CynergisTek's (CTEK) CEO Mac McMillan on Q2 2018 Results - Earnings Call Transcript

About: CynergisTek, Inc. (CTEK)
by: SA Transcripts

CynergisTek, Inc. (NYSEMKT:CTEK) Q2 2018 Results Earnings Conference Call August 9, 2018 2:00 PM ET

Executives

Bryan Flynn - IR

Mac McMillan - President and CEO

Paul Anthony - CFO

Analysts

Matt Hewitt - Craig-Hallum

Andrew D’Silva - B. Riley FBR

William Gibson - ROTH Capital Partners

Bill Sutherland - Benchmark Company

Operator

Good day and welcome to the CynergisTek’s Second Quarter 2018 Earnings Call. Today's conference is being recorded. And at this time, I would like to turn the conference over to Bryan Flynn, CynergisTek Investor Relations. Please go ahead.

Bryan Flynn

Thank you, operator, I want to welcome everyone to CynergisTek’s second quarter 2018 earnings call. Joining us today from the company includes Mr. Mac McMillan, President and Chief Executive Officer; and Mr. Paul Anthony, Chief Financial Officer.

Before we begin the formal presentation, I'd like to remind everyone that some statements made on the call and webcast, including those regarding future financial results and industry prospects, among others, are forward-looking and may be subject to a number of risks and uncertainties that could cause actual results to differ materially from those described in the conference call.

Certain of these risks and uncertainties are or will be described in greater detail in the company's SEC filings. CynergisTek is under no obligation and expressly disclaims any such obligations to update or alter its forward-looking statements, whether as a result of new information, future events or otherwise.

At this time, I would like to turn the call over to our CEO, Mac McMillan.

Mac McMillan

Thank you, Bryan, and good afternoon everyone. Q2 saw multiple signs of improved performance in both operations and sales. We continue to strengthen and enhance the account management with the existing clients and are seeing the results of that in contract expansions and strong renewals. This quarter saw our first big renewal in MPS with the addition of three more years to one of our large academic medical centers. We also saw multiple managed security service renewals and expansion. Several new managed service accounts added and a large win and professional services. Booking for Q2 and security were nicely up over Q1.

We are very excited about the prospects going forward if these trends persist. There are many factors contributing to this not the least of which is the continued pressure that healthcare is under from cyber criminals and incidents. The healthcare industry continues to find themselves the target of cyberattack both Black Books annual cyber security survey revealed that healthcare enterprises are not maturing fast enough, and that cyber security will continue to be underfunded and under staffed in 2018. Additionally, over 90% of healthcare organizations have experienced their data breach since Q3 of 2016 and nearly 15% have had more than five data breaches in the same timeframe.

Proactive threat monitoring is still not in the forefront of an executive’s mind. Less than 20% of healthcare organizations monitor quietly, despite the fact that they know many of these breaches now come from commonly missed endpoint devices such as printers, biomedical devices, IOT and imaging equipment. Healthcare organizations continue to fall behind as the majority of them are not conducting regular cyber security and internet response drills, even though the number of data breaches remains constant and the impact to the new business worsen.

The continual rise in healthcare data breaches illustrates the need for increased vigilance. This quarter the FDA has released two plans to increase security around medical devices and software. The first titled Medical Device Safety Action Plan protecting patients and promoting public health seeks to provide patients with access to safe medical devices that meet their healthcare needs. This plan aims to establish a robust medical device patient safety net in the United States as well as spur innovation towards safer medical devices and advanced medical device cyber security and development of new technologies that facilitate device recognition and security evaluation.

Second, the software precertification pilot program which calls for cyber security to be baked in to product design would be applied to developers and vendors who are looking to introduce new software products in the market place requiring them to include a baseline, a security protocol in to their software. As these standards start to be rolled out and deployed via hospitals using these products, it opens up new opportunity and requirements for security assessments and components.

The combined effect of GDPR and the newly released space security for state level privacy legislation has also driven heightened interest and privacy concerns for health plans, healthcare clearing houses and healthcare providers who electronically transmit health information. Many of these laws like those in California and Colorado significantly change the landscape for companies doing business in those states or handling the sensitive information related to personnel that are citizens of those states.

Many other states are considering their own versions of enhanced privacy protection, as consumers become vary of waiting for the federal government to enact a national standard. Something that’s been hinting at for more than a decade. Like the European law, these new rules carry financial penalties that are a cause for attention. This has generated much discussion around the industry and in particular with business associates many of whom do business in multiple states as well as overseas.

