Gen Digital Inc. (GEN) Earnings Call Transcript & Summary

[Audio Gap] run the cybersecurity research team here at Stifel. Thank you all for joining this virtual event. I have the pleasure of also virtually welcoming Norton's CEO, Vincent Pilette; and then President as well, Samir Kapuria, is going to be joining, too. Before starting, if you'd like to ask a question, you can do so via the webcast link, or you can also just shoot me an e-mail at [email protected]. Vincent and Samir, thank you both for joining us.

So let's start high level as we usually do with these things. I think most of you all have familiarity with the Norton brand. But obviously, a lot has changed over the last year. I think for those perhaps less familiar, maybe you could provide us with a brief overview of the core business today and the overall growth strategy. I think a lot of investors have familiarity with the prior iteration of Symantec, but how should we think about Norton as a stand-alone consumer story going forward?

Yes. Thanks for the question, Gur. And I met with a few investors this morning, was surprised to hear that a few were new to the story, which was actually delightful, but surprising. So we are NortonLifeLock. We come out of the separation of Symantec between consumer, cybersecurity business and the Enterprise business. The Enterprise business last November was sold to Symantec for $11 billion, and we returned the cash to shareholders in the form of a special dividend. When you talk about the division, we see, really, November as kind of our IPO, if you want, under NLOK, NortonLifeLock brand. It comes from the Norton Security business, Software Security business, full consumers part of Symantec, and the acquisition of LifeLock identity protection and restoration business that Symantec acquired 2 years ago. At the time of the acquisition under the leadership of Greg Clark, they built a vision of developing a cybersafety plan for consumers. As the life of consumers more and more move online as your identity becomes more and more digital and as your identity actually explode into multiple identities and lives online, the need for an overall cybersafety protection plan, if you want, the same way that you have protection and safety in your physical world would only grow. And the combination of an integrated portfolio coming out of the merge of Norton and LifeLock enable us to launch last April, Norton 360, which is an integrated platform offered for a membership fee, fixed level of membership, and giving us the ability to add new features as we build this vision towards a digital cybersafety plan for consumers. Since then, we said that we would increase our investment in marketing since we are 90% direct-to-consumer business, selling through our e-commerce platform. E-commerce and marketing is basically our sales engine. We've increased our overall marketing investment to roll out Norton 360 and build up the message of cybersafety for consumer. And we've seen early signs of success. We've been growing at 4% booking rates for 2 quarters, a customer count that had been in decline for many years has turned out to be growth -- granted slow growth, sequential growth, but we'll continue to build and roll that Norton 360 features to our installed base and to new consumer across the world. So that's where we are today as we close the fiscal year. We have a midterm model in place from a financial perspective, growing mid-single digits, delivering operating profit of 50% margin, both of which were almost there at that level, delivering an EPS of $1.50 and generating $900 million of free cash flow, supporting then all of that, the vision towards that cybersafety company.

That's great. And Vincent, you've been tasked with handling the separation of the Symantec Enterprise piece from the consumer piece. Can you maybe just talk about where we are in that transition? I think if you go back even a year plus ago, there was sort of this discussion of whether the separation could even happen, given shared technology, yet, it's been incredibly smooth. Maybe you could just kind of walk us through the underlying reasons why that's been the case and where we are today as far as that separation?

Yes. And I think that's correct. A pure separation in 2 stand-alone businesses could have been really hard. We had the opportunity with the Board, the management team to sell the Enterprise business in a very unique manner for this scale, which is an asset sales. Broadcom bought all of the Enterprise revenue and only the necessary assets for them to integrate into their already formed software division, which then left behind about $1.5 billion of annualized stranded costs at the time. And we told the Board that we would eliminate 100% of those stranded cost over a 12-month period, while at the same time, we would reinvest into the consumer business that was a little bit trending like a cash cow division, if you want, invest first in marketing and then invest in R&D to accelerate the innovation cycle. We bifurcated both processes and we accelerated the transition. We're almost done. I told on last earnings call that by this quarter would be the last of material stranded cost. And then in July and August, the following quarter, we'll have the remaining ERP and data center decommission. So a little bit of remaining cost. By September, we will be done with that transition. We also sold a portion of our underutilized assets, still have a little bit to do in that area. And we then embark on to really focusing on building that consumer business. When we reinvest in R&D, there are 2 areas that we're looking at. The first one is fast prototyping, so creating more bandwidth in the R&D organizations to accelerate the development of new features for Norton 360 as we constantly evolve the portfolio. And the second one is rebuilding some of the layers that move to Broadcom, for which we have a long-term partnership with and sharing data across the 2 companies. They focus on the Enterprise, so we focus on Consumer. But there are some layers that we want to have in-house and that we are rebuilding.

