Amplify Cybersecurity ETF (HACK)
Cybersecurity as a commercial industry barely existed before the 2000s. Banks and defense contractors had security teams, but cybersecurity was a cost center, not a business. Today it is a multi-hundred-billion-dollar industry, driven by the relentless rise in digital services, the shifting of business operations to the cloud, the explosion of data being collected and stored, and the persistent threat of data theft, ransomware, and system compromise. Amplify Cybersecurity ETF (HACK) is built on a simple premise: invest in the companies selling the tools, services, and expertise that defend against these threats.
The emergence of cybersecurity as an industry (early 2000s–2010)
Before 2000, security in the technology world was an afterthought. Operating systems and applications were built for convenience and speed, not defense. Viruses and worms existed (the Morris Worm of 1988, the Melissa virus of 1999) but were treated as isolated crises, not systemic threats.
The rapid rise of the Internet, the emergence of e-commerce, and the September 11, 2001 attacks changed the calculus. Companies began losing data to hackers; websites were defaced by vandals; governments realized that critical infrastructure (power grids, financial systems) could be targets of cyberattacks. Spending on security tools accelerated. Vendors like Symantec, which had built an antivirus business, expanded into broader security solutions. New pure-play security companies (Verisign, ISS, Qualys) emerged. By the mid-2000s, cybersecurity was recognized as a distinct market segment.
In the 2008–2010 period, even as the overall tech market crashed, cybersecurity budgets held firm or grew—a sign of how central security had become to corporate IT decision-making. The Great Recession did not kill the industry; it legitimized it.
The driving forces behind security spending (2010–2020)
The 2010s saw explosive growth in cybersecurity spending, driven by several converging factors:
Cloud migration. Companies moved workloads from private data centers to AWS, Azure, and Google Cloud. This created new security challenges: protecting systems and data that were no longer under the company’s direct physical control. Cloud-security companies (CrowdStrike, Palo Alto Networks) flourished.
Mobile explosion. Smartphones became ubiquitous. Enterprises had to secure not just networks but now millions of personal and company-owned devices. Mobile security and endpoint protection became massive categories.
Regulatory mandates. Regulations like HIPAA (healthcare), PCI-DSS (payment cards), and eventually GDPR (Europe, 2018) required companies to implement security controls. Regulatory compliance was now a legal mandate, not just a best practice. Security vendors thrived by offering compliance solutions.
Ransomware. The proliferation of ransomware attacks (where hackers encrypt a company’s files and demand payment for the key) made cybersecurity a business survival issue. Companies that had been indifferent to security suddenly budgeted millions for ransomware defense.
Data breaches and reputation damage. High-profile breaches (Target, Home Depot, Yahoo) demonstrated that data theft could destroy shareholder value and customer trust. Executives began viewing security as a fiduciary responsibility.
By 2020, the global cybersecurity market was worth more than $150 billion annually, with double-digit growth rates. It was one of the fastest-growing IT sectors.
The taxonomy of cybersecurity companies
HACK’s holdings fall into several categories:
Endpoint protection. These companies (Crowdstrike, Sentinelone, Microsoft, Cisco) protect individual computers and devices from malware, ransomware, and unauthorized access. Endpoint detection and response (EDR) is one of the most valuable categories—it is installed on every computer and provides visibility into threats.
Network and perimeter defense. Firewalls, intrusion detection systems, and web application firewalls (Palo Alto Networks, Fortinet, Cloudflare) sit at the edge of networks and filter malicious traffic.
Identity and access management. These companies (Okta, Ping Identity) manage who gets access to what systems, crucial as remote work and cloud adoption make traditional network perimeters irrelevant.
Data protection and privacy. Companies (Varonis, Digital Guardian) focus on protecting sensitive data from theft or misuse.
Security information and event management (SIEM). Splunk, IBM, and others aggregate and analyze security logs to detect anomalies and breaches.
Cloud and application security. Aqua Security, Snyk, and others secure containerized applications and cloud-native infrastructure.
Threat intelligence and managed services. Companies offering intelligence on emerging threats or managed security services (operating security operations centers on behalf of clients).
HACK holds a mix of these, weighted by market capitalization. The largest holdings are typically the diversified mega-cap tech companies that have security divisions (Microsoft, Intel, Cisco) and the pure-play cybersecurity leaders (Palo Alto Networks, Crowdstrike, Fortinet).
The business model: recurring revenue and high margins
Most cybersecurity software is sold as a subscription. A company buys a firewall license for a year, or an endpoint-protection subscription for an organization’s computers, and pays annually or monthly. This recurring revenue model is highly valued by the market because it is predictable and sticky—once a security tool is embedded in a company’s infrastructure, switching costs are high.
