Date: 2023-10-31

Back in February, I placed a “Buy” rating on Okta (NASDAQ:OKTA), noting that, after the company had earlier lowered guidance, the bar looked low and its valuation was attractive. The stock had been performing well until a security breach, and the stock is now down about 9% since my original write-up.

Company Profile

As a refresher, OKTA is a cybersecurity firm that helps its clients authenticate and manage user identities across various apps and devices. Customers use its Workforce Identity Cloud solution to help verify credentials to protect their workforces, as well as to create secure solutions with partners. The Workforce Identity Cloud solution has several modules, such as identity governance, advanced server access, and single sign-on, that customers can purchase.

Its Customer Identity Cloud solution, meanwhile, is used by clients to deliver secure experiences for their customers and end users. The solution was acquired when the company purchased Auth0 in 2021. Customer Identity Cloud comes in 3 plan types: Enterprise, B2C, and B2B.

Security Breach

OKTA shares came under pressure earlier this month after the company announced in a blog post that a hacker infiltrated its support case management system through stolen credentials. The company noted that the infiltrator was able to see some recently uploaded files from some OKTA customers who had requested support. The company noted that its support case management system is separate from its production OKTA service, and that neither the production service nor the Auth0/CIC case management system had been impacted.

The company said that the breach likely came from the uploading of HTTP Archive (HAR) files, which it commonly asks for when troubleshooting. However, it noted that these files can contain things such as cookies and session tokens that hackers can use to impersonate valid users. OKTA recommended that its customers sanitize all credentials and cookies/session tokens within a HAR file before sharing it.

Three fellow cybersecurity firms – 1Password, BeyondTrust, and Cloudflare – came out and said they notified OKTA of suspicious activity and a potential breach.
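A sketch of the sanitizing step recommended above, as an added example (not code from this article or from Okta). It relies on the HAR 1.2 layout (`log.entries[].request`/`response` with `headers`, `cookies`, `queryString`, `postData`, `content`); the parameter-name hints and the sample capture are assumptions constructed for illustration, and it deliberately over-redacts by blanking whole bodies.

```python
import copy

# Header names that carry credentials or session state (compared lower-case).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Name fragments marking a query/form parameter as secret (assumed list; extend per app).
PARAM_HINTS = ("token", "session", "password", "secret", "code", "assertion")
REDACTED = "[REDACTED]"

def _redact(pairs, is_sensitive):
    """Blank the value of every HAR name/value record whose name is sensitive."""
    hits = [p for p in pairs or [] if is_sensitive(p.get("name", "").lower())]
    for p in hits:
        p["value"] = REDACTED
    return len(hits)

def sanitize_har(har):
    """Return (sanitized deep copy, number of redacted fields); input is not mutated."""
    clean, n = copy.deepcopy(har), 0
    hinted = lambda name: any(h in name for h in PARAM_HINTS)
    for entry in clean.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            n += _redact(msg.get("headers"), SENSITIVE_HEADERS.__contains__)
            n += _redact(msg.get("cookies"), lambda name: True)  # every cookie value goes
        n += _redact(req.get("queryString"), hinted)
        n += _redact((req.get("postData") or {}).get("params"), hinted)
        # Raw bodies can repeat the same secrets (form posts, token responses).
        for body in (req.get("postData"), resp.get("content")):
            if body and body.get("text"):
                body["text"], n = REDACTED, n + 1
        # The URL duplicates the query string, so cut it at the '?'.
        if "?" in req.get("url", ""):
            req["url"], n = req["url"].split("?", 1)[0] + "?" + REDACTED, n + 1
    return clean, n

# Constructed sample capture (one entry); all values are fake.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://app.example.test/api/me?session_token=abc123&lang=en",
        "headers": [{"name": "Cookie", "value": "sid=FAKE-SESSION-ID"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "FAKE-SESSION-ID"}],
        "queryString": [{"name": "session_token", "value": "abc123"},
                        {"name": "lang", "value": "en"}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=FAKE-NEW-ID; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "FAKE-NEW-ID"}],
        "content": {"mimeType": "application/json", "text": "{\"ok\": true}"}}}]}}
```

Calling `sanitize_har(SAMPLE_HAR)` returns the cleaned copy plus a redaction count, which is worth logging so a reviewer can confirm the capture actually contained secrets before it is attached to a support case.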

Meanwhile, this wasn’t the first high-profile breach that OKTA has experienced this year. Casino operators Caesars (CZR) and MGM (MGM) were both the victims of cyberattacks earlier this year when hackers attacked their OKTA installations by going through the companies’ IT help desks.

The security breach sapped any momentum that the company may have had coming out of its Oktane user conference earlier this month. At the conference, the company announced 10 new products, as well as additional features for existing products. Most of the new products are centered around AI and will be released at various points throughout 2024. Its list of new products and features can be found here.

The company was also very excited about its solutions for Identity Governance and Administration (IGA). At its Oktane conference, CEO and founder Todd McKinnon said:

“So what IGA really does is it takes life cycle management plus workflows and adds 2 very important last pieces. One is what's called an access certification workflow, which is essentially like sending out an e-mail to all the managers in a configurable way and let them attest to the fact that the access that the system is automatically given is, in fact, the access they should have. So it's access certification process. And then the last piece is basically report on it to your auditors. It's important that's integrated with workflows and life cycle management because the report is like the final authority to your auditors that says, here are the manual attestations through workflows and here is the automated process that was all synchronized to the engine. So when you ask is workflows important, it's absolutely important because you have to have that extensibility and customization to do that. So we're very excited about it. … So that's why the real exciting thing is just we talked about the governance market, and it's an important market. But really, what's going to happen is that we're in the catbird seat for this converged solution.”

OKTA has some pretty exciting new products coming out next year, but the data breach really puts a damper on that. The company’s main job is to help prevent hackers from stealing credentials to get into systems, and that happened to one of its own systems. That’s just a bad look.

Meanwhile, asking clients to sanitize their own files when uploading them to OKTA’s system is also a bad look and response. OKTA needs to be able to do this itself automatically, since after all it is a cybersecurity firm. The gap between when OKTA notified the public and when it was notified by other cybersecurity firms also isn’t a great look.

OKTA was already struggling with decelerating customer growth, so this incident likely will hurt on this front.

Valuation

SaaS companies are generally valued based on a sales multiple given their high gross margins and the companies wanting to pump money back into sales and marketing to grow.

On that front, OKTA is valued at an EV/S ratio of about 4.7x based on the FY24 (ending January) consensus for revenue of $2.215 billion. Based on the FY25 sales consensus of $2.569 billion, it trades at an EV/S multiple of 4.1x.

In the past, the company has often traded at over 25x LTM sales. However, growth is slowing from 40-50% a year to around 16-20% over the next few years. OKTA is one of the cheaper cybersecurity firms, but its decelerating user growth numbers and this recent breach are two good reasons for this.

OKTA Valuation Vs Peers (FinBox)

Conclusion

While from a valuation standpoint OKTA looks attractively priced and its solutions are needed, the security breach is likely to impact business going forward. This was at the very least a big reputation hit, and one that could have lasting effects. At the end of the day, the company’s job is to help protect clients from threats involving stolen credentials, and it was unable to protect one of its own systems from this very threat.

As such, I think it is best to downgrade OKTA at this point to “Hold” until there is a better sense of what the medium and long-term implications are from this incident. OKTA clearly has a target on its back, and it needs to step up and do a better job. The company is going to have to convince both investors and clients that it can. However, its initial response to this latest breach was a poor start.