Description

OneSpan Inc. (NASDAQ:OSPN) (“OneSpan”, “OSPN” or the “Company”) is a well-established mobile and identity security software leader within the financial services industry, yet a relatively underfollowed stock.  We discovered the name through a screening process and at first blush, the financials looked terrible.  But after digging in, we discovered the Company was going through a massive multi-year transformation and had just inflected.  In 2018, OneSpan rebranded from VASCO Data Security International, signifying a new era of accelerating growth, margin expansion and FCF generation.  We believe the stock has over 100% upside potential over the next two years.  We have interacted with the management team on multiple occasions and have worked diligently on a financial forecast and valuation analysis.  First a summary before diving into detail:

Mobile and identity security leader catered towards financial services for over 20 years

• Majority of top 100 global banks are customers; 10K+ customers in total

• Company provides software and hardware security solutions to help banks authenticate their end users, facilitate digital transactions and mitigate fraud

• Main software product is a Mobile Security API platform – allows financial services institutions to directly integrate a variety of security features into their mobile apps

• Given banks lose billions and billions of dollars to fraud annually, they are amongst the biggest spenders on security solutions – mobile represents the latest frontier in need of advanced security

• OSPN has almost never lost a significant customer to a competitor or in-house solution

#3 e-signature player behind DocuSign and Adobe

• In 2015, the Company acquired Silanis (eSign) for $85m, the top provider of e-signature solutions in the financial services industry

• Company has accelerated the growth of eSign post-acquisition by cross-selling to its existing customer base – the business grew over 50% in 2017

• DocuSign (“DOCU”) IPO has heightened attention on the fast-growing e-signature space and provides investors a direct public comparable for OneSpan’s eSign segment

• The segment is driving $200m+ of value today (vs. ~$500m total enterprise value) per our estimates

What’s misunderstood? Financial transformation masked immense, underlying value creation

• OneSpan’s legacy hardware solutions are in a secular decline and caused the entire Company’s revenue to decline for multiple years as newer high margin software offerings started to ramp

• Company invested heavily to grow software side, both in S&M and R&D, which caused overall operating margins to decline despite positive mix shift in gross margins

• Company returned to positive total Company y/y growth in 2H’17 – last several quarters have shown strong y/y growth and margin expansion

• OneSpan’s margins are projected to expand significantly as software offerings carry ~20-40 points higher gross margins than legacy hardware and have continued strong double-digit growth in 2018

• EBITDA margins should roughly double to 20%+ in a few years, primarily driven by gross margin mix shift to software over time

• Sellside coverage is minimal and street is not modeling any gross margin improvement despite obvious path of margin uplift

Valuation exceptionally cheap on a DCF and Sum-of-the-Parts basis – 100% upside in one year

• Our DCF implies $31 present value and our SOTP on 2021E estimates imply OSPN is worth $33 in a year vs. ~$15 today.  SOTP breakdown below:

  • eSign: DOCU forward EV/Revenue, worth $14/share

  • Mobile Security: in-line with other security software peers’ forward EV/Revenue, worth $11/share

  • DealFlo: in-line with other enterprise SaaS peers’ forward EV/Revenue, worth ~$3/share

  • Hardware: worth ~$3/share based on a 5.5x distressed EV/EBITDA multiple

  • Cash adds ~$3

• Company has $92m in cash and no debt, $156m of NOLs and incurs minimal capex

Lastly, we believe OSPN is an extremely attractive acquisition target with no shortage of potential strategic and financial buyers.  Security is a red hot space and their platinum customer base is a true validation of the technology.  At the nexus of “mobile”, “identity” and “security”, we believe exposure to this theme is attractive. Similar examples include Cisco’s acquisition of Duo Security and Vista Equity’s acquisition of Ping Identity.

The Company has ~600 employees with a Worldwide HQ in Chicago and International HQ in Zurich.  ~50% of revenue comes from EMEA, ~25% from the Americas and ~25% from APAC.

