CyberArk (CYBR) - My End-Quarter Review

CyberArk (CYBR) – My Quarter-End Review

Who is CyberArk?
CyberArk was founded in 1999, had its IPO in Sept, 2014, and is headquartered in Israel. Their US headquarters is in Newton, Mass. It reports in US dollars, and trades on the Nasdaq, so there is no problem with foreign currency, etc. Its market cap is over $1.4 billion, so this is a substantial business. Its average volume is about a million shares/day so it has plenty of liquidity. Its IPO was at $16, and it started trading in the range of $29-$30. In the past 52 weeks it’s been as high as $76.30 (before the summer sell-off) and as low as $31.50, and is currently about $42.50, plus or minus.

What does it do?
It develops, markets, and sells software-based IT security solutions that protect organizations from cyber attacks in the US and internationally. The company offers privileged account security to secure, manage, and monitor account access and activities.

Its privileged account security solution consists of:

Enterprise Password Vault that provides a tool to manage and protect physical, virtual, or cloud-based assets;
SSH Key Manager to store, rotate, and control access to SSH keys for preventing unauthorized access to privileged accounts;
Privileged Session Manager that protects servers, applications, databases, and hypervisors from malware; and
Privileged Threat Analytics that profiles and analyzes individual privileged user behavior and creates prioritized alerts when abnormal activity is detected. The company also provides
Application Identity Manager, which addresses the challenges of hard-coded, embedded credentials, and cryptographic keys being hijacked and exploited by malicious insiders or external cyber attackers;

And that’s not all. There’s a bunch of additional products (that you can look up on their website), as well as sensitive information management solutions, software maintenance and support, and consulting services.

What does all that mean? There are a ton of security companies. What does CyberArk do that’s special?
That’s the key. They really do something very special. Here is the way I understand it: The days of a hacker being some kid trying to prove he can get into the network, or a virus just writing dirty words across your documents, are long gone. Now the issue is hackers who want to get confidential information, steal trade secrets, or military secrets, etc.

The standard security approach is to build a firewall around the company’s network. That’s what most security companies provide.

But what if someone gets inside the firewall? By stealing someone’s password, just for instance. Or what if someone in a large company who has access, starts going where he shouldn’t have access to steal information, etc.

Here’s an example. You’ll remember that Home Depot had a huge security breach a year and a half or so ago. Apparently the hackers got in using the username and password of a third party vendor to get inside the firewall. Then they were home free. They managed to hack through and steal millions of credit card and other bits of information.

That’s the security that CYBR provides, the security inside the firewall. Their software analyzes normal patterns of access in these accounts and picks up suspicious patterns. They also know what an individual’s normal patterns are and if someone else enters with his password and goes off to other areas, it is immediately stopped and security is alerted. Note from above: analyzes individual privileged user behavior and creates prioritized alerts when abnormal activity is detected. They call it protecting the crown jewels, and its name is privileged account security.

And it has become absolutely crucial in the modern world. Just a few days ago it announced approval from the US Department of Defense, which seems amazing to me, as this is actually a foreign company although the majority of its business is in the US. It says to me that the Dept of Defense thinks this is absolutely crucial security to have, and that CyberArk is miles ahead of any US vendor. (Just my opinion or guess there).

Who needs and buys security like that?
Let’s see! Big companies: banks, financial institutions, technology companies, telecommunications companies, government and military, manufacturers, healthcare, utilities, energy, retail companies like Home Depot, etc, etc, etc. They have a lot of big companies (40 of the Fortune 100), and companies like Skechers, Pfizer, Hershey, ConAgra, Fannie Mae, Time, Regal Cinemas, Qualcomm, Barclays, and Novartis.

What are privileged accounts?
All the key stuff for a company: financial date, IT structure, operational data, etc. And this stuff is often poorly protected, just for example with a dozen trusted employees having the same password to an important account. CyberArk says there are often two or three times as many privileged accounts as there are employees using them.