With increasing regulatory awareness and the ever growing attack surface in the healthcare environment, organizations must strengthen their cyber security defenses. CynergisTek’s focus has always been on helping organizations meet regulatory requirements and proactively building cyber threat awareness within their environment through our cyber security and privacy services.

Just this quarter, KLAS recognized CynergisTek as the top comprehensive cyber security firm in the country providing services for healthcare. So this validates our market-leading position and the ability to quickly and effectively respond to our clients need. We will continue to offer services and innovations that address the ever changing threat landscape and to deliver long term success to our clients.

Turning back to the second quarter, I’m pleased with our results. As I said in my read-in, we had two large wins, one in professional services offerings and the other a renewal and a longstanding management and services client. We made great strides forward with our professional services offering by signing a multi-million dollar contract expanding services with one of our larger accounts.

CynergisTek will place additional security resources in the health system to augment that organization’s existing security team, helping to overcome security personnel shortage facing the healthcare industry. We continue to see healthcare organizations of all sizes struggle to recruit and retain talented cyber security professionals which are critical for addressing this ever-evolving threat landscape. This new expanded engagement is a testament to our successful product relationship with this health system. It also demonstrates the growing demand for security experts to help manage comprehensive security initiatives.

Overall, we saw an increase in professional services in Q2 with the addition of five new engagements. We will continue to focus on growing our professional services program to take advantage in the labor shortfall. On the managed print side of the business, as we discussed we were able to extend a large academic medical center contract for an additional three years.

As I stated in Q1, our focus was on strengthening those relationships with our clients. This earlier renewal was a testament to the hard work and dedication our teams have exhibited over the last six months in 2018. But we continue to work with our clients to make sure we are exceeding their expectations while delivering the best overall managed service programs.

In addition, we are capitalizing on the continued consolidation within healthcare, working with our MPS clients to expand services under their newly acquired entities in Q2, further demonstrating our progress towards strong relationships and improved services. We continue to see strong demand for all of our managed service offerings and experience steady growth in our overall pipeline.

We increased the number of new service clients by 12, renewals remained at 95% and 20% of those renewals included expansions through additional services. Last quarter, we began to rollout new service offerings in internet response and biomedical device security management. We are excited to report that we have had wins in both of these new categories and are seeing an increase in the pipeline of opportunities for both of them.

Our biomedical device security solution incorporates the technology I mentioned earlier, that is enabling our ability to find and manage these devices more effectively improving both cyber security and patient safety. In addition to expanding our service offerings with existing customers, we are continuing to grow our overall client base. Our sales team has made significant progress in booking growth and are off to a strong start for the first half of the year, putting us in a good position for the remainder of 2018.

I will now hand it over to Paul to review the financial highlights of the second quarter of 2018. Please go ahead Paul.

Paul Anthony

Thanks Mac. Breaking down the revenue in to the new categories for Q2 2018 versus ’17, managed services revenue was 13.2 million, a decrease of 9%. This decrease was a result of the MPS non-renewables which we discussed in the past. Consulting and professional services increased by 8% to 1.8 million due to growth from security related consulting and professional services provided to both new and existing customers. Equipment and hardware and software resales increased by 226% to 1.9 million.

We maintain a gross margin of 26% of revenues in the second quarter of ’18 as compared to the same period of ’17 and non-GAAP adjusted EBITDA after adding back stock-based comp was 1.1 million or 7% of revenues for the second quarter of ’18, compared to 1.2 million or 7% of revenues for the same period at ’17. Non-GAAP adjusted earnings was 8 million or $0.08 per basic and diluted share for the second quarter of ’18 compared to 0.8 million or $0.09 per basic and $0.08 per diluted share for the same quarter in ’17.

The reconciliation of the GAAP to non-GAAP information can be found in the earnings release that came out earlier today. As of June 30, 2018 deferred revenue was 2.4 million up from 1 million at March 31, 2018. This increase to deferred revenue was a result of approximately 1.2 million in equipment delivered but not installed by one of our larger clients. The company has $5 million of cash and cash equivalents at the end of the quarter, along with 23.5 million in short and long term debt.

Company maintains a line of credit with the commercial bank up to 5 million subject to borrowing base limitations of which this clearly has no outstanding balance as of today. This concludes the prepared remarks, operator please open the floor for questions.

Question-and-Answer Session

Operator

[Operator Instructions] and we will hear first from Matt Hewitt of Craig-Hallum.

