CyberArk Stock: Massive Secular Trend & New Business Model – Top Pick

Boring is sometimes a goal of an investor. It means they can SWAN (sleep well at night) knowing their investments are churning out growth slowly but consistently, like the sunrise each day. CyberArk (NASDAQ:CYBR) has been pretty boring this year as it completes its transition from perpetual licensing to recurring, subscription-based revenue. Its stock is down about 11% year-to-date, which seems anything but boring – perhaps frustrating, instead. But, this calm duck on top of the water has its feet pedaling furiously below as its business is now accelerated into its next phase of life – a consistent, predictable, and market-beating growth engine in a resilient sector of tech. With the market granting returns beating all benchmarks, something of a victory in 2022, there’s good reason to dive into CyberArk’s potential.

Now, if the stock’s returns in 2022 don’t draw you into CyberArk, allow the execution of management’s transformation of the business into a cloud-first, subscription-based business along with a long-term secular security trend to do the talking.

A Stronger Model Of Predictability

The company has been embarking on this journey of subscriptions for almost two years. Unfortunately, its growth has seen headwinds because of it, keeping it at single-digit and very low double-digit levels for nearly every quarter over the last two years. But with the latest earnings report, things are officially on a new trajectory.

After reporting a quarter with revenue growth of over 21%, management followed it up with FQ3’s even stronger guidance, implying a growth rate of 28.2% at the midpoint. This accelerating growth is exactly what I predicted in February when I last covered CyberArk for my paying subscribers.

The acceleration in growth comes from its subscription revenue, which accounts for 46% of total revenue. Moreover, total recurring revenue is now 85% of total revenue.

If this subscription versus recurring is a bit confusing, it clears up once you find the delineator. The non-subscription but recurring revenue comes from perpetual licenses and the associated recurring maintenance fee. To break it down one level deeper, in the old model employed, a contract would have an upfront license cost (which was considerable) with an ongoing smaller fee for maintenance and support – the recurring part. This was standard in the industry, at least before the subscription model became the predominant contract method.

The perpetual license model is rarely employed by the company for new sales, but the maintenance fees are still around from all the prior perpetual deals. However, these maintenance agreements will eventually fall off whenever the contract period is up for the customer. At that time, CyberArk will negotiate to move the client to a subscription model, moving the once less secure revenue to a spread-out subscription schedule encompassing the entire package of product, support, and maintenance.

Add on top of that the cloud model where clients don’t need to support on-premise infrastructure to get up and running, and the sales cycle shortens significantly. In addition, using CyberArk’s cloud product gets the client in the door much quicker, paying sooner. The company is more financially predictable as closing deals within a quarter is no longer a concern as a large upfront license payment is no more.

But this only is a transformation of the business model itself. Its products still need to be sold, and momentum still matters.

And momentum has mattered.

Demand For Zero Trust Is Demand For CYBR

The company continues to drive new business and upsell current clients. The recent industry push to Zero Trust architecture is driving much of CyberArk’s product demand. For those who haven’t heard of Zero Trust or have heard of it but don’t quite understand it, the concept is simple in theory. Still, the implementation requires reworking or ripping out many legacy security systems unable to protect an enterprise or business in 2022.

At its core, Zero Trust means there’s no longer an authenticate-once-and-gain-free-range-access to the network system; no more network “edge.” This trust but verify philosophy opens up users to become unwilling Trojan horses for malicious code, attacks, or pawns of “keys to the kingdom” phishing. Instead, Zero Trust says users must authenticate at every step, all the time, at every request. It means anyone with unwarranted access will hit a roadblock on the next task they attempt. It confines an unauthorized user (someone who has stolen a password, breached the network, etc.) to be restricted to whatever they were doing or accessing at that moment – any next attempt at moving around will be met with an authentication request, one they cannot verify appropriately.

The problem is this kind of security philosophy is super cumbersome if a user continually must authenticate and use MFA (multi-factor authentication) for every task they need to accomplish, not to mention CI/CD (continuous integration/continuous deployment) applications doing automated communication. It would relegate employees to spending half their day authenticating and swiping the proverbial badge at every step. But cybersecurity companies have created systems to automate this process by storing secrets in vaults, so users aren’t even privy to passwords, and by providing systems that can manage continual authentication, including single sign-on and live monitoring of expected activity.

In lamest terms, think of Zero Trust as going from passing an ID check at the club entrance with only the bouncer to being asked to be ID’d before you can buy each drink, dance with anyone, request a song from the DJ, or buy someone at the other end of a bar a drink. Each one of those requests will require a different account and authentication method. Oh, and your ID is just your voice, and it uses a password you’re not even aware of, and then it changes when the bartender gives you each drink. To you, you’re just talking, but to the systems around you, they’re identifying you and granting you proper access to your requests.

