Join our community of smart investors

Cyber security: small is beautiful?

In the last of the cyber security series, former City analyst Robin Hardy examines the opportunities in small caps
Cyber security: small is beautiful?

Our last two articles on cyber security discovered that cyber attacks are only likely to get worse over time and that organisations have moved from seeing this as an IT problem to a business-critical issue. This should mean high, enduring growth for those providing solutions. The second discovery was that, even after a hefty hit, investors are happy to rate the sector highly. While the second point is true in the US, this is much less the case in the UK where (save for Darktrace (DARK)) the listed pure-play small-caps are lagging well behind the wider technology sector and even growth stocks in less glamorous sectors such as Industrials. 

Growth in cyber security is highly visible: it is addressing a very real threat, attacks are growing daily and the scope for cyber risk is still expanding. This is not true for all branches of technology: think digital migration, 5G, faster data networks, tightening compliance legislation, blockchain (distributed ledgers rather than cryptocurrencies), artificial intelligence, machine learning and perhaps the biggest threat to data security, quantum computing. Perhaps more importantly, spending in this area is far from being discretionary if organisations want to continue doing business. 

Here, we look at three UK-listed, small-cap businesses working exclusively in the cyber security space, serving a range of end markets that are trading at substantial discounts to their US peers but share the same exposure to a high-growth market. Our selection: Shearwater (SWG), Corero (CNS) and Intercede (IGP), each of which look to be on the cusp of a new wave of investment-led growth.


Shearwater – resilience

Shearwater is a UK-based corporate resilience business offering cyber security software (own IP) and services operating across 46 countries with many large businesses (including tier 1 banks) as clients. Revenues total around £35mn, with historic (adjusted) earnings before interest, tax, depreciation and amortisation (Ebitda) of a little over £4mn forecast to grow at a compound annual growth rate (CAGR) of 20 per cent to March 2025, reflecting strong markets, cross-selling opportunities and a planned phase of new investment. 

The software side has a typical structure, with high margins (>75 per cent gross ), selling through a two-tier distribution model, meaning low sales and distribution costs in-house. It owns the intellectual property (IP) for its two software brands SecurEnvoy (zero trust identity and access management) and GeoLang (tools that discover, classify and protect sensitive data and information across a range of storage locations and mechanisms). There is high recurring revenue here (>80 per cent) and >60 per cent of customers have contracts of three years or more.

Having spent the past two to three years wrestling with Covid-19 and various internal issues plus eliminating its historic debt, Shearwater is now in a position to expand in software by acquisition and/or investing in research and development organically. Its focus is the remaining quarter of the $40bn (£32.6bn)-plus security-as-a-service market not already covered (privileged access, cloud access and identity governance), a sector overall forecast to grow at a c16 per cent CAGR. Shearwater has £10mn in cash and untapped debt facilities to facilitate this, and buying well (management is happy to buy early-stage businesses) could bump baseline profits by as much as 50 per cent. 

The services arm is larger by revenue (four to five times larger than software), but with lower margins (still a healthy 30 per cent gross) makes a similar level of Ebitda, giving the business a healthy balance. In services, a lot of revenue comes from selling third-party products and IP (hardware and software) in solution sets for core cyber security functions and monitoring plus consulting fees and the group’s in-house penetration testing – trusted hacking to show network vulnerabilities. 

Good underlying market-driven growth augmented by anticipated investment mean that the 20 per cent growth being forecast here is tangible. Yet, the rating does not square with the prospects (specific and industry) – Shearwater’s enterprise value (EV)/sales ratio is just 0.65, the EV/Ebitda is less than 5 times and the price/earnings (PE) ratio is just 8.8 times year one. This is closer to the valuation you might expect for a mature cyclical rather than a high-growth industry. Darktrace’s equivalent figures are 4.8, 37 and >300, respectively. 

Valuing Shearwater on sensible but still cautious ratios (1.8x sales, 12x Ebitda or a PE of 18) indicates a fair value as high as 250p (currently 118p). While this is a long stretch, must still be viewed through an appropriate risk lens and may prove out of reach, it does indicate that the current share price is likely to be materially overpricing risk, lingering too much on historic negative total shareholder returns (TSR)  and underpricing potential, especially from fresh investment.  

Correro – dealing with denial

Distributed denial of service (DDOS) attacks used to be relatively infrequent, but are now an everyday occurrence. DDOS is a malicious attack where a network, often a website or web-based application, is bombarded with access requests, causing normal or legitimate access to either slow dramatically or fully stop. DDOS attacks can be for third-party advantage (kicking the competition), aiming to disrupt core infrastructure/services or to demand ransoms. The frequency and scale of DDOS attacks are on the rise, and only last week US content delivery/management platform Cloudflare reported the largest DDOS on record. However, such large-scale attacks are rare and more typically organisations suffer more frequent. Global around 30,000 attacks occur per day – double the 2020 level, but smaller (c10 minutes duration) attacks. 

