Cybersecurity powers through 2020 despite COVID-19

Despite the pandemic’s disruptions – including shutdowns and worker displacements – business-focused cybersecurity company performance in terms of revenue growth, ability to beat guidance on the top and bottom line, and share performance was very similar to what we’ve seen in past years.

Based on consensus estimates, aggregate 2020 revenue growth is expected to be 16.4% versus 18.4% actual growth in 2019. This universe typically beats consensus, so when final fourth-quarter numbers are reported early next year, we expect the actual 2020 growth rate to be slightly higher – perhaps 17.4%.

Companies on average and at the median reduced their revenue guidance over the course of 2020 by 1%. This compares to the 1% average guidance increase we saw last year in the same analysis, a difference we view as immaterial.

The one significant variance we identified was the outsized benefit cloud-migration-focused leaders showed in the magnitude of their guidance increases and the positive stock-price response.

The overall continued stalwart performance in the face of the pandemic underscores the favorable qualities of the business-focused cybersecurity market.

Introduction

Given how unusual this year has been, and since we now have final 2020 guidance for those publicly traded companies on a calendar or Jan. 31 fiscal year, we see this as an opportune moment to examine how COVID-19 and other factors affected cybersecurity sector growth, earnings and stock performance in 2020.

We focus on pure-play cybersecurity companies supplying solutions to businesses. Each year we adjust the names in the group to adhere to this focus. Among this year’s adjustments, we added McAfee (MCFE) back to the analysis for revenue trends due to its relisting in October. However, since it was not public earlier in the year to give initial 2020 revenue and EPS guidance, we exclude it from the guidance analysis. We removed Forescout due to its acquisition by Advent and the delisting of its shares in August. We also removed Splunk (SPLK) because security has declined as a percent of its overall revenue and because we feel non-cybersecurity trends have become the primary drivers of its business and stock price. As in past years, we exclude consumer-focused cybersecurity companies such as NortonLifeLock (NLOK).

Overall revenue growth dynamics little changed vs. 2019

While we use revenue as a proxy for demand, we acknowledge the limits of doing so:

• Many companies are transitioning their business models to more subscription sales, which depresses reported revenue during the transition. We note two companies for whom revenue is expected to decline this year – OneSpan (OSPN) and Radware (RDWR) – were significantly affected by this dynamic, so while these companies show expected revenue declines, the metric investors increasingly focus on, their annual recurring revenue, increased.
• Some companies recognize most of their revenue from contracts already booked (from deferred revenue balances), making bookings or changes in short-term deferred revenue better indicators of current momentum.
• Revenue can include acquired revenue; however, we note this is less a factor this year than some other years as there were no blockbuster transactions by these companies in 2020.

Despite these limits, we think the data sheds light on high-level industry growth and demand trends. As Table 1 shows, based on consensus calendar-year forecasts, aggregate 2020 revenue of the cybersecurity companies is expected to total $20.2 billion, which would be 16.4% higher than in 2019. The is a modest deceleration from the 18.4% actual growth in 2019. This universe typically beats consensus, so when final fourth-quarter numbers are reported early next year, we expect the 2020 growth rate to be slightly higher – perhaps 17.4%. Considering the headwinds many companies face due to converting to subscription models, we view these results as an indication that demand growth for these companies is consistent with previous years at a mid-teens rate.

We have always believed the group is less sensitive to economic cycles than many sectors; the cybersecurity threats organizations face do not decline with economic activity, and disruptive events like the pandemic and the accompanying shift to work at home actually make it easier for bad actors to execute their scams and infiltration activity. We are glad to see the high-level data suggests our thesis is correct.

Looking beyond the aggregate growth, the sector strength is broad. The average growth rate among the companies is 17.6% as is the median, both higher than the aggregate growth (suggesting larger companies are growing a little slower than the smaller ones). This is consistent with the trend seen last year. So COVID-19 and related impacts did not seem to harm smaller companies at the expense of larger ones.

And while a higher average company growth rate than the aggregate growth rate means smaller companies grew faster than large ones, we note large companies did not see a negative impact from COVID-19. In fact, expected revenue growth rates for all four companies with over $2 billion of expected 2020 revenue – Palo Alto Networks (PANW), Fortinet (FTNT), Check Point Software Technologies (CHKP) and McAfee – declined less than one percentage point. We think the fact that Palo Alto can grow by 20% and Fortinet by 19% shows the broad-based nature of the opportunity in the sector.

The wide range of growth rates – from negative 19.4% for OneSpan to 78.5% for Crowdstrike (CRWD) – shows the tide is not lifting all boats equally. At a high level, we see the overall strength as broad-based with no major subcategory being hurt this year by COVID-19. The fastest growers in 2020 tended to be companies with cloud-based platforms that are also helping their clients migrate to and secure their own cloud environments. These companies were the fastest growers in 2019 as well, so comparing full-year 2020 to full-year 2019 growth rates suggests no significant COVID-19 effects (though upward guidance revisions discussed below do suggest these companies may have benefitted disproportionately). And while the four largest companies noted above all have some cloud offerings, the fact that they’re not pure cloud companies and saw sustained strong growth in 2020 – including Palo Alto’s 20% and Fortinet’s 19% – indicates the strength extends beyond the cloud-only players.

TABLE 1: Publicly traded business-focused cybersecurity company revenue and growth rates (ranked by 2020e revenue growth)

Source: Company data, Capital IQ.
Notes: (1) Revenue and growth rates for ZS and PANW are based on their reported revenue of the last four quarters ending January (their fiscal second quarters).

