SSH Communications Security Oyj (SSH1V) Earnings Call Transcript & Summary

Welcome to SSH Communications Securities Investor Call for Q3 of 2025. My name is Aino Virolainen. I am a part of the SSH Finance team, and I handle our Investor Relations. The results will be presented by our CEO, Rami Raulas; and our CFO, Michael Kommonen. [Operator Instructions] The call is hosted with our own solution, SalaX Secure Messaging. The call will be recorded, and we will share the recording as well as the presentation slides on our investor pages later. And now I think we are good to start. So I will give the floor to our CFO, Michael. Sir, please go ahead.

Thank you, Aino, and good morning also on my behalf. In the third quarter of this year, our net sales grew by 4.0% and our EBITDA was EUR 0.8 million. Sales reached EUR 5.5 million. It's up from EUR 5.2 million in the third quarter of last year. And the subscription ARR growth was 7.7%. PrivX overall sales growth was 14.4% in the third quarter. EBITDA, as mentioned, was EUR 0.8 million. This is broadly in line with comparison period, slightly down from the EUR 1 million a year ago. If you adjust it for our R&D cost recording in this year more cost base than investment base, it's actually very close to the previous year number. We continue to see headwinds from the weakened U.S. dollar. So the 4.0% growth would have been 6.6% at constant currencies. In the third quarter, we announced the strategic partnership deal and the financial investment agreement with Leonardo. This happened actually on the first day of the quarter, July 1st. At that time, we expected the deal to close in the third quarter. It actually took slightly longer than we anticipated due to regulatory reviews, so something that was basically outside the hands of us. And we're very happy to announce that 2 days ago on October 21st, the deal finally closed. So this happened in the fourth quarter. Looking a bit more at the numbers in the third quarter, subscription sales overall grew nearly 10%, EUR 9.8 million. Deferred revenues were down somewhat. They were at EUR 9.7 million. This has to do with timing of a few renewals of our products. So these are contracts that have not been discontinued, but in some cases, we have been negotiating upsells with customers. And for these reasons, these renewals have slipped a bit from the third quarter into the fourth quarter. These are major invoicing contracts and these slight delays then reflect on the deferred revenues as that invoicing did not come in, in the third quarter. EBITDA, as mentioned, EUR 0.8 million, EBIT very close to the last year's number at EUR 0.0 million. Cash flow from operations was slightly better than last year, EUR 0.2 million negative. So with this, I will hand over to our CEO, Rami to elaborate on the third quarter.

