Cynergistek, Inc. (CTEK) CEO Mac McMillan on Q1 2019 Results - Earnings Call Transcript

|
About: CynergisTek, Inc. (CTEK)
by: SA Transcripts
Subscribers Only
Earning Call Audio

Cynergistek, Inc. (NYSEMKT:CTEK) Q1 2019 Earnings Conference Call May 14, 2019 12:00 PM ET

Company Participants

Bryan Flynn - Investor Relations

Mac McMillan - President and Chief Executive Officer

Paul Anthony - Chief Financial Officer

Conference Call Participants

Matt Hewitt - Craig-Hallum Capital Group

Andrew D'Silva - B. Riley FBR

William Gibson - ROTH Capital Partners

Jeff Bash - General Pacific Partners

Ross Taylor - ARS Investment Partners

Jerry Well - Private Investor

Operator

Good day and welcome to the CynergisTek, Inc. First Quarter 2019 Earnings Call. Today’s conference is being recorded. At this time, I would like to turn the conference over to Mr. Bryan Flynn, CynergisTek Investor Relations. Please go ahead, sir.

Bryan Flynn

Thank you, operator. I want to welcome everyone to CynergisTek’s first quarter 2019 earnings call. Joining us today from the company includes Mr. Mac McMillan, President and Chief Executive Officer; Mr. Paul Anthony, Chief Financial Officer.

Before we begin the formal presentation, I would like to remind everyone that some statements made on the call and webcast including those regarding future financial results and industry prospects among others are forward-looking and maybe subject to a number of risks and uncertainties that could cause actual results to differ materially from those described in the conference call. Certain of these risks and uncertainties are or will be described in greater detail in the company’s SEC filings. CynergisTek is under no obligation and expressly disclaims any such obligation to update or alter its forward-looking statements whether as a result of new information, future events or otherwise.

At this time, I would like to turn the call over to our CEO, Mac McMillan.

Mac McMillan

Thank you, Bryan and good morning everyone. We had a very active first quarter with the sale of the MPS business and the introduction of our newest and fifth managed security offering, managed security services providing 24/7 threat monitoring and alerting through a new strategic partnership.

As I stated just few weeks back on our annual earnings call, we now offer a full suite of cybersecurity services needed by healthcare organizations. Our goal is to continue to expand the services we provide to existing clients, while expanding our market share with net new ones. This continued focus on propelling managed cybersecurity services has been the key factor for growth, which we accomplished in the first quarter seeing overall cybersecurity services revenues grow at an impressive 32% year-over-year. Our managed cybersecurity services grew by 20% led by a continued demand for our Capstone service aimed at assisting clients in developing their cybersecurity programs called CAPP, our patient privacy monitoring service and vendor security management followed by a growing pipeline for our newer managed security services and medical device security offers.

In addition to pipeline, we saw several wins in the medical device security assessments. And last quarter we reported that we entered into a strategic partnership with Protenus, a patient privacy monitoring solutions vendor and this quarter we had our first win and see additional opportunities for joint contracts ahead. Our focused strategy on increasing the number of services we provide to our clients has also been successful. This focus has led to multiple CAPP renewals or expansions, where clients have added additional services such as vendor security management, incident response support, medical device security assessments and professional services. The professional services and consulting service business has seen a 40% plus growth in revenue year-over-year for the second quarter in a row.

We continue to see strong demand for our professional services from clients looking for network security engineers, security analysts, privacy analysts, virtual CSOs and other harder to fill cybersecurity skill sets. Due to the acute labor shortfall in the cybersecurity space, we see this as a segment of our business with a lot of potential for growth as healthcare clients continue to look for critical resources to fill gaps in staffing, help with remediation requirements in short and long-term project work. As you may have seen in our recently released 2019 annual cybersecurity report measuring progress, the healthcare industry is expected to suffer 2 to 3 times more cyber attacks in 2019 than the average in any other industry.

Overall, hospitals still struggles as conformance to the net standards continue to lag across the healthcare industry at large. Ransomware and other advanced malware attacks continue to be a major threat to healthcare organizations and have made resurgence in 2019. For example, Symantec reported the Ransomware group responsible for SamSam is now focusing primarily on a relatively small subset of U.S. companies, mainly municipal and healthcare organizations. The life and death nature of hospital operations keep Ransomware attacks higher in healthcare than in any other sector according to the Center for Internet Security. Not only that, but hospitals find themselves targeted specifically by ransomware attacks as the attacker may want to benefit from the hospitals need to restore care delivery as soon as possible.

