E 2016E 2017E E 2016E 2017E

Transcription

1 E 2016E 2017E COMPANY ANALYSIS 10 June 2015 Summary Verisec (Veri.st) The Growth Story Continues Verisec is positioned as a security software player within digital identity and information security in the Nordics, and is currently expanding its business in EMEA. The company is well financed (40 MSEK in cash) and has the prerequisites for fulfilling its expansion plans and product development, with an aim to achieve 200 MSEK in sales within a five-year period. Verisec is led by the former Protect Data business team, and they retain significant ownership. The company will likely enjoy significant growth momentum in the coming years within the banking and public sectors. This is largely due to the untapped potential in its respective niches and the gradual transition to strong authentication software solutions. However, the competition is fierce and the company must be able to quickly adapt to its changing competitive environment. List: Market Cap: Industry: CEO: Chairman: First North 202 MSEK Information Technology Johan Henrikson Dragoljub Nesic Our DCF value of the company is 50 SEK per share in our base case, while our bear and bull case scenarios indicate 30 SEK and 85 SEK, respectively. Furthermore, the security software market is currently a hot investment theme, trademarked by intense M&A activity along with premium valuations. Redeye Rating (0 10 points) Management Ownership Growth prospect Profitability Financial strength 8.0 points 8.0 points 6.5 points 6.0 points 5.5 points Key Financials E 2016E 2017E Revenue, MSEK Growth 42% -3% 22% 25% 22% EBITDA EBITDA margin 19% 5% -4% 7% 9% EBIT EBIT margin 17% 3% -10% 0% 5% Pre-tax earnings Net earnings Net margin 3% 2% -8% 2% 5% Dividend/Share EPS adj P/E adj EV/S EV/EBITDA Share information Share price (SEK) 50.5 Number of shares (m) 4.0 Market Cap (MSEK) 202 Net debt (MSEK) -39 Free float (%) 23 % Daily turnover ( 000) 100 Analysts: Philip Skogby Philip.skogby@redeye.se Important information: All information regarding limitation of liability and potential conflicts of interest can be found at the end of the report. Redeye, Mäster Samuelsgatan 42, 10tr, Box 7141, Stockholm. Tel E-post: info@redeye.se

2 Redeye Rating: Background and definitions The aim of a Redeye Rating is to help investors identify high-quality companies with attractive valuation. Company Qualities The aim of Company Qualities is to provide a well-structured and clear profile of a company s qualities (or operating risk) its chances of surviving and its potential for achieving long-term stable profit growth. We categorize a company s qualities on a ten-point scale based on five valuation keys; 1 Management, 2 Ownership, 3 Growth Outlook, 4 Profitability and 5 Financial Strength. Each valuation key is assessed based a number of quantitative and qualitative key factors that are weighted differently according to how important they are deemed to be. Each key factor is allocated a number of points based on its rating. The assessment of each valuation key is based on the total number of points for these individual factors. The rating scale ranges from 0 to +10 points. The overall rating for each valuation key is indicated by the size of the bar shown in the chart. The relative size of the bars therefore reflects the rating distribution between the different valuation keys. Management Our Management rating represents an assessment of the ability of the board of directors and management to manage the company in the best interests of the shareholders. A good board and management can make a mediocre business concept profitable, while a poor board and management can even lead a strong company into crisis. The factors used to assess a company s management are: 1 Execution, 2 Capital allocation, 3 Communication, 4 Experience, 5 Leadership and 6 Integrity. Ownership Our Ownership rating represents an assessment of the ownership exercised for longer-term value creation. Owner commitment and expertise are key to a company s stability and the board s ability to take action. Companies with a dispersed ownership structure without a clear controlling shareholder have historically performed worse than the market index over time. The factors used to assess Ownership are: 1 Ownership structure, 2 Owner commitment, 3 Institutional ownership, 4 Abuse of power, 5 Reputation, and 6 Financial sustainability. Growth Outlook Our Growth Outlook rating represents an assessment of a company s potential to achieve long-term stable profit growth. Over the long-term, the share price roughly mirrors the company s earnings trend. A company that does not grow may be a good short-term investment, but is usually unwise in the long term. The factors used to assess Growth Outlook are: 1 Strategies and business model, 2 Sale potential, 3 Market growth, 4 Market position, and 5 Competitiveness. Profitability Our Profitability rating represents an assessment of how effective a company has historically utilised its capital to generate profit. Companies cannot survive if they are not profitable. The assessment of how profitable a company has been is based on a number of key ratios and criteria over a period of up to the past five years: 1 Return on total assets (ROA), 2 Return on equity (ROE), 3 Net profit margin, 4 Free cash flow, and 5 Operating profit margin or EBIT. Financial Strength Our Financial Strength rating represents an assessment of a company s ability to pay in the short and long term. The core of a company s financial strength is its balance sheet and cash flow. Even the greatest potential is of no benefit unless the balance sheet can cope with funding growth. The assessment of a company s financial strength is based on a number of key ratios and criteria: 1 Times-interest-coverage ratio, 2 Debt-to-equity ratio, 3 Quick ratio, 4 Current ratio, 5 Sales turnover, 6 Capital needs, 7 Cyclicality, and 8 Forthcoming binary events. 2

