It has happened often enough that it's basically a cliche at this point: Shares of security tech stocks get bid higher after a big malware attack occurs or a major data breach is disclosed, as investors bet that the bad news will spur companies and institutions to up their security IT spending. And in some cases, perhaps, overspend on security as CIOs and others in charge of a firm's IT security worry that their jobs could be at risk if their firm falls victim to a major attack.
But this time around, equity markets haven't responded much to a new high-profile ransomware attack. This likely has a lot to do with how much was priced in last month following the WannaCry ransomware breakout, as well as how easy it is to secure systems against the particular exploit that both attacks rely on.
On Tuesday, June 27, various European companies and government agencies reported being hit by a form of ransomware known as Petya or Petrwrap. Ukraine has been hit particularly hard, with the country's central bank, utilities and transportation agencies all reporting attacks. Other casualties include British ad giant WPP, Russian oil giant Rosneft and packaged food giant Mondelez International Inc. (MDLZ) - Get Report .
Like WannaCry, Petya relies on a Windows vulnerability known as EternalBlue. The exploit takes over a PC's master boot record, and then tries to either encrypt its master file table or simply encrypt all the files on a PC's hard drive. Users typically have to pay a $300 Bitcoin ransom to decrypt their files.
It's easy to see why something like this could be a major headache for a company or agency infected on a large scale, and could frighten CIOs at firms that haven't been hit into making sure that they won't be next. Nonetheless, the PureFunds ISE Cyber Security ETF finished the day down 1.2%, nearly matching the Nasdaq's 1.6% decline.
The story was very different in May after WannaCry infected several hundred thousand PCs. Then, the PureFunds ETF rallied to fresh 52-week highs as shares of security tech names, many of which had already posted strong March quarter reports, were bid up en masse.
Notable gainers included FireEye Inc. (FEYE) - Get Report , which among other things provides software to protect endpoints and forensics services that determine how an attack occurred. Others included e-mail and database protection software firm Proofpoint Inc. (PFPT) - Get Report , security appliance vendor Barracuda Networks Inc. and firewall vendors Palo Alto Networks Inc. (PANW) - Get Report and Fortinet Inc (FTNT) - Get Report .
Aside from the fact that markets had already accounted for CIOs potentially upping their security spend to protect against ransomware attacks, investors might not be reacting much to Petya because Microsoft Corp. (MSFT) - Get Report released a Windows patch in March that addressed EternalBlue. Since then, the company has also patched older versions of Windows that it no longer officially supports, such as Windows XP.
In other words, WannaCry and Petya infected PCs that either hadn't installed a freely-available security patch that Microsoft had pushed to Windows users, or in some cases ran outdated versions of Windows. This by itself isn't a problem that requires big cybersecurity investments to address. However, companies wanting to protect themselves against potential future exploits might invest in things such as better endpoint security and malware-detection software, as well as in data backup software and services.
Either way, as the strong earnings reports released since April by Palo Alto, Fortinet, Proofpoint and several other security tech plays show, security was already a strong point in an IT spending environment where cloud app and infrastructure adoption is causing major upheaval. Last October, IDC estimated global security hardware, software and services spending would grow at an 8.3% compound annual rate from 2016 to 2020, reaching $101.6 billion. Gartner has also released upbeat forecasts for security IT spending.
Thus, while the ransomware hype cycle may have played out its course with security tech stocks, the backdrop against which it played out still looks pretty good.