That makes a lot of sense. And I do want to drill in a lot into 360 in a second, but I'll ask the obvious elephant in the room question and get it out of the way first, which is, you gave some good detail on the last call regarding the impact of COVID, which was actually fairly minimal as far as what it meant for retention rates. As things are fairly fluid out there, the world is changing by the day. Perhaps you could give us your updated thoughts on where we stand today as far as how you're thinking about that overall impact? And have you seen any sort of change here over the past few weeks?

Yes. So when COVID-19 happened, obviously, like any leadership team and in working in collaboration with the Board, we went back into analyzing multiple scenarios and say, what would happen if and we develop all of those? Went back also to 2008 and 2009 and see what happened at the time. We concluded that we have a very resilient business and that we have plenty of P&L and balance sheet flexibility read by that excess cash and plenty of variable spend to navigate through short-term impact in the economy. Now every crisis is unique. And this one definitely comes with the fact if it's an economic crisis, maybe now, short term and long term, nobody knows. But it comes with the fact that more of your life is moving online. More of your identity, more of your identities are moving online. And from all cohorts, new cohorts like maybe my mother who never really went online and now is going online to do some orders, and all the way to my 12-years-old son that does all of his school through video conferencing and other. So the digital life has taken a bigger proportion. And that is our underlying structural growth story, which is, as more and more of you life as a consumer over the long term -- we have 7.5 billion of consumer to touch, you will develop a need for cybersafety and enablement and protection plan, if you want, as you do that. That long-term view of us has just been more validated by COVID-19. And we haven't seen like a jump of multi-percentage point overall, but we've seen very good solid interest for our products, our portfolio, from members that wanted to make sure that they have all the data right in our system to ensure proper renewal. All of that, if you want, has been a validation of our message. Now the question I get from investors saying, "Hey, maybe the pandemic is behind us, maybe. And the economy may be in a V-shape in term of recovery, maybe. What does it mean for you? And my point of view is always the same. We have a long-term structural growth. We have not changed our long-term model or metrics, and I think we're marching towards that. In between, COVID-19 has been just one more angle for us to drive our message and awareness with consumers.

That's super helpful. Let's drill into that in the context of Norton 360, right? If you look at the history of the consumer security space, it's been, I would say, fragmented in a lot of ways, right? Maybe you had a play on mobile. Maybe you had a stand-alone VPN play, and it was a patchwork of different solutions. You're really sort of making the play for a consolidated, sort of simplified type of solution. What do you think the appetite is right now for a solution like that? How should we think about present-day penetration? And what are you thinking about in terms of longer-term penetration? Do you see COVID potentially as a catalyst and sort of in the wake of greater digitization and more folks moving online, more folks doing things online, or the new term more holistic solution might be more impactful in today's world than it was last year?

Yes. And of course, you will want and I will want to stay very practical. And in certain markets, is their consolidation fragmented, not fragmented? But allow me to step back first. When consumers' security studied, it was really mainly around the antivirus to compensate for security weaknesses of certain operating systems. That need by itself, obviously, has diminished tremendously as the operating system have been increased. Still there because I think a third level of protection is an absolute plus, but it's not by itself the main driver. Then all provider of those solutions have increased their portfolio and have tried to eliminate some pain points. Password managers, maybe VPN when you connect. All of those features, in my mind, are still very device centric. You move maybe from one device to multiple device, from one operating system to multiple operating system, but you're very device-centric. Two years ago, when we bought LifeLock, we became user-centric. We also wanted to protect and restore your identities. Everything that went online that could be stolen from you or misuse from you from an ever-evolving cybercriminality is something we want to address as a pain point from consumers. And so moving from what I mentioned, one device to multiple device, from one operating system to multiple operating system, moving towards user centric, what applications do you share information with that could be a risk from a cybercriminality is what we're trying to address. And I would say, if you fast forward now to the future, that's even evolving the same way non-devices evolved from one identity that you could now have physical and digital, to multiple identities. Even the definition of a digital identity could continue to evolve and be broad based. All of those are offering us opportunity to build that overall cybersafety plan. And within that, of course, now you want to come back to the practical view, which is you still have standard markets. So you have a market-defined security, in which you have multiple players. We're the leader in it and will continue to roll up and add new functionality. You have a market for identity, and that's growing at [ real ] single digit. You also have multiple players in that. And there, the technology and the needs will constantly evolve. Then you have new emerging markets. What does privacy mean? What is the right to be forgotten on the Internet means? Et cetera, et cetera. And all of those are opportunities that we believe we have both the brand and the capabilities to address under an integrated umbrella of Norton 360.

