CYBR Analysis deep dive

Investment Analysis Clubs Saul’s Investing Discussions
1

Who is CyberArk
Cyberark (https://www.cyberark.com/), is a cyber security software company, specializing in Privileged Access Management. The company was founded in 1999, and had their IPO on the NASDAQ in September, 2014. The company claims that more than half of the Fortune 500 companies trust CyberArk to protect their most critical and high-value assets. Their 4400+ customers are in 90+ countries, with the majority of clients and revenue based in the U.S. The company was founded and is headquartered in Israel, but reports and transacts in the U.S., and trades on the NASDAQ. They follow US GAAP reporting standards.

In Cyberark’s investor presentation from Feb 2019, they report their 5-year CAGR at 39%, steadily growing revenue from $66 million to $343 million in the past five years. Their 2018 annual revenue is divided into license revenue at $192 million, and Maintenance / Prof. Services at $151 million. Geographically 62% of their revenue comes from the Americas, 31% from EMEA, and 7% from APJ. 30% of their clients are in banking, 11% in Government, 10% in manufacturing, 8% in energy, 6% in retail, and the rest are scattered across several other verticals.

CyberArk’s current market cap is $3.87 billion, on TTM sales of $343 million. The company has no debt, and shows as having $11.67 in cash per share on the books. The current P/E ratio is a lofty 84, the forward P/E is 43.7, PEG ratio is 2.43, and P/FCF is nearly 32. Their EPS growth this year is > 104%, and growing at an annual rate of 84% over the last five years. Insider ownership is merely 1.8%, while institutional ownership is 86.4%. Gross margins are 85.9%, operating margin is 13.8%, and profit margin is 13.7%. Over the past 52 weeks, the share price has been as low as $48.50, and as high as $105. The average daily volume is 786K.

What Do They Do?
CyberArk provides a comprehensive set of software solutions to proactively monitor privileged accounts, detect suspicious behavior, and prevent malicious and/or destructive attacks. Their approach is centered on the premise that over 80% of security breaches are initiated using privileged credentials. Once an attacker gains access to a privileged account, they can then obtain access to key admin credentials (i.e. Local Administrative Accounts, Domain Administrative Accounts, Service Accounts, Application Credentials, SSH Keys). In the wrong hands, privileged credentials can be used to cause catastrophic damage to a business such as stealing corporate secrets, commit fraudulent transactions, destabilize and disrupt key business operations, destroy or alter essential business data, lock-out personnel from key business systems, and do untold damage to a corporate enterprise. Most such attacks may go unnoticed for several months, even years.

Gartner positions Cyberark in the upper right quadrant on their annual magic quadrant report (November 2018), naming the leader in both key measures of completeness of vision, and ability to execute in Privileged Access Management.

Key Financial Metrics

Non-GAAP (in millions)


Year  Revenue  Oper. Income   Margin %   Net Income
2015     $161           $44        27%          $35
2016     $217           $58        27%          $45
2017     $262           $52        20%          $42
2018     $343           $90        26%        $76.5

Operating Cash Flow (in millions)


Year    Cash Flow    Margin %
2015          $59         37%
2016          $56         26%
2017          $81         31%
2018         $180         38%

Financial Highlights from the Fourth Quarter Ended December 31, 2018

Q4FY18 vs Q4FY17

  • Revenue Total $109.1M, up 36%
  • Revenue; License $66.8M, up 38%
  • Revenue; Maintenance and Pro Services $42.3 million, up 33%
  • Gross Profits $95.7M, up from $68.5M
  • GAAP Operating Income $27.5M, up from $11.6M
  • Non-GAAP Operating Income $39.8M, up from $19.7M
  • GAAP Net Income $24.2M / $0.64 per diluted share, up from $3.6M / $0.10 per diluted share
  • Non-GAAP Net Income $33.4 million / $0.89 per diluted share, up from $15.0M / $0.41 per diluted share
  • Operating Expenses $68.2M vs $57.1M
  • Diluted Share Count 37.61M, up from 36.30M

Financial Highlights for the Full Year Ended December 31, 2018

FY2018 vs FY2017

  • Revenue Total $343.2M, up 31%
  • Revenue; License $192.5M, up 30%
  • Revenue; Maintenance and Pro Services $150.7M, up 32%
  • Gross Profit $294.7M, up from $291.9M
  • GAAP Operating Income $47.3M, up from $20.3M
  • Non-GAAP Operating Income $90.5M, up from $51.9M
  • GAAP Net Income $47.1M / $1.27 per diluted share, up from $16.0M / $0.44 per diluted share
  • Non-GAAP Net Income $76.5M / $2.06 per diluted share, up from $41.9M / $1.16 per diluted share
  • Operating Expenses $247.5M, up from $200.0M
  • Diluted Share Count 37.1M, up from 36.2M
  • Total Assets $673.6M, up from $502.6M
  • Total Liabilities $206.9M, up from $148.6M

Cash On The Balance Sheet

  • $451.2M in cash and equivalents, up from $410.0M at September 30, 2018, and $330.3M at December 31, 2017.
  • Total deferred revenue was $149.5 million, a 42% increase from $105.2 million at December 31, 2017.
  • The Company generated $130.1M in cash during FY2018, up 61% from $80.7 million in 2017.

