CTEK Second Quarter 2018 Earnings Transcript

C O R P O R A T E   P A R T I C I P A N T S

Bryan Flynn, Investor Relations

Mac McMillan, Chief Executive Officer

Paul Anthony, Chief Financial Officer

JD Abouchar, Chairman

C O N F E R E N C E   C A L L   P A R T I C I P A N T S

Brian Flynn, Investors Relations

Matt Hewitt, Craig-Hallum

Andrew D'Silva, B. Riley FBR

William Gibson, Roth Capital Partners

Bill Sutherland, Benchmark Company

P R E S E N T A T I O N

Operator:

Good day, everyone, and welcome to the CynergisTek Second Quarter of 2018 Earnings Call. Today's call is being recorded, and at this time, I would like to turn the conference over to Brian Flynn, CynergisTek Investor Relations. Please go ahead.

Brian Flynn:

Thank you, Operator. I want to welcome everyone to CynergisTek's Second Quarter 2018 Earnings Call. Joining us today from the Company includes Mr. Mac McMillan, President and Chief Executive Officer, and Paul Anthony, Chief Financial Officer. Before we begin the formal presentation, I would like to remind everyone that some statements made on the call and webcast, including those regarding future financial results and industry prospects among others, are forward-looking and may be subject to a number of risks and uncertainties that could cause actual results to differ materially from those described in the

conference call. Certain of these risks and uncertainties are or will be described in greater detail in the Company's SEC filings. Cynergistic is under no obligation and expressly disclaims any such obligation to update or alter its forward-looking statements, whether as a result of new information, future events, or otherwise. At this time, I would like to turn the call over to our CEO, Mac McMillan.

Mac McMillan:

Thank you, Brian (phon), and good afternoon, everyone. Q2, saw multiple signs of improved performance in both operations and sales. We continue to strengthen and enhance the account management with existing clients and are seeing the results of that in contract expansions and strong renewals. This quarter saw our first big renewal in NPS with the addition of three more years to one of our large academic medical centers. We also saw a multiple managed security service renewals and expansion, several new managed service accounts added and a large win in professional services. Bookings for Q2 and security were nicely up over Q1. We are very excited about the prospects going forward if these trends persist. There are many factors contributing to this, not the least of which is the continued pressure that healthcare is under from cyber criminals and incidents.

The healthcare industry continues to find itself the target of cyber-attack. Black Book's annual cyber security survey revealed that healthcare enterprises are not maturing fast enough. In fact, cyber security will continue to be underfunded in understaffed in 2018. Additionally, over 90% of healthcare organizations have experienced a data breach since Q3 of 2016, and nearly 50% have more than five data breaches in the same timeframe. Proactive threat monitoring is still not at the forefront of an executive's mind. Less than 20% of healthcare organizations monitor properly despite the fact that they know so many of these breaches now come from commonly missed endpoint devices such as printers, biomedical devices, IoT, and imaging equipment. Healthcare organizations continue to fall behind as a majority of them are not conducting regular cyber security incident response drills, even though the number of data breaches remains constant, and the impact to the business worsen. The continual rise in healthcare data breaches illustrates the need for increased vigilance.

This quarter, the FDA has released two plans to increase cyber security around medical devices and software. The first, titled Medical Device Safety Action Plan: Protecting Patients and Promoting Public Health, seeks to provide patients with access to safe medical devices that meet their healthcare needs. This plan aims to establish a robust medical device patient safety net in the United States, as well as spur innovation towards safer medical devices and advanced medical device cyber security, and development of new technologies that facilitate device recognition and security evaluation.

Second, the software pre-certification pilot program which calls for cyber security to be baked into product design, would be applied to developers and vendors who are looking to introduce new software products in the marketplace, requiring them to do the baseline of security protocols into their software. As these standards start to be rolled out and deployed via hospitals using these products, it opens up new opportunities and requirements for security assessments and compliance. The combined effect of GDPR and newly released state security or state-level privacy legislation has also driven heightened interest in privacy concerns for health plans, healthcare clearing houses, and healthcare providers who electronically transmit health information. Many of these laws, like those in California and Colorado, significantly change the landscape for companies doing business in those states, or handling the sensitive information related to personnel that are citizens of those states.

