CyberArk (CYBR) – My Quarter-End Review
Who is CyberArk?
CyberArk was founded in 1999, had its IPO in Sept, 2014, and is headquartered in Israel. Their US headquarters is in Newton, Mass. It reports in US dollars, and trades on the Nasdaq, so there is no problem with foreign currency, etc. Its market cap is over $1.4 billion, so this is a substantial business. Its average volume is about a million shares/day so it has plenty of liquidity. Its IPO was at $16, and it started trading in the range of $29-$30. In the past 52 weeks it’s been as high as $76.30 (before the summer sell-off) and as low as $31.50, and is currently about $42.50, plus or minus.
What does it do?
It develops, markets, and sells software-based IT security solutions that protect organizations from cyber attacks in the US and internationally. The company offers privileged account security to secure, manage, and monitor account access and activities.
Its privileged account security solution consists of:
Enterprise Password Vault that provides a tool to manage and protect physical, virtual, or cloud-based assets;
SSH Key Manager to store, rotate, and control access to SSH keys for preventing unauthorized access to privileged accounts;
Privileged Session Manager that protects servers, applications, databases, and hypervisors from malware; and
Privileged Threat Analytics that profiles and analyzes individual privileged user behavior and creates prioritized alerts when abnormal activity is detected. The company also provides
Application Identity Manager, which addresses the challenges of hard-coded, embedded credentials, and cryptographic keys being hijacked and exploited by malicious insiders or external cyber attackers;
And that’s not all. There’s a bunch of additional products (that you can look up on their website), as well as sensitive information management solutions, software maintenance and support, and consulting services.
What does all that mean? There are a ton of security companies. What does CyberArk do that’s special?
That’s the key. They really do something very special. Here is the way I understand it: The days of a hacker being some kid trying to prove he can get into the network, or a virus just writing dirty words across your documents, are long gone. Now the issue is hackers who want to get confidential information, steal trade secrets, or military secrets, etc.
The standard security approach is to build a firewall around the company’s network. That’s what most security companies provide.
But what if someone gets inside the firewall? By stealing someone’s password, just for instance. Or what if someone in a large company who has access, starts going where he shouldn’t have access to steal information, etc.
Here’s an example. You’ll remember that Home Depot had a huge security breach a year and a half or so ago. Apparently the hackers got in using the username and password of a third party vendor to get inside the firewall. Then they were home free. They managed to hack through and steal millions of credit card and other bits of information.
That’s the security that CYBR provides, the security inside the firewall. Their software analyzes normal patterns of access in these accounts and picks up suspicious patterns. They also know what an individual’s normal patterns are and if someone else enters with his password and goes off to other areas, it is immediately stopped and security is alerted. Note from above: analyzes individual privileged user behavior and creates prioritized alerts when abnormal activity is detected. They call it protecting the crown jewels, and its name is privileged account security.
And it has become absolutely crucial in the modern world. Just a few days ago it announced approval from the US Department of Defense, which seems amazing to me, as this is actually a foreign company although the majority of its business is in the US. It says to me that the Dept of Defense thinks this is absolutely crucial security to have, and that CyberArk is miles ahead of any US vendor. (Just my opinion or guess there).
Who needs and buys security like that?
Let’s see! Big companies: banks, financial institutions, technology companies, telecommunications companies, government and military, manufacturers, healthcare, utilities, energy, retail companies like Home Depot, etc, etc, etc. They have a lot of big companies (40 of the Fortune 100), and companies like Skechers, Pfizer, Hershey, ConAgra, Fannie Mae, Time, Regal Cinemas, Qualcomm, Barclays, and Novartis.
What are privileged accounts?
All the key stuff for a company: financial date, IT structure, operational data, etc. And this stuff is often poorly protected, just for example with a dozen trusted employees having the same password to an important account. CyberArk says there are often two or three times as many privileged accounts as there are employees using them.
What is your history with CyberArk?
This time, I’ve been a stockholder for roughly two weeks now. They are one of my tiny, try-out, positions. I have also had positions with them in the past.
Well, HOW ARE THEY DOING? Let’s see:
Revenue growth - This is in millions of dollars, rounded off.
2013 - 66
2014 - 103
2015 – 161
Thus, revenue was up approximately 56%, each of the last two years. The revenue seems to be almost all renewable income, as the majority is licenses. In fact that part grows year to year as companies that buy one product one year, can be cross sold another the next year. Most actually now start larger and buy two or three the first year. The rest of their income is service and maintenance, which is also renewable.
Gross Margins are about 86%.
They have positive Cash Flow.
They have a lot of Cash and No Debt.
Operating Margins were about 22% in spite of rapid growth.
Adjusted EPS (in cents), as I calculated it.
2013 - 24
2014 - 44
2015 - 100
That’s why I’m very skeptical when they estimate 85 cents in earnings in 2016. Who are they kidding? Maybe earnings growth will slow down from 125% in 2015 to 50%, or even 30%, but down year over year? No way, unless they are planning a big bonfire with their profits.
PE Ratio - Of course, those 2015 earnings of 100 cents gives them a PE of about 42.5, which is awfully high, unless they have a very good moat.
Well do they have a moat?
Once CyberArk gets in with a company and is running their internal security it’s hard for me to imagine the company tearing all that out and starting with another cyber security firm just to save a few dollars. There would have to be something really wrong. CYBR’s moat is that they have the best system, with the most features. They are the dominant player in the niche. However if a big company like Checkpoint decided to compete with them, it might become a considerable headwind for them.
How About Insider Ownership – Still run by one of the co-founders, who owns 3% of the stock (or over $40 million dollars worth). I couldn’t find any insider sales in the past twelve months.
Long Runway and Long Way to Grow – They figure there are about 10,000 companies who could pay a million dollars each annually for this kind of security. That comes to $10 billion, and CYBR’s little $161 million in revenue this year comes to less than 2% of that addressable market.
Absence of Debt – They have about $238 million in Cash and equivalents, and No Debt.
Easy to Follow, Covered by the Fool – Yep, but very few posts on the CYBR board.
Reasonable PE – They flunk on that one.
WHAT ARE THE RISKS? Let’s see.
Earnings really stall and the PE drops to 20.
A larger security company comes along and competes with them? Their niche may be too small for competitors to bother. For example, a company like Checkpoint might have 100,000 customers while CyberArk sees their total addressable market of companies large enough to need their kind of security as 10,000.
Everybody quits hacking into networks and the need for security goes away? Uh….
Conclusion
Growing very fast, quite profitable, good margins, but high PE and strangely low estimates for 2016.
Best,
Saul
For Knowledgebase for this board,
please go to Post #17774, 17775 and 17776.
We had to post it in three parts this time.
A link to the Knowledgebase is also at the top of the Announcements column
on the right side of every page on this board
For Knowledgebase for this board
please go to Post #15056.
A link to the Knowledgebase is also at the top of the Announcements column
on the right side of every page on this board