Now here are the details:

Industry Overview

• OSPN operates in the “Identity and Access Management” space – essentially user authentication and advanced security to safeguard critical applications

• Today, with applications both in the cloud and on-premise, and users increasingly eager to access apps from their mobile devices, successful identity and access management demands more than just passwords

• First evolution beyond simple passwords was two-factor authentication

• However, additional security features are needed to address highly sensitive applications and stringent regulatory requirements

• This certainly applies to the financial services industry, which is a prime target for hackers (just follow the money) – 35% of all known data breaches in 2016 targeted the finance industry

• Banks lose billions of dollars annually to fraud – a figure that keeps growing

• Security is paramount given possession of sensitive user data – without trust, there is no business

• Yet most customers desire online/mobile access to account information and transaction processing, driving the need to ensure secure transactions without ruining the user experience of the mobile app

• Mobile banking users will grow to ~3bn by 2021 and are typically more profitable for banks –

  mobile customers buy 2x as many products as non-mobile customers, and mobile app features help materially reduce branch traffic (i.e. mobile check deposits reduced bank traffic by 33% for Bank of America) – providing a high quality mobile experience is of utmost importance for a bank’s bottom line, yet it must be secure

• OneSpan’s solutions help banks’ mobile apps remain secure while helping drive tangible business outcomes – as mentioned, they are trusted by the majority of the top 100 global banks.  Select customers include HSBC, Bank of America, Citi, UBS, Mizuho, BNP Paribas, ING, Santander, and many more

Business Overview

• The easiest way to break apart the multiple segments is: the legacy Hardware segment, the Mobile Security software segment, the e-signature business called eSign, and the digital onboarding business they recently acquired called DealFlo.  There is also a steady high margin stream of Maintenance revenue as typical with the software licensing model

• Hardware

  • You may recall RSA tokens that we all carried around – the tiny plastic keychain devices that spat out random numbers so you could log into your banking portal

  • OSPN was a major player here too.  But now you can obviously do this through an authenticator app on your smartphone

  • The Company is at the forefront of hardware-based authentication – their latest products incorporate Cronto cryptography to authenticate / secure transactions via cryptogram.  Users scan an HD color QR code using their Cronto-enabled device in order to verify their identity / transaction information

  • Despite the secular shift from hardware authentication to software, these are still widely used throughout the world.  In fact, OSPN acquired the Cronto technology in 2013 for ~$22m and went on to generate $100m+ in revenue over the subsequent two years

  • Given the 4-6-year lifecycle of hardware devices and cultural affinity / perceived security (no internet connection, thus “never” at risk of being hacked), OSPN mgmt. believes it could take almost 20 years to wean off hardware

  • The segment contains many of OSPN’s biggest clients who will layer on the new software offerings over time, so we don’t believe there’s much rationale to selling it off.  In addition, it generates substantial cash flow at ~20% EBITDA margins by our estimates

  • The segment is in slow decline – management has guided to flat to down 5% y/y

• Mobile Security software

  • In 2009, OSPN launched a software-based authenticator that can operate on any non-OSPN device (desktop, laptop, smartphone, tablet, etc.)

  • Software-based authenticators are replacing hardware tokens – they are far more cost efficient for OSPN customers, and far easier to use for end users (hence, the Company is undergoing a transition from hardware to software)

  • In 2013, OSPN launched a mobile security API platform (software development kit or “SDK”) that offers a variety of security APIs that can be directly integrated within a mobile application – this has become the primary mobile security software offering today

  • The SDK allows OSPN’s customers to integrate next-generation security features into their own mobile apps to enhance identity access / reduce fraud

  • For example, the Chase mobile banking app can integrate OSPN security features such as authentication (via facial recognition, fingerprint, or behavioral, etc.), geolocation tracking, fraud prevention, device identification, and more

  • The segment grew 20%+ in 2017 and has accelerated to 60% growth YTD (Q3’18)

  • It is primarily licensing software revenue stream

• eSign

  • In 2015, OSPN acquired Silanis for $85m, the provider of eSign e-signatures solution and #3 player behind DOCU and Adobe (EchoSign)

  • The acquisition enabled OSPN to expand vertically into a fast-growing market (e-signatures) – the segment grew 50%+ y/y in 2017

  • OSPN has been successfully cross-selling the product across its vast financial services customer base, and integrated e-signature capabilities into its mobile security SDK