Thank you, Michael. Good morning, everybody. Today, we will have a little bit shorter presentation because in the afternoon, as I hope you're all aware, we have our Capital Markets Day, where we will go a bit deeper into the actions and activities which have been putting in place and are putting in place to find ways to execute the acceleration of our growth. But Michael mentioned already what we talked about in July when the agreement was signed, and now it has been approved by the government officials about the strategic partnership agreement and EUR 20 million investment into SSH from Leonardo. So let me say just a few words about where that strategic partnership plays a role, what do we expect from it, and where is Leonardo actually now. Leonardo may be most known for defense market, but Leonardo is much more than that in the group and company, about EUR 18 billion revenue, good growth, good profitability, highly increased valuation on the market like for most defense operators in Europe. Leonardo plays in different spaces; space, air, land and sea. And the strategy has been to enforce those and further develop those next generation, for instance, sixth-generation fighter jet, next-generation tank in partnerships with other European or global players to expedite the development times and to share the risk. So you see some of those partnerships there. The most recent announcement was the establishment of a company called LBO, which is a 50-50 between Leonardo and the Vikar, that will result in 5 or 6 manufacturing sites building in Europe for drone manufacturing. But the important part is that this is all multi-domain. I mean the next-generation tank, as an example, is just a computer that shoots. Everything is electronics. It's controlled remotely. Command and control systems are integrated into the military vehicles. So cyber and cryptography and secure connections become more vital in those environments. And that's kind of the long term -- mid-term to long-term strategy that we are working on now, not that immediate, but longer-term strategy, which certainly will play a role for our future. But on the bottom right corner, you see Cyber and Security division. It plays a role in cyber and security on its own, but also as a multi-domain source for all the other 5 divisions within the Leonardo Group. So let's have a bit closer look on what the Cyber and Security division entails because that's where these partnerships, acquisition and strategic partnerships have taken place, acquisition of Axiomatics out of Sweden, the strategic partnership with us, SSH Communication Security, and then strategic partnerships with CanaryBit in Sweden for high-performance and AI computing and Arbit in Denmark for secure network and connections, which perfectly complement our secure network encryption technology. So what are the elements of operations and offering from the Cyber division or Cybersecurity division of Leonardo. It's about services, resilience, consultancy, advisory and services on global cybersecurity, identify, protect, detect, correct and recover the usual model for cybersecurity, the so-called NIST and MITRE models. That's called GCC, Global Cybersecurity Center. The other big part is the transition from legacy applications to cloud-based computing and cloud-based applications. There's a big shift, for instance, in the Italian government to move from just data center operations to private clouds, hypervisors and public cloud usage. But that requires elements in software security and operational security and cloud security, and that's where Leonardo is really strong. There's also a complete portfolio for secure mission-critical environments, secure communication platforms, like here in Finland, we have Virve and Virve 2 networks, so similar network technologies actually around the world and now moving more to network -- to quantum-safe encryption. So quantum-safe encryption and our -- with our solution, NQX there is a key driver. There's a lot of governmental regulation standards and mandates to move to quantum safe being built into all the solutions and being implemented in customer environments, whether they are network connections, servers, databases, application. It's a big journey. We will talk more about that in the afternoon. It's all about Europe, thing made in Europe, this is European, helping European strategic autonomy and sovereignty in the area of cyber quantum space as well as cybersecurity. And our solutions now outcome of the strategic agreement is that our solutions are integrated within Leonardo's industrial capability and domain specific knowledge to all the markets that are there. And then the last but not least is also an area of common interest, which is high-performance computing and leveraging the technologies of AI, generative AI, agentic AI and other AI technologies in -- also in cybersecurity. We've been focusing our -- I've been talking about that in the earlier quarterly reviews. We've been focusing our growth opportunities into new segments for us starting from 5 years ago or so to defense, which you saw here, to OT security, manufacturing and supply chain security, which is nowadays in Europe governed also by new legislation, NIS2. So there's a mandate for organizations to be better equipped and prepared. I mean we don't want to see the Jaguar Land Rover type of billion-dollar losses on the market. And critical infrastructure. So here's an example, just to give you an idea of where Leonardo plays in critical infrastructure markets. Transportation, high-speed trains, digital twins for watching that road works and railways are intact, ports and logistics, oil and gas and