Welcome, dear guests. I see people are joining online. Happy to see that. Valued shareholders, investors, customers, and media, welcome to our investor call on SSH Communications Security financial statements released for January-December 2023. This meeting will be recorded, and the recording, alongside the presentation, will be available on our webpage after this call. My name is Lauri Koponen, and I'm the Communication Lead at SSH Communications Security. I will be the host of this call. Results will be presented by our CEO, Teemu Tunkelo, and CFO, Michael Kommonen. You can ask questions at the end of the event by asking to speak in the chat or by writing your question there. Please keep your mics muted whenever you don't have the floor. At this stage, I hand out the floor to our CEO, Teemu Tunkelo.
Thank you, Lauri. Welcome, everybody. We will start. As you can see, this meeting is done with our new product, which is a safe way of sharing information in a B2B environment. We will start with a short video explaining what this product is all about.
Handling secrets in a regular email is like sending them on a postcard, too exposed and risky. Fortunately, secure business communications is easier than you could ever imagine. Introducing the SSH Secure Collaboration 2024. Secure your sensitive human-to-human communications with government-grade security. The SSH Secure Collaboration 2024 is a super simple solution that makes secure business communications a breeze. Put a stop to data leakage. Ensure your organization doesn't get exploited by cyber criminals. Stop identity theft and data leakage. Protect yourself from identity theft. Manage access and rights per task, role, policy, or data classification levels. Identify, track, and audit every transaction. Verify both sender and. Collect and collaborate on sensitive data just like before, but with ironclad security. From Nordic specialists in secure communications, trusted by some of the most demanding businesses.
It gives you a free, you know, what we are doing in security between human systems and networks. Now I would like to hand over to Michael to tell about the numbers. The safe harbor statement is normal, as you know. So Michael?
Shortly, our agenda today, we'll walk through the financial results, and then we'll give you the CEO review, along with our outlook, and after that, we'll have the Q&A. So next slide, please. So the financial results for 2023, our top line, our net sales increased by 5.4%, and our EBITDA reached EUR 1.8 million. Underlying, under this, total net sales growth of 5.4%, we had subscription sales growth of 27% for the full year. Our total ARR grew 5%, broadly in line with the overall sales increase, and reached EUR 19.3 million. Looking at the fourth quarter, the last quarter of 2023, EBITDA was EUR 0.5 million and declined 56% versus the comparison period, the last quarter of 2022.
This was mostly explained by lower net sales and, to some extent, also, an increase in costs as we continue to spend in R&D and market activities. The fourth quarter of 2023 was our 11th consecutive quarter of positive EBITDA. During 2023, we secured several multi-year subscription and maintenance sales with UPM and PrivX, and specifically in the fourth quarter, we provider in the U.S. region. In the last quarter, we also launched the Secure Messaging 2024, which we are using right now on this call. This is for compliant digital communications between humans. It offers a variety of features, such as video and voice calling, file sharing, and group chats.
We also moved to position our SSH Zero Trust Suite as a bolt-on, as the best bolt-on to Entra ID to help manage your secure key users. So typically, one out of 200 users would be our the users we target with the Zero Trust Suite. So next slide, please. Looking at the fourth quarter, so as mentioned, the overall net sales decreased and underlying or to a large extent, explaining this decline in sales is the reduction in license sales. So we had in line with our strategy, we are focusing less on license sales and increasingly on subscription sales. In the fourth quarter, our subscription sales grew 16%, and for the full year, a healthy 27% increase. Maintenance sales were broadly stable. There was a slight decline in them for the full year.
The deferred revenues at the end of 2023 was EUR 12.6 million. This is down from EUR 14.1 million a year prior. This is mostly explained by lower invoicing. In 2022, we have invoiced some major multi-year bills, which increased invoicing, particularly towards the end of 2022, and then correspondingly increased our deferred revenues. EBITDA, as mentioned, for the full year, was EUR 1.8 million, and EBIT, - EUR 1.6 million. The cash flow from operations last year was EUR 3.2 million, so an improvement from 2022, EUR 3 million cash flow from operations. Finally, our total liquidity in 2023 was EUR 3.7 million.
