Welcome to SSH Communications Security Investor Call for Q2 of 2024. I'm Aino Virolainen. I'm a finance member here at SSH, and I'm responsible for our investor relations. Presenting the results is our Interim CEO, Rami Raulas, and our CFO, Michael Kommonen. After t heir presentation, we will have a Q&A session. You can ask questions during the call by posting in the chat. This call is hosted with our own solution, SSH Secure Messaging. The call will be recorded, and the recording, along with the presentation slides, will be available on our website. Now it's time to start the presentation, so I would like to give the floor to our CFO, Michael. Please go ahead.
Thank you very much, Aino, and good morning also on my behalf. So let's jump into the numbers of the second quarter of 2024. In the second quarter of this year, our net sales grew by 4%, and EBITDA was EUR 0.5 million. This was an improvement from the year-ago quarter, when the EBITDA was EUR 0.1 million, so EUR 400,000 improvement. Net sales reached EUR 5.1 million, and on the sales side, we can also see that subscription ARR grew 8.2%, while actual subscription sales of PrivX grew 21.2% in the second quarter. The improvement in profitability in the second quarter was mainly driven by cost optimization and cost controls throughout the organization, as the overall sales growth was relatively modest in the second quarter.
On the market and portfolio side, in the second quarter, we received new orders for NQX, and we also invoiced the first installment of the cryptographic solution that we announced in the first quarter of this year. Our pipeline grew across all geographies in the second quarter, and we also announced, or we also achieved both, new partnerships, and we also closed new deals through partners in the second quarter. On the product side, we launched SalaX, our solution for secure communication, and we also achieved the first customer wins. Rami will talk about that in a moment in a bit more detail. On PrivX, we had PrivX 35 launched in the second quarter with significant improvements, in functionalities, in the PrivX product. Here we can see the trend of the sales and EBITDA performance over the quarters.
So overall, the overall subscription sales grew nearly 11%, 10.9% in the second quarter. Deferred revenues declined somewhat, reaching EUR 11.3 million, or being EUR 11.3 million at the end of the second quarter. This deferred revenues fluctuation mostly has to do with timing of the invoicing, in between quarters and months. EBITDA, as mentioned, EUR 0.5 million, EBIT still negative, negative EUR 0.5 million, and the cash flow from operations, in the second quarter, which is typically seasonally weak, on the cash flow side, was negative EUR 0.8 million. So with this, I will hand over to Rami, who will go through the business highlights, in greater detail in the second quarter.
Thank you, Michael. Good morning, and good afternoon to some of you. While our revenue growth was maybe just moderate in Q2, we had progress in multiple fronts. For instance, our business in APAC grew 44%, slight growth in U.S. Europe was a bit flat. Many of the deals that we were anticipating were being delayed. And we, as Michael mentioned, we were able to get quite a bit more invoicing from new orders in Q2, which will show in revenue later on because of the subscription model. And we also, as said, we're able to increase our pipeline fairly significantly in Q2 in all the three regions. So with that, I'd like to share a bit more of the progress or background of other activities and achievements that we had in quarter two.
So we continue, subscription-based sales is now 95.5% of our business. We work through partners. Our growth is driven by partnerships and building stronger partnerships and building more partnerships globally. We are a security company, so we need to be a secure company, so we achieved yet another certification for that. SalaX came to market for deliveries. We announced maybe the biggest announcement ever for PrivX since its birth in 2017. We finished the organizational changes in two steps, first on the top management, then throughout the whole organization with the restructuring altogether. So those are the main areas, and I would like to go a little bit deeper in some of them as well. So, like I said, we had 11% growth for subscription-based sales. PrivX still continues to be our growth engine.
