I recently discussed why I bought shares of CyberArk (NASDAQ:CYBR) and how the Israeli cybersecurity company makes money. However, investors should also understand the challenges that CyberArk faces. Let's take a closer look at four of the biggest risks which the company highlights in its latest 20-F filing.
1. Top and bottom line declines
CyberArk has delivered solid top and bottom line growth in recent quarters. Revenue rose 43% annually last quarter as non-GAAP net income improved 46%. But looking ahead, CyberArk warns that as "we invest in the growth of our business, we expect our operating and net profit margins and our revenue growth rate to decline in the near-term."
CyberArk's outlook for the current year reflects its plans to reinvest more cash into its business. The company expects sales to rise 30% to 31% this year, which exceeds analyst expectations for 28.5% growth. But on the bottom line, CyberArk expects non-GAAP net income to fall 9% to 13%, due to the development of new products and an aggressive expansion of its sales and marketing team. That didn't surprise Wall Street, which already expected CyberArk's net income to fall 13% for the year due to those investments.
CyberArk considers the timely growth of its workforce to be crucial to its future growth. The company warns that if it does not "effectively expand, train and retain our sales and marketing personnel," it could "be unable to acquire new customers or sell additional products and services to existing customers."
2. Being unable to sell new products to existing customers
A "significant portion" of CyberArk's product and service sales are generated by its existing customers. The company uses a "land and expand" model. It sells a customer an initial license for a basic password vault product, which can be expanded to cover more accounts and include additional services, like its licensed application identity manager and expanded privileged session manager services.
Since the land and expand strategy unfolds over several years, CyberArk needs to continuously develop new products and services to lock in its customers and generate higher revenues per customer. CyberArk states, "If we are unable to sell additional products and services to our existing customers, our future revenues and operating results will be harmed." To continue launching new products, CyberArk's R&D expenses will also rise. That's why its R&D headcount, which rose by 48% last year, is expected to continue growing alongside its sales and marketing teams this year.
3. Intense competition from bigger IT players
CyberArk dominates the niche market of protecting privileged accounts, which are often used by hackers or disgruntled employees to gain access to data. However, many bigger companies have started bundling similar services into broader security platforms. CyberArk warns that the company faces "intense competition from IT security vendors, some of which are larger and better known than we are, and we may lack sufficient financial or other resources to maintain or improve our competitive position."
CyberArk's most dangerous rival is CA Technologies (NASDAQ:CA), one of the biggest independent software companies in the world. In a Dec. 2014 presentation, research firm IDC noted that CA was evolving from a "major player" in the privileged account market into a "market leader" like CyberArk. CA is a threat because it offers a wider array of security and network monitoring solutions than CyberArk, which gives it the ability to bundle similar services at lower prices. Other challengers include IBM, Microsoft, and Oracle, which all offer bundled access and identity solutions.
4. Losing its "best in breed" reputation
CyberArk dominates the privileged access market because it offers a "best in breed" solution. That's why its platform was recently certified by the U.S. Department of Defense, and why its customer list includes 40% of the Fortune 100 companies and 17 of the 20 biggest banks in the world.
However, CyberArk notes that its sterling reputation "could be harmed based on real or perceived shortcomings, defects or vulnerabilities in our solutions or the provision of our services," or the "failure" of its customers to "correctly implement, manage and maintain our solutions." Therefore, if CyberArk's R&D fails to keep pace with the hackers and result in embarrassing breaches, its longtime "land and expand" customers could embrace bigger IT rivals.
Be aware of the risks, but don't panic
Investors should be aware of these risks, but they shouldn't fret over them. CyberArk's expenses will rise this year, but the company has a solid track record of controlling costs and preserving GAAP profitability. Competitors are eyeing CyberArk's market, but its recent launch of the C3 Alliance with FireEye, Symantec, Intel, and others could widen its moat. Therefore, investors shouldn't worry unless CyberArk posts sudden and steep declines in sales and earnings growth.