Matt Hewitt

First one from me, you announced a couple of days ago the renewal with New Haven, and I’m just curious, you’ve talked about historically when you get to the tail end of those big deals, you typically are seeing your best margins. As we think about the next three years with this contract, is it a continuation of those higher margins or was it a competitive bidding situation where maybe you don’t get the full benefit?

Paul Anthony

In this case, actually the margins remained flat; they still remain at what would be considered kind of our target margin. This specific renewal was related to some operational changes and some other things that were being done that allowed us the opportunity to extend it for a longer period of time and take advantage of the situation. So we did that. So fortunately in this case at least we did not see maybe the normal margin impact at renewal that you would see for an account that saw itself get to the end of its original term.

Matt Hewitt

Shifting gears maybe a little bit high level, I think back to when the companies merged there was a lot of excitement and opportunity from a cross-selling perspective. I think we spoke a little bit about this last quarter. As you look at the installed base today, even the new wins that you announced here just a few moments ago, as you look at the installed base how many of those customers today are simply buying one service or one offering versus two, versus more than that and where do you see that opportunity going over the next year or two.

Mac McMillan

We still have a fairly low percentage in terms of penetration rate at multiple offerings. I think we have about 20% of our customer base that has more than one man who serves and we typically measure that by managed services not just one-off discrete services. Many of our customers will buy one-off discrete services throughout the tenure that they are part of the program. But we’re really look forward is in terms of incremental growth is when they start adding additional managed services. And that’s still a big area of focus for us and we’re trying to improve that needle further to the right, and we are beginning to see some progress there, where we are beginning to see more customers buying our [BSM] offering and our privacy monitoring offerings and now we have a lot of customers that we’re having conversations with around managed print and as we learn a lot of our existing customers who are already in some form of managed print relationship. So we are in the process obviously of working to be in the mix when either they renew or displace whoever is in there now. But we still see that as a big opportunity and it’s something that we’re focused on in terms of our sales team and in fact we have sales training coming up in the next week and that’s going to be one of the big focuses of that training is moving customers in to multiple managed services relationships.

Matt Hewitt

Maybe one last one from me Mac, you kind of touched recent report highlighting that personnel remain a challenge, finding the right people for your customers. You historically have had a great success in attracting and bringing those types of people in-house. Given when we are at from unemployment standpoint here in the states and some of the other bigger issues that are occurring, it doesn’t seem like that’s going to change. So I would think that that would accelerate adoption of some of your managed services rather than some type of new training platform that brings more people in to the work force to help. Am I thinking about that right?

Mac McMillan

Matt, you are. In fact we’re more and more customers to straight to the managed service option as opposed to one-off service, and that’s one of the things that kind of sort of changed our deal mix a bit in terms of because we basically put things in professional services, consulting services, managed services, buckets if you will in terms of how we track things. And we’ve seen an increase on the managed service side and the professional service side and a decrease on the consulting side and a lot of that’s because a lot of customers instead of just buying a one-off risk assessment are going straight to a three year cap, because they’re having so many challenges, getting the people that they need on (inaudible) and being able to retain them, the whole managed service model is becoming more and more attractive to those hospitals in particular.

Operator

And we will hear next from Andrew D’Silva of B. Riley FBR.

Andrew D’Silva

Just a few quick ones, I’ll start with a few for Paul. Could just explain maybe a little bit what the rev mix from a security versus document standpoint? I’m just confused on how your gross margin increased year-over-year and sequentially as equipment sales increased so much. And then just looking at the balance sheet accounts payable are way off historic norms, what’s causing that and will it to more historic levels going forward?

Mac McMillan

These relates to the product mix or services mix, security was just over 4 million really both quarters, 4.4 or so for Q1 and 4.2 for Q2 on the security side. And it specifically relates to the balance sheet, you also see that we had a drop in our accounts receivable as well. A large portion of our business on the management services side includes playing agent role for our clients and so in many cases we don’t make payments on a number of our expenses associated with a given client until we’re paid by our clients. So it’s really more of a timing issue specifically related to Q2. There’s no trends that we notice necessarily, we just happened to collect more money in that quarter and the resulting payout against the vendors that support those accounts we’ve done as well. As you remember back in Q1, we actually saw an increase in AR because we hadn’t changed the collection that came in later. So it really is a timing difference, no trends that we’re seeing or changes in trends.

Andrew D’Silva

And as you look at the business, I know that we discussed this last quarter, but are there still headwinds on the document side of the business or are most of the ones that you experienced in the first half of the year behind us now or has the competitive landscape of all enough that it couldn’t make that segment more unpredictable than perhaps how it was over the previous, call it three years.