Many other states are considering their own versions of enhanced privacy protection as consumers become weary of waiting for the federal government to enact a national standard, something it’s been hinting for more than a decade. Like the European law, these new rules carry financial penalties that are cause for attention. This has generated much discussion around the industry, and in particular, with business associates, many of whom do business in multiple states, as well as overseas. With increasing regulatory awareness and the ever-growing attack surfaces within the healthcare environment, organizations must strengthen their cyber security defenses. Cynergistek's focus has always been on helping organizations meet regulatory requirements, and proactively build buildings cyber threat awareness within their environments through our cyber security and privacy services.

Just this quarter, Class recognized Cynergistek as the top comprehensive cyber security firm in the country, providing services to healthcare. This validates our market-leading position and the ability to quickly and effectively respond to our client's needs. We will continue to offer services and innovation that address the ever-changing threat landscape and deliver long-term success to our clients.

Turning back to the second quarter, I'm pleased with our results. As I said in my lead in, we had two large wins, one in professional services offerings, and the other a renewal in a long-standing managed print services client. We made great strides forward with our professional services offering by signing a multimillion-dollar contract expanding services at one of our larger accounts. Cynergistic will place additional security resources in the health system to augment that organization’s existing security team, helping to overcome security personnel shortage facing the healthcare industry. We continue to see healthcare organizations of all sizes struggle to recruit and retain talented cyber security professionals which are critical for addressing the ever-evolving threat landscape. This new expanded engagement is a testament to our successful prior relationship with this health system. It also demonstrates the growing demand for security experts to help manage comprehensive security initiatives. Overall, we saw an increase in professional services in Q2 with the addition of five new engagements. We will continue to focus on growing our professional services program to take advantage of the labor shortfall.

On the managed prep side of the business, as we've discussed, we were able to extend the large academic medical center contract for an additional three years. As I stated in Q1, our focus was our strengthening those relationships with our client. This early renewal is a testament to the hard work and dedication our teams have exhibited over the last six months in 2018. We continue to work with our client to make sure we are exceeding their expectations of learning the best overall managed service programs. In addition, we are capitalizing on the continued consolidation within healthcare, working with our MPS clients to expand services under the newly acquired entities in Q2, further demonstrating our progress towards strong relationships and improved service.

We continue to see strong demand for all of our managed service offerings and experience steady growth in (inaudible) pipeline. We increased the number of service clients by 12. Renewals remained at 95% and 20% of those renewals included expansions through additional services. Last quarter, we began to roll out new service offerings in incident response and biomedical device security management. We're excited to report that we have had wins in both of these new categories, and are seeing an increase in the pipeline of opportunities for both of them. Our biomedical device security solution incorporates the technology I mentioned earlier that is enabling our ability to find and manage these devices more effectively, improving both cyber security and patient safety.

In addition to expanding our service offerings with existing customers, we are continuing to grow our overall client base. Our sales team has made significant progress in bookings growth and are off to a strong start for the first half of the year, putting us in a good position for the remainder of 2018. I will now hand it over to Paul to review the financial highlights for the second quarter of 2018. Please go ahead, Paul.

Paul Anthony:

Thanks, Mac. Breaking down the revenue into the new categories for Q2 2018 versus '17, managed services revenue was $13.2 million, a decrease of 9%. This decrease was the result of the MPS non-renewals which we discussed (inaudible). Consulting and professional services decreased by 8% to $1.8 million due to growth in the security-related consulting and professional services provided to both new and existing customers. Equipment and hardware, software resales increased by 226% to $1.9 million. We maintained a gross margin of 26% of revenues in the second quarter of '18, as compared to the same period of '17.

