
SSH Communications Security Oyj
OMXH:SSH1V

Price: 1.13 EUR 8.65% Market Closed
Market Cap: 46.3m EUR

Earnings Call Analysis

Q3-2024 Analysis
SSH Communications Security Oyj

Stable Performance Amid Market Challenges with Positive Growth Outlook

In Q3 2024, SSH Communications reported a 1.5% increase in net sales to EUR 5.2 million, maintaining an EBITDA of EUR 1 million for the 14th consecutive quarter. Subscription revenue showed promising growth, with PrivX sales up 15.6% and a year-to-date increase of 25.7%. While the company faced decision-making delays from customers, management remains optimistic about a strong pipeline and expects positive net sales and EBITDA in 2024. Recent NATO approvals further enhance market potential, particularly in Europe. Overall, SSH emphasizes its commitment to enhancing security technology amid rising cybersecurity threats and evolving market demands.

A Steady But Modest Growth

In the third quarter of 2024, SSH Communications Security reported a net sales growth of 1.5%, reaching EUR 5.2 million. This modest increase reflects the company's ability to maintain stable profitability, evidenced by an EBITDA of EUR 1 million, which remained consistent with the same period in the previous year. However, the growth of subscription annual recurring revenue (ARR) was slightly higher at 2.4%, with PrivX subscription sales experiencing a significant increase of 15.6% in the third quarter alone, contributing to an impressive year-to-date growth of 25.7%.

Pipeline Expansion and Certifications

During the quarter, SSH expanded its pipeline successfully, securing new PrivX deals in both the EMEA and APAC regions. A notable accomplishment was the acquisition of NATO procurement approval, which opens significant market opportunities in Europe and beyond. The company also received certification for its network encryption solution, NQX, from the National Cybersecurity Authority (NCSA), marking a critical step in enhancing its credibility and authority in cybersecurity.

Challenges in Customer Decision-Making

Despite positive developments, the Interim CEO, Rami Raulas, expressed disappointment over slower-than-expected customer decision-making amidst rising cyber threats like phishing and ransomware. While the customer base has shown satisfaction with SSH's solutions, there are delays due to organizational uncertainties and resource allocation issues. As a result, some contracts, including a significant EUR 1.8 million cryptographic solution, may be recognized later than initially anticipated.

Looking Forward: 2024 Revenue Prospects

The company remains optimistic about its 2024 outlook, reiterating its expectation for net sales growth and positive EBITDA and cash flow from operating activities. This aligns with the company's strategy to enhance its partner network, which has been active in training engineers and expanding customer cases. SSH expects these initiatives to bolster revenue and improve profitability in the coming year.

Innovation in Cybersecurity Solutions

SSH’s ongoing commitment to innovation was highlighted by advancements in its product offerings. The release of NQX 3.0 includes the implementation of post-quantum cryptographic algorithms, positioning SSH as a leader in adopting cutting-edge technology that can handle future cyber threats. Furthermore, SSH has integrated its PrivX Zero Trust Suite with its SalaX Secure Messaging services, reinforcing its approach to secure collaboration in a landscape increasingly targeted by cyberattacks.

Market Trends and Strategic Focus

The operational technology (OT) market continues to present considerable opportunities, as it remains the most attacked domain according to IBM's X-Force intelligence report. SSH's focus on the IT/OT convergence is strategic; by securing the digital transformation of industrial sectors, the company aims to enhance its portfolio's effectiveness and relevance. The implementation of new legislation, like Europe’s NIS 2, provides SSH with a backdrop to promote its offerings actively.

Conclusion: A Cautious Optimism

In conclusion, SSH Communications Security is navigating a challenging yet promising landscape. With stable financials, a growing pipeline, and strategic certifications enhancing its credibility, the company is well-placed to capitalize on future growth. Investors should be aware of the risks posed by customer hesitancy but can take confidence in the management's commitment to innovation and market expansion initiatives. As SSH prepares for 2024, vigilance on customer engagement and operational efficiency will be key to achieving its growth ambitions.

Earnings Call Transcript

2024-Q3

Aino Virolainen
executive

Welcome to SSH Communications Security's Investor Call for Q3 of 2024. My name is Aino Virolainen. I am a member of the SSH finance team and responsible for our Investor Relations.

The results will be presented by our Interim CEO, Rami Raulas; and our CFO, Michael Kommonen. After their presentations, we will have time for questions and answers. If you have any questions during the call, you can ask by writing in the chat. The call is hosted with our own solution, SalaX Secure Messaging. The call will be recorded, and the recording as well as the presentation material will be available on our website.

