PureFunds Cyber Security ETF: Troubling Inconsistencies And Specific-Holding Concerns Should Make Investors Think Twice
Summary Due to increased investor interest in the cyber security space, the PureFunds Cyber Security ETF has grown rapidly since its launch in November 2014, with assets now exceeding $1.2B. Its track record has been impressive, returning nearly 22% since inception. Our tracking of the recent semi-annual reconstitution, however, raises some troubling questions about the validity of the data that this ETF is reporting. Specifically, reported changes in positions on reconstitution that occurred this past Monday, in several instances, seem to be impossible to have been executed based on that day’s trading volume data. Finally, we are concerned about the high level of ownership the ETF now has in several small cap names, and would caution investors regarding risks in owning these names. Background The PureFunds Cyber Security ETF (NYSEARCA: HACK ) was launched in November 2014 to track the ISE Cyber Security Index, and seeks to provide investors with exposure to the hot cyber security technology sector. The index (and ETF) provide exposure to large, well-known cyber security plays, such as Palo Alto Networks (NYSE: PANW ) and FireEye (NASDAQ: FEYE ), in addition to other large cap technology companies such as Cisco (NASDAQ: CSCO ) and Juniper Networks (NYSE: JNPR ) that, while not pure plays, are deemed to be relevant to cyber security. At a high level, the index owns companies that fall into either the cyber security infrastructure, or cyber security services sub-categories, with the infrastructure group making up the overwhelming majority of the index. One of the lesser understood features of the index, however, is that it seeks to equal weight its components within the infrastructure and services sub-categories. A complete explanation of the index’s construction methodology can be found here . This unique index construction means that small-cap (and even micro-cap) stocks are weighted similarly in many cases to large-cap stocks. Herein lies some issues that we recently came across when analyzing this past Monday’s index/ETF reconstitution. Recent Index/ETF Reconstitution According to ISE index methodology and the HACK ETF methodology , components are re-weighted twice annually, on market close on the third Friday in December and June (and become effective the following Monday), the most recent reconstitution of ISE Cyber Security index having occured on this past Friday’s market close, June 19. The index weighting changes were announced after the close on that date. The HACK ETF, in order to track the underlying index, must then adjust their holdings, i.e. buy/sell the individual stocks held, in this most recent case on Monday, June 22 to realign themselves with the index. PureFunds posts its daily holdings in HACK as of the close each day, along with the ETF’s underlying Net Asset Value (or NAV), total assets, etc. Thus holdings can be tracked on a daily basis. As expected, there were large changes in the end of day holdings reported in HACK between Friday, June 19 and Monday, June 22, with the changes being inline with the newly announced stock weightings of the underlying ISE index. Below we show the reported holdings as of each close on these two dates in HACK, as obtained directly from their site (linked above) along with analysis of shares bought/sold on June 22 (note that we only did the analysis for US-listed stocks): (click to enlarge) (Source: PureFunds site for daily share ownership, Yahoo for June 22 trading volume) As can be seen from the data above, there are several stocks for which the supposed buy/sell volume from HACK exceeded 100% of the June 22 total trading volume in that stock. We have highlighted in bold in the table above the stocks we are referring to. Clearly, this raises some troubling questions as clearly HACK could not have traded more than 100% of the day’s total volume: Is HACK accurately reporting their end of day holdings in the ETF? Is the end of day reported NAV therefore accurate? If these shares were in fact traded on either 1) different days than June 22, 2) across multiple trading days, or 3) yet to be fully traded, then why were the end of day share holdings reported as the above by PureFunds? We do not profess to know the answers to these questions, despite our attempts to understand their trading/reporting methodology through reading their prospectus linked above. We, nonetheless, find the inconsistency of their reported data to be troubling and thus would be cautious in relying on both claimed share holdings AND reported NAV, which investors in HACK rely on to assess the fair market value of the ETF. Note that we have contacted PureFunds, sent them this data, and asked for an explanation, but have received no response . If we do get a response from them, we will certainly share it with our readers. Ownership concentration in small cap names As noted above, the HACK ETF (and underlying index) have an unusual equal-weighting (rather than market cap weighting) structure that causes the ETF to have outsized ownership of certain small cap names. The two that we’d highlight specifically, for which the ETF has the highest percentage ownership of shares outstanding are below: Company Ticker HACK shares owned 6/23 S/O from latest 10-Q HACK % ownership Widepoint Corp WYY 7,532,622 82,135,803 9.2% KEYW Holding Corp KEYW 3,463,191 38,222,484 9.1% We highlight Widepoint (NYSEMKT: WYY ) and KEYW Holding (NASDAQ: KEYW ) specifically because they are the two stocks that HACK has the highest percentage ownership (both now approaching 10%), though there are other small-cap names for which HACK ownership is now 5.0% or greater, namely Intralinks (NYSE: IL ), Guidance Software (NASDAQ: GUID ), and Zix Corp (NASDAQ: ZIXI ). We specifically are concerned about these stocks because 1) they have all seen significant share price increases recently, we believe, driven primarily by fund flows into HACK, which disproportionately are allocated into these small cap names per the index methodology, 2) we question whether, even if HACK fund inflows remain robust, the ETF will be comfortable owning 10% or more of any individual stock (which would then require filings with the SEC as a ‘beneficial owner’ in the stock and Form 4 reporting within 2 business days of any buy/sell transaction, and perhaps, most importantly, potentially make the ETF subject to “Short-Swing” liabilities). For those not familiar with beneficial ownership reporting requirements, Short-Swing rules, etc, here is a useful summary presentation . We severely doubt that the HACK ETF would wish to exceed 10% ownership in any of these names. Therefore, we believe the recent appreciation in the names, driven primarily by HACK ETF buying, is likely nearing an end, thus leaving a sudden dearth of buying to support these names and making them very susceptible to pullbacks in the absence of the somewhat artificial buying from HACK. Conclusion We are troubled by the seeming inconsistency of the data reported by HACK and thus question both the accuracy of its reported share holdings on a day-to-day basis, and the reported NAV. We would thus avoid owning HACK as a means for gaining exposure to cyber security. Alternatively, we would suggest that an investor instead own individual cyber security stocks which they know and are comfortable with (we are long PANW, and have been for some time, as an example). We would also highly caution against owning and even encourage selling the small cap names which we highlighted above, that we believe have been temporarily, and somewhat artificially, bid up by the HACK ETF. We believe all could be subject to (potentially substantial) pullbacks before too long. We would be especially cautious in WYY and KEYW, where HACK ownership is already nearing the key 10% threshold. Disclosure: I am/we are long PANW. (More…) I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article. Additional disclosure: We may initiate long or short positions in any of the named securities at any point.