Last Thursday is what I would call a reset for CyberArk (CYBR). The reset is two-fold: First, expectations for companies requiring this kind of security needing it immediately with little scrutiny, and second a share price reset. These combined are allowing the market to readjust expectations but at the same time open an opportunity when these new expectations are exceeded in the future.
In the last 12 months, shares have been range bound between $45 and $55 – a good swing trading vehicle for those who are into that but a rather boring see-saw and not much enticement for investors looking for long-term appreciation. However, with a company first occurring last week in the form of a pre-announcement readjusting guidance under the expected range, shares have become interesting again.
Industry Expectations Reset
Much of the focus was on the 7% downward revision from original mid-point to readjusted mid-point. However, assumptions have run rampant because of some commentary on the pre-release earnings call as well as a lack of understanding with this method of business and risk versus compliance customers.
CEO Udi Mokady mentioned the UK and northern Europe as the primary countries and regions it is having an issue with closing deals in time – and this will be important in a minute – but the most notable comment on the call was from CFO Josh Siegel where he answered an analyst by saying:
In addition to looking at the execution side of the house and understanding which piece comes from execution and which piece comes from really just on the market customer side of elongating the pipeline deals, I will have to re-evaluate some of my assumptions in terms of understanding the deal timing and deal flow.
To many, this now sounds like CyberArk and team are going to change their guidance and full-year expectations and we should hit the brakes and get out when the vehicle comes to a stop. I’m not seeing this commentary as a sign that reads: “WARNING: Company will drastically reduce guidance ahead.”
That would be a quick-to-analyze, off the cuff assessment without taking proper context into consideration regarding the landscape of the industry. There’s much more to it than just a CFO saying he needs to reevaluate. Just what is he getting at should be the next question. Thankfully Josh adds more to this than just a supposed bearish comment.
The good news is the pipeline is growing and so we’re able to track all the opportunities but you are right I will have to adjust my view in terms of getting the comfort level for deal closure within a particular period. I mean until now for, I think, the last 11 quarters since we’ve IPO’d we’ve been very successful in being able to look at our pipeline, evaluate our transactions small and large each quarter and be able to meet or beat our forecasts, our guidance. And I would remind you and the people on this call that actually every quarter in the last 11 quarters we’ve had several large deals – our over 100K deals have been growing consistently and we also, it’s very common to have 7 figure deals on a quarterly basis, so. This isn’t new information this isn’t new territory for us but we are seeing a bit of a shift where we, where I need to evaluate it carefully.
I want to focus on the bold emphasis I’ve added “seeing a bit of a shift.” What exactly is this shift? Well, that’s what we should be digging into. This shift is primarily dealing with Europe where there is a difference between it and other regions such as the US and Americas. Much of the Americas have been on the prowl securing their network borders and minimizing damage if an attacker were to find their way in – these are called risk-driven customers. I have a risk, I must close it.
Europe, on the other hand, is a different animal in terms of its profile. The landscape is seeing a change from risk driven to compliance driven. Compliance in what exactly? Compliance in the European Union’s GDPR regulation. This regulation is set to be fully enforced in May 2018 and, much like other regulations we see in the US (HIPAA anyone?), it deals with customer privacy and information sharing. But the key to these regulations have little to do with the intent but rather the enforceable aspects. The key word in much of this EU regulation is “breach.” A breach is defined as “any incident that results in unauthorized access of data.” When an intruder enters a network and uses administrative passwords to gain unauthorized access to information it is considered a reportable breach. CyberArk’s software is built to maintain these administrative passwords and not let these critical keys hang out on the network for easy grabbing.
So what’s the point you ask? The point is there is less than a year for EU companies (and really companies who do business in the EU) to find, buy, integrate, and deploy a software which meets these regulations. This is where my expertise in implementing compliance driven, security based software comes to the forefront.
Up until last year, I worked at a major teaching hospital integrating and maintaining end-user based software. This software managed secure access to end points (the devices doctors and nurses used) as well as the security around prescribing narcotic drugs at the time of signing. This latter functionality was compliance driven and pushed us to implement and deploy faster than we would have otherwise.
