Description

The security software company CYBR is a very attractive opportunity for three reasons: 1) It is embarking on now fairly typical revenue model transition from upfront perpetual license to recurring subscription. Similar software revenue model transitions have proven to create massive value due to faster revenue growth and a greater mix of high multiple recurring revenue. But, the benefits are still misunderstood because the early stages of these transitions are somewhat complex and optically messy.  2) It is an “A+” quality company in terms of its competitive dominance and its reputation with customers.  3) CYBR’s security offering is arguably the highest priority area within the already high priority security space, so CYBR should have a very strong demand tailwind for the next five years.  We are playing for a double in the stock and we believe the rapid shift to subscription revenue in 2021 will be a catalyst for multiple expansion.

Description

CYBR is far and away the dominant cyber security software provider for a security category known as Privileged Access Management (PAM).  Privileged accounts are the “keys to the kingdom” which provide IT admin level access to critical IT systems.  In virtually every corporate hack the attackers try to “escalate privileges” to get access to these key systems. 

To understand the scope of the problem that CYBR is solving, it is important to understand that most large companies have 10’s of thousands of privileged accounts which are protected by passwords. Every server, every router, every network device, etc, not to mention ERP systems, CRM systems, databases, etc. is protected by admin passwords.  An industry rule of thumb is that there is a 10:1 ratio of admin accounts to employees at a company.  At most companies, there is no formal system for centrally managing admin passwords.  1,000’s of systems or devices might have the same IT admin password which might be written on a Post-It note on someone’s desk.  Compounding this obvious vulnerability, the passwords are not updated regularly, there is no control over who has the passwords, companies are vulnerable when IT staff turnover, and external contractors/partners often have access.

CYBR solves this problem with a digital password vault. If you are an IT admin or an external partner (or increasingly any accessing “identity” including machines and other systems), you log into CYBR’s portal which is custom tailored to give the admin access to only the systems the admin needs to access. For example, the SAP admin gets access to SAP, the networking engineer gets access to routers, etc.  The portal provides direct access to admin systems without needing to enter a password for each system.  CYBR is doing the authentication and automatically rotating the passwords behind the scenes.  CYBR’s customers can track and allocate who has access to what.  When an IT employee leaves the company, the company can close access to that employee’s portal.  CYBR provides “session recording” whereby it records what an IT admin does when logged in so it can be audited later.  CYBR also eliminates passwords and encryption keys that are hard-coded into an application or code by using an API linked to CYBR’s system for real time authentication.

If you are familiar with Okta, this might sound similar to a Single Sign On (SSO) tool, but it is much more complex.  It is a heavy lift to implement CYBR because it requires figuring out all the admin passwords (most cos don’t even know how many systems/devices they have), re-architecting the access through CYBR’s vault, and allocating access to IT admins.  A typical IT admin might have access through CYBR to 1,000 of systems.

Dominant Player

CYBR is far and away the dominant provider for PAM.  It has almost 7,000 customers including >50% of the Fortune 500 and 35% of Global 2000.  To paraphrase one industry person, CYBR is the “900-pound gorilla.”  If you are familiar with Gartner’s Magic Quadrant, CYBR is the top ranked vendor by a wide margin.  It has competition from two much smaller vendors, Thycotic and Beyond Trust, which have recently merged under private equity ownership.  These two companies play more in the mid-market and there is more than enough market opportunity for both them and CYBR.  I’d emphasize that this is an uncommonly attractive industry structure for software because most categories have at least 4-5 relevant competitors.

Massive Tailwind

For reasons that are hopefully obvious, security software has a massive tailwind and is one of the fastest growing areas in the software sector.  Numerous CIO surveys overtime rank security as a top spending priority, and the area that is least likely to be cut back in a downturn.  Furthermore, within security, PAM is ranked as one of the key priorities.  The PAM space is expected to grow 20-25% per year for the next five years from a combination of greater awareness, regulatory pressure, greenfield expansion, and further penetration of existing clients.  One survey says that 85% of organizations lack basic PAM.    CYBR itself expects to grow revenue 20-25% overtime, holding aside its revenue model change (more on that below).      