Hospitals continue to be the victim of the countless varieties of social engineering attacks such as phishing. As the number of people with access grows – so grows the human attack surface and success at avoiding incidents requires education investment and solutions and cybersecurity readiness to combat these threats. No longer this compliance equates to security, the most recent reports from Crowdstrike presented two very [indiscernible] statistics for defenders. The number of threat events tripled in 2018 to 3 million per second and lowest breakout time after it reached by an adversary was less than 10 hours, while the fastest was less than 20 minutes. Breakout time is the speed at which a hacker can exploit the target’s enterprise and time the defender has to contain or stop the breach. The irony is the average time to detect most – by most organizations still is in the interest of 180 days. After this the estimated 200 million connected IoT devices advances and artificial intelligence and introduction of 5G networks and the ecosystem just continues to become more complex and with bigger risks.

If CIOs and CSOs are not focused on improving their cybersecurity controls and effectively monitoring their network endpoint and cloud assets proactively, they are and will continue to lose ground against cyber criminals. This security posture today requires constant due diligence across all five quadrants of the cybersecurity framework identification, protection, detection, response and recovery. More than ever security depends on a balanced approach in an application of a sound fence and depth strategy that values readiness as much as protection.

In Q1, we continued to execute our strategy to expand our core services and achieve deeper penetration in our existing client base. We look forward and evaluate strategic partnerships and M&A opportunities and expand services we offer to non-healthcare clients, while managing the divestiture of the MPS business and implementing advanced systems to enhance our sales, project management and financial processes. Innovation in services of both core and new also continue to be a high priority. In cybersecurity, innovation is critical to maintaining market leadership, relevance and being successful.

Let me stop here and hand it off to Paul to review the financial highlights of the first quarter of 2019. Please go ahead Paul.

Paul Anthony

Thanks Mac. Good morning everyone. Along with the strong revenue growth in the first quarter, we took a major step in improving on our financial stability with the significant pay down in debt, with the proceeds from the sale of the MPS business. The financial information I am about provide us with the continuing security business only unless I specifically mention that it includes discontinued operations. Security revenue for the first quarter increased by $1.4 million to $5.8 million. Breaking down this revenue, Q1 ‘19 versus ‘18, security managed services revenue was $2.8 million, an increase of 20%. Professional and consulting services increased 47% to $3 million.

Gross margins were 40% for the first quarter of ‘19 compared to 45% in 2018. The reduction in gross margin is reflective of our investment in attracting and retaining talented cybersecurity employees, costs associated with ramping up new services and the implementation of advanced systems to support the business. We expect to see similar gross margins next quarter. However, we expect margins to improve in the back half of the year, consistent with prior year trends and as we gain traction with some of the new services.

Non-GAAP adjusted EBITDA loss from continuing operations after adjustments was $0.6 million or negative 10% of revenues for the first quarter of ‘19 compared to a loss of $0.7 million or negative 15% of revenues for 2018. Non-GAAP adjusted loss for continuing operations after adjustments was $0.9 million or $0.09 per basic and diluted share for the first quarter of ‘19 compared to a loss of $1.1 million or $0.11 per basic and diluted share for ‘18. The company had $12.4 million of cash, cash equivalents before taking into consideration approximately $4.8 million tax liability driven primarily from the gain on the sale of the MPS business. We have reduced our debt down to $2.3 million consisting of $1.7 million in notes payable and $0.6 million in operating lease obligations which reflects the new accounting standard on leasing.

The full financials and reconciliation of GAAP to non-GAAP information can be found in the earnings release that came out yesterday. As you all know probably at this point we sold the MPS business on March 20. As we have talked about previously, we made the strategic decision to divest our MPS business in order to focus financial and operational resources on cybersecurity. The gain on the sale of this business together with the earnings from discontinued operations, net of tax total $19 million for the quarter. We do anticipate some additional adjustments to purchase price and as much as $200,000 to $300,000 of additional compensation expenses related to the discontinued operations over the next couple of quarters as we finalize working capital calculations and close out these activities between the two organizations. This concludes the prepared remarks. Operator, please open the floor for questions.

Question-and-Answer Session

Operator

Thank you. [Operator Instructions] And we will take our first question today from Matt Hewitt with Craig-Hallum Capital Group.

Matt Hewitt

Good morning gentlemen. Thank you for taking the questions.