Mac McMillan

So I think it’s safe to say that there’s still a pretty strong headwind in front of those services. That entire business is still facing a lot of downward pressure with respect to price and cost, and a lot of the competition is, it’s becoming as you said before - and not becoming it is a commodity based market. But the fact it is I think it’s even becoming more effective than that in the sense that we have the equipment manufacturers who provide managed services, we have folks like ourselves who provide managed print service and then we have what I call, all the local folks, meaning the local office jobs etcetera, who will also provide a managed service around the equipment that they sell to a particular business, which I think is actually growing in terms of the numbers.

So, there is just a tremendous amount of competition out there for that business and it’s a lot of it is all price based in terms of the competition. Obviously the local vendor doesn’t have the overhead of travel or the organization to support or disperse client base that’s outside their geographic area. The manufacturers who sell the equipment, their focus is primarily selling the equipment, so they’ll discount the managed services in order to sell more boxes in to the clients.

So really those folks are like ourselves that are kind of in that middle sector of the business where we are pure managed print vendors. We really have pressure coming from both ends, and on top of that you’re talking about our market place that is extremely saturation. What I mean by that is, refining as we found when we started cross-selling in to our existing security clients. It was incredibly rare for us to run in to somebody who didn’t already have some form of the managed service relationship in place.

So you’re not only dealing with the pressure in terms of price, but you’re dealing with the pressure in terms of having to displace whoever is currently there and whether or not they are either happy or not so happy with whoever they are currently doing business with. But I don’t think that the headwinds have gone away. I don’t know that it’s any more volatile than it was before. Meaning I don’t if that’s any more unpredictable than it was before. I think it’s still very predictable that it’s going to be a difficult sell and it’s going to be competition every time you go in there.

Paul Anthony

So we’re definitely focused on the security angle that we’ve got that the competitors don’t have. It’s definitely an area that we’re focused on to differentiate ourselves.

Andrew D’Silva

Great color. And then I know you touched on this, but just looking at it from a slightly different angle, any thoughts on how legacy customers are viewing some of the new offering that you have come through security. I know you mentioned 20% adoption, is there an adoption or rate you would be disappointed with if you weren’t able to hit on a quarterly or annual basis, any benchmark that you can give us would really help us think about it from a modelling standpoint?

Mac McMillan

That’s a good question. We haven’t really I don’t think sat down and thought of it from that perspective. Right now the model that we put forward to our teams is we’d like to see every one of our customers have two to three different managing services a piece. But I haven’t really thought of it in the sense of does it have to be 20% or 30% or 40% penetration. So that’s a different way of thinking about it, and we can probably give some thought to that but we haven’t. I don’t know, I wouldn’t know what to tell you today.

Andrew D’Silva

And how about this, you mentioned the goal a Q3 managed services a piece, what’s the norm right now?

Mac McMillan

So the norm right now is, the overall majority have one and then they will buy other discreet services on top of that. The percentage I think its somewhere around 20% right now as anywhere from 2 to 3, and we just like to see that grow. That’s what we’d like to see grow.

Andrew D’Silva

And then a final question, you mentioned a 95% retention rate, is that based on revenue or total appliance and then is that a rate we should model as our base or what would be the best retention rate we should use as a base care going forward.

Mac McMillan

So I’ll let Paul talk about the numbers piece of it, but that percentage is just based on clients. It’s client account.

Paul Anthony

And then I would say, historically we’ve targeted 97% for the security business and historically prior to – in to 2016-2017 we would have had high 80s in to the 90s for both the MPS. So I think now what we’d like to see is if its right in that mid to high 90s and still – there still are targets related to [renewal].

Andrew D’Silva

And that’s quarterly or annually from a timeline standpoint versus the annual numbers?

Paul Anthony

Annually.

Operator

[Operator Instructions] We’ll hear from William Gibson of ROTH Capital Partners.

William Gibson

Mac, say could you give us a little more color on the biomedical, medical security wins? How many are out there and how big could it be and what’s the ramp and sort of the timing of when it start showing up in revenue?

Mac McMillan

That’s one of the things that we’re actually very excited about. And it seems like every time our sales guys have a conversation with anybody out there about this topic, they come away with an opportunity to present something to them. And the number of opportunities in the pipeline has just continued to grow. I think we’ve had two or three wins already on the biomedical side.

