At CyberGRX, we quantify and analyze the risk a third party poses to a company. We discuss their maturity, their coverage of certain attack vectors, and their impact on a company; in short, practically every confounding and contextual variable. However, there is a demonstrated lack of focus on a third party’s financial capability to provide a mature cybersecurity system. This article seeks to explain what drives funding for cybersecurity systems and companies in general, the current industry trends regarding its financing, and specific funding insights for third-party cyber risk management.
In 2004, the global cybersecurity market was worth $3.5 billion. Fast-forward 13 years, and this number has increased 34-fold, with the industry regularly making front-page news. Bank of America CEO Brian Moynihan said that the bank spent over $1 billion per year on cybersecurity, up from $300 million when he first became CEO 11 years ago. He famously said that the bank had an unlimited cybersecurity budget. One database predicts that global spending on cybersecurity products and services will exceed $1 trillion in the next few years. It is abundantly clear from the increased spending on cybersecurity that it, and by proxy third-party cyber risk management, is an increasingly prevalent concern for companies in all business sectors.
What is driving this substantial increase in funding into cybersecurity companies and into individual company cybersecurity programs? There are a number of factors. Firstly, there has been an increase in the number of data breaches and lost records over the past few years. In 2016, there were 4,227 data breaches; in 2019, there were almost double that number. Similarly, in 2020 there were 37.2 million lost records, whereas in the first half of 2021 there have been 18.8 billion lost records. These drastic numbers precipitate drastic reactions. The average corporate spend on internal cybersecurity programs has risen in response, with US companies spending almost a billion dollars more between 2019 and 2020 to protect themselves. Simultaneously, venture capital funding into seed-stage cybersecurity companies has also risen. 2020 was a record year for VC investments, with over $7.8 billion invested into the industry. $3.7 billion had already been invested into this market by March 2021, leading experts to believe it will far surpass the 2020 record.
Secondly, there has been an escalation in the financial toll of ransomware and other cyber-attacks. One source predicts cybercrime will cost businesses more than $6 trillion annually. It anticipates ransomware damages of $20 billion in 2021, over 57 times greater than the $325 million worth of damages in 2015. Furthermore, between 2020 and 2021, there has been a 10% increase in the average total cost of a breach, the largest single-year cost increase in the past seven years. Because of these climbing numbers, there has been a heightened acknowledgement of cybersecurity in corporate C-suite meetings. The number of earnings calls which mentioned the term ‘cybersecurity’ rose from 200 mentions in the second quarter of 2016 to over 350 in the first quarter of 2021. There has also been an intensified focus on cybersecurity in governmental institutions, in response to nationwide cybersecurity breaches arising from companies like SolarWinds, Kaseya, and Colonial Pipeline. The US government is set to spend an $18.78 billion budget for cybersecurity in 2021, compared to $16.94 billion in 2019. In fact, the Singaporean government in 2018 formed the world’s first commercial cyber risk pool, a vehicle to provide cyber insurance to corporations, and has committed up to $1 billion in risk. The heightened consequences of a cybersecurity breach or attack have motivated governments and executives to invest more in cybersecurity companies and their own cybersecurity programs.
Finally, the COVID-19 pandemic has been a fundamental driver in cybersecurity financing. Due to the increased reliance on the cloud and other internet-based services, there have been more opportunities for malicious actors to hack or breach companies. One source notes that cybercrime has increased by 600% since the start of the pandemic in March 2020. An IBM report created in conjunction with the Ponemon Institute found that in 17.5% of breaches, remote work was the factor which caused the breach. In these 17.5%, there was a $1.07 million average increase in the cost of resolving the breach. Overall, remote work increased data breach costs in the US by around $137,000, whether or not the breach was caused by remote work. This is partly due to the lengthened process of identifying and containing the breach. Although the remote-work effects on a breach will diminish as people return to the office, the digital transformation and rapid acceleration in reliance on technology, and thus the increase in opportunity for malicious actors, are irreversible.