Mac McMillan

Good morning.

Matt Hewitt

First off, Mac, regarding the study that showed how quickly was the hacker is able to get in, they are able to exploit that entry, I think you said 20 minutes, what kind of pressure does that put on you to be able to respond and shut them down and does that more or less tell the hospitals they have to have you on site?

Mac McMillan

Well, it actually doesn’t put any pressure on us to be available to shut them down. You actually have to be inside the network to be able to do that. So really what it means is that the hospital or the network the people who are running the network for the hospital actually have to have the detection capability or the awareness capability that something is going that they can quickly isolate where it is and then shut it down. I already as I said at the later part of that was that we are still operating on a vacuum, because even though the threat can happen very quickly and the exploitation can happen just as quickly, the average organization is still way behind in their detection capability. So, what this really means for all of them is that they don’t have much time between when a hacker finds an opening or a weakness in their controls if they could potentially take advantage of and the time it takes them to exploit them and in the way that they are going to be able to limit the damage or mitigate the impact of those kinds of events is by shortening that time period from when that occurs to when they actually detected that activity is ongoing. So, it’s really that 180 days that we need to shrink not so much the minutes between the actual breach in the exploitation, stopping or shortening the gap between the breach and the actual exploitation is going to be more of a technical matter, meaning you are going to have to have systems in your architecture that actually can detect when an anomalous behavior is occurring and make certain decisions on their own and this is where artificial intelligence of machine learning come in with some of the newer cybersecurity solutions that folks are working on to be able to detect those things that are potentially dangerous and shutdown certain activities and stop those attacks in their tracks, but we are not quite there yet, number one. Number two, most of our hospitals don’t have that, those advanced technologies deployed in their environments and more importantly, they are not really monitoring the environments closely enough to be able to even detect when these things are going on and to recognize them fast enough to really to be at the turn. So, it really comes down to focusing on readiness as opposed to compliance and protection so much. And we are as one person recently said it, when you look at the five quadrants across the NIST Cybersecurity Framework that starts with protection and ends up with recovery. That’s right in the middle is where that event occurs in that detection quadrant and we are not there yet. And that’s really where we need to focus there and we need to focus to the right of that in terms of being able to quickly react and recover when an event occurs and we are just not there yet. We are still focusing on the other side of that spectrum in terms of the protection, which is not keeping up with the threat.

Matt Hewitt

Interesting. Alright, thank you. And then last quarter I realized it was just 1.5 months ago or so that you are able to update us on the number of customers and I know this is one of your key goals is increasing penetration with accounts and multiple offerings. But as of last quarter, you are at north of 40% you just had a press release out here last week that you had additional up-sells or if you will what does that number sit today and maybe where do you expect that to sit as we exit the year?

Mac McMillan

So I think the number is just probably – just barely above where I reported. That number if you recall was the increase from a year-over-year increase from 2017 to 2018. 2017, we determined that we have somewhere in the 20% range customers that have multiple managed services at the end of ‘18 we had north of 40% who had that the beginning of this year we have had knock-on wood, a very good year so far in terms of renewal rate and in expansion with respect to those renewals. So that’s creeping up and that’s really a big focus of ours going forward in Q1. One of the things that I was very happy about was that we saw bookings actually increased year-over-year in Q1 this year, which was very nice to see, because typically if you guys recall, we got the seasonality effect in healthcare that’s always there and there is usually always a downward pressure if you will in that first quarter and we actually saw better first quarter this year than last year with respect to bookings though hopefully that will translate as well down the road to where we want to get to.

Matt Hewitt

That’s great. Maybe one more for Paul, if you could help us, so I think I heard you say, gross margins will be comparable in Q2, but then we should see it step up in the back half of the year with some of the new offerings, is it your expectation you could get up maybe closer to the mid 40s from a gross margin perspective in the second half? Thank you.

Paul Anthony

Yes, that would be our target.

Matt Hewitt

Great. Thank you.

Mac McMillan

Thank you, Matt.

Operator

And we will hear next from Andrew D'Silva with B. Riley FBR.

Andrew D'Silva

Hi, good morning. Thanks for taking my questions. I will start with just a couple quick bookkeeping ones, Paul, if you could just let me know what equipment sales if you had any further quarter and then cash flow from operations and CapEx were for the quarter? And then while you are pulling that, Mac, can you just run me through the commentary that you had about attracting talent and more specifically how long does it take typically from hiring a cybersecurity professional before that individual is actually able to be included into a service. So, effectively how long does it take for them to go from being an impact to gross margins to actually being a benefit to gross margins?