So I think you answered the question, but I'll drill in a little bit. When you think about that conversation, how do you sort of view your current appetite for pushing into relevant adjacencies? And when you take that a step further, how do you think about the potential impact to ASP, which have been trending up, should you make kind of these further pushes into relevant adjacencies?

Yes. So let's just be clear, we are at the early stage of our new life under Northern LifeLock, right? And building up an operating system, a leadership team, a company that can operate with credibility was very important. I think after 2 quarters operating stand-alone, we've earned the right to be considered that way, but we'll continue to improve. The second immediate initiative that we launched was to make sure we have the marketing engine which is really our sales engine, if you want, behind to push that awareness, push the world of Norton 360, making sure that there is an overall demand and awareness for our products out there. That's the investment in marketing we've made, and you'll see more of that. It goes without thinking that at the core, we are a technology product company. And so constantly investing in that technology space is the next step of initiatives. We've definitely launched a few new features in the dark web monitoring, the on-title alerts, all inputs that we get from a vast installed base and many other inputs that then build into the overall R&D engine. As we continue to create operational efficiencies, we're going to increase both the velocity and the bandwidth of that R&D engine to be able to do fast prototyping and test some of the new features and push them along. So you'll see more of that as we continue in progress. You'll hear more about the new features we're launching. And that's absolutely a critical avenue, if you want, in our long-term future.

That makes sense. And I guess in the context of that conversation, how do you think about potential appetite for M&A? I think there's a lot of chatter out there right now in the security world. Just given the environment we're in, given some of the challenges that smaller private companies perhaps are facing and raising capital, it's a question we ask everybody. But when you sort of look out there, does this make you want to be perhaps more aggressive or less aggressive? And looking outside of the core R&D base to perhaps grow the TAM and expand it to other areas?

I think we want to be ambitiously aggressive to build toward our vision, which is a cybersafety plan for consumer. And again, if you go into pretty mature industries, you always have one or 2 top brands that come to mind. If I go to consumer today and I say cybersafety, you won't have that. And we have boosted the brand capability to go and define that overall market for consumer. So that's an exciting place to be. You need to have a vision, and we have that. Then you need to have a strategy and an operating system. And that's what we're building. And I think we've earned the right now to say that we've had early success in both the operational side and also the growth side. We added a few functionalities, not yet to where we want to be, but it's getting there. And we've returned to stabilizing and maybe slightly growing sequentially customer account. Both are very good signs. Then you want to say, okay, what else you want to do? And you continue on your strategic framework, and you say, what are the adjacencies I want to build on? And as we do that, we identified some, obviously, we have. And then you analyze, do I want to invest organically there? Because I have a shot, I have the ingredients, nobody has been there yet. Or you look at the competition and say, hey, has a product already being derisked from a [indiscernible] perspective? Or is it already a full business with paying customers? And you look at all of that, and you want to make financial trade-off between your organic investment and your tuck-in M&A strategy. I think we are at the stage today that we have the right to do that. Not that we will do it because, as always, in acquisition, it depends on so many stores, cultural, people, process, timing, et cetera. But in terms of aggressively pursuing our vision, whether it's organic or inorganic, is absolutely -- not only a must, but something that drive all of us on the leadership team here.

That makes sense. And in the context of that conversation, how do you think about the competitive environment today? And if you kind of -- if you go back 2, 3 years, the viewpoint was that Consumer was just sort of going to be a part of an Enterprise story, a way to kind of make margins and that ultimately fed the engine. Obviously, the viewpoint has changed pretty dramatically today. When you look out there, you still have some players that still kind of operate more of that hybrid model. You still have some stand-alone flares. But can you just take a step back, how do you think about that environment? And then you talked about some that are device-centric. Maybe you could elaborate a bit on that, whether you see that being still kind of an undercurrent across the broader space?