Trends demonstrate that there is an increase in financing to cybersecurity companies overall, yet there are fewer deals being conducted. On the one hand, seed-stage deals were at a 5-year low in 2020 and the number of IPOs and acquisitions also fell. On the other hand, there was a marked increase in deals worth over $100 million. In fact, by July of this year, the amount of money raised in 2021, $9 billion in 309 deals, has already surpassed the record-breaking $7.8 billion raised by security companies in 2020. Evidently, the cybersecurity industry is moving towards consolidation, where there are fewer, higher-profile deals and companies.
Moreover, there is a rise in funding for individual companies’ cybersecurity systems. Although a slowdown in overall IT spending is expected, the prioritization of security means its financing will not cease. Even though the Fortune 500 companies have the most money to spend, with companies like Microsoft investing more than $1 billion per year into cybersecurity and calling it the ‘central challenge of the digital age’, every organization is looking to improve its systems. Gartner estimated worldwide spending increased by 10.5% in 2019, and ESG conducted a study which demonstrated that 62% of surveyed businesses mentioned they would increase their cybersecurity spending. It is clear that all companies see cybersecurity as an important asset to their online environments and are allotting more and more of their budget accordingly.
Geographical patterns are also important to keep in mind. Industry experts mention monitoring Israel’s expanding role in the cybersecurity sphere. Israel has the largest year-on-year growth in the industry, at 4%. A third of the world’s cybersecurity unicorns are in Israel, and between January and July 2021, Israel’s tech sector raised $10.5 billion, which matches the 2020 total. Having said this, the United States still maintains the greatest slice, 53%, with China, Israel and the United Kingdom together fueling 27% of the industry. Even though the US remains the most prominent, Israel’s technology sector is developing at such a rate that it is definitely a region to watch.
“A company is only as strong as its weakest partner.” This is the ethos behind and motivation for third-party cyber risk management. The IBM and Ponemon Institute report contained a number of interesting findings. One particularly important finding was that 51% of data breaches within the past 12 months were caused by a third party. An average of $7.5 million was needed to resolve a data breach caused by a third party, compared to only $3.92 million to rectify a data breach directly affecting a company. There are also many hidden costs that are not taken into consideration, such as having to find another provider while the critical vendor is compromised. As companies spend more time thinking about cybersecurity, there will be a subsequent increased focus on managing their third-party risk as it becomes synonymous with their own internal cybersecurity maturity.
The world’s attention is on the cybersecurity industry. Forbes called it one of “2021’s Top Six Emerging Industries to Invest In.” And rightfully so. With the world’s expanding digitalization showing no signs of ceasing, cybersecurity is progressively more important.
Bursztynsky, J. “Bank of America spends over $1 Billion per year on cybersecurity, CEO Brian Moynihan says.” CNBC, 14 June, 2021.
Crunchbase. Report: The Rise of Global Cybersecurity Venture Funding. 30 March, 2021.
Er, C. “Singapore Sets Up World’s First Commercial Cyber Risk Pool.” Channel News Asia, 29 October, 2018.
Firch, J. “10 Cyber Security Trends You Can’t Ignore in 2021.” PurpleSec, 29 April, 2021.
IBM Security and the Ponemon Institute. Cost of a Data Breach Report: 2021.
Johnson, J. “US Government: Proposed Cyber Security Spending in FY 2017-2021.” Statista, 25 January, 2021.
Leyes, K. “2021’s Top Six Emerging Industries to Invest In.” Forbes, 19 April, 2021.
Metinko, C. “Funding Pours Into Cybersecurity as Mid-Year 2021 Numbers Eclipse Last Year’s Total.” Crunchbase News, 9 July, 2021.
Morgan, S. “Global Cybersecurity Spending Predicted to Exceed $1 Trillion from 2017-2021.” Cybercrime Magazine, 10 June, 2019.
The CB Insights Team. Cyber Defenders 2021.
Yochay, T. “Israel’s tech industry is booming, growing pains and all.” Protocol, 15 July, 2021.