HACK ETF: Is the ASX Cybersecurity Case Still Intact?

Global cybersecurity spending grew through the Global Financial Crisis, through COVID-19, and is forecast to reach US$377 billion by 2028. The sector has not experienced a meaningful contraction in over two decades. For Australian investors, the question is not whether cybersecurity will keep growing, but how to access that growth without concentrating risk on a single stock in a market where competitive leadership shifts rapidly. The Betashares Global Cybersecurity ETF (ASX: HACK) is the most established ASX-listed vehicle for that exposure, with approximately A$1.386 billion in funds under management. What follows is an assessment of the structural spending thesis, the earnings signals from three of HACK’s key holdings, the Australian regulatory context reinforcing demand, and whether the ETF itself is fit for purpose as a long-horizon thematic allocation.

Why cybersecurity budgets behave differently from the rest of IT

Most investors carry a reasonable assumption into technology: that it is cyclical, that budgets contract in downturns, and that enterprise software is among the first line items cut when a CFO is told to find savings. Cybersecurity breaks that pattern.

The reason is structural, not sentimental. The cost of not spending on cyber defence (regulatory penalty, operational disruption, reputational damage, ransomware payments) typically exceeds the cost of the software or service itself. That asymmetry makes security spending behave more like insurance than discretionary IT.

The historical evidence supports this. During the 2008 Global Financial Crisis, Gartner data showed security software spending grew 18.6%, even as broader IT budgets contracted.

Gartner data shows security software spending grew 18.6% in 2008, during the deepest global recession in a generation.

The forward outlook converges across every major analyst house:

• Gartner forecasts approximately 15% growth in global security spending for 2025
• IDC projects 12.2% worldwide security spending growth for 2025, with global spending reaching US$377 billion by 2028
• Forrester projects a 14.4% compound annual growth rate from 2024 through 2029, with the global market reaching US$302.5 billion by 2029
• Cybersecurity Ventures forecasts spending reaching US$1 trillion annually by 2031, assuming approximately 15% year-on-year growth

When four independent forecasters arrive at double-digit growth projections across overlapping timeframes, the signal is not a single analyst’s optimism. It is a consensus on structural demand. Understanding why that demand is structurally resilient, rather than simply observing that it is, gives investors the analytical foundation to hold a position through macro volatility rather than treating it as a momentum trade.

Australia’s regulatory environment has created a structural spending floor

The global thesis holds on its own terms, but Australian investors have an additional, locally specific reinforcement: a regulatory environment that makes cyber spending legally non-optional for a broad range of organisations.

Three overlapping frameworks drive this:

• Security of Critical Infrastructure (SOCI) Act 2018: Requires mandatory cyber security incident reporting to the Australian Signals Directorate (ASD) within 12 or 72 hours depending on severity. Entities designated as systems of national significance face enhanced obligations including incident response planning, vulnerability assessments, and system information disclosure. These requirements demand sustained investment in monitoring, detection, and reporting capability.
• Notifiable Data Breaches (NDB) scheme under the Privacy Act: The Office of the Australian Information Commissioner (OAIC) received 483 data breach notifications in the first half of 2024, with 57% caused by malicious or criminal attacks. The OAIC’s enforcement posture creates direct legal and reputational risk for organisations that fail to maintain adequate cyber controls.
• ACSC guidance and the 2023-2030 Australian Cyber Security Strategy: Ongoing policy pressure reinforces the direction toward stronger data protection obligations and baseline cyber resilience across all sectors.

What the threat data tells us about spending pressure

The Australian Cyber Security Centre’s 2023-24 Annual Cyber Threat Report received over 94,000 cybercrime reports, up 23% year-on-year. Ransomware and business email compromise remain the dominant attack types, with public sector, health, education, and critical infrastructure among the most targeted sectors.

The ACSC Annual Cyber Threat Report 2023-2024 recorded over 94,000 cybercrime reports in that period, with ransomware and business email compromise identified as the dominant attack types targeting critical infrastructure, health, and education sectors across Australia.

The ACSC reported that the average cost of cybercrime for small businesses rose to between $46,000 and $100,000 per incident in 2023-24.

Rising threat frequency and escalating per-incident costs create direct, measurable pressure on organisations to invest in detection, response, and resilience tooling. This is a demand floor set by regulation and threat reality, not by discretionary budget cycles.

AI-accelerated cyber threats add a further dimension to this structural demand floor: APRA formally identified frontier AI-enabled attacks as a systemic risk to Australia’s financial sector in April 2026, with CrowdStrike’s 2026 Global Threat Report recording an 89% surge in AI-enabled attacks and adversary breakout times falling to just 29 minutes.

What the earnings of HACK’s key holdings reveal about demand

The spending thesis is compelling in the abstract. Company earnings make it concrete. Three of HACK’s key holdings, each operating in a distinct segment of the cybersecurity market, reported results that collectively signal broad-based demand across the full spectrum of cyber spending.

Zscaler represents the high-growth enterprise cloud security segment. In FY24 (year ended 31 July 2024), total revenue reached US$2.33 billion, up 35% year-on-year. The first quarter of FY25 continued that trajectory, with revenue of US$763.5 million, up 30% year-on-year. Remaining performance obligations (RPO) of US$5.76 billion, up 32% year-on-year, indicate that future contracted demand is growing in line with current revenue, not decelerating.

Check Point Software Technologies represents the mature enterprise platform segment. FY24 total revenue reached US$2.68 billion, up 7% year-on-year, with security subscription revenue of US$1.19 billion growing at 14%. In Q1 2025, that subscription acceleration continued at 12%, with non-GAAP earnings per share of US$2.38, up 14%. This is a business where recurring, subscription-based demand is accelerating even within a mature revenue base.