If you look at this in detail on our balance sheet, you will notice that we have EUR 2.2 million, or had at the end of 2023, in cash and cash equivalent. But this was in a money market is, an investment vehicle with a low duration, low maturity, and which is, and which is liquid. And with this, we are taking advantage of the current interest rate environment to improve the yield on our cash position. Teemu?
Yeah, thank you, Michael. Yeah, I guess the main topic on the position is that we are working like the extra against. We were able to put in cash to build and deliver interest, which shows that we are stable. We have been stable now for over 10 quarters. We are driving the company in a stable way forward, and the key point is that endpoint security is all about access control, and that's what we have been doing with PrivX since 2008. And we are communication security between humans, systems, and networks. So we have three product families: collaboration, Privileged Access Suite, and Network Suite, which all run under PrivX, which controls who did what where. We are making Zero Trust comprehensible for people, which means that people should be recognized not by passwords, not by keys.
They should be recognized by their biometric things, be it your pupil, be it your face, be it. In today's world, it doesn't matter if you're on the internal network, if you're on the internet, the world is borderless. What we do is defensive cybersecurity. All of these products, we do cryptographic agility, which means all of our products can be also bought in a post-quantum safety algorithms. So that's us in a nutshell. Now, as you have seen from the video, and you can see it all the time, we want to make secure communication that is recordable for the companies, because what the Securities and Exchange Commission in the U.S. has said, same way as you do telephone service, also digital service between you and your customers have to be able to be recorded so that afterwards you can know who did what, when.
That's why it is not acceptable that people use their private WhatsApp or standard Outlook or Teams. There needs to be a secure collaboration environment, and that is what we are launching now with the CollabX Suite, that you can share the information, and the company can fulfill their legal requirements on being able to record who said what when. The other main point we have traditionally had is that most of the connections are automated between applications. SSH, so Tectia SSH client can do interactive sessions, but the main topic are the automated connections. What we do with Tectia, what we do with PrivX, and these are, are not well documented, and that is the invisible risk we are addressing now. So what we have seen with our customers is that the SSH keys, which is what Tatu Ylönen originally created, are not well documented.
This picture, what we call the Death Star, is from one of our customers' connections between their different servers, who is talking to who, because we are communication security. That we are able to visualize this, we are able to act on this to say, "What is the world you are living in?" It's not about what does the computer do, it's a question of communication security. With whom does the computer talk to? That is what we can do better than anybody else in the world. On the network side, NQX is a way to make cheap connections with high bandwidth over the network. It is between the cloud and the office, the operations and the office.
Data center will stay there longer than I will ever live, and NQX enables you to use normal internet to provide you a low-cost connection and still secure connection between the plant and the cloud and back. That's what for our NQX product is all about. On the last year results, PrivX has been growing. We have been still focusing on getting bigger deals. Some of the deals I would have wished would have come last year, but the customers buy when they buy. We have gotten very good response, and we have better pipeline than ever, so the base for the 2024 is strong. We have the service provider version, MSP, and the OT edition for factories, and our customers are extremely happy. Our product is made in the cloud age for the cloud age, and we see a really positive impact with the market.
So I feel very confident that what we did in 2023, which was okay year, it could have been better, but it was what it was. I see we built a solid base on driving bigger deals, driving more customers for PrivX, for our CollabX Suite. So the reason why we need CollabX is coming from the fact that one of the biggest fines ever done by SEC was that the companies that are providing investment advices to their customers do not control the communication, or they don't record the communication, but because people use their private devices. And we can already see that some of the even Finnish banks are moving to the state that they will have private phones replaced by company phones, where you cannot load applications, because the companies have to control the communication between them and their customer.
