With social distancing and increased adoption of remote work by organizations of all sizes, there is a lot of bullish sentiment on CyberArk Software Ltd. (NASDAQ:CYBR). Through this article, I aim to explain my rationality around the risks to investors from this already pricey stock.
To be clear, I am not bearish on CyberArk Software. Privileged Access Management is an important area within cybersecurity and is currently dealt with the seriousness it deserves only by very few organizations. With the growing number of organizations transforming their business digitally, the administrator access for these systems needs enhanced protection.
CyberArk is clearly the leader in the PAM space, and there is large potential in a relatively untapped market.
Competition is growing in the PAM space, but that is a story for another day.
IT Budget Cuts
Recent standards indicate that many firms set aside about ten percent of the total IT budget for cybersecurity. This has been the trend despite security experts arguing against the practice.
COVID-19 and the associated business disruption are causing organizations to introduce IT budget cuts to increase liquidity and survive during the pandemic.
(Source: Enterprise Technology Research)
There are investments being made by many organizations to enable their staff to work from home. But these are mostly in the lines of equipment and infrastructure:
Laptops and other portable media
Infrastructure to support remote work (Cloud, virtualization services etc.)
Mr. Market is not a subject matter expert in software technologies. As a result, the majority of technology stocks continue to trade at lofty valuations. It is important to understand the difference between what is essential to enable remote work and what is the best practice to sustain remote work in the long term.
Cybersecurity is extremely important for organizations across industry types. Be it to reduce regulatory, reputational or financial impact, security by design is essential. However, the world we live in does not see it that way yet. Numerous reports reveal that security continues to be an afterthought in digital transformation. (Report from Bloomberg stating how cloud security is an afterthought despite large cloud adoption). Despite massive data breaches in 2018 and 2019, Chief Information Security Officers (CISOs) continue to have to fight for their budget.
Hence, with a lot of talks around IT budget cuts, the cybersecurity budget across organizations will also take a significant cut. In my opinion, this is unfortunate, but it is likely to be the reality.
CyberArk’s Product Suite
It is easy to make all software technologies sound like they enable remote work. CyberArk provides software products that protect and secure the access to enterprise platforms by privileged users.
CyberArk suite aims to secure the keys to the IT kingdom. However, to deploy and make it functional in an enterprise, it needs to be integrated with all the domains of the IT kingdom.
(Source: Investor Presentation)
The deployment and operationalization require extensive planning and design. As the integration aims to protect existing infrastructure, it involves coordination with the associated infrastructure teams. Most often, professional services are engaged to assist with the implementation, and this incurs additional cost. Further, training campaigns are required for administrators of those infrastructure to get them familiar with the new login and access process with CyberArk. All this takes several months (if not years). Also, the organization deploying CyberArk will require resources to own and operate the tool (either new hires or through managed service offering from consultants).
In my opinion, spending to deploy PAM technology will not be on the top of the priority list during this time of crisis. This is mainly because CyberArk does not directly enable employees to work remotely. Rather, it comes in the line of organizations establishing secure practices around their existing infrastructure, which will be the logical next step when the economy begins to stabilize.
Large implementation projects that are being postponed indefinitely. CISOs will be looking to deploy tools that can be deployed and operationalized quickly, to fill the essential security gaps. CyberArk suite neither fits that description, nor fulfills that requirement. Technology infrastructure such as VPN, Multi-Factor Authentication, and Mobile Device Management would be prioritized at this time, with the budget that is available.
CyberArk stock trades at approx. 8x sales.
(Source: Seeking Alpha)
(Source: Author’s calculations)
(Data Source: Company 20F and Q4 conference call)
Even with the guidance revenue for 2020 to be between $510 and $519 million, it is evident that the growth rate is reducing. This is normally expected for the market leaders in a specific technology domain, as is CyberArk for PAM.
However, in my opinion, the company will not be able to meet this revenue guidance due to reasoning from the above sections. I decided to draw some rough calculations on the valuation (multiples of sales).
(Source: Author’s calculations)
If CyberArk continues to trade at 8x sales, then by meeting guidance, we can expect to see about 19% upside from current prices. But I believe this is unlikely, since the guidance was issued on February 12th, much before COVID-19. The business impact due to budget cuts was not accounted for in these calculations.
With lowered growth rates, assuming 8x sales valuation, I see very small upside for investors. Normally, when the growth rate reduction is seen by Mr. Market, the price multiple also drops. I am not accounting this in my thesis, since there are many unknowns. My article only aims to outline the fact that the investment growth is very low in comparison to the potential risk ahead.
I must add that I do not anticipate the scenario of no YoY growth. CyberArk’s product suite is difficult to implement. But once implemented, it is very difficult to sunset. I do not expect existing customers to scale down or replace the suite at this time. It is possible for existing customers to purchase additional licenses to enable more of their workforce to work remotely.
Despite the importance of cybersecurity in the market, CISOs will face budget cuts during times of economic crisis. The longer the pandemic situation persists, the weaker the near-term growth story for CyberArk Software. I do not see new customer adoption to be along the lines of previous years. The stock is already carrying a high valuation multiple, and in my opinion, the upside is quite low. The risks outweigh the upside at this time. Hence, I choose to remain cautious and wait for a better entry point.
Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.