Cyber security growth comes with cash flow at NCC

Broker Peel Hunt called it “the most disruptive of times for [a people business] in living memory”. In 2017, NCC swung to an operating loss of £53.4mn, from a profit of £11.4mn the year before.

Palser steps down next month, and will be replaced by Mike Maddison, until recently the head of cybersecurity for Europe, the Middle East and Africa at auditor EY. But thanks to his good work streamlining the business through multiple disposals, the company is in much better shape that when he found it. Peel Hunt, for one, has seen a “step change in the management control systems, overall professionalism and the resilience of NCC”.    

The human touch

NCC is made up of two divisions. The larger, assurance, is home to cybersecurity consultancy and advisory services helping clients better identify cyber risks and set up processes to reduce the threat, including recommending and deploying the most appropriate software. Unlike other listed cyber companies, this is a people-led service, rather than a software business.

That may sound underwhelming for investors keen to get a slice of scalable, must-have technology. But the constantly developing nature of cyberattacks means humans (which for now are more adaptable than computers) still have an important role to play in defence

In the first half of NCC’s May-end financial year, assurance revenues hit £123mn, or 82 per cent of the group total. This was up 5 per cent from the same period last year while the gross margin rose 1.2 percentage points to 36 per cent. Despite wage inflation, NCC has managed to improve efficiencies by better utilising its global workforce through remote working. The result, the company says, is that the entire workforce “can now be deployed on high value engagements, smoothing out peaks and troughs of demand or skill shortages”. 

NCC has forecast assurance revenue to grow around 15 per cent in the second half of the year, which would translate to a double-digit percentage growth in the top line for FY2022. The increase is due to a rise in both volume and prices – the latter being especially reassuring as inflation bites and a shift that suggests NCC has the pricing power to pass rising costs onto clients without losing market share.

Software bounces back 

NCC’s second, smaller division has had a tougher time of it lately. Software resilience provides both on-premises and back-up cloud services in case a client’s software provider fails. NCC can help the customers “maintain or recreate an application from the original source, should it ever be needed”. The service is referred to as software escrow.

In the first half of last year, continuing revenue from software resilience declined 3.3 per cent on a constant currency basis. This decline was greater than expected because of issues “attracting and retaining sufficient sales resources” which meant a decline in UK and US contracts. The tight labour market has made it tricky to attract the right people.

There is hope that this blip is in the rear-view mirror. In a 9 May recent trading update, management said it expected software resilience to return to revenue growth in the second half of the year. This should be bolstered by last June’s $220mn (£176mn) acquisition of US intellectual property management business IPM from Iron Mountain.

NCC says the integration is “significantly advanced” with customers already successfully migrated. Management has also launched a review into the division's operational processes and expects to deliver £5mn of extra cost savings by 2024. The main benefit of this acquisition is that it gives access to the far larger US market – as Iron Mountain is a recognised player in the country’s software escrow sector.

Although Iron Mountain is a big player in the US, it has been slow to develop its SaaS (software as a service) escrow options. NCC therefore expects revenue opportunities from offering “cloud and wider cyber resilience services to IPM’s extensive customer base over the medium term”. Software resilience is a much smaller part of the business, but its gross margin of 71.7 per cent is almost double the assurance divisions own. If sales pick up, then it will provide a big boost to the group margin – a big part of the reason why analysts are confident cash flows and operating profits will grow steadily over the next four years.

Cyber growth drivers 

During the pandemic, many companies accelerated their digital adoption and invested in improved cloud capabilities and capacity. While great for employees and organisations that want to work more flexibly, the trend does create more entry points into computer networks, making networks more vulnerable to hackers.

The global cyber security market is expected to grow at a CAGR of 11 per cent from 2021 to 2028, according to business consulting firm Grand View Research. It's these market forecasts that go a long way to explaining the excessive multiples most cyber companies trade on. UK-based artificial intelligence software company Darktrace (DARK) is currently trading on a forward price-to-sales ratio of 11 while in the US CrowdStrike (US:CRWD) is worth 23 times its forward revenue – despite being yet to turn a profit.

These numbers are siveable compared with NCC’s lowly price to revenue multiple of 2.2. Its PE ratio is also an affordable 16.1 – yet unlike many unprofitable cyber businesses, NCC actually makes a lot of cash because of its small amount of working capital. In the first half of the year, the cash conversion ratio was 74.7 per cent. When the £6.4mn of IPM acquisition costs are stripped out, it was a more impressive 99.2 per cent. Analysts anticipate a 12-month free cash flow yield of 4.9 per cent and a 2024 yield of 7.4 per cent, according to FactSet-compiled consensus figures.

Given these impressive cash flow projections, NCC’s relatively low valuation is almost certainly due to a combination of its historical mismanagement and the more recent struggles in the software arm. Investors have reasons to look beyond both: Palser’s tenure has largely put to rest governance issues, while the recent acquisition of IPM provides another avenue for growth in the resilience business.

With NCC in a much better state than Palser found it, his successor now can push things forward. Peel Hunt is impressed with Maddison’s background and his reputation as a strong team builder. With the foundations set, it is time for NCC to switch to a growth mindset.

Last IC View: Buy, 215p, 27 Jan 2022