energy, altogether, I mean, our first common customer is in the energy, one of the Europe's largest energy grid operator has already taken place. So this is a perfect match where we've been focusing as well if you think back what we've been announcing and talking about customer cases in the past. So -- and the work is now starting, has already started, is moving our solution suite into those customer bases together with Leonardo. So just a few words about where we are. So global company continue to do so. Of course, now we have a strengthening opportunity, especially in Italy, Poland, U.K., but globally as well. Leonardo is actually very strong in Middle East and Asia as well, which is where our growth predominantly has been the highest. So in Q3, we grew in APAC 15%, in Europe, nearly 7%, and in U.S., I mean, United States or Americas has been a turnaround game. So with the lead of Sean McAllister, young and energetic energy there, we have now built a new team. And I think we're beginning to see signs of a turnaround now in Q3. The sales in U.S. actually grew 3.5% in -- measured in local currency, United States of America dollar, but in euros, of course, because of the weakened dollar, not so. So we want to really have a balanced growth in all the regions and are putting our efforts in all the regions. But of course, now the immediate benefit and co-work with Leonardo, we have people already in the room working together with Leonardo. I expect that the biggest growth opportunities moving forward together in this partnership will be predominantly in Europe, but also in Asia, Middle East and in Americas as well. So we've been -- in the past couple of years, we've been not only developing new products and adding products to our portfolio. New to our portfolio is file encryption. I mean, there are actually 5 ways of doing file encryption, encrypted file transfers with Tectia or managed file transfers for cache management, for instance, updates into industrial systems through PrivX, making sure that there are no viruses or malware in the files. A lot of government organizations and public organizations and finance organizations use SalaX Secure Mail, turvaviesti in Finnish and turvahuone safety rooms to share critical sensitive information, also large volume with large files, which don't go through normal Microsoft mail at all. And we've added functionalities to our PrivX, which is the core growth engine. The subscription sales in PrivX grew 17% in Q3. And then we've added more functionalities and new use cases for network encryption as well, which is now picking up the whole notion of post-quantum encryption. We see large banks looking for alternatives to segregate their routing and firewall networks from encryption networks, and we've been having some initial test and trials there. We see some telecom operators, also segregating networks like that. And of course, for instance, we have a really good test results from a non-European defense organization for NQX in post-quantum encryption where the throughput using all the latest post-quantum technologies is 97% of the line speed. So hardly any degradation of performance, whereas a major -- another European competitor can only throughput 20%. So massive performance benefit and advantage over some competition. So let's have a quick -- and like I said, this portfolio becomes part of Leonardo's Made in Europe Zero Trust quantum safe offering. So let's have a few words about each of the 3 product segments. We -- by the way, what we have also done, we have integrated these together. So when you think about an OT environment, everything has to be secure and segregated. So no openings, no connections are open by default. Everything is not permitted until it is permitted. And we've integrated now our solutions so that when the access is controlled by PrivX for service engineer, for instance, to do maintenance work or update, PrivX will command NQX to open a tunnel, which is only valid for the duration of the work, and then it's done, gone. Really, really unique and advanced way of not having any ports, not having any connectivity open for wrong people to get into the right place from their side. Really fighting against these ransomware threats that we see so much nowadays in OT and critical infrastructure. I think the business opportunity for us is that, like I said earlier, the firewall networks and encryption networks are separating. There is also a standard for that from this National Institute of Standards and Technologies in the U.S., which many U.S. organizations are following. And there's a crave for high-performance networks with modern encryption as well. And indeed, the reason why this segregation is happening, we've seen -- maybe you remember, we've seen an attack to AT&T that was a state-orchestrated attack, getting access to the back doors of firewalls. We don't have a backdoor in our solution. And most recently now F5 has been hacked and customers are in a vulnerable situation. So relying the connectivity just on one network and one vendor can be vulnerable. And we announced -- for NQX, we announced additional deal in Q3 as well in the defense space. SalaX Messaging. We decided 2 years ago roughly to modernize and have kind of the next step to secure mail and secure rooms by beginning to offer also secure messaging platform like Slack type of or Teams type of solution, but in a secure way, in a way that customers can have their own sovereignty, managing the data and encryption keys in their own hands, that not being in the public cloud or American clouds for potential shutdowns like we've seen for some cases or other risks or access, for instance, AI training access