2018 | 2019 | ||||||
Price: | 15.34 | EPS | 0 | 0 | |||
Shares Out. (in M): | 40 | P/E | 0 | 0 | |||
Market Cap (in $M): | 613 | P/FCF | 0 | 0 | |||
Net Debt (in $M): | -92 | EBIT | 0 | 0 | |||
TEV (in $M): | 521 | TEV/EBIT | 0 | 0 |
Sign up for free guest access to view investment idea with a 45 days delay.
OneSpan Inc. (NASDAQ:OSPN) (“OneSpan”, “OSPN” or the “Company”) is a well-established mobile and identity security software leader within the financial services industry, yet a relatively underfollowed stock. We discovered the name through a screening process and at first blush, the financials looked terrible. But after digging in, we discovered the Company was going through a massive multi-year transformation and had just inflected. In 2018, OneSpan rebranded from VASCO Data Security International, signifying a new era of accelerating growth, margin expansion and FCF generation. We believe the stock has over 100% upside potential over the next two years. We have interacted with the management team on multiple occasions and have worked diligently on a financial forecast and valuation analysis. First a summary before diving into detail:
Mobile and identity security leader catered towards financial services for over 20 years
Majority of top 100 global banks are customers; 10K+ customers in total
Company provides software and hardware security solutions to help banks authenticate their end users, facilitate digital transactions and mitigate fraud
Main software product is a Mobile Security API platform – allows financial services institutions to directly integrate a variety of security features into their mobile apps
Given banks lose billions and billions of dollars to fraud annually, they are amongst the biggest spenders on security solutions – mobile represents the latest frontier in need of advanced security
OSPN has almost never lost a significant customer to a competitor or in-house solution
#3 e-signature player behind DocuSign and Adobe
In 2015, the Company acquired Silanis (eSign) for $85m, the top provider of e-signature solutions in the financial services industry
Company has accelerated the growth of eSign post-acquisition by cross-selling to its existing customer base – the business grew over 50% in 2017
DocuSign (“DOCU”) IPO has heightened attention on the fast-growing e-signature space and provides investors a direct public comparable for OneSpan’s eSign segment
The segment is driving $200m+ of value today (vs. ~$500m total enterprise value) per our estimates
What’s misunderstood? Financial transformation masked immense, underlying value creation
OneSpan’s legacy hardware solutions are in a secular decline and caused the entire Company’s revenue to decline for multiple years as newer high margin software offerings started to ramp
Company invested heavily to grow software side, both in S&M and R&D, which caused overall operating margins to decline despite positive mix shift in gross margins
Company returned to positive total Company y/y growth in 2H’17 – last several quarters have shown strong y/y growth and margin expansion
OneSpan’s margins are projected to expand significantly as software offerings carry ~20-40 points higher gross margins than legacy hardware and have continued strong double-digit growth in 2018
EBITDA margins should roughly double to 20%+ in a few years, primarily driven by gross margin mix shift to software over time
Sellside coverage is minimal and street is not modeling any gross margin improvement despite obvious path of margin uplift
Valuation exceptionally cheap on a DCF and Sum-of-the-Parts basis – 100% upside in one year
Our DCF implies $31 present value and our SOTP on 2021E estimates imply OSPN is worth $33 in a year vs. ~$15 today. SOTP breakdown below:
eSign: DOCU forward EV/Revenue, worth $14/share
Mobile Security: in-line with other security software peers’ forward EV/Revenue, worth $11/share
DealFlo: in-line with other enterprise SaaS peers’ forward EV/Revenue, worth ~$3/share
Hardware: worth ~$3/share based on a 5.5x distressed EV/EBITDA multiple
Cash adds ~$3
Company has $92m in cash and no debt, $156m of NOLs and incurs minimal capex
Lastly, we believe OSPN is an extremely attractive acquisition target with no shortage of potential strategic and financial buyers. Security is a red hot space and their platinum customer base is a true validation of the technology. At the nexus of “mobile”, “identity” and “security”, we believe exposure to this theme is attractive. Similar examples include Cisco’s acquisition of Duo Security and Vista Equity’s acquisition of Ping Identity.
