CyberArk Software Ltd. (CYBR) Earnings Call Transcript & Summary

Okay. Good afternoon, everybody. Thank you for joining us. Really delighted this afternoon to have the CFO of CyberArk, Josh Siegel with us. Josh, thank you so much. I'm Hamza Fodderwala. I'm cybersecurity analyst at Morgan Stanley. Before I begin, brief disclosure, for important disclosures, please see the Morgan Stanley research disclosure website at www.morganstanley.com/researchdisclosures.

All right. I think I'm getting better at repeating that. So Josh, thank you so much for your time. Really appreciate it. So I want to start by kind of level setting the conversation. CyberArk has been one of the better, if not, one of the best cybersecurity stocks year-to-date from a relative performance standpoint. Can you talk a little bit about the demand environment for Identity Security. Why has it been more resilient relative to other areas of spend? And why is it such an important priority today versus, let's say, 2, 3 years ago?

Yes. Great. And Hamza, thanks for having us. By the way, maybe we should switch seats because this way I can look at you and...

Yes. No one wants to look at me.

No, I could look at both -- everybody. So same question, though. Thanks for having us here at the conference. And when we think about the demand for cybersecurity, clearly, we're all like exposed to what's going on in the macro environment and the likes. But -- and so -- but when you think about cybersecurity, the threat environment has never been higher than it has been over the last year, over the last 2 years. And there's a lot of obvious reasons for it. I mean, the digital transformation and COVID really spurned it as well as well it going on before that. And when we think about CyberArk within cybersecurity, we're thinking about Identity Security. And if you look at all the breaches around -- that's going on in the threat environment, well over 90% of those breaches are going to occur because some credential, whether it's a human credential or a machine identity was breached and basically, it went through on the entire attack chain of moving from credential to credential until it got to finally where the bad actor was trying to get to, whether it was the personal identifiable information, or the credit card information or the IP or for whatever the purpose was for the bad actor. And CyberArk plays in cyber -- in Identity Security. And so when you think about preventing, you're thinking about what am I doing to secure proactively, not just manage identities, but actually secure the privileged users who are the IT administrators, the workforce, which go up and down in privileges during the day and of course, the application credentials. And it's basically has remained, as you said, more resilient even in today's environment.

Got it. And so where CyberArk started was on the privileged access security side. So these were IT administrators, the users that were really securing the crown jewels of the organization. Can you talk a little bit about how that privileged access security market has evolved to encompass not just users, right? You mentioned machines. And how are some of the infrastructure changes within IT driving that?

Yes. So first of all, application credentials has always been a major backdoor. And CyberArk has been selling for over a decade, privilege access for application credentials as well. But they were static applications. In other words, the credential was hardcoded into the application. It would speak to another hard-coded credential into another application and so essentially, it was what we call static. What has changed and has made -- has proliferated even more machine identities that I was referring to is the fact that now they are dynamic, they are dynamic credentials in the DevOps processes, for example, every developer now as they're -- as they're doing -- as they're working through DevOps processes are creating what's called secrets. And that's why we even call the whole thing now Secrets Management as opposed to application credential management. And those secrets are constantly -- are dynamic in the sense that they're rolling up and they're rolling off and they're constantly changing. And so that's been a result of the DevOps processes becoming big. Even with static applications, because of the digital transformation, so many more things are being automated. If you think about robotics processing, which is now running processes through an IT organization in an enterprise. Those are also still static. So there's a lot more applications that are running credentials. And then kind of where we continue to expand on the market is around the entire workforce, thinking about not just viewing the workforce for how do you manage your identity to know that single sign-on and multifactor which is pretty basic but understanding that even the standard workforce employee is going up and down in privileges during the course of the day, whether it's the treasurer who now has to access banks or the head of IHR, which has to access Success Factors or some ticketing system for HR or marketing and running their social media feeds and so forth. And what we believe is really important for enterprises to think about is securing the entire organization, including the workforce now as if they have the crown jewels as well because they don't always, but they do during courses of the day, and that's exactly what bad actors are looking for. They're looking for when do I access this credential at a time when they're doing something that I can leverage to actually get to something more valuable or to another account. And so over time, I mean, it's the infrastructure of digital transformation. It's just much more usage. It's the remote usage. And it's the fact that individuals and workforce are becoming much more privileged and not just IT administrators.