  • DOCU has ~40% market share and Adobe has ~10-15% market share per Gartner.  OSPN has 5-10% market share

  • Most industry analysts forecast the e-signatures industry to grow at a 30%+ CAGR for the next several years – OSPN is currently outpacing those estimates

  • eSign can be delivered via on-premise licensing or cloud SaaS.  The current split is 50/50, but is rapidly shifting to the cloud (we assume eSign will be 100% SaaS by 2020).  It’s important to note that this shift to SaaS is creating a near-term revenue headwind, but substantial value creation over the long-term given higher profitability and recurring nature

  • eSign is the leading provider for the financial services vertical as it offers a “white label” (brandless) solution for customers.  At a local Chase bank you’ll likely see “Chase e-signature”, not the OneSpan logo

  • eSign is offered as a standalone solution or available through OSPN’s mobile security SDK so mobile banking apps can incorporate e-signing directly

  • e-signatures can also serve as an advanced form of user authentication, enhancing the security process around transactions

  • As such, OSPN has a “platform” approach of offering its e-signature capability as part of a broader mobile security suite – we believe this will continue to serve as a key differentiator within the financial services vertical for years

  • This stands in contrast to DOCU – despite being a larger company, they have not been successful in deeply penetrating the financial services vertical given the mass market focus of providing e-signature capability as a feature, not a product.  While this works for the masses, banks need more complex customizable solutions that incorporate e-signatures

• DealFlo

  • In May 2018, OSPN acquired DealFlo, a SaaS provider of “digital onboarding” solutions for $53m

  • In a subsequent 8K filing we can see that DealFlo grew 43% y/y in 2017 and carried 77% gross margins.  It will add $4m of revenue to 2018 (7 months) per management guidance and we conservatively expect ~$9m in 2019 (full year)

  • The solution enables financial institutions to verify new/unknown identities and securely onboard them as a customer through a mobile app, eliminating the need for a customer to come into a physical branch

  • DealFlo already utilizes OSPN’s eSign solution as part of the verification process – the teams know each other well and there is natural technology / go-to-market synergy

  • DealFlo vastly improves conversion/completion rates for new customer applications, and expands banks’ overall market reach, driving tangible business results

• Maintenance –  essentially 100% attach rate on licensing revenue with annual renewals

• The Company’s solutions are extremely sticky – they have almost never lost a significant customer

  • OSPN customers must implement backend software (a controller API) on their servers that will manage/sync with all software and hardware tokens

  • This is a proprietary software offering and is the same for managing both hardware and software tokens, making it easy for customers to transition from hardware to software, or offer both

  • Because this is proprietary and sits on the customer’s backend servers, it is very difficult for a customer to switch vendors:

    • Customer would have to tear out backend software which could be very disruptive to entire security paradigm / end customer base

    • Replace ALL tokens across customer base in one shot (practically impossible)

    • If 10% of tokens don’t work, they’ll likely lose 10% of their client base

    • Run both solutions concurrently for a while, offsetting any potential savings

  • Only exception where they have lost a customer is when a customer went bankrupt or was acquired and forced to adopt their parent company’s platform

Financial Overview

• After multiple years of declines, the Company inflected in Q3’17 – we have now seen several quarters of positive y/y growth and margin expansion

• Software offerings carry high 70s (SaaS) or mid-80s to mid-90s (licensing) gross margins versus legacy hardware in the high 50s

• The mix shift in gross margin should account for roughly half of EBITDA margin expansion over the next several years – by our estimate, overall gross margin should improve from 70% in 2017 to 77% in five years

• Modeling out each segment reveals topline acceleration and margin uplift over time – the breakout we used below is based on management’s historical commentary on each individual segment, company filings and peer comparable metrics

• Roughly 50% of revenue from EMEA, 25% from Americas and 25% from APAC

Key Assumptions

• Revenue

  • Hardware: reported within “Product and licensing” line, as well as broken out in the supplementary section of filings.  Management has suggested “flat to down 5% y/y” into the future – we have assumed down 3% y/y every year in our forecast, although the segment has been outperforming our expectations lately (grew 2% in Q3’2018)

