Cybersecurity - Turning threats into investment opportunities€¦ · success, it is not an easy place to invest in. The cybersecurity space is extremely dynamic and has shifted course

Cybersecurity - Turning threats into investment opportunities

WHITE PAPER June 2018

Vera KrückelTrends Analyst Steef Bergakker Trends Analyst & Portfolio Manager

For professional investors

Introduction The incidence and severity of cyberattacks has accelerated over the last couple of years. In response, spending on cybersecurity has been stepped up by governments, private enterprises and individuals alike. With the advent of tighter data privacy regulation, a rapidly expanding attack surface and a growing army of resourceful hackers, spending is likely to shift into an even higher gear.

Investors can profit from this dynamic growth market by employing a strategy consisting of a core of established players with durable competitive advantages, supplemented with a basket of young challengers who are the first in employing the latest technologies.

2 | Cybersecurity - Turning threats into investment opportunities

Contents Intro 2

Executive summary 5

Cybercrime - the downside of digitization 8

Market overview 16

Structural developments 19

Investing in cybersecurity 26

Active Investor Engagement in cybersecurity 32

Appendix 36


Executive summary

Without a doubt cybersecurity is a growth market. High single- to low double-digit growth rates of security spending are highly likely over the next five to ten years. Investing in the extra-ordinarily dynamic cybersecurity space is no easy pickings, however. We recommend a core-satellite approach.

Cybersecurity - Turning threats into investment opportunities | 5

Cybercrime is estimated to be a USD 445bn industry. Cybersecurity USD 92bn. The most lucrative business on the internet nowadays is fraud.

By 2021 there will be an estimated 3.5m unfilled cybersecurity positions worldwide.

The first computer worm was created by Robert Morris in 1981.

25% of all breaches are caused by internal actors.

The Target breach cost the company USD 160m, while Anthem faced a bill of USD 100m.

Malicious actors are inside companies’ infrastructure a median number of 205 days.

Approximately 1,600 companies are active in the cybersecurity market.

USD 19bn – the US government cybersecurity budget.

Cybercrime detracts 20% of the value creation of the internet, a cost that could build up to USD 3tn by 2020.

The average IOT device was attacked once every 2 minutes in 2017.

Interesting stats & figures


Cyberincidents accelerating and becoming a major concernDigitization and connectivity have greatly boosted economic and social prosperity as more

people than ever before can now interact commercially or socially and gain access to the

accumulating knowledge base of humanity through a handheld device. Unfortunately, this

unprecedented boon also has a significant downside: malevolent actors have seized the

opportunities offered by digitization and connectivity as well. Cybercrime is on the rise.

Spending on cybersecurity to step upThe world has not stood idly by. Spending on cybersecurity has been high for many

years and is likely to be stepped up as the number and severity of cyberattacks increase.

Reputable market forecasters like IDC and Gartner are expecting high single- to low double-

digit increases in cybersecurity spend in the years to come. Drivers do not only include

a rapidly expanding attack surface and growing hacker sophistication, but also tighter

government regulation of data privacy, as exemplified by the General Data Protection

Regulation (GDPR) that was introduced in Europe in May 2018.

Cybersecurity offers investment opportunities aplenty, but caution is required While the high-growth cybersecurity market presents many opportunities for investment

success, it is not an easy place to invest in. The cybersecurity space is extremely dynamic

and has shifted course many times in the past as cyberthreats morphed, offering

opportunities for new players with new solutions but also leaving many fleeting former

success stories in its wake. Building a sustainable competitive advantage has proven

difficult, even for the most agile operators. The current move from on-premise to cloud

computing is presenting the latest, and a particularly challenging, directional market

shift, as cloud-based security requires very different solutions from on-premise security.

Opportunity knocks, but investors should tread carefully, in our view.

We recommend a core-satellite approachGiven the challenges of a rapidly changing cybersecurity environment and the difficulty

of pinpointing future long-term winners, prudent investors should seek exposure to this

market through a core of established companies with strong competitive advantages and

a proven ability to generate economic profits, in our view. While to date mostly active in

the slower growing on-premise part of the cybersecurity market, these companies are

best positioned to build the multi-threat security platforms that are or will be increasingly

demanded by clients. To capture the higher growth from cloud-based security solutions,

we recommend to supplement this core with a satellite basket of fast growing challenger

companies that invent new technologies and currently are mostly active in cloud-based

security solutions.

‘A balanced approach of combining established players with proven track records with a basket of fast growing challengers is recommended’


Cybercrime -the downside

of digitization and connectivity

2017 marks the year in which cybercrime came of age, as several high-profile hacks made the headlines. Cybersecurity is now high on both the public and private agenda. Spending on cybersecurity is likely to pick up pace in the years ahead as regulation tightens, the attack surface expands and hackers become more resourceful.


Cybercrime makes it to the headlinesWhether it is foreign governments meddling with elections, shady cyber-extortionists

employing ransomware or the wholesale loss of sensitive client data, the public at large

is increasingly being confronted with something that cyberexperts have been seriously

concerned with for a long time: cybercrime. The attempts of Russian hackers to influence

the 2016 American presidential elections probably appeal strongest to the general public’s

imagination in that respect. However, last year an unprecedented number of other

cyberattacks made headlines as well. The threat landscape is diverse and dynamic; from

wide-ranging and hugely costly ransomware attacks like WannaCry and NotPetya to the

shocking revelation that bureau Equifax, one of the largest credit bureaus in the US, had

experienced a data breach that exposed personal information of a whopping 143 million

people: cybercrime suddenly seemed to be all over the news.

The figure below outlines the most common categories of cyberthreats today.

Figure 1: Today’s cybersecurity threat landscape

Source: IBM

In addition, while technically certainly not a cybercrime, the recent Facebook / Cambridge

Analytica row concerning the exploitation of user data has put the whole issue of data

ownership and related security issues firmly on the political agenda. Clearly, a public raw

nerve has been touched.


Public concern backed up by worrisome numbersThe recent rapidly growing public concern with cybersecurity is not based on a whim, but

backed up by a host of worrisome numbers:

– Research from cybersecurity firm Symantec shows that ransomware attacks worldwide

increased by 36 percent in 2017.

– Also according to Symantec, 1 in 123 emails is infected by malware.

– In 2017, 6.5% of cyber-active people were victims of identity fraud with fraudsters

stealing USD 16bn according to Javelin Strategy & Research.

The graph below vividly shows the recent acceleration in data breaches in the US.

Figure 2: Data breaches accelerating

Source:Identity Theft Resource Center; CyberScout

The reported cost of cybercrime has been growing at a staggering rateNot surprisingly, the cost of cybercrime has gone through the roof. The graph below shows

that the cost of cybercrime as reported to IC3, the Internet Complaint Center, has exploded

from USD 17.8m to 1,330m from 2001 to 2016. That is a staggering compound annual

growth rate (CAGR) of 31%.