like we've seen from some players in the U.S. We also integrated SalaX Messaging now into a couple of things. So we've integrated it with the kind of legacy public safety networks like Virve, which is TETRA-based networks. And we have now integrated into modern 5G public safety networks as well. And we have further customer engagements in Finland, in the Nordic market, in Central Europe and in Asia and also interest from the U.S. for out-of-band communication solution. Here's an example of how we actually use our own. This is a picture of -- I hope I'm not revealing anything sensitive here, I am not. How we did our due diligence with Leonardo. I mean, certainly, we wouldn't put all the material that is required in the due diligence into a SharePoint or Google Drive, I mean, come on. It has to be encrypted, it has to be available only for those people who have granted access and who are identified and authenticated very strongly. And only then there we'll share the information. That's indeed what we do. A massive project then went really smoothly and everything was protected, well guarded and only the relevant people had access to the relevant information. This is how you need to do it. We also -- by the way, our own Board communication, board meeting is done on our SalaX platform, not on WhatsApp or Signal or God knows what. And finally, our main growth engine, as I said, PrivX, we introduced a new version again, PrivX 41. PrivX is really complete solution, our 41 version since 2017. In the afternoon, I will talk more about that and some analyst reviews, very positive analyst reviews we have just received recently in the past 2 weeks and in the coming weeks as well. I already did mention that we've also taken the effort to integrate PrivX and NQX together. That makes our offering unique. None of the network vendors can offer similar solution, and our PAM, or Privilege Access Management, vendors can offer the same solution. Not really even the market leader now that Palo Alto or CyberArk, they still have years of integration work ahead of them. And I wanted to share a few new customer wins that we announced through a press release some weeks back or months back, just to give you a flavor of what kind of new customers we are engaging with and are able to win. So this is just kind of a sample of some customer cases. So here's one customer case. This is another one, which is a public reference as well, the Ministry of Interior in Estonia, when we went through a competitive bidding process and won it. And it's about access to sensitive data, whether it's on databases, servers, files for the Estonian Government Agency for handling data that is related to police, border guard, rescue board, emergency response center, supporting both legacy environment and modern cloud environment. Estonia is very advanced in digitalization like Finland and very much using private cloud and generic cloud with secure protection and secure processes around it. And it just gives a lot of benefits, not only the security and auditing that the critical work can be monitored, it can be recorded. There's an output of audit data from that, but also for the high performance and ease of use for administrators and developers to use the systems. Then we have a really exciting new customer win. I actually ordered even more in Q3. One of the top 5 trading or asset management, trust fund management companies globally. Very modern IT architecture. There's some legacy in there, but there's -- mostly everything is fully automated and in a hybrid private cloud and public cloud environment, utilizing a lot of high-performance computing and AI in automating things. Actually, they needed a lot of AI capability, calculation capacity, which means NVIDIA H200 chips, couldn't get the resources enough from cloud service providers, so they built their own data center in Iceland. And the first -- and equipped that with NVIDIA HPC. And the first use case was the access to that data center through PrivX. And now it's expanding to other areas as well. And the reason why we were able to win that against the market leaders of like CyberArk and BeyondTrust or some of the newcomers like Teleport is the modernity and scalability and the high level of automation of PrivX. And now we, of course, aim to repeat that use case with similar kind of companies and continue to work with that company moving forward as well. And then in the Americas also, we were able to win a new service provider in the telecom area. And it's about access to virtual machines and applications, integrating the user data from identity management solutions. And once again, the performance and quick access to environments was important. This customer is one of quite a few that have actually dropped and changed on the market-leading solution because they -- and replaced that with Privax because they found that legacy system, which is about 20-, 25-year-old software already, found it too cumbersome, too expensive, too complicated to deploy, maintain and run. So the total cost of ownership and return on investment was a real benefit in the case of PrivX. So these were some of the examples of cases. And of course, where we aim to work on now, the effort we've been putting in the past couple of years in building our channel, building our partners, now getting the partner, Leonardo partnership together, changing now our marketing activities to create more demand and awareness for our solutions. Of course, we aim and aspire to continue to grow and to accelerate the growth as well. And with that, Michael, maybe you want to join me, and you can say a word about our forecast. Please, don't really say that much.