So we’re really excited about what’s going on there and this is just the front end, because right now we’re dealing with doing the assessments, helping them to understand how many medical devices they actually have that are connected where those devices are and what the issues are related to those devices, what the vulnerabilities are that need to be addressed. And the second piece of that the managed service on the backend which is the second part of that coming down the pipeline which what we’re really aiming for.

But it just seems like every single health system that we talk to, in fact I just saw two more opportunities this morning that would go under proposal for fire medical device security assessment. It seems like every hospital we talk to that they are anxious to jump on that and they are very excited about the fact that we’ve incorporated the new technology in to what we’re doing, so we actually have the ability to accurately find those devices and identify what’s wrong with them.

But on the other side of it there is also been some great partnering opportunities that are going on right now and we’re working with two of the large biomedical device manufacturers who also manage those devices for a lot of the hospitals that they work in and we’re working on a partnership with both of them to actually be their security partner and come in to their hospitals and work side by side with them to address the security piece while they are addressing the maintenance piece of those biomedical devices as well, and those – I guess there are opportunities that we just can’t wait to see where those go.

And then we also have a couple of opportunities that were more longer term, but there was very health systems that has many hospitals who are looking at more of partnership relationship where we come in and help them manage those devices across all of their hospitals. So the biomedical device security piece right now is something that’s very exciting and it’s got our sales team very excited because they don’t have the negative conversation any time they have one.

William Gibson

And so what’s the typical assessment period, is that three months, nine months?

Mac McMillan

The typical assessment period is about six weeks. We have to – essentially what you do is you deploy the technology in to the hospital, it sits and passively records the communications between the end point devices and other devices on the network and through those communications identifies the device, where it’s located on the network, the type of device it is, the rev version of the device, what its maintenance level is and what its security issues are.

We typically let the collector run in the client’s environment for anywhere from three to four weeks, because all these medical devices are not online all the time. Just to give you an example, a hospital may have 20,000 devices that are connected to its network, it may only have 40% of those connected at any given time. But over a period of weeks all of those devices will typically have been connected during that time frame and you will have been able to find them and catalog them and identify the issues with them.

So we leave the collector there for up to four weeks, collect the data. Once we have the data, we do the analysis, raise a report, make the recommendations with respect to the clients program in terms of how they’re managing those devices from a life cycle approach, meaning we go all the way back to where they acquire those devices and what their processes are for acquisition through maintenance as well as through retirement of those devices.

And that’s what that – and we basically provide them with an analysis that allows them to not only tactically attack those devices that need to be addressed, but also look at things like segmentation in terms of where they want to put them on the network, and visit the location in terms of where they want to connect them and of course addressing the things like patching and fixing with respect to the devices as well as fixes to their processes. So it’s actually (inaudible).

Operator

And our next question comes from Bill Sutherland of the Benchmark Company.

Bill Sutherland

So the first half, as I look at half of the equipment sales, it feels kind of flattish 2Q over 1Q of how you (inaudible) and security. And so as I try to get my arms around some of the additional business you talked about Mac and expansions and then tie that to retention and then also your pipeline and the time to convert. How do we think about the back half, should we think about it as sequentially up from the first half of obviously ex equipment sales?

Mac McMillan

Yes, absolutely. It’s generally talked about. We knew we had explored Q1 from a booking standpoint, we had a really strong Q2 and which we caught up with, made up for any short fall we saw in Q1 as well as exceeded in what were planning for the six months combine. So we’ll start to see that those bookings start to materialize in the revenue here going in to Q3 and in to Q4. So we’ll definitely start seeing additional growth as we get in to the backend of the year.

Bill Sutherland

And that’s I guess to both sides of the business?

Mac McMillan

Let’s go on the MPS side with the exception of maybe some equipment would get some – you start to come in around the deferred revenue that you had in there from the equipment, but most of the growth in the services side has come from the security side.

Operator

And it appears there are no further questions at this time. I’d now like to turn the conference back to Mac McMillan for any additional or closing remarks.

Mac McMillan

Thank you operator and thanks everybody for attending today and for all of your questions. Although the year started up slow, we’re now gaining momentum in 2018 and are looking to build on the strong sales performance we saw in the second quarter and the demand for security services we still see across the healthcare market. Our execution in the second quarter along with our industry-leading position will serve us well as a strategy for the remaining of the year. We will think we will maintain focus on growing our pipeline in both new and existing offerings and continue to deliver high caliber managed services to our clients.

I’d like to thank everyone for joining the call today and look forward to talking to you soon. Thank you very much.

Operator

And that does conclude our call. We would like to thank everyone for your participation today. And you may now disconnect.