Non-GAAP adjusted EBIDA, after adding back stock-based comp was $1.1 million or 7% of revenues for the second quarter of '18, compared to $1.2 million or 7% of revenues for the same period of '17. Non-GAAP adjusted earnings was $0.8 million or $0.08 per basic and diluted share for the second quarter of '18, compared to $0.8 million or $0.09 per basic and $0.08 per diluted share for the same quarter of '17. The reconciliation of our GAAP to non-GAAP information can be found in the earnings release that came out earlier today.

As of June 30, 2018, deferred revenue was $2.4 million, up from $1 million at March 31, 2018. This increase to deferred revenue was a result of approximately $1.2 million in equipment delivered but not installed in one of our larger clients. The Company had $5 million of cash and cash equivalents at the end of the quarter, along with $23.5 million in short long-term debt. The Company maintains a line of credit with a commercial bank up to $5 million subject to borrowing base limitations, of which this credit line has no outstanding balance as of today. This concludes the prepared remarks. Operator, please open the floor for questions.

Operator:

Thank you. If you would like to ask a question, please signal by pressing star, one on your telephone keypad, and if you're using a speakerphone, please make sure that your mute function is turned off to allow your signal to reach our equipment. Again, press star, one to ask a question.

We will hear first from Matt Hewitt of Craig-Hallum.

Matt Hewitt::

Good afternoon. Thank you for taking the questions.

Mac McMillan:

You're welcome, Matt.

Matt Hewitt:

First one for me, you announced a couple of days ago. the renewal with New Haven. I'm just curious. You've talked about, historically, when you get to the tail end of those big deals, you typically are seeing your best margins. As we think about the next three years with this contract, is it a continuation of those higher margins or was it a competitive bidding situation where maybe you don't get the full benefit?

Mac McMillan:

In this case, actually, the margins remain flat. They will remain at what would be considered kind of our target margins. This specific renewal was related to some operational changes and some other things that were being done that allowed us the opportunity to extend it for a longer period of time and take advantage of the situation. We did that. Fortunately, in this case at least, we did not see maybe the normal margin impact that you would see for an account that saw something towards the end of its original term.

Matt Hewitt:

That's good to hear. Shifting gears. Maybe a little bit higher level. I think back to when the companies merged, there was a lot of excitement and opportunity from a cross-selling perspective. I think we spoke a little bit about this last quarter. As you look at the installed base today, even the new wins that you announced here just a few moments ago, as you look at the installed base, how many of those customers today are simply buying one service or one offering, versus two, versus more than that, and where do you see the opportunity going over the next year or two?

Mac McMillan:

We still have a fairly low percent in terms of penetration rate of multiple offerings. I think we have about 20% of our customer base that has more than one managed service, and we typically measure that by managed services not just one-off discrete services. Many of our customers will buy one-off discrete services throughout the tenure that they're part of the program. But what we really look for is in terms of incremental growth is when they start adding additional managed services. That's still a big area of focus for us, and we're trying to move that needle further to the right. We are beginning to see some progress there. We're beginning to see more customers buying our VSM offerings and our privacy monitoring offerings. Now, we have a lot of customers that we’re having conversations with around managed print. As we learned, a lot of our existing customers were already in some form of managed print relationship. We're in the process, obviously, of working to be in the mix when they either renew or displace whoever is in there now. But we still see that as a big opportunity and it's something that we're focused on in terms of our sales team. In fact, we have sales training coming up next week and that's going to be one of the big focuses of that training, is moving customers into multiple managed service relationships.

Matt Hewitt:

Okay. Maybe one last one for me, Mac, you had kind of touched on a recent report highlighting that personnel remain a challenge, finding the right people for your customers. You, historically, have had a great success in attracting and bringing those types of people in-house. Given where we are at from an unemployment rate standpoint here in the states and some of the other bigger issues that are occurring, it

doesn't seem like that's going to change. I would think that that would accelerate adoption of some of your managed services, rather than some type of new training platform that brings more people into the workforce to help, am I thinking about that right?