Yes. So for the outlook, we are restating what we have said this year previously. So we expect net sales to grow in 2025 compared to the previous year. We estimate EBITDA and cash flow from operating activities to be positive for 2025. And here, you can see the numbers from the comparison period on the slide.

Thank you, Michael. I know I think it's time for Q&A.

Let me check the chat for questions. All right. We do have a question from our Redeye analyst. I guess I will get a lot of answers during the CMD later today. So I'll be a bit brief and ask some quarterly specific questions here. You recently announced several PrivX deals with a lot of different customers, so congrats on that. But should we interpret this as some kind of turning point in terms of growth acceleration, or was it more of a one-off in this specific quarter?

Yes. Thank you, Jacob. Excellent, excellent question. No, we've been putting a lot of efforts in building our pipeline because we need opportunities that we could win and turn into deals. I mean, you win some, you lose some. And eventually, the question is how many of the deals that we've been able to develop from events or marketing or peer referencing, can we actually turn into cases and win them. So we have built a pipeline of over EUR 20 million worth of cases and won quite a substantial part of that already. And these are part of that -- the pipeline of new established potential cases, opportunities have just materialized. Of course, they don't show in Q3 revenue because they are all subscription based. So they will be visible in the coming months based on that way of recognizing revenue. Maybe in addition to that, because I know you might probably be asking that, so what are the size of these deals, and what can we expect from that for the future revenue then. I would categorize our business so that when we talk about, for instance, PrivX type of kind of access management -- larger access management solutions that there are small deals, which are below EUR 50,000. And there are medium-sized deals, which are EUR 100,000 to EUR 0.25 million or EUR 300,000. And then you have -- then we also have large deals, which are EUR 0.5 million and beyond up to a couple of million. So these deals are all initially medium-sized. And many customers nowadays also start kind of small. They have a big landscape, but they take a use case, maybe it's a DevOps use case or database access use case, they prove the point and then they expand. Like I mentioned that one company actually expanded after 2 months, which is kind of record quick, but maybe a bit unusual as well. So in some of these customer environments, we start a bit smaller and then there's an opportunity to grow. By the way, with that ISP vendor, we're also negotiating now a continuation or addition to that. Sorry for a bit longish answer on that one.

All right. Thank you. Then regarding the EU and NATO certification process for NQX, is that going according to plan? And what will happen once certified? For example, do you already have dialogues with potential customers within NATO or EU that are waiting for you to get certified, or can you start actively working towards these prospects once the certification process is over?

Thank you for the question. So the certification process is ongoing with the National Cybersecurity Agency and is scheduled. We expect it to be on time, so towards the end of the year. We have, of course, discussions ongoing already on that. Some of potential customer cases will be pending on those approvals, but it doesn't stop us from going forward. And of course, now with the partnership with Leonardo, which is a really strong player in NATO, obviously opens us new opportunities to have dialogues in that space, which would have been a bit more difficult for a small player like ourselves even having the certification. So we're not waiting for the certification to come to push forward. And then by the way, there's also going to be another certification that we have started to work on recently, it is obviously, for instance, for the Italian government and defense.

All right. Thanks for the color on the PrivX deals. A follow-up on that land and expand strategy. Can we have a ballpark figure of how long the cycle is from land to expand to full rollout across large customers, 2 years, 3, 5?

Yes, very, very good question. First of all, the reason why this finance company, the trading or funds asset management company chose us was that they said that they won't be able to deploy in 2 years, which is the norm for these massive legacy monolithic applications, of which I've mentioned a few names earlier. They needed to deploy in months or weeks. And indeed, after the automation scripting and testing was done, they actually rolled out in production in 3 days. But okay, there was weeks ahead of that work of preparation for it. The deal through -- the throughput time to win deals is in the average, I would say, between 9 and 18 years. We have some cases, but they have taken...

Sorry, months.

Months, yes, sorry for that. What did I say?

Years.

No, okay. Not that long. 9 to 18 months. Some have even taken some customers 2 years, but I would say that's the average. I mean these 2 deals that I mentioned in the slides here took less. They were about 5 to 6 months' time. And the reason for that, I would say, is that we were able to get into the dialogue at the right time. Customer, they had a problem, they had a need, they were looking for solutions, and we were able to enter and entertain the dialogue early on. Now what comes to then potential landing and expanding from that? Well, surprisingly -- positively surprisingly, a couple of these new customers have started to do it after a month or 2 already once they have communicated the benefits and deployment model to their peers and other divisions in the organization. But I would say, typically, after the first rollout, the completion of the whole estate, will take typically for customers between 6 to 12 months. As an example, as a proof point for that, we have 2 of the top 6 paper and pulp companies in the OT space with PrivX. Both started deployment in a few sites, a few factories, the biggest ones, then they roll out to 40 sites, 70 sites, even in the other case, across 4 geographies in 9 months. To me, that's a good performance and a bit unusual in the industry. Normally, these projects would have taken with the legacy type of solutions 1.5 years up to 2 years.

All right. Thank you very much for your questions, Jacob. I do not see any other questions in the chat. So we will close the call. Thank you very much for everyone who joined. We, as Rami mentioned, have the Capital Markets Day later today. And then our next investor call will be in February when we publish our results for Q4 and full year 2025. So thank you again for joining us, and we hope to see you later today.