Long: CyberArk (NASDAQ: CYBR)
NASDAQ: CYBR - Long
12-Mo Price Target:
$46.90 - $61.00
-3% - 26%
Privileged account (PA) security solutions are quickly gaining market awareness and becoming a crucial layer of any enterprise security platform. CyberArk, the market leader and largest pure play company within this vertical of security, is well positioned for strong, organic growth. The current value of the company does not fully reflect both these secular and company-specific positives. CyberArk is a compelling investment due to the following four contentions:
1. CyberArk is the market leader both in share and functionality.
2. Privileged account security is growing in demand.
3. There are positive secular trends driving this company forward.
4. CyberArk has made the right moves both within acquisitions and product development efforts.
1. CyberArk is the market leader both in share and functionality.
As the largest pure play in terms of revenue, within privileged access management, CyberArk covers every major sub-segment within the vertical. The company has garnered the trust of its customers as the top strategic security provider in an industry that is rife with customer churn. Its customer count spans nearly 40% of the Fortune 100. CYBR has taken full advantage of its role as a niche provider and sole focus on PA security to place itself ahead of larger rivals like CA Technologies (Xceedium), BeyondTrust, and Dell (Quest Software segment). Especially with all the recent M&A activity within this vertical, there could be a transition time between new management and operations before any synergies are realized.
CyberArk offers its Shared Technology Platform, as a common user interface to manage other CyberArk products.
The Shared Technology Platform includes:
- Secure digital server for storing keys, passwords, and settings
- Discovery engine for finding new privileged accounts or changes to existing accounts
- Master policy aggregator for translating an enterprise's security policies into technical settings
- Web interface allowing customers to monitor and manage their policies across CYBR products
The rest of CyberArk's product portfolio covers password management, session monitoring, threat analytics, app identification, app control enablement, and privilege management. The pricing for its products are all on a per user or per server basis, which allows CyberArk to grow its revenues along with the growth of its customers as they scale in number of privileged accounts, administrative users, and servers. The industries that are able to utilize CyberArk's security solutions are wide spanning, ranging from financial services, to airlines, to pharma, so the company has the advantage of being a horizontal player in the vertical.
Source: CyberArk Q1 16 Results
2. Privileged account security is rapidly gaining demand.
Privileged accounts (PAs) are simply a combination of a username and password used to login and provide access at the highest level to any device, system, or application. They are very common within databases, control systems, laptops, and applications to name a few. Traditionally, PA credentials are manually stored and distributed, shared among several users, and used by developers to access other applications or databases. However, this practice is risky because providing broad access to PAs makes them vulnerable to breaches, user activity cannot be tracked, and changing hardcoded App passwords can prove to be time-consuming.
Privileged account security involves locking highly valuable privileged credentials in a vault, keeping a record of use by other users in a network, monitoring account sessions, and restricting specific functionalities.
In 2014 and 2015, some of the largest breaches in the US were the result of cyber-attacks on privileged accounts. JPMorgan's (NYSE:JPM) infamous client account breach saw hackers obtain access to the highest level of administrative privilege. Sony (NYSE:SNE) discovered that hackers stole computer credentials of a system admin to give themselves broad access across its computer system.
Once a hacker infiltrates a company's network, the next step will target elevating its access of privileged accounts and move up the chain to higher level credentials with greater access to every level of the network. CyberArk stops this process in its tracks with its PAS solution.
3. Of course, we have all the secular trends.
The Importance of PAs - With so many high-profile corporate breaches behind us, many companies are beginning to build up their security strategies with CyberArk as a partner. This ensures that their crown jewels remain intact, think of Coca-Cola's (NYSE:KO) secret recipe.
Migration Towards the Cloud - Instead of hindering the PA security market, the cloud environment increases the risk and sensitivity of privileged access. This provides more room for further growth as companies expand their cloud networks.
A Shift Away From Perimeter - Under CyberArk's security solutions, attackers may still be able to infiltrate networks, but CYBR focuses primarily on protecting high-privilege accounts. In turn, companies are shifting towards a more focused security strategy, rather than perimeter-based solutions.
Regulation - Particularly in APAC, China recently passed regulations mandating that companies report their internal breaches publicly, essentially forcing them to increase spending on security solutions. Domestically, regulations like HIPAA place greater responsibility on enterprises to comply with data security requirements.
4. Good Acquisitions and Even Better Product Developments.
In 2015, CyberArk acquired Viewfinity, a Windows privilege manager, for $30.5mm in cash. Previously, CYBR offered a privileges manager for Windows through a reseller partnership, but now has boosted its margins by replacing the offering with Viewfinity. This gives CYBR full control over its product development and offering platform, making things seamless for their customers.