3 Table of contents Investment case... 4 Valuation... 9 Background Products and services Two Major Segments Digital Identity Information Security Open standards Double-Edged Sword Competitive Dynamics of Products and Solutions Summary Revenue Model Direct Sales Model Partnership Model Granular Depiction of Revenue Streams Market Analysis Primary Market Drivers Competitive Landscape and Verticals Potential in The Banking Vertical Regulatory Effect on Demand for Security Solutions Estimates Valuation DCF Scenario Analysis Peer and Earnings Analysis Key Catalysts for The Verisec Share Summary Redeye Rating Income statement, Balance Sheet and Cash flow

4 Investment case Seasoned and adaptable management permits future strong growth Verisec is a software security company providing digital identity solutions, including mobile ID, and information security solutions such as encryption and decryption. Since it was founded, Verisec's skilled management team has been quick to adapt to the market environment, enabling the company to outgrow the security market as a whole. Verisec's management originates from the successful Protect Data business, and they retain significant ownership in Verisec of approximately 80 percent. Verisec's compound annual growth rate has been substantial, at around 30 percent, and its EBIT margins have remained relatively stable at around 15 percent over the past 12 years. The company's target is to achieve revenues of SEK 200 million on an annual basis over the coming five-year period, with an EBIT margin of percent. The figure below shows Verisec's historical growth and profitability since Verisec Growth and Profitability Trend Source: Verisec Presentation, Redeye Our Case Rests on Double-Digit Revenue Growth Redeye's investment case rests on strong annual revenue growth of percent over the coming years, which is partly factored in by the market, along with subsequent margin expansion at the maturity phase. The maturity phase is the likely future scenario where its investments decreases, enjoying decent sales momentum on its existing solution portfolio through existing reputation and sales force. Ultimately this leads to a higher and sustained margin. To meet these estimated growth expectations, the company aims to increase its market position in EMEA, and we expect this to develop further in the future. The company increased its sales in EMEA by approximately 100 percentage points in 2014, while total revenues were largely flat, indicating the strength in achieving future EMEA growth. Of the total 30,000 banking institutions and local councils across EMEA, we regard the smaller-tier banks as important primary targets for Verisec, and an essential component in 4

5 meeting our growth expectations. Furthermore, the company's broad reference customer base, with BBVA (50 million customers), SEB and UK local councils, will provide a strong foundation to quickly build trust and, assuming that Verisec can retain the competitiveness of its solutions, will help with this growth. Relatively good revenue distribution between its customers Reviewing the revenue distribution among Verisec's customers, its ten largest account for approximately 50 percent of revenues. In the longer term we expect Verisec's customer concentration to decrease as its customer numbers increase. The variety of solutions purchased will also tend to minimize customer risk over time as they become a necessity in customers' daily activities. Verisec currently holds a strong position for personalization of physical log-in devices and this is a significant part of the group s revenues from the major Nordic banks. Banks in the Nordics and across Europe are expected to gradually transition to software solutions over time. However, Verisec will have trouble gaining market share in Sweden as there is a mobile authentication alliance among the banks. Verisec holds a significant position in the information security segment, as a preferred supplier to Thales within the EMEA region, providing data encryption. This business is likely to continue to grow in absolute terms but will probably remain static as a proportion of total revenues in the longer term. Verisec's reseller network for Thales also plays an important role in gaining, widening and intensifying its sales of proprietary solutions for Freja ID. Finally, the growth of both the information security and digital identity segments are also gaining support from a general uptick in avoidance of US security majors following leaks of confidential information to governmental organizations. Underlying Stability of Recurring Revenues Approximately 20 percent of the company's total revenues are recurring, with the average length of recurring revenue streams at approximately three years and with a proper time-spread of contracts. These revenues cover approximately half of personnel costs, and recurring revenues will remain an important component in covering fixed costs during non-growth periods, such as in 2013/2014, for Verisec due to the alignment into its expansion stage. It is likely that the company will enjoy a higher degree of recurring revenues in the future relative to personnel expenses as the company reaches the maturity phase. With its segments, including Freja Mobile, requiring increasing support, we estimate that the company will grow its share of recurring revenues over the longer term. This will become evident in the maturity stage, when nonrecurring revenue will decline, thus inducing a margin expansion. 5

6 Overall, the company has quite significant revenue visibility in the short term as its services are often fairly predictable on a yearly basis, as is maintenance support during the contract period. Achieving economies of scale along with hardware to software transition will help in expanding margins Expect Margin Expansion at Maturity Stage Verisec has the potential to expand its margin significantly once it achieves maturity, with its EBIT margin eventually reaching around 20 percent. At that point in time, investment costs related to personnel and expansion in EMEA will decline in relation to revenues, but this will be partly offset by an intensification of the competitive environment. Another important factor in Verisec's margin expansion will be the ratio of software relative to hardware, which is expected to gradually increase over time. Assuming the company can also retain a high degree of direct sales it will have further room for margin expansion as orders start to be realized from the existing sales force. Expect strong online banking growth for Verisec, a prime contributor to growth Aligned for Online Banking Growth Representing 80 percent of sales for the digital identity segment, online banking is a core focus for Verisec and is likely to remain so in the future. Online banking customer penetration is relatively low in Europe, at approximately 38 percent, and the growth rate of online banking users is expected to be 48 percent in the US and Europe over the next four years. This aligns the company for attractive business growth for many years to come, assuming that it continues to provide the right solutions. Online banking penetration is one important factor for Verisec's continued growth but, more importantly, capturing the next frontier solution requires rapid adaptation to user convenience. With smartphones expected to be available to 2.5 billion people in 2017, a non-standalone device that covers the majority of people will be required in the future. Mobile IDs or software tokens are expected to experience CAGR of 50 percent by 2016, and TechNavio estimates that in 2019 the software token market will represent approximately 20 percent of the total security token market. The hardware token market (proprietary physical log-in devices) is expected to grow only by around 8 percent. This is explained by the changing climate in the industry: Hardware tokens are not cost-efficient per user over software solutions, and upgrade or replacement costs for hardware tokens add another layer of cost relative to software. Additionally, many organizations are attracted to full security suites along with a dedicated security provider, which is where Verisec is positioned. The backbone of a mobile solution is a full-solution portfolio, from user registration and user management to support services, and covering the required spectra of security management services for banks. 6