What is your history with CyberArk?
This time, I’ve been a stockholder for roughly two weeks now. They are one of my tiny, try-out, positions. I have also had positions with them in the past.

Well, HOW ARE THEY DOING? Let’s see:

Revenue growth - This is in millions of dollars, rounded off.


2013 -   66
2014 -  103
2015 –  161

Thus, revenue was up approximately 56%, each of the last two years. The revenue seems to be almost all renewable income, as the majority is licenses. In fact that part grows year to year as companies that buy one product one year, can be cross sold another the next year. Most actually now start larger and buy two or three the first year. The rest of their income is service and maintenance, which is also renewable.

Gross Margins are about 86%.

They have positive Cash Flow.

They have a lot of Cash and No Debt.

Operating Margins were about 22% in spite of rapid growth.

Adjusted EPS (in cents), as I calculated it.


2013 -   24
2014 -   44
2015 -  100

That’s why I’m very skeptical when they estimate 85 cents in earnings in 2016. Who are they kidding? Maybe earnings growth will slow down from 125% in 2015 to 50%, or even 30%, but down year over year? No way, unless they are planning a big bonfire with their profits.

PE Ratio - Of course, those 2015 earnings of 100 cents gives them a PE of about 42.5, which is awfully high, unless they have a very good moat.

Well do they have a moat?
Once CyberArk gets in with a company and is running their internal security it’s hard for me to imagine the company tearing all that out and starting with another cyber security firm just to save a few dollars. There would have to be something really wrong. CYBR’s moat is that they have the best system, with the most features. They are the dominant player in the niche. However if a big company like Checkpoint decided to compete with them, it might become a considerable headwind for them.

How About Insider Ownership – Still run by one of the co-founders, who owns 3% of the stock (or over $40 million dollars worth). I couldn’t find any insider sales in the past twelve months.

Long Runway and Long Way to Grow – They figure there are about 10,000 companies who could pay a million dollars each annually for this kind of security. That comes to $10 billion, and CYBR’s little $161 million in revenue this year comes to less than 2% of that addressable market.

Absence of Debt – They have about $238 million in Cash and equivalents, and No Debt.

Easy to Follow, Covered by the Fool – Yep, but very few posts on the CYBR board.

Reasonable PE – They flunk on that one.

WHAT ARE THE RISKS? Let’s see.

Earnings really stall and the PE drops to 20.

A larger security company comes along and competes with them? Their niche may be too small for competitors to bother. For example, a company like Checkpoint might have 100,000 customers while CyberArk sees their total addressable market of companies large enough to need their kind of security as 10,000.

Everybody quits hacking into networks and the need for security goes away? Uh….

Conclusion
Growing very fast, quite profitable, good margins, but high PE and strangely low estimates for 2016.

Best,

Saul

For Knowledgebase for this board,
please go to Post #17774, 17775 and 17776.
We had to post it in three parts this time.

A link to the Knowledgebase is also at the top of the Announcements column
on the right side of every page on this board

For Knowledgebase for this board
please go to Post #15056.

A link to the Knowledgebase is also at the top of the Announcements column
on the right side of every page on this board

25 Likes

That’s why I’m very skeptical when they estimate 85 cents in earnings in 2016. Who are they kidding? Maybe earnings growth will slow down from 125% in 2015 to 50%, or even 30%, but down year over year? No way, unless they are planning a big bonfire with their profits.

Have you checked their 10K, perhaps they will be paying full taxes this year.

2013 16.6%
2014 31.2%
2015 18.7%

Rather erratic tax payment percentages.

JT

3 Likes

Thus, revenue was up approximately 56%, each of the last two years. The revenue seems to be almost all renewable income, as the majority is licenses. In fact that part grows year to year as companies that buy one product one year, can be cross sold another the next year. Most actually now start larger and buy two or three the first year. The rest of their income is service and maintenance, which is also renewable.

I haven’t looked at this company. Here are some things to verify.

