Small cap cyber security stocks are riskier than you think
The cyber security space is one of the most in-demand UK technology investment themes. Market appetite has been encouraged by a combination of high profile hacking attacks (TalkTalk (TALK), the NHS, Sony, eBay, Uber; it’s a long list) plus tightening regulations on organisations.
For example, European general data protection rules (GDPR) are set to come into force from May 2018.
In tandem with the growing risks associated with personal and corporate data, the size of the UK stock market cyber sub-sector has roughly doubled in the past three years.
Abingdon-based Sophos (SOPH), the FTSE 250 end-user and networks defender, joined the London Stock Exchange in June 2015, valued at approximately £1bn. Today the company is worth more than £2.6bn thanks to a succession of robust growth updates.
Identity verification technology specialist GB Group (GBG:AIM) and cyber security consultancy NCC (NCC) have been on the stock market for longer and both have grown substantially in recent years. More recently NCC has endured a difficult time with several profit warnings.
Investors need to pick cyber stocks carefully
Sadly, not all cyber security specialists are equal. We believe there is a growing army of smaller companies that remain sub-scale and are struggling to juggle the demands of customers and investors thanks to a concentration on early-stage niche markets and often long sales cycles.
Since the end of 2015 the cyber security small cap ranks have grown including the stock market flotation of mobile phones and PCs back-up and protection tools designer Defenx (DFX:AIM).
It was followed on to AIM in April 2016 by Osirium Technologies (OSI:AIM), which provides privileged person access controls (in other words, administrator access permissions). ECSC (ECSC:AIM), a mini IT security consultancy, floated in December 2016.
Each has had its own challenges. For example, ECSC said in June: ‘Whilst the board is pleased with new sales pipeline generation, the conversion of sales pipeline into reported revenue is taking longer than anticipated.’
In other words, lower sales and bigger losses this year to 31 December, news that saw the share price collapse 31% on the day. The stock has more than halved again despite trading appearing to stabilise since.
On 25 October Defenx said: ‘The conversion of opportunities into firm orders is taking longer and requiring more investment than was initially anticipated.’
This means Defenx’s 2017 financial results will be materially below previous market forecasts and the company is expected to report a loss for the full year.
Unlike ECSC or Osirium, which are relatively young start-up type businesses, Defenx had a record for posting pre-tax profit that stretched back over the past five years.
Beholded to big companies
The Defenx update spells out why some of these smaller specialist cyber defenders are not entirely in control of their own destinies.
‘Full year revenue outcome is particularly dependent on when a small number of high value contracts start,’ the company said in October.
This follows a very similar pattern to other small cap cyber security companies on the stock market, most obviously Intercede (IGP:AIM).
The AIM-quoted digital identity management and access company floated in 2001 and has a highly regarded MyID product line, yet it has always been hostage to large organisation implementations and possible delays.
The company issued its umpteenth profit warning on 7 November this year, and that’s unlikely to be its last given the lack of contract visibility, in our opinion.
It’s an issue that distributed denial of service (DDoS) attacks platform supplier Corero Network Security (CNS:AIM) has worked hard to address itself, making the painful shift from multi-year licences to a cloud-based software as a service model.
But progress has been slow and there is still little sign of the £25m market cap business making its long awaited break into profit.
Patience is required
Cyber security is defined by its evolving nature, with both the threats and the defenders having to constantly innovate. That’s partly why there are so many security vendors with so many products – there’s a lot of ground to cover and new threats appear every day.
Some of these small stock market cyber specialists will prosper in the long-run, but most will not.
Trying to separate the winners from the losers is unnecessarily risky for most investors. The safer options are cyber security companies with decent scale, or a fund, investment trust or exchange-traded fund that will cover a lot of bases on your behalf.
In our view that means investing in the likes of NCC, Sophos and GB Group rather than trying to pick a tiddler which has the potential for fast growth, but also the potential for damaging shocks to its share price. (SF)