Mac McMillan:

You are. In fact, we're seeing more customers go straight to a managed service option as opposed to a one-off service. That's one of the things that sort of changed our deal mix a bit in terms of—because we basically put things in professional services, consulting services, and managed services buckets, if you will, in terms of how we track things. We've seen an increase on the managed service side and the professional service side, and a decrease on the consulting side. A lot of that is because a lot of our customers, instead of just buying a one-off risk assessment, are going straight through a three-year cap. Because they're having so many challenges of getting the people that they need on staff and being able to retain them, the whole managed service model is becoming more and more attractive to those hospitals in particular.

Matt Hewitt:

Excellent. Okay. Great. Thank you very much.

Operator:

We will hear next from Andrew D'Silva of B. Riley FBR.

Andrew D’Silva:

Thanks for taking my question. Just a few quick ones. I'll start with a few for Paul. Could you just explain maybe a little bit what the rev mix was from a security versus documents stand point? I'm just confused on how your gross margin increased year-over-year, and sequentially, if equipment sales increased so much. Then, just looking at the balance sheet, accounts payable are way off historic norms, what's causing that, and will that return to more historic levels going forward?

Paul Anthony:

(Inaudible) to the product mix or services mix. Security was just over $4 million for, really, both quarters, $4.4 million or so for Q1 and $4.2 million for Q2 on the security side. As it specifically relates to the balance sheet, we also see that we had a drop in our accounts receivable as well. A large portion of our business on the managed print services side includes paying agent role for clients. In many cases, we don't make payment on a number of our expenses associated with a given client until we're paid by our client. It's really more of a timing issue specifically related to Q2. There is no trends that we noticed necessarily, we just happened to collect more money in that quarter, and then the resulting payout against the vendors that support those accounts was done as well. If you remember back in Q1, we actually saw an increase in AR because we hadn't seen some collections that came in later. It really is just a timing difference, no trends that were seen or changes in the trend.

Andrew D’Silva:

Okay. Great. As you look at the business, I know that we've discussed this last quarter, but are there still headwinds on the document side of the business, or are most of the ones that you experienced in the first half of the year behind us now? Or has the competitive landscape evolved enough that it couldn't make that segment more unpredictable than perhaps how it was over the previous, call it, three years?

Mac McMillan:

Sure. I think it's safe to say that there's still a pretty strong headwind in front of those services. That entire business is still facing a lot of downward pressure with respect to price and cost, and a lot of the competition is—I mean, it's becoming, as we've said before, not becoming. It is a commodity-based market, but it's actually, I think, even becoming more affected than that in the sense that we have the equipment manufacturers who provide managed services. We have the folks like ourselves who provide a managed print service, and then we have what I call all the local folks, meaning the local office shops, et cetera, who will also provide a managed service around the equipment that they sell a particular business, which I think is actually growing in terms of numbers.

There is just a tremendous amount of competition out there for that business, and a lot of it is all price-based in terms of the competition. Obviously, the local vendor doesn't have the overhead of travel or the organization to support a disbursed client-base that's outside of their geographic area. The manufacturers who sell the equipment, their focus is primarily selling the equipment, so they'll discount the managed services in order to sell more boxes into the client. Really, those folks that are like ourselves that are the kind of in that middle sector of the business where we are pure Managed Print vendors, we really have pressure coming from both ends, and on top of that, you're talking about a marketplace that is extremely saturated. What I mean by that is, as we're finding, as we found when we started cross-selling into our existing security clients, it was incredibly rare for us to run into somebody who didn't already have some form of a managed service relationship in place. You're not only dealing with the pressure in terms of price, but you're dealing with the pressure in terms of having to display whoever's currently there, and whether or not they're either happy or not so happy with whoever they are currently doing business with.

I don't think that those headwinds have gone away. I don't know that it's any more volatile than it was before, meaning I don't know if it's any more unpredictable than it was before. I think it's still very predictable that it's going to be a difficult sell, and then it's going to be competition every time you go in there.