And this, the whole market, is coming more and more to the point of communication security. You need to be able to control your communications between human systems and networks, and that's what we do. So this is the point I mentioned about SEC. They have issued fines for 30 different organizations, basically on the topic that you need to know what people do. And it is similar if you call, let's say, for an example, a bank. The bank on the phone says, "You know, wait for a while, the next service engineer might come and talk to you in the next 15 minutes. By the way, this call might be recorded for quality and process improvement purposes." This requirement also goes to digital communication between people in your organization and people with your customer.
That need is driven by the big fines, because big companies only do things because they have to. So this is a threat, which the traditional products, be it WhatsApp, be it SMS, that are out of the reach. You need to have control when you, your organization is communicating with your customers. You at least have to be able to record the communication. And that's what we do on these calls, we call that, "This call will be recorded," so everybody knows who's there to work with. And that's what we are doing with the secure messaging. I think it is increasing our traditional Deltagon offering to a new level, which I believe is needed by the market because emails are dead. Secure emails are dead. We just have to bury them. The future is instant messaging.
The future of instant messaging, we can see, or I can see at least, I don't communicate with my children with email. I communicate with them with instant messaging. That will come to business as well, and we believe we are leading the pack at the moment. Now, if we then look at the problem of going to the cloud, and this is another paradigm that I want us all to understand. Today, 20% of all the transactions in the world are in the cloud. The cloud is growing. The light blue is not growing, but even if the cloud is growing, in 10 years, still half of the cost of an IT department of major corporation will be still on the light blue side.
If we go to the next step, we have the mainframes, and I believed when I graduated in 1986, the mainframes are dead, but I will die before that. Data centers, we have a good partner with Kyndryl in the U.S., which is the ex-IBM consulting service. They go down from 800 data centers to four, but the four are pretty big ones, because the biggest users of processing power in the world are companies like American Express, like Visa, and they will not go to cloud, because you go only to cloud when you have a variable load. If you have stable load, you do it yourself. Technically, you can do it with cloud technology, with your private cloud. But for the small to medium-sized companies, the big game that we are entering is about who is providing the clouds.
Amazon started because they saw they had a lot of compute clouds. They wouldn't know what to use them, they started to sell it as a service. Google has gone there. IBM has bought a big thing. Microsoft is completely different because all of us, we are at least in one Microsoft Active Directory with our password and username. And Microsoft, by renaming Microsoft Azure AD to Entra ID, is going to take the identity market. Access management is us for the 100 or 200 users. Entra will provide access to the people who get into the bank office. We provide the access to the world. And in this game, I think Okta is an interesting player, but they don't have a cloud. The really underlying message is, who gets the volume of the cloud traffic?
And the big boys, the boys we work with, they do private clouds. And this is the environment where we are providing what we have always provided already from Tectia over 20 years ago.... We have single access to any cloud, any environment you have. You don't lose your keys to the kingdom if you use PrivX. That's our big value. That's what we are driving. And that means that we want to sit on top of Entra, adding there the super users, the power users, and adding there who did what, when. And with UBA, with behavior analysis, we can also predict and prohibit misuse of the credentials before it actually happens. And that is where we have, I feel, a good understanding with Microsoft. We only do the one out of 200 users.
They can do the 199 users, so both of us has enough game to play because for the time being, we are a little bit smaller than Microsoft. I think we have also, at least in Europe, been able to convince the analysts that our product, PrivX, our technology, PrivX, is made for the future, in the future time. The competitors have been made in time of dinosaurs. We are made in the time of cloud. Open interfaces, easy to use, on-demand volume, on-demand processing power, so we can live in a cloud. Compared to most of our competitors, we can also live on-premise equally well. We are a private cloud, we can sit in a public cloud, and that is the strength, because PrivX was only done in 2018, when the technology was already available.
So looking forward for the 2024, I know I cannot say a lot. W e remain with our traditional guidance, and I do believe we will have a very good foundation that we have built in 2023. So we will grow. We will increase our profitability. We will be very, very happy, most likely, when we talk to you once again somehow. So with these words, I would like to hand over to, back to Lauri.