The Company has ~600 employees with a Worldwide HQ in Chicago and International HQ in Zurich. ~50% of revenue comes from EMEA, ~25% from the Americas and ~25% from APAC.
Now here are the details:
Industry Overview
OSPN operates in the “Identity and Access Management” space – essentially user authentication and advanced security to safeguard critical applications
Today, with applications both in the cloud and on-premise, and users increasingly eager to access apps from their mobile devices, successful identity and access management demands more than just passwords
First evolution beyond simple passwords was two-factor authentication
However, additional security features are needed to address highly sensitive applications and stringent regulatory requirements
This certainly applies to the financial services industry, which is a prime target for hackers (just follow the money) – 35% of all known data breaches in 2016 targeted the finance industry
Banks lose billions of dollars annually to fraud – a figure that keeps growing
Security is paramount given possession of sensitive user data – without trust, there is no business
Yet most customers desire online/mobile access to account information and transaction processing, driving the need to ensure secure transactions without ruining the user experience of the mobile app
Mobile banking users will grow to ~3bn by 2021 and are typically more profitable for banks –
mobile customers buy 2x as many products as non-mobile customers, and mobile app features help materially reduce branch traffic (i.e. mobile check deposits reduced bank traffic by 33% for Bank of America) – providing a high quality mobile experience is of utmost importance for a bank’s bottom line, yet it must be secure
OneSpan’s solutions help banks’ mobile apps remain secure while helping drive tangible business outcomes – as mentioned, they are trusted by the majority of the top 100 global banks. Select customers include HSBC, Bank of America, Citi, UBS, Mizuho, BNP Paribas, ING, Santander, and many more
Business Overview
The easiest way to break apart the multiple segments is: the legacy Hardware segment, the Mobile Security software segment, the e-signature business called eSign, and the digital onboarding business they recently acquired called DealFlo. There is also a steady high margin stream of Maintenance revenue as typical with the software licensing model
Hardware
You may recall RSA tokens that we all carried around – the tiny plastic keychain devices that spat out random numbers so you could log into your banking portal
OSPN was a major player here too. But now you can obviously do this through an authenticator app on your smartphone
The Company is at the forefront of hardware-based authentication – their latest products incorporate Cronto cryptography to authenticate / secure transactions via cryptogram. Users scan an HD color QR code using their Cronto-enabled device in order to verify their identity / transaction information
Despite the secular shift from hardware authentication to software, these are still widely used throughout the world. In fact, OSPN acquired the Cronto technology in 2013 for ~$22m and went on to generate $100m+ in revenue over the subsequent two years
Given the 4-6-year lifecycle of hardware devices and cultural affinity / perceived security (no internet connection, thus “never” at risk of being hacked), OSPN mgmt. believes it could take almost 20 years to wean off hardware
The segment contains many of OSPN’s biggest clients who will layer on the new software offerings over time, so we don’t believe there’s much rationale to selling it off. In addition, it generates substantial cash flow at ~20% EBITDA margins by our estimates
The segment is in slow decline – management has guided to flat to down 5% y/y
Mobile Security software
In 2009, OSPN launched a software-based authenticator that can operate on any non-OSPN device (desktop, laptop, smartphone, tablet, etc.)