Got it. So you talked a little bit about the importance of Identity Security as we move more towards this hybrid workforce as you're using more cloud applications. When we used to think about Identity Security, initially, you think about single sign-on and MFA, which is what you offer as well. But you guys came through it from the roots of privileged access security. Why is that a harder problem to solve for some of your competitors versus the access management side, which you said sort of is more basic?

Yes. I mean, first of all, it's just the pure access side of single sign-on and multifactor is pretty basic. I mean, there's actually a lot more to that world, which we are trying to bring to the table, which is we think, is much more advanced usage, whether it's also provisioning, securing the session that the workforce is doing, like we do with IT administrators or allowing them to have password management for their non-enterprise passwords similar to what you might get from a LastPass or something like that. So there's a lot of things also on the identity side. But to answer your question around why is PAMS so hard for others to come to. And it's because when you think about -- first of all, the IT administrators and the PAM side of the business, it's the crown jewels. Always, not just part of the day. It's like 24/7. They're credential, if you break into that credential, you can -- you're only 1 or 2 or 3 or 5 steps away, but you're much, much closer to kind of what we call a network takeover, which is kind of the holy grail for a bad actor. So they need to be on 24/7 alert all the time. And these administrators are also working with all parts, all types of the IT network. It could be with firewalls, it could be with mainframes, it could be with cloud providers, it can be with Microsoft servers and of course, you have all of the administrative access going on at all the endpoints. So there's just such a broad variation of what you need to be able to manage. And it's not just kind of the same for everybody. Everybody needs to be looked at differently. And one of the things that CyberArk has done over time and is that kind of help create the competitive moat, so to speak, is that we work out of the box with almost every piece of the IT infrastructure. So even if you have the technology to secure the PAM and the privileged users and the privileged credentials, you need to be able to interface when that privileged credential is working on any piece of the IT enterprise. And we sell to mostly to medium and large enterprises. And when you think about your own at Morgan Stanley infrastructure or anybody here thinks about their infrastructure, it's much more than just a small shop. It's very hybrid. It could be multiple clouds, it could be on-premise, it could be cloud, it can be legacy servers and things and more advanced technologies. And because of our experience, we work with all of them.

Got it. Got it. Another thing that we're hearing more and more is cyber insurance, right? And cyber insurers are requiring privileged access security more and more as part of their underwriting criteria. How is that bringing you into customers beyond the large enterprise? How penetrated would you say the opportunity is?

So I think with cyber insurance, it's like -- we like to just collect more and more tailwinds to our demand environment. And I think that cyber insurance is one of them. I mean if you think back, I mean, here we are in London and the House of Lloyd's and all the leading underwriters of the world. And if you think back years ago, basically on the cyber insurance front, they would just raise fees to be able to cover their risk. But then they realized, I think, in the last 3 years, when ransomware has become super abundant and the cost of an actual network takeover for an enterprise -- and again, I'm talking about enterprise. Even if it's a commercial-size enterprise selling $1 billion a year, it still could be a massive expense to be on the front page of the paper for a cyber breach and I think that the insurance companies are saying, "okay, well, we can't just keep raising fees, we will, but we can't just do it ad nauseam. And so let's start to try to reduce the risk at the same time." And once they went under the hood, to determine, okay, well, how do we ensure to help reduce the risk, the basic cyber strategy principles came out. I mean, they're not a secret. So they decided, okay, well, you need to have a firewall to make sure it's harder to get in and you need to have something at the endpoint that gives administrative access, lease privileges and reduces the ability of -- and can prevent ransomware and you need to have privileged accounts, which are the -- are 95% of network takeovers protected. And if you do some of those basic things, then you're then -- they're reducing their risk and it helps to -- that's why it's become a tailwind because they understand they have to do both, not just play with their fee structure but also to have enterprises reduce the risk.