Thank you, Teemu. I can see already questions in the chat. Thank you. You can write your questions there, or you can also ask permission to speak. Traditionally, first questions have come from Fredrik Redeye. So Fredrik, the floor is yours.
Good morning, and thank you very much for taking my calls. We have been talking about the customers pushing forward these decisions for your product. Is this the case, would you say, or have you lost any prospects?
We, we feel that most of the projects have a funding problem. It is not that we have lost major customer cases, it is just that the customer senior management has not released the funds. And that is also big part of my belief that this year should be good. This year, already in our sales system, we can see there are a lot more projects coming in than ever before. So there is a new budget. We are gonna go for it, and I really hope that this year, the first half of the year, will cover up the things that we failed at the end of the last quarter.
Okay, and can you say something about the different geographies? I mean, it's more hesitant from European customers versus the U.S., or?
I wouldn't say there's a lot. Maybe Europe is more conservative, yes. I think we have seen very good progress in Asia. Asia has been more active. U.S., I would say, is how it is. I think we are strong in U.S. We have kept our position. I would say I'm expecting this year Europe to deliver more than they did last year.
Okay. You talked about the new competitor in your report here, entering the identity market. Can you give us some more color there?
Only when we talk about our IAM market, identity and access management, Microsoft has all our passwords and usernames in their Active Directory, which is, by the way, an on-premises application. Microsoft renamed Azure AD to be Entra ID, Entra meaning enter. So they want to position themselves as the sole identity provider in the world. Okay, not maybe everybody wants to go there, but that will be the main topic. So the IAM market will be split between identity and access management. Identity includes all the users. Access management is extremely important for the people to go the safe. So 1 out of 200 users, that's what we do. So we want to be like ServiceNow, like Salesforce is with SAP. We want to be the vault owner for the people who go to the holy grail of really important, sensitive, and critical data.
One out of 200 users need to use PrivX. For others, identity management by Microsoft is enough.
Okay, thank you. I mean, historically, Q4 has been strong in the license sales, and as you said, that it's migration towards more subscription-based now. But can you say something more about why license is so weak? I mean,
Well-
Did you manage to, you know, to migrate-
Well, we-
The customers up until the subscriptions, or?
We have been trying to push the customers to subscription because it's better for them. Because if I take myself, buying a leasing car three years ago was a great choice because I can give it back after three years. If I would have bought a car, I would have an old car now. In cybersecurity, the hackers get more and more clever, so you need to keep your product fresh. It needs to be fresh and future-proof, and that's when it doesn't make sense that you do a capacity investment in a product that will be old in three years. You want to keep it fresh, and that is the message we have been pushing for the customers over the last three years. And the customers have been listening to us. They understand.
They pay a little bit more yearly, but they pay it over time, and the product will live with them. Because the cybersecurity risk will change, so it doesn't make sense to buy a snapshot of the history and hope. It's better that you buy subscription, which of course, hurts our revenue, but we believe it's good for customers and for us in the long run.
Okay. Can you say something about the churn? I mean, did you lose any customers there in between, or?
Can you repeat? I didn't quite hear you.
No, I'm just thinking about the churn. I mean, if you will lose any customers. I mean, some customers maybe do not want to have the subscription, even if they want the product, so to speak. I mean-
Well, we still, we still do offer perpetual licenses, and that actually last year, it was still more significant that some customers wanted it. Now, we had. In the last quarter, we had one customer who bought a license, which was about EUR 200,000, which kind of is not a major thing for us. The previous year, we had over EUR 1 million of license sales. So our license sales went down by EUR 700,000 in one year because we believe that it's better for the customers to buy subscription instead of license, even though it hurts us in the short term.
Okay. Understand. Thank you. And, my last question is, the launch of this secure collaboration that we are using right now, is that the launch is on track, you think, or will it be faster or slower than you anticipated?