Yes. So to be clear, the competition evolved, the view of enterprise and consumer evolved, but also the consumers themselves have evolved with their habits and what's happening in that world. I think that's an important one. I cannot speak for the competition. But I can tell you, for us, managing the requirement of an Enterprise Security business and managing the speed, velocity and different angle of a Consumer business has been pretty challenging. I think we made the right decision by selling the Enterprise and focusing on Consumer. And maybe that thesis when it was mainly around engine and protecting an endpoint device, which by the way, is an enterprise term, made sense. But as you get closer to the consumer, integrate it past the device security needs and going to the user needs and embraces different needs around, like for example, your identity restoration or your protection. You have also different business model, more services oriented. And I think that's an opportunity by itself that has enough complexity. When it comes to competition, we address 4 pillars, mainly, right? So still the traditionally defined security pillar, the identity pillar, privacy and maybe connected home in a fragmented way. On the security side, there are 3 main players that together and with the leader on about 60% of the market. The rest is still fragmented. And the way we compete in that environment, obviously, is proposing an integrated solution that not only protect the device but product the usage and your digital entities online. When it comes to identity, we also have mainly competing against the credit bureaus, if you want. We offer a broader set of the portfolio. And then you lean back to the technology software security angle, which is not only will provide your identity element, but we do it in the digital world, thanks to our software enablement platform. And then on privacy and connected home, I would say those are emerging fragmented market for which we absolutely have the right to play and need to continue to be very innovative.

Okay. That makes sense. And maybe just going back to the comments you made earlier. You talked about the growth in subscriber count here for 2 consecutive quarters. Maybe let's elaborate a bit on that, the underlying drivers of that growth despite all the changes happening within the business. You're still able to kind of get good growth here on the subscriber level, which I think surprised a lot of people, especially in this environment. If you take a step back, how do you think about just the funnel, if you will, of customer growth? And where do you ultimately get the confidence of durability in that metric?

Yes. And it's an interesting one. I get that question very often. So first, let me tell you about the growth itself, and then we'll talk about the confidence in the future. It's important to recognize that over the last 2 years, the consumer division of Symantec really spent most of their energy integrated in integrating the offerings into that one platform, and they have done a great job at it. In the meantime, they also increased the engagement with the installed base and increased the retention up to 85%, which is industry-leading standard metric. But at the same time, they did not invest really in marketing -- continue to treat marketing down and let the customer count glide down for many, many quarters. I would say, even many, many years. So when we launched Norton 360, we said we need to create the room to invest in marketing. We became a Consumer pure play. So every dollar we're investing in the business is made for that business. And we launched or increase our marketing spend from roughly $200 million to $300 million at the same time that we launched Norton 360. We also directed those dollars into new form of marketing from the long and short-form traditional forms like TV, radio, mailing into the new forms like paid search, social media, and move those dollars more U.S.-centric to also being in international. We've seen an early sign of success, I would call it customer stabilization. With, of course, broad-based, as I mentioned, performance there, not only the traditional side, the security side, which we call Norton 360 value customers, but also continued growth into the premium side, which is more identity driven of Norton 360, a little bit more in Europe and Asia than in the U.S. but broad-based. Still low, broad based, a very good first sign than getting there in the market with our new offering, and our unique approach was well received. Obviously, we're going to continue to do that. With COVID 19, we saw marketing spend actually on a rate basis being lowered, and we reused some of those dollars to continue to accelerate our penetration in both markets and new cohorts. When you talk about confidence for the future, I get most often the question around, say, hey, there will be less and less device or less and less need for security. And people you've lost, you've lost them forever, all of which for me is very different in the way that we look at the world, which, as I mentioned, at the risk of repeating myself, but we moved from device to user-centric. And maybe you were a customer of Norton Antivirus 5 years ago and you don't need it anymore. But tomorrow, you're going to have a need for privacy or the right to be forgotten or other experience. And as we continue to build up the portfolio toward that cybersafety, we're going to continue to increase the addressable market, if you want, or the number of customers who can go and reach. And so it's a mix for me of good marketed e-commerce engine, coupled with constant development of the portfolio, new feature innovative technology.

That's really interesting. Maybe you could kind of elaborate a bit on the threat environment that you just kind of touched on and the evolution of that threat environment as it pertains to the consumers. When you think about this sort of this -- this I would say -- I won't say rotation, but let's say, this transition, if you will, from more device-centric type risk on the AV side to experience perhaps more user-centric, how do you think about the broader threat context around that? And then, maybe more importantly, how do you think about the consumer willingness to pay for security around that? Is it heightened relative to there once spent on AV? Or it's the same? Is it different? Is it too early to tell?