Figure 3: Monetary damage caused by cybercrime reported to the IC3

Source: FBI; IC3; US Department of Justice

Reported cost is just the tip of the icebergIt is well known that reported numbers of cybercrime incidence are an underestimation of

the true numbers. Affected companies are naturally reluctant to disclose such incidents,

which may dent their reputation and, consequently, hurt their commercial operations.

Moreover, the reported commercial damage is likely to be significantly understated as well.

A study by Deloitte suggests that the indirect and less tangible costs of cyberattacks may

well represent the bulk of the total cost of cybercrime. Deloitte distinguishes 14 cyberattack

impact factors; 7 well-known cyberincident costs (above the surface) and 7 hidden or less

visible costs (beneath the surface).

Table 1: Deloitte’s 14 cyberattack impact factors

Above the surface Beneath the surface

Technical investigation costs Insurance premium increases

Customer breach notification costs Increased cost to raise debt

Post-breach customer protection costs Impact of operational disruption or destruction

Regulatory compliance costs Lost value of customer relationships

Attorney fees and litigation costs Value of lost contract revenue

Estimated cost of cybersecurity improvements Devaluation of trade name

Public relations costs Loss of intellectual property

Source: Deloitte


According to the study, the beneath-the-surface costs can amount to 90 percent of the total

impact on an organization and will most likely be experienced two years or more after the

incident. Typically, the reputational damage as reflected in the devaluation of a trade name

leads to loss of customer relationships and lost contract value. Over longer time periods,

these hidden cost categories inflict the greatest damage to an organization. Taking the true

cost of cyberincidents into account, potentially increasing the already impressive tally of

reported costs by a factor of ten, clearly highlights the extent of the cybercrime problem.

Global spending on cybersecurity to exceed USD 100bn by 2019The growing number of cyberattacks has prompted a veritable spending spree on products

to counter the cyberthreat among governments, private enterprises and individuals alike. In

the US alone, spending on cybersecurity has grown by roughly 12% per annum since 2010.

Figure 4 : Spending on cybersecurity in the US from 2010 - 2018e

Source: TIA (Telecommunications Industry Association)

While the size of the global market is difficult to estimate due to the proliferation of new

products and services offered by hundreds of new market entrants, reputable market

forecasters Gartner and IDC both put the current size at around USD 80 - 90bn. Gartner has

predicted worldwide security spending will increase by eight percent in 2018, to reach a

value of USD 96 billion by the end of the year, while IDC forecasts that spending will reach

USD 120bn in 2021. While the discrepancy of the forecasts is already an indication of how

immature and dynamic the market still is, it seems safe to expect that global spending on

cybersecurity will exceed USD 100bn in 2019. Three overarching trends are driving security

spending:


1. A dynamic threat landscape

2. Increasing regulatory pressures

3. An expanding attack surface

1. A dynamic threat landscape: Cyberattackers and defenders are locked in an arms

race

As the graph below illustrates, the sophistication of cyberattacks has been rising steadily

through time, while the required sophistication of the attackers has been declining

as the availability of easy-to-use cyberattack tools has proliferated. This has forced the

cybersecurity community to respond with ever more sophisticated products to keep the

threats at bay. Effectively, cyberattackers and defenders are locked in an arms race the

end of which is nowhere in sight. This arms race is one of the major drivers of increasing

cybersecurity spend.

Figure 5 : Trend of technical intruder knowledge vs. attack complexity

Source: Researchgate; Cynthia Wagner; Security and network monitoring based on internet flow measurements (Mar 2012)

‘As with many burdensome regulations, the playing field is likely to be tilted in favor of large companies that have the means and resources to comply with them.’


2. Increasing regulatory pressures: European regulators are stepping up cybersecurity

requirements

In Europe new regulations will be implemented in 2018 including the General Data

Protection Regulation (GDPR) and Network and Information Security (NIS) Directive. GDPR

tightens rules on EU citizens’ personal data protection and usage for commercial purposes

while the NIS Directive sets cybersecurity standards for operators of essential digital services

like search engines, cloud services and online marketplaces. Among other stipulations,

companies will be required to report cyberattacks and data leaks within 72 hours or face

fines of EUR 20m or 4% of global revenue, whichever is bigger. The regulations apply to all

companies with business activities in Europe, which in a practical sense extends the reach

of these regulations to global proportions. Obviously, companies are highly motivated

to protect themselves against the growing risks of cyberattack and data loss as these

regulations go live. It is to be expected that cybersecurity spending will receive a boost from

these regulations.

The figure below illustrates the challenges companies face in implementing GDPR

compliance.

Figure 6 : Checklist for GDPR compliance

Source: Lepide.com

3. An expanding attack surface: Increased connectivity equals increased cyberthreats

equals increased cybersecurity spending

Growth in data generation and data traffic is the ultimate driver of the growing need for

cybersecurity as cybercriminals are provided with an ever expanding number of human and

digital targets. Similarly, increased connectivity expands the attack surface - driven by a still


rapidly growing number of internet users and, vastly more significantly, by the connection

of sensors, machines and wearable devices to the internet. Estimates of a ‘big data bang’

vary, but it is absolutely clear that the world’s digital content will explode in the coming

years. Cisco estimates more than 50 billion objects will be connected by 2020.

Figure 7 : Cisco’s projections for the Internet of Things

Source: Cisco

In view of this hugely expanding attack surface many observers think that current forecasts

for cybersecurity spending are too low. For example, Cybersecurity Ventures, a private

research and market intelligence outfit, projects 12%-15% annual cybersecurity market

growth through 2021 amounting to cumulative spend on cybersecurity exceeding USD 1

trillion from 2017 to 2021.


A market overview

The cybersecurity world is ever-changing with new sub-segments forming and disappearing continuously. Accordingly, the underlying dynamics of the different sub-segments can vary dramatically.


An ever-changing universe with many different ways to slice and dice into sub-segments So far the ‘magic bullet’ has not been found and most corporations revert to a ‘defense in

depth approach’ to cybersecurity. This effectively means putting several layers of defense

on top of each other. Many solutions are complementary, but often enough there is some

overlap. Below we provide an overview of the main segments. This slicing and dicing

exercise is meant to bring some structure to the ever-shifting and therefore often confusing

cyberspace. Segment distinctions are by no means set in stone - to the contrary, as the

space is very dynamic, many segments are overlapping, and more importantly, merging

over time.

A rising tide lifts all boats – yet it pays to be selective Network security – mainly firewalls - is the largest segment, followed by endpoint security,

identity and access management and security and vulnerability management. Growth

rates, the level of consolidation and differentiation vary widely between the different

segments as well as over time. The table below gives an overview of the main segments.