Well, I think we have gotten very good customer response. We have now about less than 10 pilot customers who are testing the product. We are using the product extensively inside the company. I think the product is ready to sell, and it depends on the customer's speed on making decisions, buying, the rollout speed. But I do see that the theoretical potential, what we have with CollabX, can be equally big as PrivX. So getting out of secure email to instant messaging, to video calls, to calls like this, in a way that they are safe and they are company-controlled B2B connections. They are not like Slack, they are not like WhatsApp. That is the huge opportunity we are embarking on now.
Okay. Thank you. That was all for me.
Thank you, Fredrik. We had also a couple of questions in advance, which came by email. We could start handling those and then proceed with the chat questions. So first question was that: Is there recently announced Entra/PrivX solution, the type of joint and collaborative product solution that is marketed or sold by both SSH and Microsoft, or is it that SSH has integrated PrivX to fit Entra and is marketing it as its own solution?
It's the latter one. Microsoft is open for partners. Microsoft, at this stage, is not selling SSH products. We might agree with them in the future that we would put PrivX also on their platform. Then, basically, technically, Microsoft would be invoicing PrivX products, but that remains to be seen how the negotiations go.
Thank you. Next question, which came in advance: Is the recently announced EUR 1.8 million secret deal part of the EUR 20 million multi-year deal announced a couple of years ago, or is it separate?
It's separate. It's on top, it's different. It's close to what we traditionally do, but this deal is completely separate from the frame contract, which is progressing slower than we thought, but it's progressing well. So this is on top.
In the light of the current situation, what is the timetable and scope of this latter deal?
We will deliver the product during this calendar year, and then we will, in the forthcoming years, we will provide support for the solution. What we have now agreed is the EUR 1.8 million, out of which more than half will come as revenue this year. The rest is committed for support for coming years. It might lead to additional development efforts that would be maybe charged on top, but the EUR 1.8 million won't be a deal out of which half will come revenue this year. This is what we have agreed. So this is different to the EUR 20 million frame agreement, which was a frame agreement. This is a fixed deal. We get cash this year.
Thank you. Does the SSH Secure Collaboration 2024 product have a significant potential for success in the wider international market, and what are its competitive advantages?
We believe that it has potential. You know, take a gateway, the traditional Deltagon suite is limited to Sweden and Finland. And we do believe that the new product with the new technology, also leveraging the PrivX technology, has the possibility of breaking out of Scandinavia or breaking out of Nordic. So it remains to be seen. It will take some time, but this is a global product. This was made for the global market. We will continue to serve the traditional Deltagon customers because they like what they have, and this product is a step change on the globalization of secure collaboration between humans.
Thank you. Last question in advance: Are expectations for NQX unchanged or changing, and if so, in what respect?
NQX, as a product, has potential beyond the current market, but the positioning, you know, we might have not done a really perfect work on that. So we are looking at alternatives on getting an efficient global market with the logic of making NQX a connection over internet cheaper than flying modems, especially in the OT environment. So from the factory to cloud and back, from the harbor to cloud and back, from the ship to cloud and back, that's the big opportunity we see for NQX, and we are working on it. We have some limited success to date, and based on our capabilities, we will continue to try to expand the market that NQX would be the chosen solution for the connection between the cloud and the factory.
Thank you. And then questions from the chat. First question: Recurring revenue, ARR, was EUR 19.4 million, quarter three 2023. Now you reported recurring revenue RR, EUR 19.3 million . This means decline. Reason for this, what customers and in which area you are losing? What actions will you take in order to reverse this development?
I think I can take this one. So, there's. First of all, there's a slight currency impact that it's slightly negative in the fourth quarter compared to the third. And then we had one customer of a slightly large that to some extent explains it, discontinuing during the fourth quarter. I think we can't go into more detail of who this customer is and the reasons for for losing it. Overall, I think we can say the churn is low considering the amount of customers we have. The product is sticky, and customer satisfaction is high. So I think in the same way that we win over customers from others, and overwhelmingly, overwhelmingly, we win more customers than we lose. In some cases, some customers might, for some reasons, decide, discontinue. On the last question, what actions we will take?