Aim-traded Corero provides services that detect and mitigate DDOS traffic before it reaches the core of a network either by intercepting in the cloud or using hardware and software at the edge of a physical corporate network or web hosting installation. Its customers are primarily: Telecos, web hosting providers, SaaS providers, co-location datacentres, ‘edge’ providers – platforms such as Netflix and Facebook – and on-premises enterprise local networks. This is a relatively small cyber sub-sector worth around $5bn a year in total, with Corero’s directly addressable market worth only around $750mn. Market growth is around 15 per cent CAGR. 

The traditional approach to managing a DDOS is either to divert all traffic, genuine and malicious, through a remote ‘scrubbing centre’ to filter out the malicious, or to use a distributed network to deliver the requested data from another data centre. Both approaches are relatively inefficient and work less well with today’s smaller, short-lived, rapidfire attacks. Speed is CGP’s main strength, with it achieving a response in seconds rather than the minutes achieved by its competitors. This is because it still relies largely on hardware solutions rather than software. 

Like the other stocks here, Corero is now looking to put its balance sheet to work to augment underlying market growth. This is to involve: a broader geography (today the US is responsible for around 70 per cent of sales), growing in Europe and, primarily, Asia Pacific; a bigger push to service tier one businesses, from today’s large but not household names; improving technological capabilities as network data speeds increase; and broadening network capabilities from today’s dominant carrier technologies (Juniper Networks and GTT). Again, in common with the peers, this could be achieved organically or by acquisition. Corero, arguably, has more scope to use equity.

Corero has shown a more stable TSR than the others reviewed here, meaning there has been no share price slump that might create apparent value: the five-year TSR here has been +63 per cent against Intercede’s -28 per cent and Shearwaters’ -72 per cent. Also the rating is higher, with EV/sales already at 2.4 and EV/Ebitda of 44, which can make value harder to see. However, against the US peers and Darktrace, there is still a sizable discount and with a stronger TSR history, potential returns may be lower than our other two selections but there should be greater confidence in making gains. 

Intercede – Hackers don’t break in, they log in

The infamous Colonial oil pipeline network breach and ransomware attack occurred because the password of a legitimate employee was compromised, leading to severe disruption in the supply of auto and jet fuel, with president Biden declaring a state of emergency. The clear message arising from this incident has been that passwords no longer offer adequate defence for key networks and that access controls need to be more complex, multi-factored and more dynamic. In addition to being confident about their own security, organisations (particularly governments and especially in the US) now demand that partners and supply chain elements adopt far more rigorous identity verification before they are allowed to do business. Furthermore, regulations and compliance requirements are tightening globally to ensure that more organisations adopt stronger access protocols. It is in this identity verification space (known as identity and access market or IAM) that the UK’s Aim-traded Intercede operates. 

There is an established hierarchy for the security and trust of users’ credentials with passwords way down at the bottom and a regime known as public key infrastructure (PKI) offering the gold standard that government agencies and tier one banks etc demand. Intercede is a key player in the PKI segment, providing IAM services to a number of US government departments (55 per cent of revenues), defence contractors, national ID schemes and large financial institutions. However, like Shearwater, Intercede is now looking to expand into the previously less well-covered areas of its end markets, in this case technologies known as FIDO (Fast ID Online) and OTP (one time password), the latter becoming increasingly familiar to UK online banking users. 

This shift has scope to accelerate growth as PKI is a long-established, more mature market (but still growing at around a 20 per cent CAGR) with a narrower range of potential users, long lead times, complex integration and cumbersome roll-outs, whereas FIDO and OTP reach a wider customer pool with lower cost and faster-to-market solutions where the ultra-high standards of PKI are not required. This expansion should more than double Intercede’s total addressable market and accelerate growth. 

Intercede also plans to grow by both increasing internal investment and through acquisitions. This has largely been made possible by tidying up the balance sheet via the early redemption of an expensive convertible loan note with a 7 per cent coupon issued from 2016 when the group was running out of cash. This leaves the group with almost £8mn of cash to invest, potential to issue equity (but not at the current depressed share price) and possibly additional debt. 

Figure 1: Tiers of IAM security

Source: Intercede PLC

Can investors be confident here? There was a profit warning of missed forecasts as recently as April this year, which saw the price drop 37 per cent in a single morning session. With caution, the answer is probably yes as moving into the less rigorous IAM segments should help soften the impact of protracted dealings with the US government: the profit warning was largely a timing issue due to a US federal institution’s decision to phase its PKI roll-out. The IAM market is healthy, has growing regulation behind it and the growing practical requirement for supply chain partners to beef up credentials’ assurance. 

Intercede has slipped up and consensus forecasts have become markedly more cautious, but perhaps overly so. While the ‘one-off’ revenues of new licences and consultancy revenues are volatile, the support and management revenues are solid, have a high recurring element and are growing. This revenue block alone could underpin a higher valuation for the group. Approaching £8mn a year in the forecasts, this part of the business alone could support a valuation of 3 times sales or £23mn-£24mm, 15 per cent more than today’s enterprise value (market cap minus net cash). That excludes another £4mn of annual sales likely from ‘one-off’ sales, which could push the overall value to near £30mn, close to 50 per cent above the current enterprise value. There is still timing risk here, but with a growing, stable revenue core, strong market fundamentals and a more than halved share price, a lot of risk is already reflected in the share price – arguably too much.