And now, I think it's time to start the presentations. So, I would like to invite our CFO, Michael, to start with the financials. So, please go ahead.

Michael Kommonen
executive

Thank you, Aino, and good morning also on my behalf, and welcome to our third quarter 2024 investor call.

So in the third quarter of this year, we grew net sales by 1.5%, and EBITDA was EUR 1 million, so on the same level as in the previous year third quarter. Sales reached EUR 5.2 million. Subscription ARR grew 1.8%. And within the subscription business, PrivX sales -- subscription sales grew 15.6% in the third quarter. Year-to-date, PrivX subscription sales growth is now 25.7%. As mentioned, the quarterly EBITDA was EUR 1 million, same as previous year. So despite the moderate overall sales growth, we were able to maintain a stable profitability in the third quarter.

During the quarter, our pipeline growth continued. We secured PrivX deals both in EMEA and APAC. We also made progress on achieving NATO approval and solution approval for NQX by the Finnish authorities. Looking at the quarterly trend, as we see here, basically the same sales and profitability numbers as in the previous quarter, but maintaining a positive trend over the year. Subscription sales overall grew 2.4% in the third quarter.

Deferred revenues decreased slightly and were EUR 11.5 million at the end of the third quarter. EBIT was also positive in the third quarter, and also in line with the EBITDA on a similar level as last year in the third quarter. Cash flow from operations was negative EUR 0.7 million. So, depending on seasonal fluctuations in invoicing and cash collection, negative this year versus a positive number in the third quarter last year.

Finally, on the financial side, we are reiterating our outlook for 2024. So, we continue to expect net sales to grow in 2024 compared to last year, and we estimate that EBITDA and cash flow from operating activities will be positive in 2024.

With that, I'm happy to hand over to our Interim CEO, Rami. So Rami, welcome.

Rami Raulas
executive

Thank you, Michael.

While Q3 was good, it was the 14th consecutive quarter with positive EBITDA and we made a positive net profit. The growth numbers did not yet really meet our expectations. Though our solutions are really taken up well, and we have satisfied customers, the functionality and value of our solutions with the total cost of ownership and return of investment is superior in the market. And we are not losing opportunities. I need to say that I'm disappointed that in the turmoil of this warfare and digital attacks of phishing and ransomware and extortion and data theft situation, customers seem to be pretty slow to make decisions and implement solutions even if the attacks are on the rise. But we certainly will continue that, and I see positive outcome on our growing pipeline there. But I wanted to open up a little bit about what we indeed have been doing in the past months and highlighting a few areas in there.

So first of all, we earlier announced a couple of certifications, ISO 27001 and the certification for facility security by the Finnish Defense Forces. Now what happened in Q3 is that we got a new approval for our network encryption solution, NQX, for confidential level from the NCSA, National Cybersecurity Authority and got approved for NATO as a supplier for the NATO procurements. This, especially the NATO procurement agreement and the continuous steps following that will definitely give us an opportunity to expand our market opportunity in Europe and worldwide as well. And we will be taking further steps, getting also approvals for the solution for NATO and Europe on the solution level as well. And this is not just restricted for the network encryption, but our whole portfolio. But let's see also the other trend.

We've been talking about Quantum-Safe and post-quantum cryptography. So what is happening there? This has taken now a step forward to protect the government entities and infrastructure. There is a legislation law in the U.S. for this. And now the officials in Europe and in the U.S., government and NIST, national standardization organization in the U.S., announced now the final release of post-quantum and Quantum-Safe algorithms or technology, which we have implemented and as you saw earlier, indeed, announced it in our product, NQX 3.0. So it's one of the first, if not the first to implement these new technologies. And it also does it in a very effective way. So because of the architecture of the solution, we can claim that the solution is up to 6x faster than traditional solutions even on the highest network level of up to 100 gigabits per second, which is where the networks are growing and going altogether.

And we're also part of the consortium -- this consortium. Suvi Lampila, who you see speaking there in the small picture is our representative. We are one of the very few European companies part of that, this American standardization for post-quantum technologies and algorithms and key exchange protocols. And we have an interesting other project ongoing and soon finalizing, something called AIQUSEC. I need to read this out loud. So, AI-based quantum secure, cybersecurity automation and orchestration in the edge intelligence of future networks, meaning OT, manufacturing and critical networks. How we deploy monitoring, vulnerability analysis, secure connections using also AI technology, which we have already had. We have AI technology in our solutions, especially in PrivX already a few years, which gives me a nice segue to move on a little bit to operational technology, OT markets.