To add fuel to the fire, security budgets have recently gotten a ~10% boost following the Solarwinds hack in December.  For brief background, the Solarwinds hack was the biggest security breach ever impacting 18,000 companies, and the effects are still being determined. Solarwinds is a widely deployed software vendor that companies use to monitor networks.  Russian hackers penetrated Solarwind’s source code and thus were able to get into 18,000 companies that were users of Solarwinds.    

The hack is a vivid illustration for why PAM has been emerging as a key security priority.  A shift in security posture has occurred over the last few years whereby many companies have gone from trying to prevent attacks with firewalls and email security (so called “perimeter” security), to assuming they have already been hacked and trying mitigate the damage (a so called “Zero Trust” approach).  Traditional “perimeter” security approaches were completely useless for protecting against Solarwinds.  But, tools like CYBR limit the damage because hackers are not able to steal the privileged credentials necessary to access keys systems.

Regulatory compliance is another a key driver of demand.  Increasingly auditors and regulators (for example bank regulators) are doing security audits and recommending PAM as a best practice for complying with a host of regulations including Sarbanes Oxley (SOX), Payment Card Industry Data Security Standard (PCI), HIPPA, General Data Protection Regulation in Europe (GDPR), and the California Consumer Privacy Act (CCPA). 

Platform Expansion

CYBR has a handful of peripheral products which are ~25% of license revenue, and it is working to build a broader platform of add-on products through R&D and tuck-in acquisitions.  It is starting to bundle these add-ons into subscription packages in 2021.  Some of these products have been sold as subscription from the start which is why CYBR has a small amount of subscription revenue in 2020.

The most noteworthy product is Idaptive which competes in the same space as Okta.  Okta is a $37bn market cap company trading at 34x revenue, so needless to say it is a very hot category.  By comparison, Idaptive has a puny $16mm of run rate revenue. Management says they are planning to grow it “aggressively” by cross selling it into CYBR’s F500 customer base, and management believes that it could easily be $100mm+ of revenue in a couple of years which I think is very credible. 

I am not a huge fan of TAM figures, but FWIW, CYBR claims it serves a $20bn TAM and that it plans to build out its platform to address a $50bn TAM.  Over the very long term, I believe security will converge into several large platform players. I think CYBR has a shot at being one of the leading platform players and, if not, that it will be acquired by a platform player.  Regardless, I think this is probably 5+ years in the future.

Subscription Transition

In November 2020 CYBR announced that it is transitioning from a perpetual license revenue model to a recurring subscription model.  Many software companies have made this transition in the last 5-10 years, starting most notably with Adobe back in 2012.  The massive value creating benefits of a subscription transition are theoretically well understood at this point, but investors still seem to get caught off guard by the short-term revenue impacts. 

For a super quick tutorial (and you can probably find ample descriptions of this elsewhere), a typical perpetual license price structure consists of an upfront perpetual license fee of say $100 and a recurring annual maintenance fee of 20%, or $20.  So, the client pays $120 in Year 1 and $20 each year thereafter.  Under subscription pricing, the client pays a simple recurring annual fee.  In CYBR’s case, which is pretty typical, the annual subscription fee is ~$58 which results in a ~2.7x year breakeven.  This means that after 2.7 years CYBR is making more cumulative revenue from a customer than under the perpetual model.      

Revenue growth obviously takes a big hit in the first year of a transition because revenue from a new customer drops from $120 to $58.  But, once a company gets past the initial revenue hit, then revenue growth is faster for longer than it would have otherwise been because of the effect of “stacking” incremental recurring revenue each year.  In other words, in Year 1 there is $58mm of subscription revenue. Year 2 there is a $58 recurring from Year 1, plus $58 from new deals in Year 2 ($58 + $58 = $116).  In Year 3 it is $58 from Year 1 + $58 from Year 2 + $58 from Year 3 = $164, and so on.  