However, the part which was not so speedy was the determination of the project scope, understanding how many end users we’d impact, and the cost and contract negotiations. The problem with going ahead with a few loose assumptions on a compliance-based purchase is they could have disastrous effects later on. If we didn’t purchase enough licenses, purchase the right modules and hardware, or purchase the proper support contract for when we went live, then fines, non-compliant doctors (a big no no), and ultimately a loss of patients due to lack of prescription ability would be the consequence. Any mistakes would cost us and bring us over the regulation deadline. Thankfully we took our time on the front end of the purchase (scope and contract) and were fully implemented two months ahead of our compliance deadline because there was no need to adjust or pivot our purchase.
Now, Imprivata (IMPR), whose software I was purchasing and implementing at this job, was covered extensively by me here on Seeking Alpha. Not only this but what’s coincidental about this CyberArk guidance warning is Imprivata also went through an identical situation – deals not closing in time for the quarter’s end and issuing a pre-announcement about lower revenue. In fact, even the 7% miss in revenue is identical in both instances.
I wrote in great detail how the revenue miss was merely timing and the overall revenue for the year would be unchanged:
I expect (the revenue) to show up in Q4 and probably even bloat Q4 numbers a little as revenue gets shifted forward to the time the deals can be closed. In the overall picture, the revenue for the year will still be there but just not in the quarters analysts – and the company – were expecting.
My call turned out to be spot on as I wrote a follow-up article about how the revenue shifted and made the company issue another pre-announcement, this time for exceeding guidance.
As expected Imprivata’s revenue recovered nicely and expects to exceed their guidance and likely put them back at the original estimates set before the Q3 earnings call.
I see this as an extremely similar situation with slightly varying reasons for the underlying shift in revenue (scrutiny for compliance versus lack of IT resources) and one where the opportunity lies at the bottom of a stock free-fall – which is where CYBR is at or headed to shortly. Either reason for the underlying shift still creates revenue, just not at the time initially anticipated.
With less than a year for EU companies to be compliant, CISOs and CIOs will scrutinize all of their purchases so they not only meet regulations but confirm the software works effectively while getting it for the best value. When IT departments need time to think about purchases they use all of that time – to the chagrin of vendors – which is happening here.
This shift in customer motivation is what caught management off guard as they expected deals to close as fast as they have been, especially with large attacks like WannaCry focused primarily on Europe. Simply changing this expectation does not eliminate revenue -it requires more understanding of where it’s going to be placed – this quarter or next quarter?
Share Price Reset
The reason this reset creates opportunity is because the market expects this to be the new normal going forward. This expectation has caused shares to correct almost 17% – for a 7% revenue miss which will be pushed into another quarter. This slight miss in revenue for just the quarter has contracted price-to-sales multiples to the lowest they have ever been for the company, meaning downside is becoming more limited while growth is still present.
Because CyberArk not only sells its software in a very similar manner as Imprivata, it is seeing the very same issue Imprivata once had but overcame. In fact, a commenter on my assessment of the Imprivata miss had similar fears to many who are commenting on CyberArk today: a company whose business or regions are shrinking (otherwise known as growth in jeopardy) and this could be the beginning of the end. Turns out those fears were put to rest not only after the revenue recovered but also after the company was acquired for a 95% premium to my call to action price of $10.
This doesn’t mean I have a thesis to say CyberArk will be acquired – in fact, I’m on the side of arguing against it due to the negative stance management has taken on the subject in the past. But I am saying the company may very well have misjudged when this shift would occur instead of this being the beginning of the end.
Considering the exaggerated drop in share price relative to the guidance adjustment, the risk versus reward has been skewed toward reward as multiples have contracted. My assessment says this is, in fact, a timing of deals closing and not a harbinger of things to come. CyberArk management has executed very well and is one of the only profitable companies in its field. It will reassess its sales for Europe specifically and understand what it needs to do to provide assurance for its customers.
If you’d like to be made aware of my opinion and analysis in the future on CyberArk, along with other tech and cyber security companies, then I encourage you to follow me by clicking the “Follow” link at the top of this page next to my name.
Disclosure: I/we have no positions in any stocks mentioned, but may initiate a long position in CYBR over the next 72 hours.
I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.