In a world where protecting against cyber crime is high on most big business agendas, a U.K. provider of IT security to clients as small as dentists and neighborhood stores is outpacing the best that Silicon Valley has to offer.
Sophos Group Plc shares have more than doubled in 2017, beating every other stock in the Nasdaq CEA Cybersecurity Index, including larger California-based peers such as Symantec Corp. and Palo Alto Networks Inc. The stock has also left domestic equities trailing, being one of the top five performers in the U.K.’s FTSE All-Share Index.
Investors’ appetite is understandable. After this year’s global WannaCry ransomware attacks and headline-grabbing hacks at Uber Technologies Inc. and Equifax Inc., demand for cyber security has never been greater — whether you are a multinational corporation or a local shop owner. It’s a platform that’s giving Sophos some lofty ambitions in a British technology sector that was jolted by the $32 billion Japanese takeover of ARM Holdings in July 2016.
“We should be, we will be, the U.K. tech champion,” Chief Financial Officer Nick Bray said in an interview.
To get there, Bray will need to overtake software giants including Sage Group Plc and his former employer Micro Focus International Plc, whose market value of about 10.8 billion pounds ($14.5 billion) dwarfs Sophos’s 2.5 billion pounds.
The executive’s optimism is mostly shared by analysts, with nine out of 10 having buy recommendations on the stock and none advising clients to sell. Morgan Stanley named Sophos its top European technology sector pick for 2018 in a note on Friday. Yet, after this year’s gains, not all are bullish: KeyBanc’s Rob Owens cut Sophos to sector weight last month when it was trading about 12 percent above its current price of 541 pence.
“It’s had a heck of a run,” Owens said in an interview. “It’s not overly expensive, but it’s not overly cheap anymore.” Trading at about 31 times calendar 2018 free cash flow, the stock is “fairly valued” compared with companies like Symantec and Qualys Inc., he said.
Demand for Sophos’s services is growing as cyber crime tactics evolve. According to Bray, criminal gangs are changing tack and aiming hacks at a large number of smaller companies instead of a handful of bigger corporations, making cybersecurity “very relevant” for smaller firms.
Sophos’s products are aimed at mid-market businesses with up to 5,000 employees, but also include very small companies that are “playing catch up” with the need to protect against cyberattacks, he said. A dental practice could lose access to its patient records, for example.
While knowledge of IT security remains in the “very embryonic” stages, both general awareness and the sophistication of customers are increasing, Bray said.
The same game of catch-up appears to be happening with investors. Bray said Sophos was initially “misunderstood” when it sold stock in a 2015 initial public offering at 225 pence a share, having pulled a previous attempt at an IPO in 2007. A challenge of listing in London over the U.S. was that “we had to get the awareness up of what we did,” Bray said.
Sophos has “spent a lot of time educating” investors on the size of its addressable market, its competitive position and its financial model, specifically the size of its customer base and its renewal rate, the executive said. In November, the company raised its outlook for the 2018 financial year, reporting 22 percent first-half billings growth and hailing its renewal rate, a growing base of subscription revenue and a 220 percent rise in sales of its Sophos Central cloud platform.
After riding a wave in technology stocks for much of the year, Sophos shares have slipped back with the sector in recent weeks, also weighed down by a share placing by early investor Apax Partners. That and some recent share sales by directors led to oversupply, a weak share price and “misplaced concern about the fundamentals, which are very strong,” said Numis analyst David Toms, who upgraded the stock to add from hold last week.
Organic growth remains Sophos’s primary focus, according to Bray. The company is always evaluating “targeted technology tuck-ins” to boost its offering via mergers and acquisitions. Any deals it does pursue, like the 2015 purchase of Dutch endpoint protection firm SurfRight and this year’s acquisition of the software product arm of Invincea, would be done to expand the product offering and boost cross-selling scope, burnishing its organic growth potential.
Yet the pace of the company’s growth raises the question of whether Sophos may itself become a target. While no board members want to sell, “it’s not impossible,” Bray said. “You can never stop somebody knocking at the door.”
— With assistance by James Cone