An alternative is to classify cybersecurity segments by function, which can deliver valuable

insights as well:

1. Organizations first of all must prevent or block cyberthreats

2. Quickly detect malicious activity

3. Respond in real time and show overall resilience

Security products need to work seamlessly across cloud, hybrid and on-premise environmentsOverall, we observe a move from spending on protection – blocking threats with e.g.

firewalls – towards detection and response – i.e. how to best detect and respond to

the inevitable breach. Segments such as identity & access management, security and

vulnerability management and regulatory advisory and analytics are therefore the flavor of

the day and are likely to show above industry level growth rates over the next years. To stay

relevant in the longer term however, we think the more important criteria are whether a

solution works seamlessly across on-premise, hybrid and cloud environments and is ‘open’

in the sense that it shares and integrates intelligence with other point solutions.


Segment Description Main developments Main players Market size Outlook

Network protection – Firewalls

Building thick and high walls in order to keep the bad guys out. Firewalls are the largest and most mature segment, comparatively consolidated and in the process of integrating more and more network security functionalities into the offering (for example intrusion prevention and encryption). This is termed next generation firewalls or Unified Threat Management.

Recently, the notion has come up that perimeter protection - where everything in the inside is trusted and everything on the outside is not - is outdated. This is because the perimeter becomes porous in a cloud environment and does not protect against insiders which have been involved in many high-profile breaches. Credentialing services, micro segmentation and sandboxing are therefore becoming more prevalent in network protection.

Checkpoint, Cisco, Palo Alto and Fortinet.

Estimated to be an USD 11bn market in 2016. Gartner estimates a CAGR of 9% through 2020.

We think incremental dollars will shift elsewhere, but firewalls will remain a significant part of the security architecture.

Endpoint threat Protection

Protecting the various end devices connected to a network such as PCs, servers, smartphones, tablets or IoT devices. The segment can be further subdivided into corporate and consumer endpoints.

We expect the endpoint to be the next segment that consolidates more functionalities into a next generation platform (largely detection & response tools). We think machine learning will also become a more important feature on endpoints, allowing defenders to deal with unknown threats.

Symantec, Intel, Trend Micro and Sophos.

A USD 10bn market in 2016, roughly equally split into consumer and corporate endpoints. Gartner estimates a CAGR of 4% through 2020.

We expect endpoint protection to witness a renaissance with more IoT endpoints needing protection.

Access control: identity and access management

Managing what a user has access to in an organization and what not. The right individuals are enabled to do the right things at the right point in time.

User management has become more important recently, after insiders have increasingly been involved in attacks. Privileged Access Management focuses on users with access to a company’s treasures, often on individuals with administrator rights.

IBM, EMC, Oracle and Cyber Ark.

Market size is estimated to be USD 5.4bn in 2016. Gartner estimates a CAGR of 8% through 2020.

Increasingly important as insiders have been a big part of the problem but limited total addressable market (TAM) opportunity.

Security & vulnerability with biggest segment Security Analytics (SIEM)

Aggregate and analyze all data from the network and endpoints. Monitor for unusual behavior in real time, be able to react much more quickly and deploy predictive analysis. Includes also forensics and testing for vulnerabilities.

Increasingly, the realization that there is no 100% protection and an attack can never completely be prevented, has shifted the focus to the response strategy after an organization has been breached. Hacks are becoming harder to detect – malware has often been inside an organization’s systems for months before detection. GDPR’s requirements regarding the publication of hacks and data loss will make this segment increasingly important.

IBM, Hewlett Packard, EMC, Splunk

SIEM was a USD 1.9bn market in 2015, the larger security & vulnerability market USD 6bn. Gartner estimates a CAGR of 12% through 2020.

Increasingly important; both diagnostic capabilities and integration of threat intelligence across vectors.


Structural developments

Change from the in- and outside: While the quest for integration will drive industry consolidation, the cloud and IoT will open the door to new and nimble industry entrants.


The story of cybersecurity is not just about a likely step-up in spending. It is also a story

about internal changes of the cybersecurity market. We see a number of structural trends

that shape the cybersecurity industry. New technologies such as the (hybrid) cloud, IoT

and machine learning (ML) bring tremendous change from the outside - but also internal

industry developments such as consolidation or limits around the so-called ‘defense in

depth’ approach will leave its marks over the years to come. We will outline the most

important developments below.

Cloud changes the technology…The era of cloud computing has completely changed the security game – and this is true

from both a technology and a business model perspective. Change is easier to deal with for

new players with no legacy and accordingly we have seen new industry entrants capturing

quite some market share in the cloud. In the old days, the name of the game was to protect

the walls of the castle with a firewall. However, in the distributed architecture of the cloud

there are simply no more walls to protect; the perimeter is blurring to say the least.

Rather than distinguishing between the inside and the outside, the industry is now using a

combination of techniques such as sandboxing or micro-segmentation (isolating threats)

to protect what’s valuable. Similarly, credentialing or authenticating tools control what is

allowed to whom, when and where. Finally, while security literally came in a box in the old

days – i.e. would run on dedicated hardware - the cloud knows virtualized environments,

requiring only software to be installed. The fact that no more dedicated hardware needs

to be installed through a lengthy process means that cloud-based solutions can be trialed

much more easily. We think this will accelerate the rate of change.

Outdated world: a broader security platform made up by separate hardware items for

each security application: we would hardly call that an integrated platform!

Source: Cisco

‘Sandboxing isolates programs preventing malware from damaging the rest of your computer as well. Micro-segmentation works according to a similar philosophy, but then in a data center’s virtualized environment.’


… as well as the business model: security as a service This also has an effect on the business model: before security vendors were selling a

piece of hardware with a license model, but now they are selling security(software) as

a service. From a financial perspective, this means revenues no longer consist of large

upfront payments for a license plus some maintenance fee, but of periodical rental fees in a

subscription-based model. While this might over time result in a higher value capture and

stability, initially it translates into optically lower revenues – in other words a very disruptive

and risky move for legacy players to make. This opens the door a bit wider for more nimble

‘cloud-native’ players.

IoT introduces a massive amount of new challengesThe internet of things (IoT) will significantly increase the attack surface: an estimated 50bn

devices will be online by 2020 – providing hackers with a multitude of new attack points: in

each case the device itself can be hacked, or the software or the data in transit can present

a vulnerability. All this comes with potentially severe consequences; just think of what

happens when connected cars, smart grids, smart traffic control, etc. get compromised.

In an IoT world cyberattacks become physical attacks – extending the risks from ‘only’

our data to pretty much everything. What makes matters worse is that those devices are

frequently ‘dumb’, implying there is no embedded security or intelligence as developers

want to keep the cost of devices contained. Security takes the backseat when competing

with cost, usability or time to market. What happens is that the computing power of IoT

devices is being misused for DDoS attacks - and their combined power can take down even

the biggest targets.