Software-based authenticators are replacing hardware tokens – they are far more cost efficient for OSPN customers, and far easier to use for end users (hence, the Company is undergoing a transition from hardware to software)
In 2013, OSPN launched a mobile security API platform (software development kit or “SDK”) that offers a variety of security APIs that can be directly integrated within a mobile application – this has become the primary mobile security software offering today
The SDK allows OSPN’s customers to integrate next-generation security features into their own mobile apps to enhance identity access / reduce fraud
For example, the Chase mobile banking app can integrate OSPN security features such as authentication (via facial recognition, fingerprint, or behavioral, etc.), geolocation tracking, fraud prevention, device identification, and more
The segment grew 20%+ in 2017 and has accelerated to 60% growth YTD (Q3’18)
It is primarily licensing software revenue stream
eSign
In 2015, OSPN acquired Silanis for $85m, the provider of eSign e-signatures solution and #3 player behind DOCU and Adobe (EchoSign)
The acquisition enabled OSPN to expand vertically into a fast-growing market (e-signatures) – the segment grew 50%+ y/y in 2017
OSPN has been successfully cross-selling the product across its vast financial services customer base, and integrated e-signature capabilities into its mobile security SDK
DOCU has ~40% market share and Adobe has ~10-15% market share per Gartner. OSPN has 5-10% market share
Most industry analysts forecast the e-signatures industry to grow at a 30%+ CAGR for the next several years – OSPN is currently outpacing those estimates
eSign can be delivered via on-premise licensing or cloud SaaS. The current split is 50/50, but is rapidly shifting to the cloud (we assume eSign will be 100% SaaS by 2020). It’s important to note that this shift to SaaS is creating a near-term revenue headwind, but substantial value creation over the long-term given higher profitability and recurring nature
eSign is the leading provider for the financial services vertical as it offers a “white label” (brandless) solution for customers. At a local Chase bank you’ll likely see “Chase e-signature”, not the OneSpan logo
eSign is offered as a standalone solution or available through OSPN’s mobile security SDK so mobile banking apps can incorporate e-signing directly
e-signatures can also serve as an advanced form of user authentication, enhancing the security process around transactions
As such, OSPN has a “platform” approach of offering its e-signature capability as part of a broader mobile security suite – we believe this will continue to serve as a key differentiator within the financial services vertical for years
This stands in contrast to DOCU – despite being a larger company, they have not been successful in deeply penetrating the financial services vertical given the mass market focus of providing e-signature capability as a feature, not a product. While this works for the masses, banks need more complex customizable solutions that incorporate e-signatures
DealFlo
In May 2018, OSPN acquired DealFlo, a SaaS provider of “digital onboarding” solutions for $53m
In a subsequent 8K filing we can see that DealFlo grew 43% y/y in 2017 and carried 77% gross margins. It will add $4m of revenue to 2018 (7 months) per management guidance and we conservatively expect ~$9m in 2019 (full year)
The solution enables financial institutions to verify new/unknown identities and securely onboard them as a customer through a mobile app, eliminating the need for a customer to come into a physical branch
DealFlo already utilizes OSPN’s eSign solution as part of the verification process – the teams know each other well and there is natural technology / go-to-market synergy
DealFlo vastly improves conversion/completion rates for new customer applications, and expands banks’ overall market reach, driving tangible business results
Maintenance – essentially 100% attach rate on licensing revenue with annual renewals
The Company’s solutions are extremely sticky – they have almost never lost a significant customer
OSPN customers must implement backend software (a controller API) on their servers that will manage/sync with all software and hardware tokens
This is a proprietary software offering and is the same for managing both hardware and software tokens, making it easy for customers to transition from hardware to software, or offer both
Because this is proprietary and sits on the customer’s backend servers, it is very difficult for a customer to switch vendors:
Customer would have to tear out backend software which could be very disruptive to entire security paradigm / end customer base
Replace ALL tokens across customer base in one shot (practically impossible)
If 10% of tokens don’t work, they’ll likely lose 10% of their client base
Run both solutions concurrently for a while, offsetting any potential savings
Only exception where they have lost a customer is when a customer went bankrupt or was acquired and forced to adopt their parent company’s platform
Financial Overview
After multiple years of declines, the Company inflected in Q3’17 – we have now seen several quarters of positive y/y growth and margin expansion