You can thank the pandemic for pushing this and, more recently, the Biden administration for requiring the NIST protocol related to Zero Trust for government agencies.

All this to say, CyberArk has the products needed to implement Zero Trust architecture. And CEO Udi Mokady said during the Q&A portion of the Q2 ’22 earnings call the market is finding out CyberArk has the tools it needs:

…you can’t achieve Zero Trust… if you don’t have a privileged access management controls in place, if you don’t apply lease privilege on the endpoint, which is our EPM. And it’s been really – the market has been understanding that.

And the sentiment is not without proof.

The company added 250 new logos during the quarter, up 30% from the previous year’s quarter. That’s an acceleration from the 185 new logos the company added in last year’s quarter. It also surpassed 1,000 customers with over $100,000 in ARR (annual recurring revenue), up 50% year-over-year.

It’s clear momentum is accelerating and not slowing as the macroeconomic conditions have had virtually no impact on the company.

This isn’t a surprise to me.

Cybersecurity – as I emphasized strongly during the height of the pandemic crash – is not discretionary spending. CIOs are not cutting spending; they’re increasing it because it’s cheaper to buy an enterprise-wide system for Zero Trust than to piece together legacy systems and/or go through a breach of any sort.

The CEO affirmed the zero impact the broader economy has been having on its sales during his prepared remarks on the recent earnings call:

The broader economic uncertainty we are all hearing about has not impacted our business. We are watching very closely and analyzing the trends in our business more frequently. We continue to execute our strategy. Our close rates are strong. Our pipeline is at record levels, and we are seeing an acceleration in demand. (emphasis mine)

He goes on to say, “the first half of 2022 was one of the best in the company’s history, and our Q2 performance demonstrates [that].”

Accelerating demand – hello! If you’re looking for a sector and an industry bucking all the trends right now, it’s the tech industry, specifically cybersecurity and, more specifically, CyberArk.

Paying Less Than You Would Have Before

All the while, the valuation for CyberArk has shrunk. As a result, you are paying less for CyberArk now than if you bought it at the onset of the pandemic crash. That’s because its outlook is better today than when everyone worked from home.

Unlike other companies, like Zoom (ZM), which provide a service specifically for working remotely and have seen the cycle take them down after the pandemic needs have unwound, CyberArk is providing the future all companies need regardless of the pandemic. For cybersecurity, the pandemic only pulled in the inevitable move to better security. Once that happens, it can’t stop. Cybersecurity only moves forward because malicious actors and threats only move forward.

This means CyberArk’s business is brighter now than during the pandemic, and the multiple compression has created an opportunity to buy it cheaper.

Some might look at a forward price-to-sales ratio of 10 and think, “That’s too expensive for this environment!” But you can’t forget the “environment” you’re talking about has had no impact on the business. In fact, the business is accelerating, and the multiple is lower than when less growth was factored in. And, if you’re wondering why I’m using sales and not earnings, it’s due to the subscription transition hurting costs. The company is pushing forward with R&D and sales & marketing while missing the upfront revenue it used to have. Eventually, when the company is done seeing headwinds from the transition (it saw a $16M headwind this past quarter), operating income will expand accordingly.

If the stock maintains a forward 10.26 P/S ratio and estimates continue to rise – as they will with the company’s accelerating demand – the stock will rise on just the performance of the business. Accordingly, I expect FY23’s estimates of 22.5% growth to be way too low. Instead, the company will do closer to the higher end of current estimates at around $780M, or 30.6% growth over FY22.

Combined with a 10.26 times multiple, the stock is fairly valued at $186 (using 43M weighted shares versus the current 41.4M expected in FQ3 ’22). This is about 22.6% returns over the next year from Thursday’s levels. Admittedly, this isn’t a ton, but when the stock is outperforming the broader indexes by a factor of over two this year, it means a lot in this market.

Finding Shelter In The Storm With CyberArk

There isn’t a better sector to place money in during these volatile times than cybersecurity. Not only is the sector seeing accelerating growth, but one of the best-managed and best-positioned companies in the industry is seeing accelerating demand with muted valuations. The pandemic was flashing the same valuation multiples during the crash, and confidence in growth was nowhere near today.

Add to it the transition to a predictable, smooth sales model, and the company has all the qualities of a management team standing on top of every pillar of success. This includes a solid business model (subscriptions), a solid set of products (showing accelerating demand in the market), and a solid underlying secular trend to the latest security philosophy (driven both by the government and threat actors). Under $150 is a good start; under $140 is even better. If the story holds here or gets better, any dip is an opportunity in CYBR.