7 Verisec expected to expand its local council retention in UK and EMEA Public Sector an Interesting Opportunity for Additional Growth Furthermore, revenue growth will be enhanced by Verisec establishing itself in the public and enterprise sectors. The company has already established strong market shares in some niches, with around percent of all UK local council users utilizing Verisec solutions. This confidence of UK local councils will likely help its market share to expand to approximately 50 percent by 2018 along with significant opportunities in other EMEA local councils. Unlike banking, this sector is not as keen to use two-factor authentication, and a complex and regularly changed password is often considered more cost-efficient by enterprises in solving security issues. However, given that 80 percent of data breaches are through hacking of traditional passwords this security choice does not look promising relative to the cost consequence. It is important to note that the cost of hacking includes not only the consequences of the breach itself, but also the unnecessary hours spent by IT managers on solving issues outside their primary duties. Furthermore, there are many other sectors like gaming, hospitals and universities that will require strong authentication solutions and its associated solutions. Regulatory Framework Poised for Implementation of Strong Authentication The European Banking Council (EBA) guidelines for internet payments are likely to be implemented by August 2015, enforcing strong authentication solutions for financial institutions. Furthermore, the planned implementation of a new European data protection law by 2016 will impose significant fines on corporations if they do not comply with the regulations. Leaders are Changing The Competitive Landscape There are a number of significant risks in the long term that relate to product obsolesce caused by innovative solutions from existing and emerging competitors. Major security companies like Vasco, Gemalto and RSA still use digital identity solutions based on proprietary standards, and we expect that these will eventually have to start adapting to more costefficient open standards. Essentially, this could lead to an intensified pricing war, with Verisec needing to quickly adapt to avoid becoming a price taker. In addition, the majors may well resent having to transition to open standards due to their belief in the superiority of their product, which could be a significant threat given the large amount of capital and resources available and allocated by majors to develop their next-generation security solutions. Innovators are gaining ground but still struggling to compete with traditional security software players Furthermore, solutions such as Google Authenticator can cut software token costs in using solutions like mobile IDs, which are without doubt attractive to millions of users. Plenty of local councils have chosen to cut their software token costs by implementing Google Authenticator, but many banks and local councils have nonetheless sought out a dedicated company 7

8 and maintenance support with a full-service suite. These organizations will likely not be satisfied with Google Authenticator alone. The solution currently lacks server-side PINs, which enables easy hacking, and will not be tolerated under the EBA guidelines. However, we do not see the current differences in technology as significant barriers for competitors to breach. Overall, even though the company is expecting more intense competition, the market is growing and a small player like Verisec can quickly grasp growth through its experienced sales team. The company is subject to biometric security identification risks from other solutions, such as Apple's Touch ID, which was recently implemented by two major UK banks (RBS and NatWest). Biometric solutions could however also act as an complement to Verisec current solutions. Other innovative solutions that could challenge the long-term standing of Verisec's solutions are cryptograms, like Vasco's purchase of Cronto, iris scanners and facial recognition. Alliances like FIDO could standardize software solutions, making them a commodity One other major and probable risk is an increase in alliances or bank consortiums making all or parts of Verisec's solutions portfolio a standard across a sector. This could be a consequence of meeting regulatory security requirements or for organizations to control their own security solutions. Business alliances, whether or not as a consequence of regulation, could result in serious competition for a market participant such as the FIDO (Fast Identity Online) Alliance, which has seen momentum in implementing biometric and software-token strong authentication from Alibaba to Windows 10. Another alternative to buying Verisec's solutions would be to create a consortium of participants to share development costs, rather like the Swedish consortium for mobile bank ID solutions supplying the major banks. Organizations reproducing this strategy and type of technology within EMEA should not be disregarded. Conclusion of the company s prospects Verisec enjoys momentum due to a highly selective approach of strategy, building on niche focus, and a seasoned management team that has been able to outgrow the security market in general. The company is subject to several significant risks such as gradually increased competition from majors, innovators and alliances with relatively small barriers of entry for strong authentication solutions. 8