The market handsomely rewarded upward revenue guides, most common among cloud-focused companies

While full-year 2020 growth rates suggest COVID-19 had little or no effect on demand, the guidance revision analysis in Table 2 does suggest some COVID-19 effect, particularly on revenue, over the course of the year. This analysis is most relevant for companies with a calendar fiscal year, as these companies generally gave their full year 2020 initial guidance with their 2019 full year results announced in late January or during February, before there was widespread understanding of COVID-19’s likely impact. The companies with a January fiscal year either had some inkling of this when giving guidance or had full knowledge of where things were headed (and in these cases often declined to give guidance). For companies that did not give guidance for revenue or EPS, we used as a proxy for initial guidance the consensus estimate roughly one week after their prior-year results were announced.

TABLE 2: Revenue and EPS guidance change in 2020* ($ in millions except per-share data; sorted by 2020 revenue guidance change)

Source: Company reports, FactSet, Capital IQ.
Notes: *For July and December year end companies, this is the fiscal 2020 numbers; for January and March year ends, this is the 2021 fiscal year guidance. For companies lacking initial revenue and/or EPS guidance, we refer to initial consensus as of approximately one week after reported year-end results. For companies lacking final revenue and/or EPS guidance, we refer to consensus as of early December 2020.

Companies on average and at the median reduced their revenue guidance by 1%. This compares to the 1% guidance increase we saw last year in the same analysis, a difference we view as immaterial. The range of guidance changes, from an 18% increase to a 21% reduction, was only slightly wider than the 18% increase to 16% reduction range we saw in 2019. Over the course of 2020, numerous companies announced a faster move to subscription revenue than initially expected and in some cases an intent to push customers to subscriptions more aggressively than was anticipated with original guidance. This dynamic is usually accompanied by lower full-year revenue guidance. However, the same thing happened with several companies in 2019 and, based on the similar numbers, it appears that it may have been at roughly the same rate. So at a high level, we see that 2020 looks a lot like 2019 despite the pandemic – a somewhat surprising finding.

And based on the incredible price gains for those companies that were able to meaningfully increase top-line guidance, we think we were not the only ones surprised by estimate-beating strength against the broader macro environment. The five companies that raised guidance by 6% or more for their 2020 year (as we define it) had year-to-date share increases through Dec. 7 ranging from 99-335%. The sixth-biggest revenue guidance increase was Check Point at 2%, so these five stand out. The sixth-biggest price gain was 62% for Varonis (VRNS), which reduced revenue guidance by 3% during the year; the positive price move may have been due to the positive EPS news discussed below.

TABLE 3: Security company performance (YTD 2020)

Source: FactSet. Capital IQ.
Notes: Market cap in millions.

The companies with the five largest revenue guidance increases also raised EPS guidance, so the revenue upside was profitable. However, revenue guidance changes appear to have been more important than EPS guidance changes: The correlation coefficient of 2020 revenue guidance changes to year-to-date stock movements is 0.65 compared to 0.59 for EPS guidance changes. In 2019, the correlation of revenue guidance changes to price changes was only 0.31, suggesting the much higher 2020 correlation reflects investors’ appreciation of revenue strength in the face of difficult market conditions.

We consider four of the five companies that increased revenue guidance the most – CrowdStrike, Cloudflare (NET), ZScaler (ZS) and Okta (OKTA) – to be the leading companies with solutions and marketing messages highly focused on helping companies secure their migration to the cloud. The fifth company, SailPoint (SAIL), like many others on the list, also helps in this migration, but we don’t think it has captured the mindshare position of a leader specifically focused on enabling this transition. We think the concentration of these companies at the top of the list shows COVID-19 and other factors combined this year to disproportionately help these companies. In our view, this was the most notable impact of the pandemic on the group.

EPS helped by swift actions, lack of T&E expense

The fact that only five companies reduced EPS guidance is a major positive considering 12 lowered revenue guidance. Last year, seven companies reduced EPS guidance while only five reduced revenue guidance. We attribute this relatively good bottom-line performance to two factors: Companies took swift expense control measures once they saw the pandemic effects coming, and spending on travel and entertainment (T&E) has been almost eliminated. Several companies have called out the T&E savings, highlighting it as a temporary boost to income that is not expected to repeat in 2021 as more normal travel patterns hopefully return.

Stock performance a mixed bag – as usual

We’ll assess full-year 2020 stock performance after the year is complete, but for now Table 3 shows that the average year-to-date stock gain of 57% through Dec. 7 is ahead of all relevant indexes. The median gain of 16% trails the Nasdaq’s 39% gain, which we consider most relevant, but is ahead of the S&P and Russell 2000. The range of stock performance within the cybersecurity universe was more than 400 percentage points, and there was no significant clustering within the range. These patterns match those seen in previous years that saw wide-ranging individual cybersecurity stock performance and overall performance often in the ballpark of indexes.

Despite the pandemic, results look mostly like a normal year

In summary, despite the pandemic’s disruptions, including shutdowns and worker displacements, business-focused cybersecurity company performance in terms of revenue growth, ability to beat guidance on the top and bottom line, and share performance was very similar to what we’ve seen in past years. The only significant variance was the outsized benefit cloud-migration-focused leaders showed in the magnitude of their guidance increases and the positive stock-price response. The overall continued stalwart performance in the face of the pandemic underscores the favorable qualities of the business-focused cybersecurity market.