Paul Anthony:

We're definitely focused on the security angle that we've got that the competitors don't have. It's definitely an area that we're focused on to differentiate ourselves.

Andrew D’Silva:

Okay. Great, great color, and then I know you touched on this, but just looking at it from a slightly different angle, any thoughts on how Legacy customers reviewing some of the new offerings that you have come through security? I know you mentioned the 20% adoption, is there an adoption rate you'd be disappointed with if you weren't able to hit on a quarterly or annual basis? Any benchmark that you can give us would really help us think about it from a modeling standpoint.

Mac McMillan:

That's a good question. We haven't really, I don't think, sat down and thought of it from that perspective. Right now, the model that we've put forward to our teams is we'd like to see every one of our customers have two to three different managed services a piece. But I haven't really thought of it in the sense of, does it have to be 20%, or 30%, or 40% penetration. That's a different way of thinking about it, and we can probably give some thought to that, but we haven't. I don't know. I wouldn't know what to tell you today.

Andrew D’Silva:

Okay. How about this, you mentioned the goal will be two to three managed services a piece. What's the norm right now?

Mac McMillan:

The norm right now is the overall majority have one, and then they'll buy other discrete services on top of that. The percentage, I think it's somewhere around 20% right now, has anywhere from two to three, and we’d just like to see that grow. That's what we'd like to see grow.

Andrew D’Silva:

Okay. All right, fair enough. Then, just final question. You mentioned a 95% retention rate, is that based on revenue or total clients? Then, is that a rate we should model as our base, or what would be the best retention rate we should use as a base case going forward?

Mac McMillan:

I'll let Paul talk about the numbers piece of it, but that percentage is just based on client.

Paul Anthony:

Yes, client count.

Mac McMillan:

It's client count.

Paul Anthony:

Then, I would say, historically, we've targeted 97% for the security business and, historically, prior to end of 2016, 2017, we would've had high 80s into the 90s for the MPS side. I think now what we'd like to see is right in that mid to high 90s, it's still our target as it relates to renewity.

Andrew D’Silva:

Okay, and that is quarterly or annually? Sorry, from a timeline standpoint, that's going to be annual numbers?

Paul Anthony:

Annually.

Andrew D'Silva:

Okay. All right. Perfect, thank you. That's it for me and best of luck going forward this year.

Mac McMillan:

Thank you.

Operator:

As a reminder, if you would like to ask a question, please press star, one on your telephone keypad. We'll hear next from William Gibson of Roth Capital Partners.

Mac McMillan:

Hello, Bill.

William Gibson:

Hi, Mac. Say, can you give us a little more color on the biomedical, medical security wins? How many are out there, and how big could it be, and what's the ramp, and sort of the timing of when it starts showing up in revenue?

Mac McMillan:

Yes, that's one of the things that we're actually very excited about. It seems like every time our sales guys have a conversation with anybody out there about this topic, they come away with an opportunity to present something to them. The number of opportunities in the pipeline just continued to grow. I think we've had two or three wins already on the biomedical side.

Paul Anthony:

I think they're 11 in the platform.

Mac McMillan:

Yes. We're really excited about what's going on there, and this is just the front-end because right now we're dealing with doing the assessments, helping them to understand how many medical devices they actually have that are connected, where those devices are, what the issues are related to those devices, what the vulnerabilities are that need to be addressed.

The second piece of that is the managed service on the back-end, which is the second part of that coming down the pipeline, which is what we're really aiming for. But it just seems like every single health system that we talk to—in fact, I just saw two more opportunities this morning that we're going to proposal for biomedical device security assessments. It just seems like every hospital we talked to, that they're anxious to jump on that, and they're very excited about the fact that we've incorporated the new technology into what we're doing so that we actually have the ability to accurately find those devices and identify what's wrong with them.

But on the other side of it, there is also some great partnering opportunities that are going on right now. We're working with two of the large biomedical device manufacturers who also manage those devices for a lot of the hospitals that they work in. We're working on a partnership with both of them to actually be their security partner, and come into their hospitals, and work side-by-side with them to address the security fees while they're addressing the maintenance fees. Those biomedical devices as well, and those obviously are opportunities that we just can't wait to see where those go.