Mac McMillan

Sure. So Paul are you ready to answer?

Paul Anthony

Yes, I mean, I can give you this. I don’t want him to lose the numbers. The equipment is only about $17,000, so it’s immaterial at the end of the day and we will probably be bundling that up into managed services and then CapEx is about $50,000 this quarter.

Andrew D'Silva

Okay, perfect.

Mac McMillan

So, on the recruiting and retaining talent side of things, the challenge for us is the challenge that everybody else has obviously as you guys have heard with respect to the talent that’s out there, fortunately knock-on wood again. We have had so far good luck in finding good people and being able to recruit them and we have done a better job now retaining folks. We had a high just like everybody else we had a fairly high turnover with respect to cybersecurity professionals, because they are so mobile and they are getting hit. I mean, I talked to several of our guys and they were telling me that they literally get anywhere from 4 to 5 calls a week from recruiters from other companies trying to recruit them away and the fact that we have the average, the folks that they are here as long as they are and lot of our folks that have actually left than the last year or so. Couple of years have actually come back, which is a good sign that obviously they went greener on the other side of the FIN so to speak and they came back to work with us, but we are working very hard to make sure that our salaries are competitive that the benefits that they have are competitive. That the thing that really energizes these guys and gets them excited about their career is the diversity in their career and learning or the education. And what I mean by that is they just – most of these folks they don’t want to come to work and do the same thing over and over again. So, one, we make sure that they have lots of varied assignments that they get put on. Obviously, they are working in different environments in terms of different types of customers all over the country and that also keeps them excited. And then one of the things we did this year as well is we made sure that we enhanced the training that they received and made sure that the professionals staff is getting the training that they need to acquire and maintain the certifications that they need to be relevant. We also make sure that all of them are aware of the program that we have in place to assist them with tuition or higher degrees, particularly those that are pursuing higher degrees in cybersecurity. So, we are doing a lot of things for the professionalization of that workforce if you will and for keeping them engaged and giving them that diversity of assignment and experience that they really value so much in addition to just paying attention to their compensation and benefits and those sorts of things. Generally when we hire one of these guys depending on our gallons, depending on the role that they are going into, if they are one of the younger people that’s going into of our analyst roles, it’s nearly anywhere from 60 to 90 days before they really know their – know what they are doing really well. And what I say independently productive if you will they typically, but those folks are in a supervised environment, so they are able to be productive right from the get go with supervision, but generally speaking after they have been on board for about a quarter in that position, they tend to be able to operate very independently which is good. On the consulting side, most of our consultants are very senior and so typically when they come in they already have the basics of their skillset if you will. They already have the knowledge of training and certifications that make them who they are. It’s really just a matter of them learning how we do things, our processes and how we manage our projects and that typically takes them two or three projects to get that cadence down in terms of how we do things as opposed to maybe where – how they did things elsewhere. So again it’s usually couple of months, 2, 3 months before they at least our profession in going out and performing whatever it is that they need to perform about themselves or in a small team and usually about 6 months in, they are really – they are beginning to say well, why are we doing this or why don’t we do that and they are beginning to contribute to the process. So it doesn’t take them too long, because we don’t have a lot of inexperienced folks that are joining the team.

Andrew D'Silva

So just to recap on what you just said basically all else equal in a quarter where you have significant hiring it should take about one to two quarters for that hiring to kind of average out to the efficiencies that we have historically seen from a gross margin standpoint, is that a fair assessment?

Mac McMillan

That’s probably a fair assessment. I mean it’s like anything else it takes them a while to get the cadence down for all the services. And keep in mind, we have 40 plus services that these guys deliver, so the average consultant in the team depending on what team they are on, maybe performing half a dozen or so different types of services. So it’s not like they are just learning one thing and repeating it, they are actually learning multiple things and they know the basics of all those things. But again, it’s getting down – getting our toolset down, getting our reporting down, getting our process down, but they typically do that fairly quickly, but it’s just a – but it’s like anything else, you just have to give them time to get there.