Viewfinity also brought in its customer base of approximately 400 accounts to CyberArk's current ~2,200 customer count, giving a significant opportunity for cross-selling. Viewfinity also expands CyberArk's footprint in SaaS since the Windows service can be provided through a cloud platform, helping to further boost gross margins and increase CyberArk's top line.
Along the same line, the company has set up a successful alliance partner program, including integration with more than 30 partners and relationships with channel partners and system integrators.
CyberArk's Shared Technology Platform gives a sound base to leverage the rest of its product portfolio (outlined earlier in this article). The entirety of CyberArk's product line can be tied to a single platform, giving it a major advantage and allowing its customers easy upgrading to other products. This makes CyberArk a security vendor of sorts, rather than defaulting to yet another niche solution. This has translated to very promising customer retention and engagement metrics, with nearly a third of CYBR's existing customers making an upgrade each year. An increasing number of its customers are purchasing multiple products.
Compared to the rest of the cyber security cohort, CyberArk has very high profitability (EBIT Margin) and similar growth. The best method of valuing CyberArk is based off of a multiple to forward free cash flow. Currently, CyberArk is valued at 29.0x EV/FY16 FCF as compared to its peers which trade at a median of 38.6x EV/FY16 FCF.
If CyberArk maintains its positioning as the defining market leader in privileged accounts, expands its potential earnings from its Viewfinity acquisition and platform product development, and the secular growth within its vertical remains, then CYBR should receive a valuation on par with its high-growth comparables of ~38x EV/FY16 FCF. This valuation gives a 12-mo target price of $61 for a 26% upside potential.
CyberArk loses market share to surging competitors from incumbent security firms like CA Technologies (Xceedium), BeyondTrust, and Dell (Quest Software segment). Pricing arises as a factor if software solutions become too comparable and this could cut into CyberArk's margins. Within cyber security, it could only be a matter of months before a competitor releases a new product and CyberArk needs to constantly be on its heels in terms of product development and potential partnerships. In the bear case, CyberArk should receive a valuation at a discount to its high-growth comparables of ~28x EV/FY16 FCF. This valuation gives a 12-mo target price of $46.90 for a 3% downside risk.
Perfect Pricing - CyberArk is currently priced to maintain its level of execution and earnings results, thus the company has to maintain those standards to justify its forward valuation.
Customer Concentration - The Company's customer base is fairly concentrated in financial services with 36% of the company's bookings in FY 15. If there were to be a downturn in financial services, especially with the eve of 'Brexit', then IT spending budgets could fall, negatively impacting CyberArk's revenue per customer. CyberArk derives a significant chunk of its revenue from European markets, which may undergo some currency volatility due to the recent UK separation from the EU. Companies are unsure of future prospects in Europe and in turn will lower spending in IT and security.
Cyber-Attack Frequency - Any decrease in cyber-attacks, especially those targeting privileged accounts, could result in a lower demand for CyberArk's solutions.
The Competition - If competitors large or small were to catch up in terms of functionality to CyberArk's solution suite, the business could be negatively impacted.
Udi Mokady, Founder, President, and CEO - Mr. Mokaday co-founded CyberArk in 1999 and has served as the Company's CEO since 2005. Prior to his role as CEO, Mokady served as CyberArk's COO between 1999 and 2005. Prior to CyberArk, Mr. Mokady served as the general counsel at Tadiran Spectralink, a highly specialized producer of secure wireless communications systems. A veteran of a military intelligence unit, Mr. Mokady holds a law degree from Hebrew University in Jerusalem and a master of science management degree from Boston University.
Josh Siegel, CFO - Prior to CyberArk, Mr. Siegel served as CFO for Voltaire Ltd., a leading provider of InfiniBand and
Nir Gertner, CITO - Prior to CyberArk, Gertner served as a software engineer on BMC's Control-O automated systems operations solution. Within BMC, Gertner also gained valuable customer-related experience as a systems engineer responsible for pre- and post-sales activities in the northeast region of the US. While serving in the military, Gertner was the chief administrator of the Security and System Department of the Central Computing Center in the Israel Defense Forces.
Adam Bosnian, EVP Global Business Development - Prior to CyberArk, Bosnian was the Co-General Manager and Vice President of Sales and Marketing at Elron Software, completing the sale of the company to Zix Corporation. Prior to Elron, Bosnian served in a range of Sales and Marketing executive roles at InterSense, Spacetec Corporation and New Media Graphics Corporation. Bosnian holds a Bachelor of Science degree in Electrical Engineering from Worcester Polytechnic Institute where he graduated with Highest Honors.
Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours.
I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.