Modular platforms will respond to customers’ quest for consolidation and integrationThere is a big quest for consolidation among security buyers. Historically the approach

has been what is termed ‘defense in depth’: trying to overcome the shortcomings of one

solution by creating redundancy and putting a number of security layers on top of each

other - in the hope that at least one layer will effectively fight the threat. We think this

layering architecture has reached its limits: the downside of the approach is that way too

many solutions have to be acquired which each need dedicated and costly hardware. This

has become expensive and inefficient at the same time: those various ‘point solutions’ do

not communicate with each other at all or if they do, they create a lot of latency, especially

in the cloud.


Lack of communication across point solutionsToo many point solutions create an oversight mess, as each application has its separate

interface. Security officers lose track of what is going on in their company, as they lack

one dashboard with which they can monitor all activity and threats. Most of all however,

valuable information gets lost along the way: sharing intelligence across end points

improves decisions and reduces false positives. What security officers yearn for is therefore

a comprehensive solution where threat intelligence from e.g. the endpoint is shared with

the network to improve the overall defense.

Figure 8 : Too many vendors create an oversight mess: the number of security vendors organizations use

Source: Cisco

Breaking down security silos: first moves towards modular security platformsWe see promising moves of incumbents towards building a security platform: many are

incorporating adjacent point solutions into their offering, and some are even making

bolder moves towards making ends meet; i.e. combining endpoint with network protection

solutions. We think over time offerings will become modular, with customers able to

turn modules on or off depending on their needs. Overall however, breadth is becoming

a more important decision criterion, both across solutions but importantly also across

environments (i.e. on premise, hybrid & cloud).


Figure 9 : Unified Threat Management: Example of consolidation in the network

Source: Credit Suisse Research

Cloud-based security will accelerate consolidationMore and more data workloads are moving to the cloud. While this clearly brings its own

and new cyber-risks, it also means companies automatically acquire some security via the

cloud architecture. In fact, the large and sophisticated cloud operators such as Google,

Microsoft and Amazon can offer security more effectively and efficiently than most small

or medium-sized companies could ever achieve with their own limited resources. In some

instances, this realization has been the very reason that some companies moved their

data workloads to the cloud. Cloud operators use a mixture of in-house security as well

as outside security vendors. While we do not expect them to become a major competitor

to security developers themselves, we do think their large purchasing power will be

deflationary and accelerate the consolidation in the market: we expect them to ask large

discounts from vendors in exchange for a broader part of the security pie.

Redundancy will never go away completelyWhile the ‘defense-in-depth’ approach is cost inefficient and at a certain point loses

effectiveness as too many layers create oversight issues, we think some degree of

redundancy will always be required. The industry joke goes that proposing a single security

supplier is the one definite way to get yourself fired as a chief technology officer. Choosing

to work with a single security supplier means opening yourself up to its vulnerabilities

in case the supplier gets compromised. Some degree of layering makes sense, as the

vulnerability left open by one vendor might be closed through another vendor. This

redundancy will come in the form of ‘best of breed’ products as we show next.

Unified Threat Management consolidates a number of network protection products into a ‘next generation platform’: the traditional firewall is combined with intrusion detection and prevention, anti virus software, etc.


Best of breed specialty expertise will remain relevantThe world of cybersecurity is highly complex and dynamic. As the general IT infrastructure

changes, new threat vectors develop, and new types of expertise will be required. Expertise

in one area does not necessarily translate to another. Just as new malicious actors are

always appearing on the play-ground, corresponding defenders will be evolving. For

example, the internet of things (IoT) will need a new type of security embedded in the chips

of IoT devices. This is a very different kind of game and likely to come out of the hands of

new, focused and specialized players. We think specialization – or best of breed - will forever

be relevant in a world where security and quality of product come first. As a platform with a

broad offering, it is hard to be the best at everything – which is why buyers will ‘top up’ with

best of breed.

The importance of scale as artificial intelligence enters securityHaving a large installed base has always been an important factor as switching costs in

the security industry are high. The transition to a new vendor bears a lot of risks, but the

incentive to change is low as upside is limited to often minor cost savings – at least as

long as your existing product also ‘does the job’. In addition, large players have a better

distribution reach and have already built credibility and familiarity with the important Value

Added Resellers (VARs) – advisors which are used by most buyers to find their way through

the security jungle.

Size will become even more important: artificial intelligence, or more specifically machine

learning, will help to assess behavioral patterns and make predictive analyses to detect

also previously unknown threats. Machine learning is based on big data, and the more you

see, the better your algorithm gets and hence the bigger your advantage is. This speaks

for covering as much of the security landscape as possible – e.g. from network to endpoint

– but also for having access to large databases of historical data which help to train your

algorithms. In other words, established players with a broad offering are better positioned

than smaller counterparts. Last but not least, those same incumbents have built substantial

financial power to ensure they stay on top of developments – either by spending heavily on

R&D or technical talent or through mergers & acquisitions.


Big hopes for machine learning in security: Traditional ‘signature-based protection’ builds

on a database of signatures containing all known threats which are consequently blocked.

The limitation is that you can only code what you know and you are not protected against

unknown threats – also called zero day threats. There is a constant race between defenders

and attackers – the former being required to constantly update their signature database

with new threats while the latter can just slightly deviate the signature to try to get through.

Machine learning will change that through the use of behavioral analysis to detect out-of-

the-ordinary behavior and hopefully also zero day threats.


Investing in cybersecurity

A core-satellite approach allows investors to benefit from the best of two worlds.


What do all these prospects for increased cybersecurity spending and changing internal

market dynamics mean for investors? The bright side is that the fast growth trajectory

of cybersecurity spending provides ample opportunities for solution providers to start

successful businesses in the land of cybersecurity - making it a dynamic and thriving market

place with lots of active players.

For listed equity investors, it pays to have exposure to the cybersecurity sector – not only

because of the high growth and cash generation stocks offer, but also because investing in

cybersecurity effectively provides a hedge in the portfolio against a negative impact from

cyberattacks on other holdings. However, with an ever increasing number of sub-segments

and players it is easy to get lost in the world of cybersecurity. Where in the industry is most

value generated and how sustainable are any competitive advantages gained? The figure

below shows that economic profit generation in the industry is skewed towards a few

players, is highly volatile and that in many cases economic profit is still negative.

Figure 10 : Cumulative Economic Profit Generation in the cybersec industry: volatile and historically dominated by a few players (Check Point, Symantec, Verisign, Trendmicro)

Source: HOLT, Robeco

In fact, while high market growth is providing a welcome tailwind for all players,

competition is fierce and success not guaranteed – especially not over longer time periods.

Investing in cybersecurity is tricky: competitive advantages and innovative technologies

generally do not last long. Defenders find themselves in a constant battle with a huge

number of attackers and have to make sure they stay ahead of new threats. Showing

1.000

500

0

500

1.000

1.500

2.000

2.500

3.000

2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018e

USD

thou

sand

s

Check Point So�ware Verisign Symantec Trendmicro Cyberark So�ware For�net Qualys

Sophos Keyw holding Mimecast SecureWorks Proofpoint ServiceNow Rapid7Imperva Palo Alto Splunk Hortonworks FireEye


nimbleness and responding quickly to the inevitable eventual breach is key. In a way, the

attackers are setting the agenda of defenders, which results in a certain ad-hoc nature of

the industry.