So to shift the conversation to sort of the broader macro environment, right? So security, you mentioned obviously relatively more defensible than other areas of IT spend, but certainly not immune to the macro pressures. And you've been through 1 or 2 cycles with CyberArk. So I'm curious, all the secular tailwinds you mentioned certainly are there. But anything that you're seeing on the margin maybe on the macro front that you worry about or you're considering as you think about your outlook for next year?

Yes. I think when we think about next year, obviously, we're looking at let's call it, the harder visibility of what will happen. So we know what's happening today. We know what happened over the first 9 months of this year. And the fact that there's this macro volatility going on, we wonder, okay, well, is there going to be a moment where things either turn to worse to the right or maybe starts to turn better to the left. And when everybody is thinking about their next year plan, they're thinking about, how do I hedge for that. So clearly, we need to -- the visibility of what this type of an environment gives, gives any type of an executive in an enterprise a reason for concern because we have to kind of gamble which way things are going to go. And I think we always are in -- we're not worried about the actual threat environment. I mean not that we're praying for new threats, but we see that, that trend is [ leftistrations ]. So that's always -- and in harsher economic environments or geopolitical environments, we actually see the threat environment going up usually historically. The other thing that's interesting about where we get some comfort from the threat and from the demand environment is in this type of an economic environment, you're seeing a lot more companies make downsizing decisions and downsizing decisions actually is a big proponent for insider threat as well. An insider threat is something that is protected by -- is one of the first things you're going to do for -- to have -- make sure you have privileged controls and workforce controls and application controls because -- so that's actually -- there's been a lot of discussion around the rise of potential insider threat when you have people being laid off or some volatility within the organization. But on the negative side, for me, it's really the visibility that it's really hard to know what's going to happen and what quarter it's going to happen.

Got it. The other thing that we're hearing in this macro backdrop is around consolidation. The average enterprise is using 50 different security tools. They're using multiple identity tools as well. It seems to me CyberArk is really building this broader identity security platform story. You've got 20% of your ARR not coming from Access Management, another 20% that's coming from the Endpoint Privilege Manager. Are you seeing more consolidation within your customer base than you had, let's say, a couple of years ago? And do you think right now is the time for you to double down on that, continue to consolidate the market and that might include maybe perhaps pursuing some inorganic opportunities as well?

Yes. So absolutely with our success in really moving into the identity security space as opposed to just the privileged space. We're seeing and we have tons -- lots of proof cases over the last year where actually our customer base is either moving from the PAM and incrementally moving into our identity services and those are all services right now because they're SaaS platform and as well moving into Secrets Management as well. So it's happening, I think, in part -- one because I agree with you that enterprises are trying to look to reduce their vendors, but also because we're really able to offer this in a very competitive way. I mean, one of the things that's exciting for CyberArk that's happened in the last month is we came out in an industry report for now not only being the leader in far up to the right in PAM, we're actually now in the leader space as well for access, and we were able to move over from -- move up from the visionary into the leader space. So it really makes us the only company in the world that is in the leader quadrant, both for privileged access and for identity access, which allows us to really to stake a claim on true identity security. So it allows us to really talk to enterprises about thinking holistically across your organization. How do you think about securing all of your credentials, whether they're human, whether they're machine, whether they're static or dynamic, whether they're in cloud or whether they're self-hosted and multiple clouds for that matter as well. And so that gives us a very powerful statement. And I think we're still kind of at the beginning of that larger story, but I think that it resonates well.

So right now, every CEO, CFO is having to deal with the question about growth versus profitability. It seems -- you guys have always been a profitable business prior to the transition, and you'll get back to those margin levels at some point. But when you think about that, right now, it seems like relative to other -- some of your competitors who are struggling, cutting OpEx, you have a time to really -- a keen opportunity to continue to consolidate that market. Do you think right now is actually the time to double down on growth?