9 Valuation We provide a short summary of our scenario analysis results from the DCF valuation, peer and earnings analysis conclusions, presentation of key catalysts along with some insight regarding the possibility of Verisec being an acquistion target. Our valuation scenarios range from 30 to 85 SEK per share. Bull case scenario: 85 SEK per share Base case scenario: 50 SEK per share Bear case scenario: 30 SEK per share Peer and Earnings Analysis We estimate that on an EV/EBIT and an EV/S basis the company, with its characteristics and its competitive position in the future, has an intrinsic value of MSEK (approximately 35 to 60 SEK per share). Key catalysts The catalysts presented below are analysed thoroughly on page Hardware to Software Token Transition Margin Expansion in The Maturity Phase Rapidly Deteriorating Competitive Standing Verisec Possible Acquisition Target in The Longer Term? As growth is realized in EMEA and if Verisec's competitive standing is retained, it is not implausible to suggest that Verisec will become an attractive acquisition target. These are the essential components in being acquired, and if either of the factors fails it is unlikely that the company will be acquired. Additionally, as the company progresses its competitive endurance will be revealed which opens the possibility for an acquisition for a particular product or skillset. This can be observed by the acquistion of Nordic Edge by Intel for example. 9

10 Background Verisec has a track record of growth in security and hardware services from when it was founded in It has gradually transitioned itself into a software player in the digital identity and information security sectors. Verisec conducted an IPO in December 2014 on the First North exchange in order to access the capital markets and to meet funding for its expansion in EMEA (raised approximately 35 MSEK). They are planning to expand in Germany, Spain, Dubai and UK. The company has a goal of 200 MSEK in sales within five years accompanied with EBIT-margins between percent. Growth enabled by an open but stringent strategy on niches and adapting to user convenience needs Management Aligned for Value Creation Verisec's management team originates from the successful Protect Data a well-run, high-growth security company that was eventually acquired. An important pillar in the success of Protect Data was its efficient sales activities, and partly spearheading this growth adventure were Johan Henrikson, Anders Henrikson and Tony Buss. All of these Protect Data people were founders of Verisec, along with Jakub Missuna, which means that the transition of these individuals to Verisec, as an emerging highgrowth security company, seems like a natural step for them. The management has grown Verisec in a non-volatile manner and with a CAGR on revenues of approximately 30 percent during the period Underlying this development is the company's adaptation to new ways of capitalizing on market trends in digital identification and information, with one recent example, the Freja Mobile application, launched in conjunction with the IPO. Although there is no guarantee that this strategy will work in the longer term, it is certainly what is needed for success in this highly competitive and dynamic industry. In order to align and sustain its focus on research and development, more than half of Verisec's workforce is occupied with R&D. Constant Adaptation is The Key to Success Verisec has been a highly dynamic company ever since it was formed, beginning with services for physical devices and then gradually transitioning itself towards strong and innovative ID solutions for the online banking industry. In addition to banking, it is now positioned to conquer market share with its sales efforts for the non-banking vertical, including the public sector, by covering the entire spectrum of digital identity services. Ultimately, this will likely enhance Verisec's potential to outgrow the market. The company is showing several significant signs of international presence and success for its products, including continued strong local council retention in the UK and a presence with multinational banks like BBVA, plus the signing of several new partnerships in EMEA during Last year, EMEA rose in strength to approximately 30 percent of sales (2013: 20 percent). 10

11 Concentrated Ownership Verisec is aligned to maximize shareholder value, with approximately 77 percent of the company owned by the founders and former executives from Protect Data. Our research indicates no material anti-shareholder-friendly policies among the key owners currently and, on the contrary, we noted below-average salaries for executives, cost control and an associated high degree of shareholding. The level of support offered by its key shareholders will become clearer in December 2015, when the founders are able to sell their holdings under the terms of the lock-up. 11

12 Products and services This section presents and evaluates the solutions offered by Verisec in its two segments digital identity and information security along with their core features, competitive advantages and challenges. Two Major Segments Verisec's products can be divided into two major segments as illustrated below. Verisec - Segment Presentation Source: Redeye Research, Verisec Diversified portfolio of security software to offer a complete solution package Digital identity (currently percent of total revenues) is Verisec's dominant segment and is very likely to remain so. At the core of this segment lies the Freja suite, covering user management and mobile ID solutions. Most of Verisec's software development costs for these products have already been taken, although there are regular maintenance expenses associated with additional investments in technology development. One such investment is OEM encryption for mobile apps, which may play an important role in ensuring a competitive standing in future. The company also offers products and solutions in information security, providing the remaining percent of total revenues, which involves encrypting and decrypting data. The bulk of these sales originate from its Thales partnership encryption product, which represents a major part of the company's hardware sales. Verisec capitalizing on the transition from physical log-in devices to mobile devices Verisec is Aligned for Future Hardware Transition One key aspect for Verisec is its bet on a transition from physical log-in devices to mobile devices, which cost significantly less, are more convenient for the user, and which are easier for the provider to scale. Nonetheless, instead of a mobile ID solution, the future may, instead lie with a cryptographic or other solutions that turns out to be more user-friendly. It is clear, however, that utilizing two authentication factors increases resistance to external attacks. The factors used in two-factor authentication systems are generally the following: something you know (e.g. password); something you have (e.g. smart card, mobile phone); and something you are (e.g. biometric). The current trend is to use a mobile phone, one of the most commonly used pieces of hardware, equipped with a password. This kind of solution is in widespread use in banking, government, defense, travel, health care and commercial security. 12