Andrew D'Silva

As far as gross margin sorry to keep talking about gross margin, but as far as gross margins go, this isn’t a situation where effectively wage prices for cybersecurity professionals are increasing, but service contract prices are staying essentially flat. So, year-over-year, you are running into situations where profits are being eaten up on a comparable contract with the health system on a year-over-year basis

Mac McMillan

And I think it is a little early to tell right now and I am sure we are feeling a little bit of that pressure, but it’s too early to tell whether or not that’s going to be a permanent or if this is just temporary to be honest with you, so…

Andrew D'Silva

Okay, perfect. And then I know the sale of the MPS business is still very early, but how are the organizations working together now that they are under two separate parent companies, particularly from a cross-selling standpoint, has there been any progress on that front in Q2 or then to Q1 after the sale took place?

Mac McMillan

We haven’t yet and primarily it’s think they are still trying to get their act together and get organized over there. And I mean obviously we are still communicating with them on a regular basis and whatnot, but it sounds like they are still trying to – they are going through the pains of that initial integration, if you will, of the businesses and trying to figure out what that means. So, we haven’t really seen them doing a lot outside of what they were already managing.

Andrew D'Silva

Okay. And just my last question just on the regulatory front, any sort of new initiatives going on that we should be aware of or paying attention to and then how active are you from lobbying or anything to do with discussions with people who you need to be talking to on the regulatory side of things?

Mac McMillan

Sure. Communications with folks at OCR, CMS, FDA, etcetera, because we have several of our folks that sit on the working groups that those folks Chair. So for instance, David Finn and David Holtzman are both on the 405D working groups. They come out of HHS and CMS Marti Arvin who is very active on the privacy side and the compliance side with those folks. I would not call it lobbying, we don’t lobby.

Paul Anthony

We don’t pay any third-parties.

Mac McMillan

But we are active in the sense that we contribute to and participate in those industry government collaborative working groups and whatnot.

Andrew D'Silva

Okay, perfect. Well thank you very much for answering my questions and best of luck going forward this year.

Mac McMillan

Thank you.

Operator

And we will move next to William Gibson with ROTH Capital Partners.

William Gibson

Thanks. Hi, Mac. You always breeze over the device area, which is the area that excites me, how big do you think that could be next year or can we put a like a parameter around it 2 to 5 million and let’s look out for years with the same question?

Mac McMillan

So, you are right, Will and I apologize for that, because I am very excited about the medical device side of it as well as even the IoT component, because that is one of our newer attach surfaces in cybersecurity and it is one that there is still very open Greenfield if you will in terms of solutions for tackling and solving a lot of those problems. Our goal this year was around $3 million for medical device security. We are seeing a really good traction right now with respect to our pipeline and we have sold several medical device security assessments and we have several discussions ongoing right now with folks from medical device security management, which is where we hope to get to soon. And we just finished our first annual conference with our clients this past week, and out of that, I heard that we had more than a dozen different folks, who said they were very interested in talking to us about medical device security in both assessment and management. It was a big focus of our – of the conference in a lot of the discussions. And it’s really interesting, because when you looked at the outcomes of that conference and our customers and what they said they were interested in or what they were concerned about, what came out of that over and over again was third-party risk, supply chain, medical device security, and then the – just the influence – the increase in hacking that we’re seeing in this industry. I mean, if you look at it year-over-year, if you looked at it from 2009 to 2018 timeframe or end of, excuse me, end of ‘17 timeframe, the percentage of hacking was down in the teens, it was 11%, 12% of the types of attacks that healthcare was experiencing. In ‘18 and ‘19, that percentage has grown from to – 40% to 53% now.

So, literally one and two attacks that healthcare is experiencing today are technical in nature in their hacking. And so that’s really what’s – what our hospitals are interested in today and I think that’s why there’s going to be the shift to looking at that – the right side of that spectrum in terms of that readiness issue that’s going to be so important. But the medical device security piece of it is – has really gotten a lot of attention. A lot of the tools are coming along nicely, so to speak, in the sense that, that they are becoming more sophisticated in their capabilities at identifying medical devices and the issues with medical devices. And that – and it’s – we’re just getting to the point I think where the industry is beginning to be aware that those services in those solutions are now available. And so we’re about – we’re getting ready to launch another campaign to really try to hit the market hard in terms of following up on this interest in that space and seeing if we can accelerate the sales on the medical device security side.

William Gibson

Because we came from a standing start to 3 million fairly quickly, is this something that could grow 100% plus or do you have a sense of that?

Mac McMillan

Yes.

Paul Anthony

Bill – that 3 million was a target, Bill, that’s not what we’ve done.

William Gibson

Oh, target. Got it, yes.