OT, operational technology, manufacturing companies, logistics, ports, maritime, critical infrastructure, electricity, water and so on and so forth, continue to be the most attacked domain in cybersecurity according to IBM's X-Force intelligence -- threat intelligence report. So, manufacturing is the most attacked cybersecurity target since three years in a row. So, we kind of feel obliged to do a favor and help companies protect against that. Also, the new legislation or mandate, NIS 2 came into force five days ago in Europe, October 17.

The local legislation in the countries is late, but the directive and its consequences are now in play, are in force as we speak. And we were very active in third quarter in promoting that. We were also participating in many OT, operational technology events in Hamburg, in Germany, in Rotterdam in Holland, you see there are plenty of customers joining that, and we had a booth and presentation there, you see our team there. And right after the quarter end, we also had a successful event in Chicago, ManuSec. You see our team there as well. And this week, we've been now participating in ISC in Atlanta in the U.S. as well, collecting new opportunities and having face-to-face time with manufacturing companies, logistics companies, and critical infrastructure operators.

And indeed, in the past months, have added about a dozen new opportunities for OT, increasing the pipeline by a tremendous amount. And this is a strategic area we chose a few years ago to focus on OT, but looking at it from the IT/OT convergence point of view because OT used to be a separate domain. And I will cover that in a minute. So, our portfolio has been developed further. So, we have made -- we came up with a new branding for our secure collaboration, SalaX. PrivX Zero Trust Suite has seen a lot of progress and new versions. And as you saw, we announced new versions for -- and functionalities for the network encryption as well, all connected together.

And what is now kind of new and what we've been working on is to integrate that these are not three different solution areas of our portfolio, but they actually integrated. Like, if you think about it from the middle there, so what Privileged Access Management solutions like PrivX Zero Trust Suite typically protects? Typically, it protects access to databases where the critical data is or access to files -- server files. I mean, if you think of the leaks or attacks in Finland for Vastaamo and City of Helsinki, they were -- it was databases or file servers. But the world has changed and is changing. So, more and more of the data nowadays is not only on traditional IT, it's in our communication platforms, WhatsApp, Slack, Teams, places where no longer companies know where their secrets are. And there will be some alerting or alarming incidents there.

I mean, the SEC and CFTC, the governance bodies in the U.S. for finance, have slapped up to EUR 5 billion now for over 20 banks for using WhatsApp and Signal without the banks knowing how they communicate with their customers. Disney, over 1,000 Slack channels were robbed. And so everybody now -- it's public knowledge now what are the upcoming movies and scripts and actors and their payments. I thought that was company secret, but too easy to get hold of. And so it's logical that in our portfolio, we have access control to IT systems, but also for the human communication part, so PrivX and SalaX.

And we have now started to present how we also do just-in-time tunneling using NQX technology for the OT market combined together with PrivX because in the OT space, you just can't leave doors open or connections open in or out. They have to be governed, so that only the right actors and applications get access to the manufacturing, operational technology components when needed on the level of needed authority.

So with that in mind, let's have a quick look on how this IT and OT convergence is developing and how we have found a play, which is pretty unique on the market. So if you think about IT and OT, about -- in IT, it's about information confidentiality. It's about integrity and availability of information. On the OT side, it's about safety, reliability and availability. So, very different topics altogether. And the convergence of these areas was kind of not needed in the past decades. But now when everything is controlled digitally, we talk about Industry 4.0, digital twins, things are controlled separate -- remotely and with IT systems, these are now converging. So, these are typical requirements for IT access controls; integration, identity-based access controls, strong authentication, biometric authentication, no passwords. Let's get rid of passwords because they are the biggest threat factor in every case, modern architectures, automatic scalability up to millions of connections per day and monitoring and recording of what is happening so that there's control over activities.

On the OT side, it's more about governance, approving the right actors to access the critical solutions. It's about standardization. It's about support for legacy environments, which don't support modern security protocols and components and connection to Zero Trust access as well. And what we have managed to do is to actually combine these domains together as one solution area with PrivX OT and PrivX IT. And soon, we will be announcing some broadening of our OT offering, but stay put. We will -- you'll hear more about it in the coming weeks.

But I mentioned about the human communication and the sensitivity of data. And so I wanted to say a few words about how we are repositioning our SalaX Secure Messaging offering on the market. So when we look at the secure collaboration platform, we have an existing platform with secure mail, secure rooms, secure forms, inputting data securely and secure sign. They continue to be represented strongly, and we are actually selling more of them as well. But we introduced a new portfolio now alongside that and as a transition moving forward with new secure mail based on PrivX technology and new secure messaging, which I wanted to share a few more words about.

