Stocks in cybersecurity stocks rose sharply in premarket trading May 15 on the heels of the WannaCry scam. Wall Street is buzzing about any company with tentacles in the business of fighting off cyber attacks, and as always, it’s creating a narrative-based rally that will soon dry up when reality hits.
WannaCry is ransomware that began infecting Windows-based PCs and networks last week, locking up files and demanding Bitcoin to release them. Its spread was slowed by the discovery of a “kill switch” — an unregistered domain a security researcher registered, telling the virus code to back off, but new versions are now reportedly out that don’t have that bug.
Microsoft Corporation (NASDAQ:MSFT) was made aware of the problem some time ago, and if you have patched your personal or corporate systems, WannaCry won’t get you. But many people have not done that.
The real problem is something security legend Bruce Schneier calls the “window of exposure” for computer bugs. Vulnerability rises quickly when a vulnerability is announced, peaks when a patch is released, but never goes back to zero because many don’t apply the patch.
Windows of Hype
This reality has created a “window of hype” around cybersecurity stocks. They jump when attention is paid to the subject, but come back to Earth once investors realize that they are not the answer.
Monday’s trading in leading computer security companies illustrates this. Palo Alto Networks Inc (NYSE:PANW) rose over 4% as trading opened. Shares in FireEye Inc (NASDAQ:FEYE), profiled here recently for changing its strategy from that of a product to a service, shot up over 7%. Symantec Corporation (NASDAQ:SYMC), best known for its antivirus products, gained almost 5%, and Proofpoint Inc (NASDAQ:PFPT), a “security as a service” vendor, was improving by more than 8%.
None of these moves are based on financial results, just the assumption that corporate security departments will panic as fast as their users do, delivering fat sales and big profits.
But reality usually does not match the hype.
Palo Alto, for instance, fell sharply after reporting earnings in early March, and the latest turn of the hype cycle still leaves it $30 per share below its Feb. 28 close. The chart of FireEye looks better, but it is still below the highs of last July. Proofpoint has never shown a profit, having gone public in 2012 and focusing on investing ahead of demand.
Smaller companies, which are naturally more volatile, are the best performers in the sector when the hype cycle hits. But Cisco Systems, Inc. (NASDAQ:CSCO), which has been investing heavily in computer security in recent years, is also up … just by a relatively meager 2.2%.
Hope for the Shorts
There is a way to make money from this, if you’re willing to go short.
It’s going to be discovered — probably within a month, possibly within a week — that the offerings of these companies are no protection against the latest threat, and that regular patching of systems is the best defense. At that point, the current bubble will deflate, possibly quickly.
Using options, based on prices returning to normal, on the more volatile issues like FireEye or Proofpoint should thus be an easy way to make money.
The problem is that this has not occurred to just me. Options on FEYE going out two weeks at prices of $14.50 to $15.50 are very popular right now while the stock is trading near $16.
The Investor Lesson
The key lesson for investors is not to get wound up in the hype. Don’t go chasing computer security stocks based on the news. Look at the fundamentals. Look for growth rates, look for profits and look for scale as your assurance that the financial news will follow the technical.
As an investor, then, Cisco is the play. CSCO is up 29% over the last year, not entirely due to computer security. And if I’m wrong, you’re still getting a dividend paying 3.4%.
Dana Blankenhorn is a financial and technology journalist. He is the author of the political polemic Saving Trumpistan, Restoring Democracy, available now at the Amazon Kindle store. Write him at firstname.lastname@example.org or follow him on Twitter at @danablankenhorn. As of this writing, he owned shares in MSFT.