Paul Anthony

Yes.

Mac McMillan

So, the real answer, Bill is, I don’t think anybody knows yet what that market is going to be or what it’s going to look like. If you look at it, there’s – by last count, there’s some 200 million devices that are connected – are network connectable out there and every time we talk to a customer, we’re literally talking 10s of thousands of devices that are connected to their networks that need to be managed. So it’s – I think there’s – I think there’s a great deal of opportunity there. And just about everybody needs it and almost nobody has implemented those solutions yet.

William Gibson

Thanks, Mac.

Operator

And we’ll move on to Jeff Bash with General Pacific Partners.

Jeff Bash

Hi, Mac, Paul.

Mac McMillan

Hey, Jeff.

Paul Anthony

Hi, Jeff.

Jeff Bash

You have 32% year-over-year revenue growth in the first quarter. How would you characterize that versus the industry generally, are you in the middle, higher or lower?

Mac McMillan

That – that’s a great question, Jeff. I don’t really know how to answer that question. But I will see if I can find something out for you.

Paul Anthony

Yes, it’s a little tough to find services on the companies, a lot of the growth that you see are coming out of these technology or product guys, so it’s tough to find just a pure cyber services group.

Jeff Bash

Okay. Paul, I think on the last call you mentioned the possibility of $1.2 million reduction in OpEx cost. Was this – does this all shaken out? Where do you stand on that now? Is there –

Paul Anthony

That was all taken out as part of the – that was taken out as part of the transaction and all of that got moved down.

Jeff Bash

That’s realized. On the MPS sale, I know there was $1.5 million contingent payment possible on how some deals ended up going, where do you stand on that?

Paul Anthony

No, unfortunately, we don’t have an update at this point, Jeff, so, we’re still waiting for feedback from the prospect and from Vereco.

Jeff Bash

Is that something you have some control or participation in or some –

Paul Anthony

We do have – we have some secondary control, I mean, we’re still dependent upon those individuals, who’ve moved – went along with the transaction to Vereco, who are responsible for bringing that – the deal to closure, but we – we’re in constant communication with that group, the sales team front.

Jeff Bash

Do you think it’s likely or more – in the possible –

Paul Anthony

I mean, at least – we felt pretty good about it going into the transaction. These things are just, again, as things develop, it’s just – it’s an unknown right now. We did do what we felt was a conservative approach and fully reserved it in the Q1 financials.

Jeff Bash

Okay. And I took a look at the balance sheet, you really have a fabulously strong balance sheet, I know the share over equity is based on my calculation, $3.94 a share, but I did notice one thing and I had another question, shares outstanding went up 93,000 from the first – from 12/31 to 3/31. Is that option exercises?

Paul Anthony

Restricted stock, that’s right, and then some options as well we’re seeing.

Jeff Bash

Oh, restricted –

Paul Anthony

We had some vesting of – no, we had vesting of some restricted stock units that were granted to the Board and then we’ll have some additional shares as part of the employees who left the organization, there’ll be some additional exercises associated with their departure.

Jeff Bash

Okay. And finally, you talked in the past about an acquisition strategy and with a very strong balance sheet, you’re certainly in a position to have one. What’s the status of that these days?

Mac McMillan

So, we actually have been very active in looking at opportunities out there on the acquisition front. We have several folks that we have been and are in communication with looking at folks that present the right kind of opportunity. And hopefully, we’ll have more to – be able to talk about that in the future, but right now, we’re just actively looking for the right fit, that’s going to add the right things to the mix.

Paul Anthony

And one of those things, Jeff, obviously, is cash flow. So, we’re very focused on trying to get the adjusted EBITDA into the positive territory as soon as we possibly can.

Jeff Bash

I understand, an area I see in the telecom space is that, you may find a target, but the prices are unrealistically high. So, do you have any uses of that or are you have plenty of target surprises you think makes sense in some –

Mac McMillan

From a services standpoint I think – from a services standpoint, we feel pretty good about what we’re seeing in the marketplace. From a technology play or intellectual property when it comes to that, that’s in our opinion maybe a little bit out of our feet. We definitely have taken it off as a focus. We think the valuations are a little high and too much risk there. So –

Jeff Bash

Okay, I’m glad you’re being selective. Thanks again for a great quarter and look forward to hearing you in the next quarter.

Paul Anthony

Thank you, Jeff.

Mac McMillan

Thanks, Jeff.