So we're continuing to invest in growth. This year, we were always with the theme of investing in growth, partially because in order for us to invest in growths, we actually have to do it in advance because it takes our sales teams time to ramp up. It takes -- the sales cycles are 6 to 9 months. So it's a bit -- because we sell into the enterprise space, software enterprise space, we do have to be thinking about these things in advance. And we are still bullish that the identity security market is a growth market. And I think in this economic environment, we need to be more prudent about thinking, okay, doubling down is kind of 2021 language as opposed to 2023 language. But absolutely, we don't want to leave money on the table, and we want to be sure that we're able to be there through 2023, assuming that the demand environment remains and the economic environment is suitable to it. And mostly that means around especially investing in the go-to-market side.

Got it. Just a couple more questions, and then I'll open up to the audience. So you're at the tail-end of the subscription transition right now and the ARR growth has accelerated throughout the year. To what degree is that ARR growth being driven by your existing maintenance base converting to SaaS or subscriptions?

Yes, to a very small degree. I mean, if we saw 49% ARR growth on Q3 to Q3 last year, it's just in the single-digit percentage points of that because of what we call migrations or conversions from kind of maintenance to either SaaS or to self-hosted subscription. And we should be clear about when a company -- when one of our customers actually migrates from a maintenance contract to either moving everything to the cloud, which is kind of one part of their story or saying, okay, I want to buy more seats of what I had, but I'm going to subscribe now because that's what -- because those new products that we're selling to subscribe to are much more feature-rich than what they had bought as a perpetual product and then they'll say, well, let's back -- I'll go backwards and move all of my perpetual product to the subscription product in order to enjoy the feature rich of the subscription product. That's really a tech upgrade. So that's kind of similar to what we were doing when everything was perpetual, we'd go back to them and say, "don't you want to buy all these additional features to your perpetual story?" So it's only the piece of the business. So some pieces -- maintenance that goes to the subscription, but a big piece of that incremental ARR is because they're paying more money because they're getting a lot more product on a per seat basis. So -- but at the end of the day, I think it's still a small -- less than 10% is moving over to -- is kind of the right hand moving to the left hand.

Any like early data points you would have, what the typical ASP uplift might be moving from support to SaaS?

When we think about -- it's kind of a range between 2x to 3x. So it depends on whether it's moving to another self-hosted environment but with the new product? Or is it moving all -- if it's moving into the cloud, then it's going to be in the higher multiple because it's a more expensive product because we're now hosting the service. But we can figure it 2x to 3x.

Got it. So on the profitability front. So you're at the stage of the transition now where the revenues are accelerating because you're lapping some of the transition headwinds. When do we start to see the more meaningful margin leverage come through over the next few years?

Yes. So I think the way we're looking at it and what we talked about is this coming -- in the first half let's call kind of -- we have a kind of a 3-year post-transition window. If you think the first half is going to be a slighter, a smaller slope, but improving operating margin. The revenue, we're already seeing a swing back, last year, it was in mid-single digits, I think 8% growth. This year, we're -- the guide is around closer to 20% growth. So we're already seeing that swing back and that will continue. And on the operating -- that will help us with the operating margin, but it's going to be slower in 2023, but then the slope should steepen in '24 and '25.

Right. And that's because more of the sales are now coming from the renewal base as...

Yes. It's because when you think about in 2024 and 2025, I mean, today, we're at high -- we're almost between 85% and 90% of all of our new business, SaaS and subscription. Next year, we'll be at 90-plus percent of the business will be SaaS and subscription. So when we think about like 2 years from now and 3 years from now and 4 years from now, what happens is that you -- our maintenance ARR is going to be maybe 10% of the business, and all the rest of the ARR is going to be coming from license, SaaS and subscription. So once we start to round trip 80% and 90% of our ARR going through with license, we kind of get back to how we were as a perpetual company. I mean, that's just how the kind of the math works. And assuming we do our homework and we execute well on the renewals.

Got it. All right. Any questions from the audience?

Talking about ForgeRock, do you think the transaction should be approved? And if so, why or why not?

ForgeRock, approved by?

By the FTC?

Yes. I actually don't have a strong opinion about it. We're okay if it gets approved and we don't really have a position there, and I don't really have a strong opinion.