13 Differing needs between customer verticals Different Client Needs in Different Verticals Verisec's solutions can be divided into a banking vertical and a non-banking vertical (public and enterprise sector), each of which has different needs and different competitive features. The banking sector, for example, usually implements strong authentication with dedicated security providers, irrespective of whether or not this is required by regulations. The public and enterprise segment is more governed by a question of need to implement. The range of implementation and cost efficiency can lead enterprises to seek non-dedicated solution providers such as Google Authenticator. Digital Identity The digital identity segment provides solutions and services for identification and for the administration of user rights. This segment provides a secure way to perform transactions across a wide array of sectors. It is fundamental in providing secure transactions and verification of identity in sectors such as banks and for enterprises. The illustration below summarizes the key areas of this segment. Digital Identity Segment Presentation Source: Redeye Research, Verisec Open standard important in order to remain competitive Freja ID Freja ID enables authentication and identity management across an organization's staff. It features compatibility with a wide range of devices, along with user management at no additional cost. Freja ID permits integration with multiple devices because of its open standard support for OATH and SAML2, for devices and applications respectively. The application is a cost-efficient solution that pose no less greater security threat than proprietary solutions. If Google Authenticator is used in an organization then Freja ID can help with the authentication process for that system as well. The customer pays for a license and/or subscription, independent of users. This segment is unlikely to offer any durable competitive advantage, but should be seen as an effective support system that complements Verisec's entire solution suite. Freja Self Service Portal (SSP) The Freja Self Service Portal is an add-on solution tool to Freja ID that helps to connect the right device to the right user using, for example, Google Authenticator. This solution is sold with the Freja ID portfolio. 13

14 Freja Connect Freja Connect is an identity provider which can simplify the process of identity verification to cloud services and the use of external applications with single sign-on. This segment faces intense competition from both SaaSPass and Vasco s services. The penetration of IT services in the Swedish market is close to 60 percent for both cloud and own data centers. In Europe it is around 45 percent, according to Radar, showcasing the potential but also the overall relatively low levels. Currently, 22 percent of Swedish cloud services are handled by external partners. User convenience is fulfilled with strong authentication solutions for mobiles Freja Mobile Freja Mobile is equivalent to a two-stage authentication method and is more practical than traditional digital identities with physical devices, commonly used by banks. This segment is subject to intense competition, but can likely grow among small to medium-sized banks that offer online banking, and where the scale is appropriate and the competition less intense than in the larger bank segment. However, the company s aim is to sell this solution suite to large sized banks where it can enjoy economics of scale. Customization of Hardware Tokens (log-in devices) This segment delivers hardware tokens to meet the specific needs and budgets of its customers. The company has delivered 9.5 million devices and continues to deliver these to banks, but has not produced any since the company's inception which is a intentional decision as the competition is exceptionally high within this segment. OEM for Apps This segment enables application security during payments; most mobile applications are not secure. The segment provides services as a tool-kit in order to secure apps. Although these revenues are considerably lower than for mobile log-in software the model could still generate substantial recurring revenue in the longer term. It seems likely that many security operators are planning to develop similar systems. 14

15 Information Security Information security covers encryption and decryption of data through proprietary and partnership solutions. Below is a brief description of each core business solution. Information Security Segment Presentation Source: Redeye Research, Verisec Thales e-security Thales e-security offers hardware encryption, with Thales equipment handling the majority of transactions worldwide of approximately 80 percent. Verisec is a non-exclusive distributor of the Thales system in Europe, with a license to sell the system until The license is likely to be renewed since Verisec is one of the company's larger partners and has a longstanding relationship. Chiave Chiave is a cryptographic solution built to support the most common key types used by banks for decryption. Chiave RA As smart cards have become more common, a need to successfully create encryption keys has become more important and so the company has developed a product for this particular application. Chiave POS This is a system that can handle personalization of encryption keys for payment terminals. Open standards Double-Edged Sword Verisec's products in both its segments are based on open standards. This means that the company is able to switch and be more dynamic to changes, but can be the consequence of intense price pressure. Open standards provide agility for Verisec relative to proprietary solutions which among the larger competitors rely on an established customer clientele, which could pose a greater threat in the longer term if heavily relied upon to boost margins. Competitive Dynamics of Products and Solutions Verisec does not possess any technically superior capacity relative to its competitors. The markets for both its information security and its digital identity products face significant competition, and the development of dynamic solutions remains rapid. Verisec's key strengths are being early to 15