Of course, we continuously strive to be close to the customers, and be sensitive to any kind of changes that happens at the customers and the customer needs regarding our products. So that's, I would say, is already actions that are in place and of course, which we are improving.
And if I can add to that, I would like to use the Matti Nykänen answer. 50-60 is absolutely correct. If it's 90.4 or 90.3, this is not a change. And looking at single numbers, when we go for bigger deals, comparing things behind the decimal point is irrelevant.
Thank you. Next question: Deltagon acquisition 2021. Plan was to pay acquisition during four years. How much SSH has paid until now, and how much is still to be paid, and when?
Yes, so the acquisition has been paid according to plan, and we will continue to pay according to plan. So, there was, after there were three final installments, of which two have been paid, so the final installment is to be paid in, during this year. So that's EUR 1.67 million that we expect to pay as the final installment of that acquisition during 2024.
Thank you. Next question is: In Q4 2023, how much new sales in currency did you receive direct and how much through partners? You have stated 50/50 in the past. Same still?
I think i t's not a number we give out, an exact percentage number. I think it has not changed materially, so I would say 50/50 is a reasonable rough number of our partner and direct sales split.
Next question: SSH Secure Messaging. How do you view the revenue potential for SSH during 2024 and 2025?
It is impossible for us to make any numbers on these. I would say potential is substantial, and the future will tell what we can deliver. At the moment, the starting point is good, but we are not able to give you a number at this stage.
Next question: PrivX is ranked as an overall leader and product leader by KuppingerCole. Has been for some time already. When will this translate to clear increase in PrivX deals, and what additional actions related to go-to-market do you need to take to make it happen?
Well, I think we have been able to increase the average deal size. Yes, there are still a lot of things in the, in the pipeline because customers need to make decisions, and we cannot control when the customers make the decisions. But we see for PrivX, the potential to go for bigger deals, very good, and we are doing a lot of investments in the go-to-market activities that we can make this thing going forward. So yes, we are working on it, and, and yes, we are a B2B market. We are not just a starfly in the sky. We do things predictably, credibly, industrial-grade software for B2B market. So you will see the growth coming, but it will not be a triple-digit growth. It will be stable and predictable.
Next question: Did SSH focus on target market change with the Microsoft Entra ID launch? And if so, how?
This is what I already answered earlier. Identity and Access Management market will be split between Identity and Access Management. We are in the Access Management market. We want to support Microsoft because we think that for 1 out of 200 users, we can provide a solution that Microsoft is not interested to provide themselves. Microsoft is going for the volume, we are going for the value.
More questions. As some of SSH products are claimed to be leading solutions in the market, is there M&A interest towards SSH which would support this view?
Well, there are always people who are kicking in the tires. For me, if I look at the past years, we are not for sale. We want to grow.
Thank you. And then last question in the chat, you have still time to post more. So if business develops according to plan, is operating cash flow sufficient to cover the upcoming Deltagon acquisition and interest payments?
We believe so.
More questions. Thank you. SSH Secure Messaging. You said the revenue will depend on what you will be able to deliver. Please elaborate on how much work is needed from SSH to deliver SSH Secure Messaging to one client in calendar time and FTA through speaking, proudly speaking.
The whole investment in CollabX, we, we are talking about a team of 4-6 people, which is about 5% of our R&D. The whole topic is not on how much we need, the point is the volume. This is highly scalable business. This is gross margin 95%+ . The question is not, can we invest in 4 people? Yes, we can. The question is: how can we ramp up the sale?
Thank you, Teemu. Thank you, Michael. Thank you, dear guests, for your questions. Let's wait for 10 seconds if there will be any more.
I think at this point, we don't have any more questions, so thank you, dear guests, for participating in our call. Materials for this call will be available on our webpage later this day. SSH Communications Security will release its business review for January-March 2024, Q1, on April 24. See you there. And thank you also on my behalf. See you next time.