Doing these kind of things like we do today, secure video conferencing, secure rooms, secure sharing, and so on and so forth; secure chatting, secure file sharing. And what we now are making a bit more public is that our technology, our solution, SalaX Secure Messaging, is based on a partnership with Element, which is the founder of something called Matrix technology, an open standard for secure -- open standard, open protocol for secure interoperable communications.

So let me, in a minute, show you after this, a few examples of where that technology is very widely and successfully being used already, just to demonstrate how, I would say, clever of a platform choice we made to develop our own solution, SalaX Secure Messaging on top of that. But if you look at some of the customer cases for secure collaboration, so typical area is health care, governmental use and HR. So get employment contracts, keep all employee-related information secure, send sensitive information, collect sensitive information. There was actually a rude hack into HR systems some while back. Somebody got access as an administrator to HR system and moved all the payment accounts of monthly salaries to Bahamas. Wow. I would not have wanted to work in that company, not being with salary for a month. So protect that, don't let that happen. There are tools to do that.

But let's have a look at some other cases now for messaging, customer cases or use cases that are using this platform technology, Element Matrix technology that we are building our SalaX Secure Messaging on. So, one use case is the German Army, Bundeswehr, which is about simple real-time communication via messaging services. I mean, they made the conclusion, like I mentioned the banks already earlier, is that you can't just really use public commercial solutions like WhatsApp, Signal, Telegram. There is a challenge for the public sector, especially when it comes to national security. So it's about the highest standards of security and confidentiality and data security and digital sovereignty. Bundeswehr in this case, owning the platform, owning the data, owning the communications, but then allowing external players to work there.

Another defense-related example is NATO, which is experimenting this. And in that case, the use case is more to allow external parties related to NATO, to connect with their own devices, bring your own device without having to get people's phone numbers but of course, strong identity verification on people who can then -- and systems who can then connect to the environment. And once again, it's end-to-end encrypted with strong encryption keys. And the use of that will very likely be enhanced within the NATO organization.

French Government has chosen this technology to -- actually, the French Government -- the French market is very advanced in digitalization. I mean, this is kind of a very modern way of communicating with 300,000 citizens per day in a very safe and modern efficient ways. I mean, Jerome Ploquin, who is responsible for this project in France said that data has to be on their own servers, probably in the country. They can't allow the data to be out of the country. There is Patriot Act in the U.S. that creates ambiguity. And the commercial providers' business models did not suit the security requirements or sensitivity requirements of the French government.

A huge upcoming solution area is German health care, Nationale Agentur für Digitale Medizin, the German agency for medication and patient care. 150,000 organizations will join that to serve 74 million people in Germany to make sure that the communication is interoperable and all participants, whether they are doctors, pharmacists, hospitals or us as the consumers, patients are all interconnected and those conduct data can be found, but the messaging is done in a very quick and snappy way, in a very secure way.

And then the last example of users of this technology is Swiss Post, who's been building a messaging service for easy digital communication with customers. I think this is really cool. I mean, normally disruption doesn't happen from the industry in itself. In this case, the Swiss Post, delivering post, as we see in the picture here, is revolutionizing the digital communication using modern communication or messaging platform like this. So, these are some end-user customer cases using technology we have chosen and using our solutions. But let's have a look at our implementation for growth is to work through partners and with partners. So, there's been a quite a bit of positive progress with our partner network and partners in the past couple of months as well, and I wanted to share those with you as well.

We have plenty of partners. Here are some examples of global players and some local players. Oivan is in the Middle East. ISSP is in Ukraine. And we have pretty much partners in every country of the world. In the past, we have more and more customer cases coming up. And indeed, we have now signed quite a few new partners in the past couple of months. A few of them were in end of June, but the rest in Q3 in Central Europe, in the Nordics, in Ireland, in South Korea, in Taiwan, in Thailand and so on and so forth. At the same time, we have also trained or certified around 50 new on top of the existing ones, engineers, technical engineers on our solutions within the partner network. So, I see a lot of traction. And the pipeline, meaning new customer cases arising from our partner network is on the increase quite nicely.

So with the streamlined and more effective organization, the change we made in the second quarter, a more active and proactive partner network with its growing pipeline for new opportunities. We aim to be more successful in our growth ambitions and continue to improve our profitability.

So with that, I would like to invite Michael back for potential Q&A session.

Aino Virolainen
executive

Yes. I will check the chat for any possible questions shortly. But as has been tradition, the first questions will come from Redeye's Equity Analyst, Fredrik Reuterhall.

So Fredrik, if you are ready, please go ahead.