16 market, the services and support associated with its products, and its intense and effective sales efforts. Convergence to openstandard solutions means more cost-efficient solutions but more competition Another factor going forward will be Verisec's degree of adaptability to both the unique circumstances of individual sectors and technological development. For example, if companies request specific biometric security then the company should act swiftly to grasp this opportunity. Both Chiave's and Freja's solutions utilize open standards that support different devices that create competition between the developers, thus offering favorable prices for customers. This means that many prospective customers will most likely transition to non-proprietary solutions that are more adaptable than proprietary solutions. The decision from majors entering the open-standard segment could severely affect the margins of the company. R&D expenditure can be large if a state-of-the-art solution is to be created, which might require capital injections. Being an early mover is a key strength of Verisec's momentum in the ongoing, but somewhat slow, transition from traditional passwords to strong authentication solutions. However, it is important to not underestimate the currently available solutions using traditional passwords, since techniques such as changing a password more frequently can often be adequate for many organizations. Strong authentication solutions themselves are bound to change Strong Software Authentication Poised for Growth, but Significant Challenges Remain Software solutions are likely at an early stage, posing an interesting growth opportunity in the medium to long term. However, new innovative technologies and cost-efficient techniques will always be considered and, with considerable R&D expenditure for the security sector, could render Verisec's current product portfolio obsolete in the longer term. Disruptive technologies pose an imminent risk, such as biometrics or cryptograms like the Vasco purchase of Cronto. If sufficiently suitable for professional organizations, these innovations could become serious competitors within Verisec's segments in the longer term. Furthermore, management and operations of mobile ID through sector organizations or governmental organizations could eliminate the pay model for mobile solutions, which poses a real threat to the company in future. The FIDO Alliance, for example, has put forward an internationally recognized standard and could possibly commoditize the whole strong authentication process across industries. With other governmental or non-governmental institutions contributing to these efforts, commercial software solutions for many companies within the sector could become obsolete. Another interesting development will be whether Intel and other chipset makers integrate their security solutions directly into their hardware. For example, Intel has integrated its McAfee software solution (which Intel acquired) with its hardware. In terms of cost efficiency, a consortium of banks in Sweden has developed its own mobile bank ID to cut further costs, which effectively hinders Verisec from entering the arena of the bigger banks. We cannot exclude 16

17 both consortiums and identity alliances becoming significant threats to Verisec's competitive standing in the relatively near term. Microsoft to Enhance Strong Authentication Competition Microsoft recently made clear its intent to have strong authentication for Windows 10 using its own proprietary software, called Hello, and applying biometrics (iris scanner and/or fingerprint) through its co-operation with FIDO. Using this, its Azure Active cloud solution will enjoy strong authentication sign-on, and making these free to use could pose a serious challenge to Verisec. The question is not whether Microsoft will solve this problem, but rather when an enterprise will produce a cheap or free solution. Unlike Verisec currently, these services support biometrics, and the company could have significant trouble in fulfilling commercial biometric technology. Expect contracting margins over time for security software Evolution of strong authentication solutions, standard-setting and limited barriers of entry are significant issues that Verisec must cope with today and in the future Google and Alliances Could Spearhead a Full-Thrust Reversal of The Strong Authentication Industry Just as physical devices were a real margin-business ten years ago and now have rapidly falling margins, we expect security software solutions to become more mature and to have incrementally contracting margins over time. Perhaps one of the pillar solutions for strong authentication in the future will be similar to Google Authenticator. While Google Authenticator poses a risk with its cost-efficiency, it has fundamental restraints in its limited support function and in security concerns due to high usage, which will be taken into account by organizations in choosing a supplier of security systems. It is a highly real and imminent threat in the public and enterprise sectors but not currently in the online banking sector, and we note that that many local councils already use Google Authenticator today. However, Verisec will not go penniless from such arrangements since, as previously mentioned, the company seeks to complement Google Authenticator with user management and support services if the customer wishes to cut software token costs. What if (or, rather, when) Google with its FIDO membership (or other) wants to make its mobile ID solution into a standard? It is evident that many strong authentication companies face severe threats if they do not align with or challenge their peers. FIDO has been existence since 2013, and in 2014 the member network exploded and, with significant development of its product portfolio, is likely to take the strong authentication processes to a global level. Verisec's involvement in supplying software could be limited relative to the many cutting-edge security companies with significantly more resources. Summary In conclusion, we believe that Verisec may enjoy some momentum during the transition from hardware to software in the strong authentication sector. However, it is not certain that the company will be able to exceed its growth targets through its competitive standing during the evolution of strong authentication solutions, international standard-setting and limited barriers of entry. There are three general key factors we regard as essential for Verisec to nurture in order to retain its competitive standing today and in the future: cost efficiency, user convenience and security. We believe the company will be able to benefit from all three given the market momentum 17

18 in the short term but the market is evolving quickly, both through alliances and with leaders poised to transition to open-standard solutions. 18

19 Revenue Model This section of our report presents and explains Verisec's revenue composition and models. Digital identity segment key determinant for future revenues We estimate that digital identity accounts for approximately percent of Verisec's revenues, and will likely remain at the upper-level of this interval in the future. Other revenues relate to information security solutions and products. There is no obvious operating margin distinction between information security and digital identity solutions, and the largest difference in margins depends on whether sales are software or hardware related, and whether through direct sales or partnerships. Verisec will use partnerships initially, as expansion plans progress and in order to gain recognition for its products. However, the aim in the longer term is to utilize direct sales in the majority with partnership sales model. It should be noted that although the majority of sales are non-recurring it is probable that the company can secure a majority of revenues due to the somewhat predictable nature of orders. The figure below explains revenue composition and its components. We expect that the relationship will remain roughly similar in the future, with the exception of the final maturity stage, with the degree of recurring sales becoming more prominent over time and inducing margin expansion. Representation of Revenue Composition By Segment Source: Redeye Research The relative shares of digital identity and information security differ from year to year, depending on the timing of orders, thus resulting in the volatility of revenues that can arise between the segments. We expect in the future that the digital identity segment will dominate total sales, in accordance with Verisec's strategy. The majority of sales within the digital identity segment are direct sales. Thales e-security accounts for the majority of sales in the information security segment, and is sold either directly or through other resellers. Although the current sales model for Thales is largely non-recurring, Verisec's position in this market is predictable and stable. Furthermore, both segments enjoy recurring revenues of around percent, which to a degree cover fixed personnel costs. Banking is a core in both segments, 19