Software offerings carry high 70s (SaaS) or mid-80s to mid-90s (licensing) gross margins versus legacy hardware in the high 50s
The mix shift in gross margin should account for roughly half of EBITDA margin expansion over the next several years – by our estimate, overall gross margin should improve from 70% in 2017 to 77% in five years
Modeling out each segment reveals topline acceleration and margin uplift over time – the breakout we used below is based on management’s historical commentary on each individual segment, company filings and peer comparable metrics
Roughly 50% of revenue from EMEA, 25% from Americas and 25% from APAC
Key Assumptions
Revenue
Hardware: reported within “Product and licensing” line, as well as broken out in the supplementary section of filings. Management has suggested “flat to down 5% y/y” into the future – we have assumed down 3% y/y every year in our forecast, although the segment has been outperforming our expectations lately (grew 2% in Q3’2018)
eSign: management disclosed the business produced $16m of revenue in 2015, then “grew 25% in 2016”, then “grew 50% in 2017” per transcripts/presentations. This would imply $30m of revenue in 2017. We are assuming $28m to be conservative. Current SaaS/licensing mix is 50/50, but transitioning to 100% SaaS very quickly. As such, we assume revenue takes an optical hit in 2H’18 and through 2019 before bouncing back in 2020 to growth levels consistent with 2017 performance as it laps the tough compares. eSign licensing revenue is gone by end of 2019, thus 0 for 2020 onwards. While the licensing portion is included in the “Product and licensing” bucket, the SaaS portion is included in the “Services and other” bucket, although all SaaS revenue is broken out in the supplementary section as “Subscription” revenue
Mobile Security: we model this segment as 100% licensing (although a small portion is SaaS). Since we know the rough amount of eSign licensing revenue $ (~50% of total eSign revenue historically), the remaining licensing revenue reported can be attributed to mobile security. Similar to Hardware, licensing is reported within the “Product and licensing” line but also broken out in the supplementary section. Subtracting eSign’s licensing revenue from total licensing revenue should reveal Mobile Security revenue
DealFlo: 8K filing post acquisition discloses 2016-17 historicals that show DealFlo grew 43% in 2017. Management said it would add $4m of revenue to 2018E guidance (7 months of ownership) which factors in a revenue recognition impact. We are assuming ~40% growth in 2019 to get to ~$9m of revenue and modest deceleration onwards. Since DealFlo is 100% SaaS, it is included in the “Services and other” bucket, as well as the “Subscription” bucket disclosed in the supplementary section
Maintenance: included in the “Services and other” bucket, as well as broken out as “Maintenance” and “Professional Services” in the supplementary section. We assume modest growth consistent with historical patterns and recent management commentary suggests current revenue levels as appropriate for the next couple of quarters
Gross Margin
We estimate licensing and maintenance components at ~85% gross margin, consistent with the broader software licensing industry (85-95%+). This is applied to Mobile Security, eSign’s licensing revenue, and Maintenance
DOCU has gross margins of 77% and DealFlo had 77% gross margin last year. As such, we estimate 77% gross margin for the SaaS components (eSign SaaS and DealFlo), with improvement to 82% over 5 years, consistent with successfully scaled SaaS peers
Hardware is said to have “high 50s” gross margin per management, which we assume is currently 57% and declines gradually to 52% over 5 years given its eroding importance
Operating Expenses
The Company has ramped opex notably over the past few years as it invested in the software side and built out a more robust salesforce – now with the bulk of their cost structure in place, we should begin to witness notable operating leverage in the coming years
S&M – currently ~30% of revenue and we expect modest leverage going forward. We take S&M as a % of revenue down ~100bps y/y
R&D – per management commentary on the Q2’18 earnings call, OSPN is ramping R&D a bit more through 2018 as it integrates DealFlo and prepares for the launch of the new Trusted Identity platform. As such, we model R&D stepping up in 2018 to 15% of revenue (up from 12% in 2017), but expect operating leverage starting in 2019 and normalization back towards 13% over time
G&A – we expect operating leverage on this line going forward and management does not expect any meaningful G&A growth from 2018 to 2019 (per commentary in a sellside note). We expect to witness notable leverage here over time from what we expect as 21% of revenue in 2018
EBITDA margins
Hardware: our estimate is that this segment operates closer to 20% EBITDA margins during “normal periods”, and high 20s during “high volume” periods. In 2014-15, OSPN received a huge order from Rabobank for hardware authenticators. In case you were wondering, this was the reason why the stock spiked during that time frame. For our forecast, given the secular decline, we’re assuming the Company manages 20% margins going forward with modest opex reductions over time to offset the decline in gross margins