The challenge of sustainable innovation in the cybersecurity industry

In contrast to many other industries, plotting a course of sustainable innovation in the

cybersecurity industry presents a major challenge. The dynamic and reactive nature of the

market environment, where malicious actors set the pace and determine the course of

innovation, is largely to blame. In mainstream IT markets, technology companies can take

charge of their destiny by incrementally improving their product and value proposition

as the technology employed becomes faster, better and easier to use; i.e. sustainable

innovation Christensen-style. In the cybersecurity market it is always the latest threat, like

a game of whack-a-mole, that is dictating the innovation roadmap while improvement

of the value proposition (absence of serious breaches) is difficult to demonstrate, making

sustainable innovation a much more challenged endeavor.

Cybersecurity industry overview: a large and fragmented market

Source: Digital Guardian


Listed equity investor dilemmaFor listed equity investors there are incremental complications; small, nimble companies

develop innovative next generation solutions best suited for today’s cloud infrastructure

and therefore show high growth profiles. But they are not always listed or offer sufficient

trading liquidity. Not all of them have proven business models and clear paths to

profitability. In addition, in this dynamic and fast-moving industry, today’s winners might

be tomorrow’s losers. The larger, more established players on the other hand, offer the

desired stability and profitability but might lack innovative power and frequently grow at

sub-market rates.

Figure 11 : A wide range of growth rates and margins in cybersecurity – and hinting to a negative relationship between the two!

Source: Bloomberg, Robeco

Investing in cybersecurity with a ‘core-satellite’ strategy In our view, a prudent way to gain exposure to cybersecurity’s most attractive parts, is

to buy a basket of listed companies in the fastest growing segments of the cybersecurity

landscape around a core of established legacy players. The latter offer longer term

sustainable competitive advantages and a proven track record of generating economic

profit. We would term this a ‘core-satellite’ approach. We think there are opposing forces

at work which in a way keep each other in check and will ensure that while the big,

established platforms will get bigger, there will always be some room for small innovative

entrants into the industry.

PALO ALTO

CHECK POINT

FIREEYE

FORTINET

PROOFPOINT

SYMANTEC

SOPHOS

MIMECAST

SPLUNK

GEMALTO

CYBERARK

IMPERVA

QUALYS

SECUREWORKS

RAPID7

Trend Micro

HORTONWORKS

-5%

0%

5%

10%

15%

20%

25%

30%

35%

-40% -30% -20% -10% 0% 10% 20% 30% 40% 50% 60% 70%

2018

Blo

om

berg

co

nsen

sus

gro

wth

exp

ecta

tio

n

2018 Bloomberg consensus EBIT Margin expectation


Figure 12: Even in the most mature and consolidated sub-segment of cybersecurity – the network - market share shifts can be dramatic

Source: IDC, Credit Suisse Research

The core of the portfolio – the strength of the incumbentsWe think the core of a portfolio should consist of more established players, who we think

will ultimately succeed in creating an integral and holistic platform to security. While

their growth rates are not always something to write home about, we like their margin

structures and their strong cash flow generation gives them ample strategic options.

Importantly, this will allow them to become industry consolidators over time, as they will

integrate now separate offerings into a one-stop shop offering for security. In this way, they

generate substantial value for their customers and create a moat around their businesses.

The innovative power of new entrantsWhile some incumbents are fast followers and capable of integrating new functionalities

into their platform offerings, the real innovation in the industry generally comes from small

players or completely new entrants. Capable of reacting with agility to the drastic changes

the cloud brought to the IT architecture, these legacy-free new entrants attract with cloud-

native solutions. While obviously coming with a higher risk profile, their innovation activity

translates into high growth rates, making them attractive and complementary additions to

the portfolio.

‘Established players create platforms which integrate more and more services into their one-stop offering. At the same time, new solutions are developed. Over time, they too will get absorbed into platforms. And so it will continue.’


Table 2: Summary of advantages of incumbents and new entrants

Advantages of incumbents Advantages of new entrants

Scale and size benefits (distribution, machine

learning, financial spending power)

Agility, nimbleness, fast response to new trends

Possibility to consolidate functionality/

provide a one-stop offering

Best of breed, specific expertise

High switching costs protect the installed base Not constraint by legacy

Cloud-induced consolidation Cloud-native in both technology and business model

Source:Robeco


Active investor engagement on

cybersecurity

Investors benefit from engaging in an active dialogue with portfolio holdings on their cyber- readiness. Best practices should involve both technological and procedural aspects.


Active investor engagement on cybersecurity a mustWhile there is a lot of opportunity to invest in attractive cybersecurity segments, there is

a flip side of the coin as well: spending on cybersecurity is a fast growing cost item for the

vast majority of businesses; a clear negative. For the moment however, this is unlikely to

impact profit margins too severely. At less than 5% of total IT spending for most companies,

the cost of protecting against cyber insecurity can still be absorbed relatively easily. What is

less predictable and potentially much more devastating is of course the cost associated with

a successful breach – more and more reflected in sharp share price declines such as after

the Equifax breach. It is therefore in investors’ best interest to encourage companies to up

their cybergame via active engagements. Importantly, on top of technological factors, this

investor engagement should comprise behavioral aspects with a focus on internal policies

and controls. Without the right people even the best IT infrastructure is of limited value.

The human factor, scalability and the valuation implication

Cybersecurity hard- and software devices, including artificial intelligence, are indispensable

tools in the combat against cyberattacks. Without them, the volume of cyberthreats would

simply overwhelm any human line of defense. Unfortunately, these devices also generate

a lot of false alarms. False alarms, in fact, outnumber valid alarms by a wide margin.

This is a serious problem, since tracking down false alarms uses up valuable and scarce

resources. The Ponemon Institute, for instance, recently reported that over 20 percent of

endpoint security investigation spending was wasted on these false alarms. In addition,

corporate productivity may suffer as uninfected applications are shut down on suspicion of

being infected with malware. According to a Barkly survey of IT administrators, 42 percent

of companies believe that their users lost productivity as a result of false positive results.

Human intervention by highly skilled cybersecurity experts is, therefore, often necessary to

determine whether perceived threats are real or false. In addition, the course of action to

be followed after a legitimate threat has been discovered, almost always requires human

judgement or supervision as well; if only because the solution needs to be company-

specific in most instances.