20 and this is expected to remain at a high level in the future, alongside strong online banking growth. We estimate that 20 percent of revenues in the digital identity segment originate from subscription and support-related activities, both from partnerships and from direct sales. These revenues could be defined as recurring since the contracts run on three-year periods and the current distribution should not contribute to significant volatility in revenues in the foreseeable future. Around 80 percent of revenues are of a non-recurring nature, related to upfront licenses, services and registrations. Illustration of a simplified view of a three-year contract of SEK 5 million for Verisec in the future including maintenance support (20 percent): Generalized Accumulated Contract Example (5-MSEK) Source: Redeye Research Revenues largely on threeyear contracts Sweden still accounts for the majority of sales but EMEA is expected to expand in the future The initial contract value is usually established before maintenance support fees (although it is usually included) which in this case is approximately 4.2 MSEK. The duration of contracts typically averages three years, usually followed by one automated 12-month subscription which includes support activities. Licenses are usually paid up-front with all the infrastructure that is needed. Note that registrations may vary significantly between quarters, which could induce high volatility in revenues but, that said, the company states that its contracts are well distributed, which means the effect should be somewhat limited. Thus, the amount of registrations can heavily affect the value of a three-year contract and could easily outweigh the initial license fee for a larger customer. Approximately 80 percent of sales originate in Sweden, and this share has been growing since the company's inception it is clear that the direct sales component is currently high in more mature markets. In the future, we expect partnerships to initially rise to fifty percent of total revenues before then contracting to lower levels of around 10 percent as contacts and sales expertise are gained in each region. Finally, banking accounts for approximately 80 percent of revenues for the digital identity segment, and this ratio is expected to be static, although the non-banking vertical is predicted to grow in absolute terms. 20

21 Direct Sales Model The company sells both its digital identity solutions and its information security solutions through licenses, which are paid upfront and are where the majority of revenues originate. This sales model offers a far higher operating margin as the investment costs have largely been already taken operating profit margins are up to approximately 20 percent on certain contracts where direct sales are prevalent. This model is dependent on the efforts invested by personnel to successfully achieve a deal. In some less mature markets it is likely that the company is required to invest more resources to gain a foothold and is more likely make use of partnerships, such as it did recently in the Middle East and Germany. This puts significant downward pressure on margins in less mature markets, and when combined with the associated long sales cycles can give the perception of volatile revenue. The recurring revenues component will play an important role in the future to counteract this effect and to achieve revenue stability across quarters. In contrast, in more mature markets like the UK the company can easily play on its reputation to bind further customers and can thus operate on a lower cost basis. Partnership model important in gaining wide recognition for Freja ID portfolio Partnership Model Partnership revenues are an important factor in gaining recognition for the Freja ID portfolio and sales of Thales e-security. The company is set to increase the amount of partnership revenues in the future with its proposed expansion. For the information security segment the company currently sells the majority of Thales products as a reseller directly itself or through its reseller network, which it is currently expanding. Partnerships in both segments offer services similar to those using the direct sales model, resulting in recurring revenue streams for Verisec. Granular Depiction of Revenue Streams We estimate that the gross margins for Verisec's software solutions are around percent of revenues (before initial investment costs). The key factors for its gross margins include hardware sales relative to software, which are expected to have a ratio of 15/85 in the longer term. For hardware, we estimate gross margins to be in the range of percent, which drags down the overall gross margin somewhat. Essentially the operating margins can be 5-20 percent depending on the amount of sales relative to fixed costs, software or hardware along with partnership or direct sales. In general, software tokens and associated services can be simplified along with hardware tokens (physical log-in devices (services) & Thales) and are presented in the following figure from an operating margin perspective. Note that the figure below serves only as a general guideline to represent the differences in operating margins between software solutions (SS) and hardware (H), along with the partnership and direct sales models. 21

22 Presentation of Operating Margins Source: Redeye Research Thus, as seen above, the composition of sales (software vs hardware) will affect the margins reported, especially in individual quarters. In the future, if successful with the transition to software solutions, the company will likely enjoy higher margins for its software sales in general even when competition intensifies to a certain degree. However, the margin will likely be volatile in the future depending on the maturity level of the market and investment needs. The above example assumes that the company improves its competitive standing and can add further layers of software to the endcustomer while still investing significant resources in marketing and personnel. For hardware, however, it is evident that pricing will remain under pressure from implementation and replacement by software solutions. This does not apply to HSM (Hardware security modules) like Thales which is not a commodity in relation to hardware tokens. Once scale in revenues is achieved in individual markets, a transition to the direct sales model becomes clearly more beneficial for Verisec. This leads to a significant margin expansion that would likely trigger an enhanced perception of the earnings power of the company. 22