  1. Check how much of their business is really renewable. Do they have a large upfront access fee or set up fee? Or is revenue distributed more evenly. If it’s the former and they got a lot of big customer signups in the recent past and if this doesn’t repeat in the current year then this might explain the low forecast for this year.

  2. Check how the company recognizes revenue. Revenue recognition of subscriptions doesn’t always match cash receipts. This could explain positive cashflow and lower revenue. I’m not saying that this is happening but it’s something to look at and monitor.

4 Likes

For those of you interested to know more about CYBR, I found this post in the RBS:CyberArk Software board, courtesy of TMFPencils: http://discussion.fool.com/1069/ceo-interview-with-jim-cramer-32…

In that post is a link to a YouTube video of an interview with CyberArk founder and CEO, Udi Mokady by Jim Cramer.

TMFPencils points out in his post that he really liked this line from Mokady at the end of the interview, when he was discussing the disconnect between the performance of the business and the stock price:

“Look, I care about our shareholders and of course this is my job – to make sure they see great returns. But what I tell my employees is don’t look at the stock on a given day. We’re in a long-term business. I’m a founder. We’re here to grow a large, global information security company. We’ve been executing great; we had a tremendous 2015.”

Cheers,
MJ

2 Likes

I was trying to be respectful to the original poster, but it just occurred to me that everyone here may not have access to a Rule Breakers board (I’m a new at being foolish so go easy on me). So in case that is true, here is the link to the interview on YouTube: https://www.youtube.com/watch?v=VGEbrr4ZgrI.

(Side note: I have heard of Jim Cramer, of course, but have never watched his show. Is he always like this? The guy can barely enunciate basic words!)

1 Like

Hey Everyone!
I want to say thanks for digging into this company, and providing all this info that this board does.

I am not an expert and have lots to learn, but I want to share my what is my expertise, and that is cyber security. It is important to understand the infancy of this sector, and everyone is just trying to stay afloat (or not be the guy/business that is breached). How I have seen it is that there are two ways to conduct cyber security business, ‘best of breed’ or ‘full suite of products’

Best of breed is vendor agnostic, just buy the best out there at the time. The issue is that management of these vendor devices is harder, and the more vendors/contracts you have the more effort you have to managed them. And because the business process in IT, especially cyber security, is immature managing these products/contracts is very difficult.

Full suite of products: Think IBM, McAfee, EMC(RSA), LogRhythm. If you care, google gartner magic quadrant for Security Incident and Event Management (SIEM). In my experience that means network flow analysis, vulnerability scanning, event management, web filtering, anti-virus, endpoint protection, data protection/encryption, and a bunch of other stuff. There are issues and problems to this as well, but easier to manage if not as effective. This goes well beyond firewall only.

In my opinion, and I have never used CyberArk products, but they seem to be a ‘best of breed’ kind of product.

There are a ton of security companies - I think this is true, and I am not sure how much a moat CyberArk actually has because of this. Their moat might be in privileged account security, but that is just a slice of the pie. It seems everyone is calling what they do, their patented product, by a different name so it is difficult to compare. But in the end, the security technicians understand what they do or don’t do.

The standard security approach is to build a firewall around the company’s network. That’s what most security companies provide.

That’s the security that CYBR provides, the security inside the firewall. - There are lots of other companies that provide the same, and more, services. I am familiar with FireEye, Verizon and IronNet, both have VERY strong relationships and connections with NSA and DoD, and will try to eat into this space if it is profitable.

I am not saying this company isn’t great, or a great stock to own/invest in, but I do question how accurate some of the reasoning why CyberArk is a first mover, rule breaker, has a moat, etc.

I could continue to go on, but this post is already long. If you have direct questions, I will do my best to answer them. I think there are others on this post that are as familiar or more than I am in this sector.

Cheers,
Robert
no position in any cyber company right now. To high of PE, to easy to have bad publicity, tech changes constantly, enterprise level businesses/management don’t understand the problem and have a hard time investing in good products.

27 Likes