The stacking effect is even better than this for growing software companies like CYBR that are selling more and more deals each year, holding aside pricing model changes.  For example, a company like CYBR would be growing its perpetual license revenue 20-25% per year if it were not converting to subscription, and in turn would be selling 20-25% more new subscription deals year each.  For illustration, in Year 1, a $100 upfront perpetual license would instead be $58 of recurring revenue. In Year 2, perpetual license revenue with 25% growth would be $125 and new recurring revenue would be $73 (which is added to $58 in Year 1). In Year 3, perpetual revenue with 25% growth would be $156 and new recurring revenue would be $92, etc, etc. So, you get the effect of “stacking” incrementally larger recurring revenue streams each year. 

The beauty of combining underlying new business growth plus “stacking” of recurring revenue each year is that companies tend to grow much faster than expected during the “ramp” after the initial revenue hit because the sell side does not model it carefully (or they don’t model it at all!).  For CYBR, 8 out of 11 sell side models that I have seen don’t even model subscription revenue and those that do are (way) too conservative because they are not explicitly modeling the bridge from the growing perpetual license line to subscription revenue as I described in the paragraph above.  This is a key thesis point.  Subscription revenue transitions are massively value creating and most of CYBR’s sell side analysts don’t even model it! 

Varonis (VRNS) is the most recent example of this dynamic.  VRNS announced a similar subscription transition in 2019 and has gone on to blow away revenue expectations and has been rewarded with significant multiple expansion.  VRNS is a very relevant example because it is similar to CYBR in that both are similar-sized Israeli-centric cyber security companies (although in different areas) run by founder-CEOs who are close in age.  I believe CYBR is trying to copy VRNS’s subscription transition, and that CYBR was likely motivated to purse the transition because of the success they witnessed at VRNS.

I think CYBR’s transition to subscription will happen much more rapidly than their guidance for “within 8-10 quarters.”  For example, VRNS guided to a 25% subscription mix for the full year 2019 and it ended up being 82%.  The reason these transitions happen faster than expected is: 1) For both CYBR and VRNS, the sales force is incented to push subscription pricing over perpetual. Sales people are savvy and they know the transition is coming, so they start to “prime” customers even before the official subscription transition announcement.  2) Management is likely sandbagging.  3) Subscription pricing for software has now become the norm so customers understand it, and many customers prefer the lower upfront commitment.

Forecasts and Valuation

Below I have laid out how I see the revenue trajectory for CYBR under both the old and the new models, and how the “stacking” of new subscription revenue builds up.  Key points: 1) Revenue growth is depressed at ~8% in 2021 (my forecast; consensus has 6% FWIW) which optically looks weak and is one reason that growth investors take a “wait and see” approach.  This ignores that fact the underlying business excluding the revenue model change is growing close to 30%.  2) Revenue is lower in 2021-2023 than it would otherwise have been representing the “trough” of the transition.  3) The recurring revenue mix is much higher, growing from ~50% currently to >90% in four years.  Recurring revenue businesses are obviously afforded higher multiples.  4) My revenue forecasts are significantly higher than consensus in 2022 and 2023 (14% and 30% higher respectively) because the sell side is not modeling the transition as I have described above, including the “stacking” benefit.

I am trying to avoid cluttering this pitch with too much detail, but it is worth mentioning that some portion of “subscription” revenue (I estimate ~40%) will actually be three year term-based licenses.  Term based licenses are still annual recurring revenue, but under GAAP, a portion is recognized upfront versus pure subscription revenues are recognized ratably.  The effect of the partial upfront revenue recognition makes the “stacking” look a little less smooth.  If you want to get into that level of detail, I am happy to engage in the Q&A.

For valuation, I see slightly more than a double in 4-5 years using 30x FCF and 9x revenue on 2025 estimates.  30x FCF seems reasonable if not conservative for a company growing close to 20% beyond 2025. 9x revenue compares to 13x for comps with 20% growth today.  I am applying a discount because I think current software multiples are elevated.

----------------------------------------------------------------------------------------------------------------------------

This posting is solely for the evaluation of club members and is not a recommendation to buy or sell this stock.  The views expressed are those of the author individually and should not be attributed to any affiliated investment firm, which may or may not hold positions consistent with the views expressed herein and may buy or sell shares at any time.

Catalyst

Further accelation of strong underlying demand due to the Solarwinds hack

Faster than expected conversion to subscription

Results well above expectations in 2022 and 2023 due to the effect of "stacking" new subscription revenues