23 Market Analysis This market analysis evaluates three major topics that we expect to drive demand for Verisec's products: Primary market drivers Competitive landscape and verticals Regulatory effect on demand for security solutions Traditional passwords account for the majority of cyberattacks Primary Market Drivers According to Verizon, 80 percent of cyberattacks are possible due to simple passwords. Along with this comes a convenience issue, namely the increasing number of passwords used. A study by the Ponemon Institute of approximately 2,000 participants indicated a general mistrust towards passwords, as shown in the table below. In essence, almost half of consumers do not trust systems or websites that rely on passwords, making this a significant issue for companies to solve going forward if they are to avoid losing consumers. Traditional Password Evaluation Source: Ponemon Institute This means that it is natural for corporations to consider strong authentication using hardware tokens along with software tokens. Since 2013, the Breach Level Index has reported 3 billion security breaches and it is likely that the majority of records were not encrypted. According to Ponemon, 43 percent of its sample companies experienced a data breach in 2014, which is a 30 percent increase from the previous year. This increasing number of breaches and the greater use of online banking ought to lead to an increased need for software ID solutions. 23

24 Breaches by Industry and Size Source: Verizon Data Breach Investigation Report Finance, information and public sectors are targets for hackers The table above suggests that attacks occur more frequently in the finance, information and public sectors. That said, all sectors are exposed to vulnerabilities and, if large enough, could represent a client for Verisec. The "Unknown" sector above is relatively large, and we believe that a significant number of minor finance institutions could be included in this number. Overall, considering the large increase in the frequency of cyberattacks, it is evident that companies will choose to seek out or support services and solutions from specialized security firms like Verisec. Breaches by type Source: Verizon Data Breach Investigation Report 24

25 The percentage of internal attacks has diminished, and external attacks still dominate overall cyberattack numbers. Two-factor authentication market large potential for a small dedicated security software provider Strong underlying growth for Verisec, focus within security software solutions Size and Dynamics of The Strong Authentication Market According to Gartner, the market for two-factor authentication is worth USD 2 billion, and represents around 3 percent of the total security market. Given the intensity of the competition, even a 0.1 percent stake (approx. SEK 150 million) of this market is strong performance. In general, product demand is at its greatest where high security is most critical, such as in banking and finance, e-government, defense and enterprise security. It is clear that there is general need for security as the methods for distributing and gathering data multiply. Furthermore, around 88 percent of IT technology decision-makers regard existing threats and vulnerabilities as having high or critical priority. Software tokens such as Freja Mobile are expected to experience strong growth, with a predicted CAGR of 50 percent in the period , and with 20 percent market share, according to TechNavio. On the other hand, the hardware token market (proprietary physical log-in devices) is expected to grow by only around 8 percent, claims TechNavio. This trend is being led by strong smartphone growth, expected to reach approximately 2.5 billion people by Two Major Emerging Trends Software tokens that use smartphones are one major component in achieving both cost efficiency for banks and maximum utility for customers. This segment is expected to grow with a CAGR of 50 percent until 2016, according to TechNavio. Biometrics represent another security layer that is growing rapidly, and their implementation is visible among the numerous market leaders. We expect that Authentication as a Service (AaaS), and its associated cloud services, will grow significantly in both the banking and the non-banking verticals, and Verisec is fully aligned for this development by its Freja Service solution. In terms of market potential, Gartner expects cloud-based authentication implementations to grow from 10 percent in 2014 to 50 percent in This should be considered alongside strong growth in cloud services themselves during the same period. With Freja Connect and a strong authentication solution, the company is positioned to participate in this growth. Although it is far from certain that Freja Connect will be the preferred choice for customers or the most cost-efficient solution in the future, there is clear underlying demand for these solutions. Redeye does not exclude the possibility that solutions like SaaSPASS and Google, among many current and future competitors, will dominate this sector with cheap and effective solutions in the future. For organizations seeking dedicated security providers, this will likely entail a full-suite solution including cloud services. 25

26 Competitive Landscape and Verticals We start by depicting the competitive landscape for Verisec by segment and describe the current leaders and prospective leaders. Competitive Landscape by Segment Source: Redeye Research, Verizon Data Breach Investigation Report Major threat and opportunity from disruptive technologies The figure above indicates that the leaders specializing in security are mainly from the US. These companies typically have a high level of exposure to the banking sector and aim to diversify their portfolios. For example, Vasco's management recently intensified its focus on cloud solutions and the non-banking vertical. Pursuing hot trends, however, may not be the best option for Verisec in the long term since competition will be significant. These companies regularly make acquisitions to keep up with the latest technology, which could pose a risk for a smaller player like Verisec, which may not have the expertise or the financial strength to acquire disruptive technology. The landscape is poised to change significantly in the coming years since innovators such as Google may become leaders in this sector with their solutions. We can expect cloud solutions to be heavily disrupted by Google Authenticator, especially in the public/enterprise sector, where this is a serious consideration for any head of IT. Google can be seen as mimicking what the other leaders are doing, but for free, and its solution has already gained widespread utilization across industries. Nevertheless, Verisec's edge lies in its dedicated support, adaptability and full-service solution, along with strong market momentum which it will probably be able to continue to rely on. The information security segment is dominated by a small number of players, with Thales accounting for almost 80 percent of worldwide payment transactions. Verisec acts as a reseller for Thales. Safenet (acquired by Gemalto) is the company's strongest competitor in this segment. Potential in The Banking Vertical We regard the banking sector as Verisec's most important vertical going forward, since we believe it generates the majority of revenues. The cost of breaches can be significant to banks due to their responsibility for fraudulent transactions. There is a clear growth trend in online banking usage, with Gemalto forecasting 48 percent growth in the US and Europe over the next four years. Online banking has an approximately 30 percent 26