In short, while the arsenal of automated cybersecurity tools is growing prodigiously, no

fully automated response to all cyberthreats exists and the unavoidable employment of

scarce human resources puts a cap on the scalability of cybersecurity solutions. Capped

scalability of cybersecurity solutions due to limited availability of human resources may

have implications for cybersecurity firms’ growth potential and, consequently, for valuation

as well. An interesting Deloitte research paper finds that services businesses, where growth

potential is determined by the availability of human labor, on average sell at about half the

revenue multiple as service companies which produce intellectual property, like software,


and that do not suffer from this restraint. Being positioned somewhere between these

ends of the spectrum, this would imply that cybersecurity firms should sell at a discount in

terms of revenue multiple to pure software companies, but at a premium to pure services

companies.

Humans often remain the weakest linkNo matter what companies spend on technical cybersecurity solutions, in the end success

hinges on the judicious and disciplined implementation of cybersecurity policies. In most

cyberincidents, negligent and / or risky behavior, disregard for and / or ignorance of

procedures and sloppy implementation of security policies by company employees lie at

the root of the problem. People are the weakest link in any organization’s cybersecurity

armor. The recent Equifax breach provides a poignant example. The company had already

been informed about the technical fix for the weakness that was eventually exploited

well before the breach happened. It needed to implement a tool called Apache Struts, yet

Equifax failed to do so fully in a timely manner. Nothing would have happened if the right

processes had been in place and followed diligently. We are not claiming that this is always

an easy task; the large number of false positives are troublesome for CTOs: due to the sheer

number of them, a mere and shocking 4% of alerts are actually investigated. As a side note,

we think the value of an integrated platform would exactly be to bring the number of alerts

down to the relevant threats.

Figure 13: Number and status of malware alerts in a week

Source: Bernstein, Ponemon Institute


Nevertheless, a lot, therefore, depends on an organization’s culture, explicit policies and

agility in developing resilience to cyberthreats. It is rapidly becoming an important part

of an organization’s governance profile. To ensure that companies have the right culture

and policies in place, investors have to be vigilant that companies follow procedures, train

their workforce and keep up with the latest developments. Active engagement on the

topic of cybersecurity by investors can play a vital part in fostering the right culture to keep

cybersecurity risks at a minimum.

Extensive ESG integration and engagement around cybersecurity at RobecoRobeco is therefore starting an extensive engagement trajectory on cybersecurity with

a number of selected holdings. We are working together with industry experts to assess

the cyber-resilience of an organization based on factors such as IT structures, protocols

and controls, but also an organization’s cyberstrategy and culture. In addition, Robeco

will increasingly include its assessment of cyber-resilience in its sustainability analysis

of investment candidates and portfolio holdings. We will follow up in due time with the

findings from our cybersecurity engagement and integration in a separate publication.


APPENDIX | Who’s who in cyber-land?

Appendix 1: The attackers: main actors

Actors (est. % of attacks) Main motivations Characteristics Typical type of attacks

Individual cybercriminals (50%) Monetary Sophisticated Ransomware

Nation state hackers (~18%) Cyberespionage Highly

sophisticated

Advanced Persistent

Threats (APT)

Cyberactivists (~7%) Political agenda,

ideology, revenge

Not necessarily

cyberexperts

DDoS, Botnets

(Disgruntled) insiders (~25%)

Revenge, financial

or simply human

error

Even without

sophistication

highly harmful

Various

Source: Robeco, Verizon

Appendix 2: The defenders: Listed equity cybersecurity universe (size represents market cap)

Source: Robeco, Bloomberg data

Appendix 3: A short word on blockchain and cybersecurity

Until now blockchain – or rather its application bitcoin - has been more of a tool of the

attackers: bitcoin made ransom payments easier to transact and more difficult to track.

Over time, however, market participants expect blockchain to contribute significantly and


APPENDIX | Who’s who in cyber-land?

positively to cybersafety. First and foremost this is due to the decentralized architecture

of the blockchain. There is simply no central archive anymore that could be hacked. To

compromise an account, the hacker would have to attack all nodes in the network at the

same time rather than only a single computer. In addition, it is more difficult to falsify

information due to the decentralized storage and the consensus required to alter data.

What will this mean for the cybersecurity industry from an investment perspective? It is very

early days and therefore hard to tell with certainty, but our guess would be that endpoint

security would probably be better positioned than network security: parameter protection

just becomes less relevant in a decentralized world, while all the various endpoints in

the decentralized blockchain need protection. Technologies like sandboxing and micro

segmentation come to mind as well.

Literature – Jeroen van Oerle, Frank van der Spek, Patrick Lemmens, Vaulting financial technology,

December 2015

– Ponemon Institute, 2017 Cost of Data Breach Study, June 2017

– IBM, Transforming the approach to phishing detection and protection, March 2017

– ITRC, 2018 Data Breach Report, January 2018

– FBI, IC3 2016 Internet Crime Report, June 2017

– Deloitte, Take the lead on cyber risk, 2017

– TIA Cybersecurity Report, February 2015

– Researchgate; Cynthia Wagner, Security and network monitoring based on internal flow

measurements, March 2012

– www.lepide.com/blog/the-lepide-checklist-for-gdpr-compliance/, March 2017

– Cisco, Midyear Cybersecurity Report, July 2017

– digitalguardian.com/information-security-industryscape, November 2014

– IDC FutureScape: Worldwide Security Products and Services 2017 Predictions, IDC Web