  • eSign: management disclosed the business produced $16m of revenue in 2015, then “grew 25% in 2016”, then “grew 50% in 2017” per transcripts/presentations.  This would imply $30m of revenue in 2017.  We are assuming $28m to be conservative.  Current SaaS/licensing mix is 50/50, but transitioning to 100% SaaS very quickly.  As such, we assume revenue takes an optical hit in 2H’18 and through 2019 before bouncing back in 2020 to growth levels consistent with 2017 performance as it laps the tough compares.  eSign licensing revenue is gone by end of 2019, thus 0 for 2020 onwards.  While the licensing portion is included in the “Product and licensing” bucket, the SaaS portion is included in the “Services and other” bucket, although all SaaS revenue is broken out in the supplementary section as “Subscription” revenue

  • Mobile Security: we model this segment as 100% licensing (although a small portion is SaaS).  Since we know the rough amount of eSign licensing revenue $ (~50% of total eSign revenue historically), the remaining licensing revenue reported can be attributed to mobile security.  Similar to Hardware, licensing is reported within the “Product and licensing” line but also broken out in the supplementary section.  Subtracting eSign’s licensing revenue from total licensing revenue should reveal Mobile Security revenue

  • DealFlo: 8K filing post acquisition discloses 2016-17 historicals that show DealFlo grew 43% in 2017.  Management said it would add $4m of revenue to 2018E guidance (7 months of ownership) which factors in a revenue recognition impact.  We are assuming ~40% growth in 2019 to get to ~$9m of revenue and modest deceleration onwards.  Since DealFlo is 100% SaaS, it is included in the “Services and other” bucket, as well as the “Subscription” bucket disclosed in the supplementary section

  • Maintenance: included in the “Services and other” bucket, as well as broken out as “Maintenance” and “Professional Services” in the supplementary section.  We assume modest growth consistent with historical patterns and recent management commentary suggests current revenue levels as appropriate for the next couple of quarters

• Gross Margin

  • We estimate licensing and maintenance components at ~85% gross margin, consistent with the broader software licensing industry (85-95%+).  This is applied to Mobile Security, eSign’s licensing revenue, and Maintenance

  • DOCU has gross margins of 77% and DealFlo had 77% gross margin last year.  As such, we estimate 77% gross margin for the SaaS components (eSign SaaS and DealFlo), with improvement to 82% over 5 years, consistent with successfully scaled SaaS peers

  • Hardware is said to have “high 50s” gross margin per management, which we assume is currently 57% and declines gradually to 52% over 5 years given its eroding importance

• Operating Expenses

  • The Company has ramped opex notably over the past few years as it invested in the software side and built out a more robust salesforce – now with the bulk of their cost structure in place, we should begin to witness notable operating leverage in the coming years

  • S&M – currently ~30% of revenue and we expect modest leverage going forward.  We take S&M as a % of revenue down ~100bps y/y

  • R&D – per management commentary on the Q2’18 earnings call, OSPN is ramping R&D a bit more through 2018 as it integrates DealFlo and prepares for the launch of the new Trusted Identity platform.  As such, we model R&D stepping up in 2018 to 15% of revenue (up from 12% in 2017), but expect operating leverage starting in 2019 and normalization back towards 13% over time

  • G&A – we expect operating leverage on this line going forward and management does not expect any meaningful G&A growth from 2018 to 2019 (per commentary in a sellside note).  We expect to witness notable leverage here over time  from what we expect as 21% of revenue in 2018

• EBITDA margins

  • Hardware: our estimate is that this segment operates closer to 20% EBITDA margins during “normal periods”, and high 20s during “high volume” periods.  In 2014-15, OSPN received a huge order from Rabobank for hardware authenticators.  In case you were wondering, this was the reason why the stock spiked during that time frame.  For our forecast, given the secular decline, we’re assuming the Company manages 20% margins going forward with modest opex reductions over time to offset the decline in gross margins