Assuming the above for the Hardware segment, the remaining EBITDA is attributed to all non-hardware components. Management has suggested that these software businesses are already operating at the “Rule of 40” where revenue growth plus EBITDA margin should equal 40 or higher, although this is prior to the mix shift from licensing to SaaS within eSign. As a result, our estimates conservatively assume they achieve the Rule of 40 by 2021
As a result, we see EBITDA margins expand from 12% in 2017 to ~20% by 2021 and reaching the mid-20s shortly after – back to where it was prior to the transformation (EBITDA margins were 26% in 2015)
Valuation
DCF implies $31 present value, or roughly 100% upside
Capex is minimal – we estimate ~$5-6m per year. This compares to 2017 capex of $3m
Assume 30% corporate tax rate; $156m of NOLs not included in our analysis, but obviously worth something
SOTP on 2021E figures using forward peer multiples implies a fair value of $34 two years out, or over 100% upside
eSign: DOCU forward EV/Revenue for the SaaS portion
Mobile Security and eSign Licensing: forward EV/Revenue in line with licensing software peers (CYBR, NICE, VRNS, SYMC, IMPV, PEGA)
DealFlo: forward EV/Revenue in line with ~35 enterprise SaaS peers
Hardware: distressed 5.5x forward EV/EBITDA
Assume $20m in annual share repurchases given high cash balance, although they may do another M&A deal
Management
The Founder and former CEO, Ken Hunt, stepped back into a Chairman role as he knew the Company required new leadership to execute the transition into software
As a result, a new CEO, CFO, CMO, and CIO were installed – all software professionals
Scott Clements (CEO) joined in 2015 – he previously spent 11 years at Tyco (security company acquired by Johnson Controls for $16.5bn in 2016) as the former SVP of Corporate/Business Development, CTO and President of the Retail segment ($1bn+ revenue)
Mark Hoyt (CFO) joined in 2015 – he is the former CFO of Groupon EMEA, bringing a North American and European background from an internet/software services company
The Founder still owns ~20% of the stock – he is essentially retired in Switzerland and not involved in day-to-day operations, thus selling a little stock over time, but apparently still excited to be a long-term shareholder
Where could we be wrong?
While there is certainly execution risk as the Company continues its transformation, we think there would be significant strategic and financial interest in acquiring OSPN in case they ever had to go that route, which in this scenario provides a nice “Plan B” to protect shareholder capital. Here’s a short list of potential acquirers in our view:
Security: Palo Alto Networks, Fortinet, Check Point, Sophos, Thales/Gemalto, Dell/RSA, CA Technologies, Symantec, FireEye, Cisco, Trend Micro, VeriSign, IBM, etc.
Mobility / FinTech / e-Signature: Apple, Microsoft, Google, Visa, Mastercard, American Express, Adobe, DocuSign, etc.
Private Equity: Vista Equity, Thoma Bravo, KKR, Silver Lake, TPG, Vector Capital, Accel-KKR, Francisco Partners, Permira, etc.
In terms of our model assumptions:
eSign revenue mix shift to SaaS could create bigger optical headwinds in the near-term than we modeled, causing a “miss” versus street expectations (as discussed on the recent Q3’2018 earnings call). We would likely view any negative reaction to the stock in this situation as a buying opportunity as SaaS recurring revenue is far more valuable than licensing
Hardware growth/margins could deteriorate faster than we expect; however, we are not attributing much value to this segment in our SOTP analysis
General quarterly lumpiness could cause volatility. It is difficult for anybody, let alone management, to predict an accurate picture of the entire company for every 3-month period. There may be times where they have a blowout quarter, and the subsequent quarter takes a breather – this gyration has happened throughout 2018, but as management pointed out, OSPN’s software offerings are still growing robustly YTD. This all sounds extremely attractive and again, we would likely view any quarterly lumpiness as a buying opportunity
M&A
They have shown a preference to use their capital towards M&A. So far it’s been a home run, but we certainly hope they remain disciplined about it. A bad M&A deal down the line could hamper financial metrics / valuation
The Company certainly has capacity to return capital to shareholders should they see fit
Transition to software model hits full stride
Sale of the entire company
show sort by |
Are you sure you want to close this position ONESPAN INC?
By closing position, I’m notifying VIC Members that at today’s market price, I no longer am recommending this position.
Are you sure you want to Flag this idea ONESPAN INC for removal?
Flagging an idea indicates that the idea does not meet the standards of the club and you believe it should be removed from the site. Once a threshold has been reached the idea will be removed.
You currently do not have message posting privilages, there are 1 way you can get the privilage.
Apply for or reactivate your full membership
You can apply for full membership by submitting an investment idea of your own. Or if you are in reactivation status, you need to reactivate your full membership.
What is wrong with message, "".