Conference Call Summary
In December Gartner published its first ever Magic Quadrant for Privileged Access Management, stating it is one of the most critical security controls. CyberArk was pleased to be positioned as the leader in the industry, both in completeness of vision, and in ability to execute.

In Q4 CyberArk introduced enhanced protection for massive scaling cloud platforms AWS, Google Cloud and Azure, as it continues to add more features for Cloud security against cyber attacks. A leading SaaS company deployed CyberArk in AWS, boosting credibility.

Revenue driven by Value Added Reseller advisory firms, like PwC, Deloitte, KPMG and Accenture increased by more than 85%, accounting for 67% of CyberArk’s revenue in 2018, up from 61% in 2017.

Although 2018 was a record setting year, the company believes they are in the early stages of their opportunity and that momentum in the privileged access security market is accelerating.

In 2018, 60% of License revenue was generated from existing customers purchasing additional licenses, and approximately 40% of revenue was from new customers, same revenue mix as in 2017.

Fourth quarter revenue of $109.1 million outperformed, accelerating growth to 36% year-on-year, fueled by greater than expected year end budget flush. I took this to mean that companies with budgeted funds had to spend it or lose it. It’s hard to tell if this is a common annual trend, but it appears Q4 is always the company’s strongest quarter.

Gross margin for the quarter increased to 90%, up from 88% in Q4 last year. R&D expenses grew 23% to be 12% of total revenue. Sales and Marketing increased 7% to be 33% of total revenue, and G&A increased 41% to be 8% of total revenue. Total operating expenses increased 15% compared to Q4 FY2018.

Gross margin for the year increased from 86.5% in 2017 to 88% in 2018, mostly on strong demand for professional services. R&D was 14%, no change from last year. Sales and marketing was 39%, and G&A was 8.5% of total revenue for 2018.

Q1 & FY2019 Forecast
For 2019 the company forecasted revenue between $411 to $415 million, approximately 20% growth at the midpoint, non-GAAP operating income between $92.5 and $95.5 million, and non-GAAP net income per share between $1.94 to $2.00. These are based on 38.5 million weighted shares, which would add 1.4 million shares from the 37.1 million at the end of 2018.

For the first quarter CyberArk expects a seasonal decline in sequential revenue, and anticipates revenues will accelerate through the subsequent quarters, peaking in the fourth quarter.

Risks
My concerns with CyberArk is that they keep issuing new shares, increasing the share count by about 2.5% per year.

Another concern is the low internal ownership; according to their 20-F Annual Report filed in March, 2018, Ehud Mokady, the executive officer, owns 1.8% of the shares, but none of the other executives of directors listed in the report have any shares.

CyberArk itself identifies as a potential risk in their 20F Annual Report, that being based in Israel they may be affected by political, economic and military instability in Israel, and potentially targeted by terrorist activity.

Cyber Security is a complex and highly competitive industry. A major, widely publicised breach of resources protected by CyberArk software could result in a major setback to the company’s reputation, and could result in a lawsuits and huge financial penalties.

Technology changes rapidly. Maintaining a competitive edge requires major investment in research, and ongoing innovation, with continuous advancement in product offerings, which limits their profitability.

My Observations
CyberArk is on an impressive growth trajectory, and quite profitable with respectable margin and cash flow numbers. It was first recommended on Motley Fool in the rule breakers service back in November, 2015, when their market cap was merely $1.2 billion, and annual revenue was $146 million. Their recommendation can be found here: https://www.fool.com/premium/rule-breakers/coverage/1069/cov…

Cyber security is not new, it is a mature industry, but it is rapidly growing due in large part to highly publicized cyber attacks that have humbled major corporate enterprises in recent times. The pace and breadth of these cyber attacks is on the rise as more corporate data and digital assets shift online and become increasingly accessible via the Internet. Cyber attacks such as the Equifax scandal in 2017, or more recently the massive Marriott breach, confirm that hackers are relentlessly at work. The threat is increasingly incalculable as major nation sponsors such as China and Russia wage cyber warfare, threatening corporate and national infrastructure globally. This virtually ensures that cybersecurity solutions will continue to evolve and grow in proportion to the threat.

There are other major players in this key vertical, including Palo Alto Networks ($21.4 billion), Check Point Software ($19 billion), Fortinet ($14.4 billion), Symantec ($14.4 billion), ProofPoint ($6.5 billion), and Zscaler ($6 billion), which is no stranger to this board.

I really like CyberArk’s approach to addressing this growing security threat, and now that Gartner has recognized Privileged Access Management (PAM) as a critical security control, it lends further credence to CyberArk’s approach.

I’ve been an investor in Check Point Software, another Israeli based security software company, since 2010. I was not aware (but not surprised) that Check Point was interested in acquiring CyberArck in early 2016 until I started researching CyberArk. At $415 million in sales (2019) it seems this company has a lot room to grow, a sentiment echoed recently by analysts that track CyberArk.

Check Point has done very well for me, with over 415% return. But based on what I have learned through this analysis I believe CyberArk will outperform Check Point in the next few years, so I will be looking to slowly rotate a portion of my Check Point position into CyberArk in the next few months.

I’m also keeping an eye on Zscaler, and may take a very small position in them too, but for now I will mostly watch them from the sidelines until they turn a profit and show some track record.

-----
Invest wisely my friends
CMFSoloFool - Ticker Guide / Share Holder
Profile and holdings: https://goo.gl/TYTU4S

21 Likes