Many people consider Okta (OKTA) a vital cog in the security of data in cloud computing. Yet despite its importance in the cloud ecosystem, its stock has dropped 73% year to date, primarily due to the poor macroeconomy. However, some of this company's underperformance is its own doing. Okta made a bad decision early in 2022 that could come back to haunt it.

Here is one big risk that could disrupt the cybersecurity specialist's business.

A data breach and some loss of trust

Okta is the cloud's first independent identity and access management (IAM) company. IAM technology ensures that people are who they say they are and authorizes them to perform specific actions. Since many security experts consider Okta's service essential for preventing bad actors from accessing, stealing, changing, or deleting data in the cloud, any loss of trust can potentially devastate this business.

Therefore, when a hacker group named LAPSUS$ published screenshots of what they claimed was internal access to Okta's platform on March 22, 2022, the company's customers and investors were shocked -- especially after everyone learned that the actual breach occurred two months earlier on Jan. 20.

As a result of the long delay between when the intrusion occurred and when Okta acknowledged it, security experts severely criticized the company. For instance, Tenable CEO Amit Yoran wrote an open letter to Okta on LinkedIn that lambasted the company. Yoran said in the letter, "This compromise should have been disclosed when Okta detected it in January or after a competent and timely forensic analysis." Tenable is not only a cybersecurity company but also an Okta customer.

Okta admitted its mistake in handling the incident in a blog post on March 23 and later in an FAQ on March 25. In those communications, management stated that only around 2.5% of its customers may have had their data viewed or acted upon. Luckily, the hackers could not create or delete users or download customer databases. The LAPSUS$ group was limited to viewing data and triggering a password reset for users; it could not choose new passwords or log in to the service.

Still, it was too late to prevent the adverse reaction from the market. The stock dropped 17% from March 22 to March 25.

The short-term impact of the breach

Since the LAPSUS$ incident occurred at the end of the March quarter, investors knew that the late-June financial report could tell more about Okta's ability to retain and grow customers.

According to CEO Todd McKinnon, the company does not believe the hacking incident had a measurable impact on its second-quarter results. He also said, "We spend less time discussing the details of the incident with customers and prospects with each passing month. In fact, many customers have expressed their increased confidence in Okta after we implemented a series of additional security measures as part of our security action plan."

McKinnon appears to be correct. Since Okta derives 96% of its total revenue from subscription revenue, the best way to determine whether demand for its services is rising or falling is to look at the dollar-based net retention rate (DBNRR). This number compares the subscription revenue coming from the customers Okta had a year ago with what that same group of customers was paying back then. You want to see a number above 100% -- an indication that a business is adding more revenue from upgrades and expanded usage by existing customers than it is losing from downgrades and canceled subscriptions.

Quarter           DBNRR
Q2 fiscal 2022    124%
Q3 fiscal 2022    122%
Q4 fiscal 2022    124%
Q1 fiscal 2023    123%
Q2 fiscal 2023    122%

Data source: Okta.

A DBNRR above 120% indicates a company with solid demand for its products. Since this metric shows no sign of tailing off so far, investors can conclude that Okta is seeing little impact from the LAPSUS$ breach. However, investors should follow the DBNRR trend in future quarters for any sign that the company is losing customer loyalty.

Any long-term impact?

Although Okta's second-quarter results didn't show much immediate financial damage from the security incident, management lost some credibility due to its poor judgment in response to the hack. For instance, immediately after becoming aware of the breach, Matthew Prince, CEO of Cloudflare, tweeted that his business was considering alternatives to Okta for its identity needs.

The likely reason that Okta has yet to see a significant loss of business is that it still has the best IAM solution. But that might not always be the case. For example, some believe Ping Identity can eventually provide stiff competition. Consequently, one significant long-term risk for Okta is that it could have lost some customer loyalty, and its clients might be quicker to seek other options if the company fumbles the ball again.