Operator

And we’ll hear next from Ross Taylor with ARS Investment Partners.

Ross Taylor

Okay. A couple of questions, gentlemen, one is, have you guys looked at what you see the total addressable market for your services are and over, let’s say, 3-year, 4-year or 5-year period, how big can this be?

Mac McMillan

So, we haven’t done any exact modeling so to speak, but we have looked at where – we’ve looked at two things, one healthcare specifically, and for – and it varies by type of service or type of managed service, if you will, in terms of what the running room is for growth. If you’re looking at things like managed security services, it’s literally a very competitive space, but it’s one that most of healthcare is dissatisfied with the options that they have out there. So, our goal is to try to offer a more tailored approach to that to see if we can compete with that very effectively. If you’re looking at it from a medical device security perspective, as I said earlier, it’s an open field, I mean, it – there is the huge portion of the healthcare industry is going to be a potential client for that for those kinds of services.

If you look at it from an IoT perspective, now you’re – you go beyond healthcare, because it – just everybody has an IoT issue and an IoT threat, and so that’s a potential opportunity. If you go – when you go outside of healthcare depending on the market space that you go into, if you’re going into the financial sector, obviously, there’s a lot of competition, and for some things, but not so much on some others. I was talking to some folks about that, because we are trying to figure out where the – where those places are that we can absolutely move into that where we might offer something that’s a complement to what is already out there or different than what’s already out there. And it seems that the services space, which we’ve focused on almost exclusively in our – in a way we built this company is one that, that they actually need out there.

They’ve got a lot of product vendors, a lot of solution vendors, but not so many – not so much folks that are offering services around those things in that they need. But then one of the other things that’s going on out there that we didn’t talk about was the changes that are happening with respect to privacy legislation. And when you look at the new California Law, the CCPA Law that will go into effect after the first of next year. We’re already in the look-back period this year, that is going to change dramatically the landscape for a lot of different industries, because today – and the financial sector has their version of privacy through Gramm-Leach-Bliley, healthcare has its version of privacy through HIPAA, but there are a lot of other industry sectors that the only touch that they have with privacy is the 1974 Privacy Law that, that’s out there, which is – which has really no requirements whatsoever as it relates to compliance or regulation.

CCPA is going to touch every company that does business in California or that collects information on individuals, who live in California. So, it’s going to have pretty wide impact. And a lot of the things that are going to be impacted, they’re going to be organizations’ ability to segregate that data, protect that data, be able to control that data in a very different way manner than they have in the past, which is going to – which always – people always think about privacy as if it’s something separate, you can’t have privacy without security. So, what ends up happening is, is security comes along with it whenever there’s a change in those privacy regulations.

Those state activities that are going on around things like the California Law that we think are going to become more and more prevalent, which probably will force us into a – at some point, a national privacy statute, if you will, it’s just going to create a greater opportunity and a lot of other industries before have not had that kind of a requirement. So, I think the short answer is that for the foreseeable future on the cyber security front with everything that’s going on and now as I talked about or alluded to in my comments earlier that the things that we’re seeing with artificial intelligence, machine learning, 5G, et cetera, which – some of which they don’t even understand yet what the impacts of those things are going to be. The market for cyber security – I have not seen anything anywhere that talks about the market for cyber security shrinking or declining, all it ever talks about is, is that it’s going to continue to increase and affect more and more people. So, I think that’s really the –

Ross Taylor

In the Internet of – okay, in the Internet of Things related to your space, the medical space, how do you see getting paid, do you see getting developing products and services and like that basically get you royalties, do we see a situation – this market seems huge, you guys have – you are one of the leaders in the space and you have what sub $50 million market cap and yet you’re – you seeing from your industry’s perspective to be one of the best players, if not the best player in the space. It strikes to me as there’s a serious dislocation between what the value of this business is and how the market sees it, but part of that I think is – there’s a confusion as to how you end up really exploiting and how the economics of this are going to work for us as shareholders?

Mac McMillan

Sure. So, there are several ways that we’re – that were likely to be compensated, if you will, for – on – in that space. The first of which is through our partnerships with those solution vendors that, that have developed those technologies that allow us to – now to identify inventory and take control or manage those devices, and so we have the ability now to do medical device security assessments, which we’ve already performed for several hospitals, that that’s one way through that assessment – revenue, if you will. The follow-on to that is actually a managed service, where we actually run the solution for the client and provide assistance to both their clinical engineering and their IT and security groups and managing those devices on an ongoing basis. And we get the way that gets paid is through a managed service that’s based on licensing for X number of devices, as well as the service that we provide around that.