Any other questions? Maybe one more for me. You mentioned the margin levels getting back to when you were a perpetual company. When you're a perpetual company, I think your operating margins were peaking around 30%, 35%. Is that the kind of margin level we could see you get back to long term?

I think the first stage that we kind of geared investors towards is more of the kind of the rule of 40, kind of balanced rule of and -- but when we're at a rule of 40 for a fully recurring revenue company, it's a very powerful model. Even compared to kind of a 30% operating margin on perpetual, where you have a lot less visibility on being able to replicate it and you're much more at the mercy of the economy and volatility within the marketplace. Once you're really a fully SaaS recurring revenue company then, then you're able to be much more strategic on keeping that growth going forward because you have so much more power and visibility in the model. It's also an easier model to leverage when you choose to do so.

Any sense you could give us on -- I know it's still early days for the SaaS and subscription business when it comes to renewal. What are the net retention rates look like for some of the early contracts that have come up for renewal?

Yes. I mean, so far, it is early. And the reason why it's early is because we just started selling SaaS and subscription contracts really in -- towards the end of 2020 and mostly into 2021. And a lot of -- we have a 2-year duration. So really, it's kind of next year and the year after, we'll start to see the lion's share and the bulk of those renewals. But what we've seen so far is where we want to be for renewal rates and if we can continue at these numbers, we don't -- we're not yet publicly disclosing what they are, but there are renewal rates that are in best-of-class nature of what you'd want to see and we're expanding them. And I think that investors can see that because we look at our ARR and we talk about 2/3 of our ARR coming from existing customers and the 1/3 coming from new customers and then you look at that growing at 49%, you have to have a high renewal rate in order for that to happen and also a good expansion of those for that to happen. But you also know that 1/3 of that ARR is coming from new customers. So you realize that it's not only at the expense of expansion.

Got it. Any other questions from the audience? I can keep going for sure.

If you have any pushback on the renewal, what is it? If you have any pushback on -- have you had customers say they're not renewing, they're going to competitors?

Yes. So the typical point where we may not have a renewal is actually probably if they bought it and never used it. In the context of they either bought it because of some compliance problem or audit issue and then they never really felt like that was -- they didn't have their back into it. We have -- there were -- there have been times where we've lost in competition, but it's -- our renewal rates are very high. And so it's a sticky product. So when they're using it, it's very hard to want to replace because it's going through the entire IT infrastructure, there's a lot of policy and controls and so we haven't -- I don't have enough anecdotal storage to be able to tell you that there's one particular hotspot for why they don't renew, except for, oh, yes, we just didn't use it.

And can I have a follow-up? Zscaler this morning was suggesting that you don't need firewalls, you just need ZScaler? What are they not telling us and what is that you're offering?

Well, first of all, we don't -- we're not in the firewall space. So that doesn't impact us. But I think that I'm not an expert enough on Zscaler's positioning, but I do know that you need privileged access management and identity security if you want to have a proper cybersecurity strategy within your enterprise. That's -- I don't think you'll find anybody who would disagree with that statement.

Anybody have a CyberArk-specific questions? Maybe last question for me. The channel has been a real force multiplier for you guys. And you talked about these cloud marketplaces. Maybe just quickly, if you could talk a little bit about how that's been driving additional sales for you guys?

Yes. I mean, the main thing around channels, there's two areas. One is enabling and training advisory firms and partners, always been a huge point of success. And then the marketplace that you brought up specifically AWS, it basically allows us to take advantage of all the enterprises that are using AWS already. Many of them have credits with AWS for their usage -- of their cloud usage. And if we -- and then selling through AWS, it really reduces the friction for those customers because they're actually able to use the credits in order to purchase CyberArk solutions. So it's been a nice incremental channel for us to develop starting in '22. We expect to expand going into '23. And any time that you can reduce friction with your customers and make it a little bit easier for them to actually put the PO in, is a winner.

All right, Josh. We'll end it there. Thank you so much for your time, and thank you, everyone, for joining us.

Thank you, Hamza.