Yes. So it's an interesting one, right, because in this world of cybercriminality, it's an ever-evolving threat, if you want, right? And while the consumer constantly evolve their need, their practices, their usage, the criminality adjust to that as well. And so new needs emerge and we need to address them. A small but perfect example is from a customer, when we heard the need to understand what did they have for their home titles? Because as you know, some home titles could be misused and against which some loans could be taken. And nobody really knows what's happening against their home title until they try to sell their home or do something differently and suddenly realize, oh my God, something has happened. And so we quickly integrate it into a Norton 360 platform, if you want, a home title alert, which is kind of a new need that came from consumer and we build into our overall environment. That is a constantly evolving platform in need. And again, if you go back to device-centric and AV-centric, that needs maybe will not be growing and -- although we never know. But when you think about, hey, I want to have my identity protected. And it's not just online. It's also the services that go with it, what's the restoration, how easy is it to restore? Or future needs like the right to be forgotten. How much would you pay to have all of the information you don't want to have on the Internet that you may have posted when you were a teenager, right? And so all of those things will constantly evolve. And our portfolio, which is a mix of software technology, coupled with services, will enable us to address those needs.

That's great. It makes a lot of sense. And we've got time for maybe 2 more questions. I'm going to ask one from the webinar Q&A. I've been asked, what is an example of a competitor's device-centric product strategy? And how does Norton address that differently?

Well, I kind of mentioned both, right ? So first, I'll start with us. We've embarked on the platform to integrate everything under an app, Norton 360. You pay a level of membership call it, Level 1. And from that, you have an antivirus, a little bit of backup storage. You have VPN. And then you can move up a level and you can have password managers and other things, still device-centric or value-centric. And you move at the next level of membership, let's say, Level 3. Now you have some identity protection, and you could have dark web monitoring. Are you parts with end users being sold or used in the deeper layers of the Internet? Then you can move another level and you have -- you've used your identity somewhere on the web to buy your car maybe and now your identity's being stolen, your credit is being attacked. The next level of membership could have a services of restoring that identity, all the way to kind of protection services if we can't restore the damage. So that's our way of approaching it, and we can constantly move features up and down, depending if they're being commoditized or innovated. And that's our strategy. We've seen from competition, some mimicking behaviors such as offering bundled products or offering discount if you go in auto renewal membership structure. And those small points for us are proof points that we are on the right path. Although, as I said, when we started this call, this is unchartered territories, and we are about to redefine a market for consumers.

That makes sense. And maybe if we've got time for one more question, if you're okay with that. Just at high level, you talked a lot about direct customer acquisition. Maybe we could talk a bit about indirect channels as well. You've had ISP relationships in the past, some new, some old, that you've inherited. How do you think about those just more broadly in the context of the evolution of the company?

Yes. So definitely, direct-to-consumer, 90% of our business, all acquired through our e-commerce platform, supported by marketing engine and of course, a great product portfolio. This is a fantastic asset. You can evolve that e-commerce platform in many different ways for the consumer, and we see that as a strong, strong value. At the core of it, it's not really the e-commerce tactics. It's not really just the marketing dollars. It's our brand. Our brand calls for trust in valuing cybersafety. The trust that it embodies allow us to think about many different adjacency for which we have the right to play. Either we have the capabilities with that one or we can acquire the capability or have the right to play. 10% of our business is indirect, which means directing these products through partners to push the message and the brand of cybersafety. The various form and shape of those partnerships, in my mind, it could be a lot bigger. They allow us to scale and combine our brands with other brands to have validity in certain submarket or vertical market. So it's a very important one. We still have to make sure we can bridge between direct-to-consumer and that partnership and don't become an indirect business. But they're a huge asset for us to continue to push that brand value in different shape and form to the vast amount of consumers that would be interested by cybersafety.

That's helpful as always. And Vincent, I want to say thank you so much for your participation here and for the enticing answers to all my questions. It was a great pleasure catching up with you again. And if anybody of you have any questions on the line, feel free to shoot me an e-mail. I will get it through the company or you can reach out to Soohwan directly as well. Again, thank you to Vincent...

Thank you. I appreciate it.

Thank you to Samir. Thank you to Soohwan -- yes. Take care. Talk to you later.

Thank you.