Gen Digital represents the consumer and small-to-medium business segment. FY25 total revenue of US$3.94 billion, up 5% year-on-year, and adjusted earnings per share of US$2.36, up 10%, demonstrate that even non-enterprise cyber and identity protection tools are being treated as non-discretionary by individual consumers and smaller organisations.

Revenue and earnings growth across companies serving enterprise cloud, platform network security, and consumer markets simultaneously is the strongest available evidence that the non-discretionary spending thesis holds across the full demand spectrum, not in one high-growth niche alone.

Understanding HACK as an investment vehicle

Cybersecurity is a sector where competitive dynamics shift as new threat vectors emerge and incumbents face disruption from cloud-native challengers. That makes diversification across many companies structurally more defensible than single-stock selection over a multi-year horizon. The Betashares Global Cybersecurity ETF (ASX: HACK) is designed to address precisely that challenge.

The fund’s key metrics, as at 15 May 2026 (performance as at 30 April 2026):

• Funds under management: approximately A$1.386 billion
• Management expense ratio: 0.67% per annum
• NAV: $14.61 per unit
• 1-year return: -9.73%
• 5-year annualised return: 10.66%
• Key holdings include: Zscaler (ZS), Check Point Software Technologies (CHKP), Gen Digital (GEN)

The -9.73% one-year return warrants honest acknowledgement. However, the five-year annualised return of 10.66% provides a longer-duration reference point that better reflects the structural growth trajectory of the underlying sector. Short-term drawdowns in thematic ETFs are common and do not, on their own, indicate that the structural thesis has deteriorated.

With over A$1.3 billion in funds under management, HACK offers meaningful scale and liquidity for an ASX-listed thematic ETF, providing Australian retail investors with diversified global cybersecurity exposure without the concentration risk inherent in individual stock positions.

For investors weighing HACK against other thematic satellite positions, our dedicated guide to comparing HACK against ASX thematic peers examines RBTZ and ESPO side by side with HACK across one-year and long-run returns, fee structures, currency risk profiles, and portfolio overlap with broad-market holdings like A200 and VGS.

Why sector diversification matters more in cybersecurity than in most technology themes

The cybersecurity sector presents a specific paradox for investors. At the sector level, spending trends are remarkably stable: consistently growing, recession-resilient, and reinforced by regulatory obligation. At the company level, competitive positioning is far less stable: new threat categories emerge, cloud migration reshapes buying patterns, and point-solution vendors are regularly displaced by platform consolidators.

That gap between sector-level stability and company-level disruption is exactly where ETF investing adds structural value.

Concentration risk in technology mega-caps is the structural problem that broad-market tech ETFs share with single-stock selection: NDQ’s top 10 holdings represent approximately 50% or more of that fund’s portfolio, meaning investors seeking diversified technology exposure through a single product may still carry significant single-name concentration without realising it.

The earnings data from HACK’s holdings illustrate this directly. Three companies operating in the same broad sector report vastly different growth profiles:

1. Enterprise cloud security (Zscaler): Revenue growing at 30%-plus, driven by Zero Trust architecture adoption and large enterprise migration to cloud-delivered security
2. Network and platform security (Check Point): Total revenue growing at 6-7%, but subscription revenue accelerating at 12-14%, reflecting a mature installed base transitioning to recurring models
3. Consumer and SMB protection (Gen Digital): Revenue growing at 5-6%, with ARPU expansion indicating pricing power in a segment where cyber tools are increasingly treated as household utilities

According to Forrester, 69% of 2029 global security spending is projected to be on software, indicating continued product-category evolution that creates ongoing competitive disruption within the sector. An investor who selects the wrong individual stock in this environment may miss the sector’s growth entirely, even while the sector itself delivers double-digit expansion.

Diversified exposure across these sub-segments allows the portfolio to capture the sector’s structural growth without requiring the investor to predict which company will hold competitive leadership over the next five to ten years.

The long-term investment case holds, but short-term context matters

The structural elements of the cybersecurity investment case reinforce one another. Global spending is forecast to grow at double-digit rates through at least 2028, supported by independent projections from Gartner, IDC, and Forrester. Australian regulatory obligations under the SOCI Act, the NDB scheme, and rising ACSC-reported threat volumes create a domestic demand floor that operates independently of global macro conditions. Company earnings across enterprise, platform, and consumer segments confirm that the spending shows up in revenue and earnings growth, not just in analyst forecasts.

The -9.73% one-year return as at 30 April 2026 reflects near-term headwinds, whether from valuation compression, broader technology sector rotation, or macro sensitivity. It does not indicate a deterioration in the underlying demand thesis. The 10.66% five-year annualised return provides a more representative view of the sector’s compounding characteristics over a full market cycle.

Cybersecurity Ventures forecasts global cybersecurity spending could reach US$1 trillion annually by 2031, assuming approximately 15% year-on-year growth.

For Australian investors, HACK is best understood as a long-horizon thematic allocation within a diversified portfolio, not a short-term tactical position. The structural spending resilience, the regulatory demand floor, and the diversified company exposure provide the foundations for a durable thesis. The short-term return profile requires patience and appropriate position sizing, but it does not undermine the case for sustained sector-level growth.

For investors wanting to understand how a thematic satellite allocation like HACK fits within a broader portfolio construction framework, our full explainer on building portfolio resilience covers the three-tier adaptive portfolio model, dynamic asset allocation principles, and the role of sector ETFs as satellite positions alongside strategic core holdings.

This article is for informational purposes only and should not be considered financial advice. Investors should conduct their own research and consult with financial professionals before making investment decisions. Past performance does not guarantee future results. Financial projections referenced in this article are subject to market conditions and various risk factors.