  • Assuming the above for the Hardware segment, the remaining EBITDA is attributed to all non-hardware components.  Management has suggested that these software businesses are already operating at the “Rule of 40” where revenue growth plus EBITDA margin should equal 40 or higher, although this is prior to the mix shift from licensing to SaaS within eSign.  As a result, our estimates conservatively assume they achieve the Rule of 40 by 2021

  • As a result, we see EBITDA margins expand from 12% in 2017 to ~20% by 2021 and reaching the mid-20s shortly after – back to where it was prior to the transformation (EBITDA margins were 26% in 2015)

Valuation

• DCF implies $31 present value, or roughly 100% upside

  • Capex is minimal – we estimate ~$5-6m per year.  This compares to 2017 capex of $3m

  • Assume 30% corporate tax rate; $156m of NOLs not included in our analysis, but obviously worth something

• SOTP on 2021E figures using forward peer multiples implies a fair value of $34 two years out, or over 100% upside

  • eSign: DOCU forward EV/Revenue for the SaaS portion

  • Mobile Security and eSign Licensing: forward EV/Revenue in line with licensing software peers (CYBR, NICE, VRNS, SYMC, IMPV, PEGA)

  • DealFlo: forward EV/Revenue in line with ~35 enterprise SaaS peers

  • Hardware: distressed 5.5x forward EV/EBITDA

  • Assume $20m in annual share repurchases given high cash balance, although they may do another M&A deal

Management

• The Founder and former CEO, Ken Hunt, stepped back into a Chairman role as he knew the Company required new leadership to execute the transition into software

• As a result, a new CEO, CFO, CMO, and CIO were installed – all software professionals

• Scott Clements (CEO) joined in 2015 – he previously spent 11 years at Tyco (security company acquired by Johnson Controls for $16.5bn in 2016) as the former SVP of Corporate/Business Development, CTO and President of the Retail segment ($1bn+ revenue)

• Mark Hoyt (CFO) joined in 2015 – he is the former CFO of Groupon EMEA, bringing a North American and European background from an internet/software services company

• The Founder still owns ~20% of the stock – he is essentially retired in Switzerland and not involved in day-to-day operations, thus selling a little stock over time, but apparently still excited to be a long-term shareholder

Where could we be wrong?

• While there is certainly execution risk as the Company continues its transformation, we think there would be significant strategic and financial interest in acquiring OSPN in case they ever had to go that route, which in this scenario provides a nice “Plan B” to protect shareholder capital.  Here’s a short list of potential acquirers in our view:

  • Security: Palo Alto Networks, Fortinet, Check Point, Sophos, Thales/Gemalto, Dell/RSA, CA Technologies, Symantec, FireEye, Cisco, Trend Micro, VeriSign, IBM, etc.

  • Mobility / FinTech / e-Signature: Apple, Microsoft, Google, Visa, Mastercard, American Express, Adobe, DocuSign, etc.

  • Private Equity: Vista Equity, Thoma Bravo, KKR, Silver Lake, TPG, Vector Capital, Accel-KKR, Francisco Partners, Permira, etc.

• In terms of our model assumptions:

  • eSign revenue mix shift to SaaS could create bigger optical headwinds in the near-term than we modeled, causing a “miss” versus street expectations (as discussed on the recent Q3’2018 earnings call).  We would likely view any negative reaction to the stock in this situation as a buying opportunity as SaaS recurring revenue is far more valuable than licensing

  • Hardware growth/margins could deteriorate faster than we expect; however, we are not attributing much value to this segment in our SOTP analysis

  • General quarterly lumpiness could cause volatility.  It is difficult for anybody, let alone management, to predict an accurate picture of the entire company for every 3-month period.  There may be times where they have a blowout quarter, and the subsequent quarter takes a breather – this gyration has happened throughout 2018, but as management pointed out, OSPN’s software offerings are still growing robustly YTD.  This all sounds extremely attractive and again, we would likely view any quarterly lumpiness as a buying opportunity

• M&A

  • They have shown a preference to use their capital towards M&A.  So far it’s been a home run, but we certainly hope they remain disciplined about it.  A bad M&A deal down the line could hamper financial metrics / valuation

  • The Company certainly has capacity to return capital to shareholders should they see fit

Catalyst

Transition to software model hits full stride

Sale of the entire company