The software vendors operate with high gross margins (70–85%) because once the software is written, the incremental cost of serving additional customers is low. The challenge is customer acquisition: selling security is complex, sales cycles are long (three months to a year is normal), and the sales force must be large and skilled. This creates high S&M (sales and marketing) expenses that compete with the high gross margins.
Over time, successful security companies achieve scale economies: customer acquisition costs decline as a percentage of revenue, and operating margins expand. Companies like Palo Alto Networks have made this transition; younger companies like Crowdstrike are in the early phase of margin expansion.
Growth drivers and the future (2020 onwards)
Cybersecurity growth has continued post-2020, driven by:
Remote work adoption. The pandemic accelerated work-from-home, making it harder for companies to protect data and systems when employees are scattered and using personal networks. VPN, zero-trust access, and endpoint security became urgent priorities.
Ransomware escalation. Ransomware attacks have grown in sophistication and economic impact. The average ransom demand has risen from thousands to millions of dollars. Companies scramble to defend and to buy cyber insurance, which drives demand for security and breach-response services.
Artificial intelligence. Modern security tools use machine learning to detect anomalous behavior and predict threats. Security vendors are investing heavily in AI-driven detection and response, which is a new competitive frontier.
Regulatory tightening. New regulations (SEC cybersecurity disclosure rules, EU regulations, sectoral mandates) have forced higher security budgets.
M&A consolidation. Larger tech companies (Microsoft, Cisco, Amazon) have acquired smaller security firms to expand their offerings. Some pure-play security vendors (like VMware’s Broadcom acquisition) are being folded into diversified tech companies.
Risks and challenges for HACK holdings
Commoditization. As security practices mature and become embedded in mainstream platforms, specialized security vendors may see their products commoditized or subsumed into broader platforms. Microsoft’s expansion into security (through acquisitions and organic development) has cannibalized revenue for some pure-play vendors.
Concentration. The largest holdings in HACK are mega-cap tech companies (Microsoft, Intel, Cisco, Apple) that have security arms but are not primarily security companies. Pure-play security companies represent a smaller slice, creating exposure risk if one of the mega-caps shifts strategy.
Valuation. Cybersecurity stocks have historically traded at premium valuations (high P/E ratios) because of strong growth and margin potential. Economic slowdowns or disappointing guidance can trigger sharp repricing.
Consolidation. The pace of M&A means that acquisition targets’ valuations often pause or decline in the months before an acquisition, creating volatility.
Talent costs. Specialized security talent is scarce and expensive. Companies compete aggressively for engineers and security researchers, driving up payroll costs and potentially limiting margin expansion.
HACK’s performance and positioning
HACK was launched in 2014, making it one of the longer-running thematic ETFs focused on an industry trend. Its performance has been strong during periods of cybersecurity concern and elevated spending (2015–2018, 2021–2022) and weaker during periods of indifference or when mega-cap tech underperforms.
The fund concentrates on a narrower theme than broad technology exposure (GXPT or similar), so its returns are more volatile and more directly tied to cybersecurity spending cycles and sentiment. It outperforms when the cybersecurity narrative is in focus and underperforms when investors focus on other technology themes or when risk-off sentiment hits growth stocks broadly.
How to research HACK
Start with the fund’s prospectus and the ISE Cybersecurity Index methodology, which defines which companies are considered cybersecurity companies and how they are weighted. The fact sheet breaks down the top holdings and the weighting scheme.
Review the top 10–15 holdings and assess their cybersecurity relevance. Some holdings may be conglomerates with only a small security division; others may be pure-play security companies. Understanding this mix helps assess the fund’s true exposure.
Monitor cybersecurity spending trends and breach statistics (number and severity of major breaches, ransom amounts, regulatory actions). When breach activity is high, security spending tends to accelerate, benefiting HACK. When breach activity is low or obscured by favorable headlines, security stocks can lag.
Follow earnings reports from the largest pure-play security companies (Crowdstrike, Palo Alto Networks, Fortinet, Okta) for insights into spending and pricing trends. Watch for large contract wins or losses, customer churn, and guidance changes.
Assess whether cybersecurity spending is growing faster than IT budgets overall. If security is just shifting budget share from other IT categories (not accelerating overall IT spend), HACK may not get the boost investors expect.
Compare HACK against other thematic security or tech ETFs and against the broader tech sector to understand whether the cybersecurity theme is driving outperformance or underperformance. Thematic funds work only if the theme is firing; when the theme is out of favor, they lag.