Conference, December 2016


Important Information Robeco Institutional Asset Management B.V. has a license as manager of Undertakings for Collective Investment in Transferable Securities (UCITS) and Alternative Investment Funds (AIFs) (“Fund(s)”) from The Netherlands Authority for the Financial Markets in Amsterdam. This document is solely intended for professional investors, defined as investors qualifying as professional clients, have requested to be treated as professional clients or are authorized to receive such information under any applicable laws. Robeco Institutional Asset Management B.V and/or its related, affiliated and subsidiary companies, (“Robeco”), will not be liable for any damages arising out of the use of this document. Users of this information who provide investment services in the European Union have their own responsibility to assess whether they are allowed to receive the information in accordance with MiFID II regulations. To the extent this information qualifies as a reasonable and appropriate minor non-monetary benefit under MiFID II, users that provide investment services in the European Union are responsible to comply with applicable recordkeeping and disclosure requirements. The content of this document is based upon sources of information believed to be reliable and comes without warranties of any kind. Without further explanation this document cannot be considered complete. Any opinions, estimates or forecasts may be changed at any time without prior warning. If in doubt, please seek independent advice. It is intended to provide the professional investor with general information on Robeco’s specific capabilities, but has not been prepared by Robeco as investment research and does not constitute an investment recommendation or advice to buy or sell certain securities or investment products and/or to adopt any investment strategy and/or legal, accounting or tax advice. All rights relating to the information in this document are and will remain the property of Robeco. This material may not be copied or used with the public. No part of this document may be reproduced, or published in any form or by any means without Robeco’s prior written permission. Investment involves risks. Before investing, please note the initial capital is not guaranteed. Investors should ensure that they fully understand the risk associated with any Robeco product or service offered in their country of domicile (“Funds”). Investors should also consider their own investment objective and risk tolerance level. Historical returns are provided for illustrative purposes only. The price of units may go down as well as up and the past performance is not indicative of future performance. If the currency in which the past performance is displayed differs from the currency of the country in which you reside, then you should be aware that due to exchange rate fluctuations the performance shown may increase or decrease if converted into your local currency. The performance data do not take account of the commissions and costs incurred on trading securities in client portfolios or on the issue and redemption of units. Unless otherwise stated, the prices used for the performance figures of the Luxembourg-based Funds are the end-of-month transaction prices net of fees up to 4 August 2010. From 4 August 2010, the transaction prices net of fees will be those of the first business day of the month. Return figures versus the benchmark show the investment management result before management and/or performance fees; the Fund returns are with dividends reinvested and based on net asset values with prices and exchange rates of the valuation moment of the benchmark. Please refer to the prospectus of the Funds for further details. Performance is quoted net of investment management fees. The ongoing charges mentioned in this document are the ones stated in the Fund’s latest annual report at closing date of the last calendar year. This document is not directed to, or intended for distribution to or use by any person or entity who is a citizen or resident of or located in any locality, state, country or other jurisdiction where such distribution, document, availability or use would be contrary to law or regulation or which would subject any Fund or Robeco Institutional Asset Management B.V. to any registration or licensing requirement within such jurisdiction. Any decision to subscribe for interests in a Fund offered in a particular jurisdiction must be made solely on the basis of information contained in the prospectus, which information may be different from the information contained in this document. Prospective applicants for shares should inform themselves as to legal requirements also applying and any applicable exchange control regulations and applicable taxes in the countries of their respective citizenship, residence or domicile. The Fund information, if any, contained in this document is qualified in its entirety by reference to the prospectus, and this document should, at all times, be read in conjunction with the prospectus. Detailed information on the Fund and associated risks is contained in the prospectus. The prospectus and the Key Investor Information Document for the Robeco Funds can all be obtained free of charge at www.robeco.com.

Additional Information for US investorsNeither Robeco Institutional Asset Management B.V. nor the Robeco Capital Growth Funds have been registered under the United States Federal Securities Laws, including the Investment Company Act of 1940, as amended, the United States Securities Act of 1933, as amended, or the Investment Advisers Act of 1940. No Fund shares may be offered or sold, directly or indirectly, in the United States or to any US Person. A US Person is defined as (a) any individual who is a citizen or resident of the United States for federal income tax purposes; (b) a corporation, partnership or other entity created or organized under the laws of or existing in the United States; (c) an estate or trust the income of which is subject to United States federal income tax regardless of whether such income is effectively connected with a United States trade or business. Robeco Institutional Asset Management US Inc. (“RIAM US”), an Investment Adviser registered with the Securities and Exchange Commission under the Investment Advisers Act of 1940, is a wholly owned subsidiary of ORIX Corporation Europe N.V. and offers investment advisory services to institutional clients in the US. In connection with these advisory services, RIAM US will utilize shared personnel of its affiliates, Robeco Nederland B.V. and Robeco Institutional Asset Management B.V., for the provision of investment, research, operational and administrative services.

Additional Information for investors with residence or seat in Australia and New ZealandThis document is distributed in Australia by Robeco Hong Kong Limited (ARBN 156 512 659) (“Robeco”), which is exempt from the requirement to hold an Australian financial services license under the Corporations Act 2001 (Cth) pursuant to ASIC Class Order 03/1103. Robeco is regulated by the Securities and Futures Commission under the laws of Hong Kong and those laws may differ from Australian laws. This document is distributed only to “wholesale clients” as that term is defined under the Corporations Act 2001 (Cth). This document is not for distribution or dissemination, directly or indirectly, to any other class of persons. In New Zealand, this document is only available to wholesale investors within the meaning of clause 3(2) of Schedule 1 of the Financial Markets Conduct Act 2013 (‘FMCA’). This document is not for public distribution in Australia and New Zealand.

Additional Information for investors with residence or seat in AustriaThis information is solely intended for professional investors or eligible counterparties in the meaning of the Austrian Securities Oversight Act.

Additional Information for investors with residence or seat in BrazilThe Fund may not be offered or sold to the public in Brazil. Accordingly, the Fund has not been nor will be registered with the Brazilian Securities Commission – CVM, nor has it been submitted to the foregoing agency for approval. Documents relating to the Fund, as well as the information contained therein, may not be supplied to the public in Brazil, as the offering of the Fund is not a public offering of securities in Brazil, nor may they be used in connection with any offer for subscription or sale of securities to the public in Brazil.

Additional Information for investors with residence or seat in CanadaNo securities commission or similar authority in Canada has reviewed or in any way passed upon this document or the merits of the securities described herein, and any representation to the contrary is an offence. Robeco Institutional Asset Management B.V. is relying on the international dealer and international adviser exemption in Quebec and has appointed McCarthy Tétrault LLP as its agent for service in Quebec.

Additional Information for investors with residence or seat in ColombiaThis document does not constitute a public offer in the Republic of Colombia. The offer of the Fund is addressed to less than one hundred specifically identified investors. The Fund may not be promoted or marketed in Colombia or to Colombian residents, unless such promotion and marketing is made in compliance with Decree 2555 of 2010 and other applicable rules and regulations related to the promotion of foreign Funds in Colombia.

Additional Information for investors with residence or seat in the Dubai International Financial Centre (DIFC), United Arab EmiratesThis material is being distributed by Robeco Institutional Asset Management B.V. (Dubai Office) located at Office 209, Level 2, Gate Village Building 7, Dubai International Financial Centre, Dubai, PO Box 482060, UAE. Robeco Institutional Asset Management B.V. (Dubai office) is regulated by the Dubai Financial Services Authority (“DFSA”) and only deals with Professional Clients or Market Counterparties and does not deal with Retail Clients as defined by the DFSA.

Additional Information for investors with residence or seat in FranceRobeco is at liberty to provide services in France. Robeco France (only authorized to offer investment advice service to professional investors) has been approved under registry number 10683 by the French prudential control and resolution authority (formerly ACP, now the ACPR) as an investment firm since 28 September 2012.

Additional Information for investors with residence or seat in GermanyThis information is solely intended for professional investors or eligible counterparties in the meaning of the German Securities Trading Act.

Additional Information for investors with residence or seat in Hong Kong The contents of this document have not been reviewed by the Securities and Futures Commission (“SFC”) in Hong Kong. If you are in any doubt about any of the contents of this document, you should obtain independent professional advice. This document has been distributed by Robeco Hong Kong Limited (“Robeco”). Robeco is regulated by the SFC in Hong Kong.

