanghai, or be deemed to any obligations or liabilities imposed to the shareholders or affiliates of Robeco Shanghai.
Additional Information for investors with residence or seat in SingaporeThis document has not been registered with the Monetary Authority of Singapore (“MAS”). Accordingly, this document may not be circulated or distributed directly or indirectly to persons in Singapore other than (i) to an institutional investor under Section 304 of the SFA, (ii) to a relevant person pursuant to Section 305(1), or any person pursuant to Section 305(2), and in accordance with the conditions specified in Section 305, of the SFA, or (iii) otherwise pursuant to, and in accordance with the conditions of, any other applicable provision of the SFA. The contents of this document have not been reviewed by the MAS. Any decision to participate in the Fund should be made only after reviewing the sections regarding investment considerations, conflicts of interest, risk factors and the relevant Singapore selling restrictions (as described in the section entitled “Important Information for Singapore Investors”) contained in the prospectus. You should consult your professional adviser if you are in doubt about the stringent restrictions applicable to the use of this document, regulatory status of the Fund, applicable regulatory protection, associated risks and suitability of the Fund to your objectives. Investors should note that only the sub-funds listed in the appendix to the section entitled “Important Information for Singapore Investors” of the prospectus (“Sub-Funds”) are available to Singapore investors. The Sub-Funds are notified as restricted foreign schemes under the Securities and Futures Act, Chapter 289 of Singapore (“SFA”) and are invoking the exemptions from compliance with prospectus registration requirements pursuant to the exemptions under Section 304 and Section 305 of the SFA. The Sub-Funds are not authorized or recognized by the MAS and shares in the Sub-Funds are not allowed to be offered to the retail public in Singapore. The prospectus of the Fund is not a prospectus as defined in the SFA. Accordingly, statutory liability under the SFA in relation to the content of prospectuses would not apply. The Sub-Funds may only be promoted exclusively to persons who are sufficiently experienced and sophisticated to understand the risks involved in investing in such schemes, and who satisfy certain other criteria provided under Section 304, Section 305 or any other applicable provision of the SFA and the subsidiary legislation enacted thereunder. You should consider carefully whether the investment is suitable for you. Robeco Singapore Private Limited holds a capital markets services license for fund management issued by the MAS and is subject to certain clientele restrictions under such license.
Additional Information for investors with residence or seat in SpainThe Spanish branch Robeco Institutional Asset Management B.V., Sucursal en España, having its registered office at Paseo de la Castellana 42, 28046 Madrid, is registered with the Spanish Authority for the Financial Markets (CNMV) in Spain under registry number 24.
Additional Information for investors with residence or seat in SwitzerlandThis document is exclusively distributed in Switzerland to qualified investors as defined in the Swiss Collective Investment Schemes Act (CISA) by Robeco Switzerland AG which is authorized by the Swiss Financial Market Supervisory Authority FINMA as Swiss representative of foreign collective investment schemes, and UBS Switzerland AG, Bahnhofstrasse 45, 8001 Zurich, postal address: Europastrasse 2, P.O. Box, CH-8152 Opfikon, as Swiss paying agent. The prospectus, the Key Investor Information Documents (KIIDs), the articles of association, the annual and semi-annual reports of the Fund(s), as well as the list of the purchases and sales which the Fund(s) has undertaken during the financial year, may be obtained, on simple request and free of charge, at the office of the Swiss representative Robeco Switzerland AG, Josefstrasse 218, CH-8005 Zurich. The prospectuses are also available via the website www.robeco.ch.
Additional Information for investors with residence or seat in the United Arab EmiratesSome Funds referred to in this marketing material have been registered with the UAE Securities and Commodities Authority (the Authority). Details of all Registered Funds can be found on the Authority’s website. The Authority assumes no liability for the accuracy of the information set out in this material/document, nor for the failure of any persons engaged in the investment Fund in performing their duties and responsibilities.
Additional Information for investors with residence or seat in the United KingdomRobeco is subject to limited regulation in the UK by the Financial Conduct Authority. Details about the extent of our regulation by the Financial Conduct Authority are available from us on request.
Additional Information for investors with residence or seat in UruguayThe sale of the Fund qualifies as a private placement pursuant to section 2 of Uruguayan law 18,627. The Fund must not be offered or sold to the public in Uruguay, except in circumstances which do not constitute a public offering or distribution under Uruguayan laws and regulations. The Fund is not and will not be registered with the Financial Services Superintendency of the Central Bank of Uruguay. The Fund corresponds to investment funds that are not investment funds regulated by Uruguayan law 16,774 dated September 27, 1996, as amended.
Additional Information concerning RobecoSAM Collective Investment SchemesThe RobecoSAM collective investment schemes (“RobecoSAM Funds”) in scope are sub funds under the Undertakings for Collective Investment in Transferable Securities (UCITS) of MULTIPARTNER SICAV, managed by GAM (Luxembourg) S.A., (“Multipartner”). Multipartner SICAV is incorporated as a Société d’Investissement à Capital Variable which is governed by Luxembourg law. The custodian is State Street Bank Luxembourg S.C.A., 49, Avenue J. F. Kennedy, L-1855 Luxembourg. The prospectus, the Key Investor Information Documents (KIIDs), the articles of association, the annual and semi-annual reports of the RobecoSAM Funds, as well as the list of the purchases and sales which the RobecoSAM Fund(s) has undertaken during the financial year, may be obtained, on simple request and free of charge, via the website www.robecosam.com or www.funds.gam.com.
Version Q1/18