There is also activity, where we support the medical device manufacturers themselves in assessing their devices and helping them to identify security issues that they need to address with the device itself. There are the medical device or device managers, outsourcers to help systems, where we can partner with them to provide the security component to their service that they provide to the hospitals. So, there are multiple – and when you look at IoT, the broader aspect of IoT, for instance, we have some hospitals where we literally provide the medical device security component, but we also do the IoT management piece for them as well, because the same tool we use for medical devices, we use for identifying and interrogating those IoT devices that are out there. So, it just – it’s really it comes through basically three different avenues, one is our traditional assessment activity, the second one is our managed service, where we actually become their partner to help them manage those devices more effectively, and thirdly, through partnerships with the folks, who are providing those devices to them.

Ross Taylor

Okay. It would seem to me then – I’ll – this is my last comment on it is that being that you guys are a leader in the space and you literally have a market cap that would let pretty much anyone in your space swallow you up and not even have to file on it? It would be helpful to develop the strategy out, let people know, let investors have a better understanding of where you’re going, how fast you can get there and the like, because simply a $46 million, $50 million market cap company is a long way from the kind of critical mass we need to achieve to keep investor interest and to get fair value realized out of the company?

Mac McMillan

That’s a – you’re absolutely correct, and we’ve had several folks that have shared that, but – with us, and that is one of the things that we’re looking at doing is developing a broader and more developed strategy that then hopefully we can share with everybody that says, here’s where we’re going, here’s what we’re doing in each one of those service areas.

Ross Taylor

Okay, great. Thank you very much.

Operator

And we’ll hear next from Private Investor, Jerry Well.

Jerry Well

Good afternoon, guys. See, just as a shareholder, I have two questions. One is, if you could tell me how about the liabilities, legal liabilities weigh in your contracts, in other words, sharing to the shareholder what our liabilities are when we enter into these client contracts as far as penetration, someone worked through obviously have a major hack that would create a big financial liability? And then the second question is, if you are comfortable giving any kind of longer-term guidance goals on revenue growth all the time? Thank you.

Mac McMillan

So, I’ll take the first question with respect to the liability. So, we do not actually take responsibility for any of our clients’ environments meaning they own their network, they own their responsibility for that network. Our work like most cyber security firms is to provide them with advice, assessment, measurement. We assist them in managing their environment, we assist them by providing them the information they need to make the right decisions in terms of how they manage their environment.

But we are very careful in all of our contracts with our clients to make sure that we are responsible for the work that we do and the quality of the work that we do and how we deliver it, but not to – not that – but not to infer or to take liability for the security or the integrity of their environment, because ultimately, at the end of the day, they’re responsible for making the decisions with respect to how they secure it, how they invest in it, the solutions that they put in place, the controls that they set and how they configure those and how they manage those. And we don’t – and we’re not involved in that day-to-day, if you will, operation of their environment and how they actually do that. And so we don’t take responsibility for their environment.

And that’s very typical in this space with respect to how you – the relationships that most cyber security companies have with their clients. We are there to help them understand what the risks are, where the threat – what the threat is, where their weaknesses are, what they need to consider with respect to what they need to do to enhance their security or improve their program, but ultimately, at the end of the day, they make those decisions on how they’re going to do it or what they’re going to do, and they’re responsible for those decisions.

Paul Anthony

And we don’t give formal guidance on growth projections. From an organic perspective, we continue to try to target low double-digit and then we’re still, as we’ve discussed, we’re still kind of hammering out with some of these new services we think the contribution can be from there. And then we’re all – as we mentioned, we’re also continuing to look at other opportunities to grow through M&A that might help accelerate some of that. So –

Jerry Well

Alright, thanks a lot, guys. Keep up the good work.

Mac McMillan

Thank you.

Paul Anthony

Thank you.

Operator

[Operator Instructions] And Mr. Mac McMillan, it appears there are no further questions today. I’ll turn the conference back over to you for any additional or closing remarks.

Mac McMillan

Okay. Well, thank you very much, operator. And thank you, everybody, for joining us today. Paul and I both appreciate it and look forward to speaking to you again in the future. And we appreciate your support as always, and have a great day.

Operator

And again, that does conclude today’s conference. Thank you everyone for joining us. You may now disconnect.