Fredrik Reuterhall
analyst

My first question is regarding the customers delay that Rami is talking about in your report there. Can you give, I mean, more details on how the delay is distributed across the different regions and customers? And was there any larger orders or deals that was pushed forward that you can tell us into Q4?

Rami Raulas
executive

Yes. I think this is a fairly generic. I mean, maybe earlier in the year, there was some uncertainty for investments, but now that interest rates and maybe overall investment willingness may be developing more favorably, that may have changed. But we just see that kind of the final decision-making kind of, if you wish, pushing the button to sign an agreement, issue a purchase order and get the project delivered. There are too many cases that for various reasons, some are organizational reasons, some are financial hesitance reasons, some are resource allocation reasons have just kind of postponed. Like I said, they're not gone. We feel confident that many of them will actually happen. And then we also have a few cases over the summer that we did win. We got the win. But the customers -- some of those customers do want to do more of a restricted pilot or initial installation and then expand it after four months to six months into the final production, which means that the revenue will also follow a bit later.

Fredrik Reuterhall
analyst

Okay. So it's not one thing. It's different reasons on customers.

Rami Raulas
executive

Yes. And that's what makes it a bit of a challenge to kind of say how can we speed it up, how can we influence. Of course, we are doing all the tricks in the book of sales to encourage customers to buy faster and more quickly.

Fredrik Reuterhall
analyst

Okay. And you said that some was pushed forward, but you can't really say if it's going to be in next quarter or in Q4 or next year? Or is it...

Rami Raulas
executive

No, not really. But there's -- I mean, the one that we mentioned in early of the year is about that EUR 1.8 million cryptographic solution and half of that has been recognized this year. That didn't recognize yet, but our plan is still to recognize it this year.

Fredrik Reuterhall
analyst

Yes. Okay. My next question is regarding the partner agreements. I mean, you signed a lot of agreements now. But I'm still waiting for this sales boost as you are, I'm sure. But when -- I mean, you have experienced and seen before, how long would it take before these new partners agreements start to kick in, so to speak? I mean, are we talking a few months or half a year or?

Rami Raulas
executive

Yes. I think that's a great question. And it's not like we're just signing new partners, and we've been working with these partners. The partnership starts from having initial customer cases at hand and then you formalize the relationship for an agreement and train technical people and sales people. So it's not just a technical agreement. So, there are cases behind all of these partners. And we, for instance, with one of the partners, we just -- that was on the slide there. We just made a quote on offer for a major energy company. And doing that to going through the RFI, RFP process and presenting the solution took about three months from the customer side as a process. Now, they will evaluate and select and then the proof of concept and pilot will start. So, some of these projects take about six months, some much longer. So, I would say 6 to 12, even unfortunately, up to 18 months before they kind of from -- we are already working on it before they materialize into monetary terms.

Fredrik Reuterhall
analyst

Okay. And then on cash flow and liquidity. Michael, you talked about it and it's nothing to be worried about, I guess, or it just...

Michael Kommonen
executive

Yes. Well, I mean, as you can see from the report, the cash position was quite low at the end of the third quarter. And of course, we are well aware of that and have been well aware of that and follow it closely and taken measures to secure liquidity through operational cash flow measures. And as also mentioned in the release today, the cash position has improved since the end of the third quarter and we expect it to improve towards the end of the year as well.

Fredrik Reuterhall
analyst

Okay. That's good.

Aino Virolainen
executive

I have checked the chat, and there don't seem to be any more questions. We did just get one.

Rami Raulas
executive

Can you read it out loud? It's a bit smaller.

Aino Virolainen
executive

Yes. Of course. Rami Raulas has been Interim CEO since early this year. Is SSH really actively looking for a new CEO, some progress in that? If not, why not end this interim status and make Rami permanent CEO, particularly to bring someone from outside SSH as a CEO as the SSH current situations looks risky? As owner and shareholder, I'm pleased with Rami's performance as Interim CEO, and I suggest to end his Interim CEO period soon and make him CEO unless the new CEO search really is ongoing and active. Can some SSH Board Member comment this issue, too?

Rami Raulas
executive

Yes. Well, thank you for your confidence. This is a question I cannot address. I'm fully committed, and I'm trying to do my best. I think we have good results and good progress and development ongoing. So, I think you need to address the question elsewhere.

Aino Virolainen
executive

And I still don't see any more questions. So, I think we can start closing the call.

Thank you very much, Rami and Michael, and thank you to everyone who has been following us online. The material for this call and our previous calls can be found from our website, Investors section. Our next investor call will be for Q4, and it will be on the 14th of February 2025. So, thank you again for participating, and we hope to see you in February.