Then, we also have a couple of opportunities that were a bit of more longer term, but they’re with very large health systems that have many hospitals who are looking at more of, again, a partnership relationship where we come in and help them manage those devices across all of their hospitals. The biomedical device security piece right now is something that's very exciting, and it's got our sales team very excited because they don't have a negative conversation anytime they have one.

William Gibson:

Okay. What's the typical assessment period? Is that three months, nine months?

Mac McMillan:

The typical assessment period is about six weeks. Essentially, what you do is you deploy the technology into the hospital, it sits and passively records the communications between the endpoint devices and other devices on the network and through those communications, identifies the device, where it's located on the network, the type of device it is, the red version of the device, what its maintenance level is, and what its security issues are. We typically let the collector run in the client's environment for anywhere from three to four weeks because a lot of these medical devices are not online all the time. Giving you an example, hospital may have 20,000 devices that are connected to its network, it may only have 40% of those connected at any given time. But over a period of weeks, all of those devices will typically have been connected during that time frame, and so you will have been able to find them and catalog them, and identify the issues with them.

We leave the collector there for up to four weeks. Collect the data. Once we have the data, we do the analysis, write the report, make the recommendations with respect to the clients' program in terms of how they're managing those devices from a lifecycle approach. Meaning, we go all the way back to where they acquire those devices and what their processes are for acquisition, through maintenance, as well as through retirement of those devices, and that's looked at. We basically provide them with an analysis that allows them to not only tactically attack those devices that need to be addressed, but also look at things like segmentation, in terms of where they want to put them on the network, physical location in terms of

where they want to connect them, and then, of course, addressing the things like patching and fixing with respect to devices, as well as fixes to their processes. It’s about six weeks, all told.

William Gibson:

That sounds good. Thank you.

Operator:

Our next question comes from Bill Sutherland of the Benchmark Company.

Bill Sutherland:

The first half, as I look at past on the equipment sales, it feels kind of flattish, 2Q over 1Q of (inaudible) about the match grant and security. As I try to get my arms around some of the additional business you talked about, Mac and the expansions and then tie that to retention, and then also your pipeline, the time to convert, how do we think about the back half? Should we think about it as sequentially up from the front or from the first half of obviously ex-equipment sale?

Mac McMillan:

Yes, absolutely. We talked about it. We knew we had a slower Q1 from a booking standpoint. We had a real strong Q2 in which we caught up with. Made up for any shortfall we saw on Q1 as well as exceeded what we were planning for the six months combined. We'll start to see that those bookings start to materialize into revenue here going into Q3 and into Q4. We'll definitely start seeing additional growth as we get into the back-end of the year.

Bill Sutherland:

I guess for both sides of the business?

Mac McMillan:

Less so on the MPS side, with the exception of maybe some equipment. We (inaudible) around the deferred revenue that we have in there from the equipment. But most of the growth in the services side has been coming from the securities side.

Bill Sutherland:

Okay. That's just what I needed. Everything else has been answered. Thanks, guys.

Mac McMillan:

Thank you.

Operator:

It appears there are no further questions at this time. I'd now like to turn the conference back to Mac McMillan for any additional or closing remarks.

Mac McMillan:

Thank you, Operator, and thanks, everybody, for attending today and for all of your questions. Although the year started out slow, we're now gaining momentum in 2018 and are looking to build on the strong sales performance we saw in the second quarter, and the demand for security services we still see across the healthcare market. Our execution in the second quarter, along with our industry-leading position, will serve us well as a strategy for the remainder of the year. We will maintain focus on growing our pipeline in both new and existing offerings, and continue to deliver high-caliber managed services to our clients. I'd like to thank everyone for joining the call today and look forward to talking to you soon. Thank you very much.

Operator:

Again, that does conclude our call. We would like to thank everyone for your participation today and you may now disconnect.