Additional Information for investors with residence or seat in ItalyThis document is considered for use solely by qualified investors and private professional clients (as defined in Article 26 (1) (b) and (d) of Consob Regulation No. 16190 dated 29 October 2007). If made available to Distributors and individuals authorized by Distributors to conduct promotion and marketing activity, it may only be used for the purpose for which it was conceived. The data and information contained in this document may not be used for communications with Supervisory Authorities. This document does not include any information to determine, in concrete terms, the investment inclination and, therefore, this document cannot and should not be the basis for making any investment decisions.

Additional Information for investors with residence or seat in PeruThe Fund has not been registered with the Superintendencia del Mercado de Valores (SMV) and is being placed by means of a private offer. SMV has not reviewed the information provided to the investor. This document is only for the exclusive use of institutional investors in Peru and is not for public distribution.

Additional Information for investors with residence or seat in ShanghaiThis material is prepared by Robeco Investment Management Advisory (Shanghai) Limited Company (“Robeco Shanghai”) and is only provided to the specific objects under the premise of confidentiality. Robeco Shanghai has not yet been registered as a private fund manager with the Asset Management Association of China. Robeco Shanghai is a wholly foreign-owned enterprise established in accordance with the PRC laws, which enjoys independent civil rights and civil obligations. The statements of the shareholders or affiliates in the material shall not be deemed to a promise or guarantee of the shareholders or affiliates of Robeco Shanghai, or be deemed to any obligations or liabilities imposed to the shareholders or affiliates of Robeco Shanghai.

Additional Information for investors with residence or seat in SingaporeThis document has not been registered with the Monetary Authority of Singapore (“MAS”). Accordingly, this document may not be circulated or distributed directly or indirectly to persons in Singapore other than (i) to an institutional investor under Section 304 of the SFA, (ii) to a relevant person pursuant to Section 305(1), or any person pursuant to Section 305(2), and in accordance with the conditions specified in Section 305, of the SFA, or (iii) otherwise pursuant to, and in accordance with the conditions of, any other applicable provision of the SFA. The contents of this document have not been reviewed by the MAS. Any decision to participate in the Fund should be made only after reviewing the sections regarding investment considerations, conflicts of interest, risk factors and the relevant Singapore selling restrictions (as described in the section entitled “Important Information for Singapore Investors”) contained in the prospectus. You should consult your professional adviser if you are in doubt about the stringent restrictions applicable to the use of this document, regulatory status of the Fund, applicable regulatory protection, associated risks and suitability of the Fund to your objectives. Investors should note that only the sub-funds listed in the appendix to the section entitled “Important Information for Singapore Investors” of the prospectus (“Sub-Funds”) are available to Singapore investors. The Sub-Funds are notified as restricted foreign schemes under the Securities and Futures Act, Chapter 289 of Singapore (“SFA”) and are invoking the exemptions from compliance with prospectus registration requirements pursuant to the exemptions under Section 304 and Section 305 of the SFA. The Sub-Funds are not authorized or recognized by the MAS and shares in the Sub-Funds are not allowed to be offered to the retail public in Singapore. The prospectus of the Fund is not a prospectus as defined in the SFA. Accordingly, statutory liability under the SFA in relation to the content of prospectuses would not apply. The Sub-Funds may only be promoted exclusively to persons who are sufficiently experienced and sophisticated to understand the risks involved in investing in such schemes, and who satisfy certain other criteria provided under Section 304, Section 305 or any other applicable provision of the SFA and the subsidiary legislation enacted thereunder. You should consider carefully whether the investment is suitable for you. Robeco Singapore Private Limited holds a capital markets services license for fund management issued by the MAS and is subject to certain clientele restrictions under such license.

Additional Information for investors with residence or seat in SpainThe Spanish branch Robeco Institutional Asset Management B.V., Sucursal en España, having its registered office at Paseo de la Castellana 42, 28046 Madrid, is registered with the Spanish Authority for the Financial Markets (CNMV) in Spain under registry number 24.

Additional Information for investors with residence or seat in SwitzerlandThis document is exclusively distributed in Switzerland to qualified investors as defined in the Swiss Collective Investment Schemes Act (CISA) by Robeco Switzerland AG which is authorized by the Swiss Financial Market Supervisory Authority FINMA as Swiss representative of foreign collective investment schemes, and UBS Switzerland AG, Bahnhofstrasse 45, 8001 Zurich, postal address: Europastrasse 2, P.O. Box, CH-8152 Opfikon, as Swiss paying agent. The prospectus, the Key Investor Information Documents (KIIDs), the articles of association, the annual and semi-annual reports of the Fund(s), as well as the list of the purchases and sales which the Fund(s) has undertaken during the financial year, may be obtained, on simple request and free of charge, at the office of the Swiss representative Robeco Switzerland AG, Josefstrasse 218, CH-8005 Zurich. The prospectuses are also available via the website www.robeco.ch.

Additional Information for investors with residence or seat in the United Arab EmiratesSome Funds referred to in this marketing material have been registered with the UAE Securities and Commodities Authority (the Authority). Details of all Registered Funds can be found on the Authority’s website. The Authority assumes no liability for the accuracy of the information set out in this material/document, nor for the failure of any persons engaged in the investment Fund in performing their duties and responsibilities.

Additional Information for investors with residence or seat in the United KingdomRobeco is subject to limited regulation in the UK by the Financial Conduct Authority. Details about the extent of our regulation by the Financial Conduct Authority are available from us on request.

Additional Information for investors with residence or seat in UruguayThe sale of the Fund qualifies as a private placement pursuant to section 2 of Uruguayan law 18,627. The Fund must not be offered or sold to the public in Uruguay, except in circumstances which do not constitute a public offering or distribution under Uruguayan laws and regulations. The Fund is not and will not be registered with the Financial Services Superintendency of the Central Bank of Uruguay. The Fund corresponds to investment funds that are not investment funds regulated by Uruguayan law 16,774 dated September 27, 1996, as amended.

Additional Information concerning RobecoSAM Collective Investment SchemesThe RobecoSAM collective investment schemes (“RobecoSAM Funds”) in scope are sub funds under the Undertakings for Collective Investment in Transferable Securities (UCITS) of MULTIPARTNER SICAV, managed by GAM (Luxembourg) S.A., (“Multipartner”). Multipartner SICAV is incorporated as a Société d’Investissement à Capital Variable which is governed by Luxembourg law. The custodian is State Street Bank Luxembourg S.C.A., 49, Avenue J. F. Kennedy, L-1855 Luxembourg. The prospectus, the Key Investor Information Documents (KIIDs), the articles of association, the annual and semi-annual reports of the RobecoSAM Funds, as well as the list of the purchases and sales which the RobecoSAM Fund(s) has undertaken during the financial year, may be obtained, on simple request and free of charge, via the website www.robecosam.com or www.funds.gam.com.

Version Q1/18

ContactRobeco

P.O. Box 973

3000 AZ Rotterdam

The Netherlands

E [email protected]