We had some significant progress in many fronts in that product and solution area, especially integrating that with key management. Our ambition always has been, in the past couple of years, to move Tectia also to subscription business. Now we are seeing some early signs on that as well, moving to subscription-based revenue for our main product there. Sorry, there are some mishap with my slides here. I don't know what happened. Here we go. All right. So we further strengthened our partner network, so we got a few interesting and important deals through partners. For instance, a banking mainframe security in Italy and in Europe, a heavy engineering manufacturing operational technology security case, fairly significant. Also, IT/OT convergent solution there, and an insurance company win through a partner in South Korea.
Like I said, we achieved also a security certificate for the ISO 27001, which is the international standard for information security management systems. So we passed that. We worked with DNV as an auditing company for that. And this is incremental to our earlier certifications that we have as a secure company. So I thought I would explain a little bit more what being a secure company delivering cybersecurity solutions actually entails. So, like I said, the ISO 27001 certificate was received. This is me and Pauli Haikonen, who is responsible for the process with us, proudly receiving the certification in Q2, in June. But we also have been certified by the Finnish Defence Forces as a facilities security company, in Finnish. Apologies for the Finnish language, for the international audience here.
This was received multiple years ago and has been renewed since. So it's just a statement of our secure operations and secure premises. We make sure that our solutions and products are safe and secure, as opposed to perhaps companies using open source, needing them to find support wherever. So PrivX, NQX, SalaX, Universal Key Manager, and Tectia. And the way that we work there is that for certain of our solutions, we also get accredited or certified by the National Cybersecurity Agency for confidential and restricted level, TL3, TL4 level. So we received yet another certification for that, for NQX, the network security solution, the latest version for that. And we do very rigorous testing of our products, and we use external partners to do pen testing and security, code security testing quarterly.
Actually, here's a result of the most recent pen testing for PrivX, as our lead product, where the rating for security was awarded to be excellent by the external auditor. Okay, so that was about security. A few words about what on products and organization. So on the solution side, we brought to market now secure collaboration. It was rebranded SalaX. In Finnish, it works like Salaiset huoneet, Salatut tiedostot, Salattu posti, and so on and so forth. We achieved first customers for the solution suite for secure mail, secure messaging, secure chats, secure rooms, secure file sharing, and secure video and audio calls as well, like today, where everything is encrypted, so no data can leak from the system to external parties.
We were engaging with campaigns to promote the new solution in the Nordics, especially, and we actually have now first trials in Central Europe as well. As I mentioned earlier, PrivX 35, it's come a long way in few years, was released in Q2. It is the biggest individual product launch since its birth, and we are driving the market to modern architecture, microservice architecture, immutable architecture, ephemeral certificate-based access or ephemeral access to modernize and get away from the huge overhead on infrastructure and having to manage with passwords or having to rotate passwords. That's where we have gained traction with PrivX in the past years.
But we also have recognized that there's a journey, there's a transition, so customers need to move, first getting control of their current secrets, and then moving to a modern way of handling them without having any permanent keys or passwords to be rotated or to be renewed. So with that in mind, we released a few new functionalities into PrivX. One is discovery of existing accounts and onboarding of domain accounts, and automatically then embedding them with password rotation if customers are not yet ready to move to ephemeral, short-lived token-based access control. We made enhancements to Secrets Vault for secrets management and password rotation, once again, just to help customers take first step in getting under control and then move to the modern architecture of immutable computing and ephemeral access.
In that area, for the ephemeral access, we made significant gains in the performance of the system for that, and zero downtime updates. So there's no gap when the solution is updated, and as you can see, we're already in version 35, so it will be updated a couple of times a year, but there's no downtime. Now, we have a customer in the manufacturing area, semiconductor area, and there's about 500,000 connections per day going through PrivX between systems. Now, first of all, we need to have the performance so that there's no lag in those. And because of the architecture of PrivX, it can actually handle; we have tested up to 1,000,000 concurrent sessions per day, which is, I think, unique.
I don't think any of the legacy PAMs that we compete against would work. They would choke, simply, or will be too expensive to facilitate them to work with that amount of traffic. But then when you have 1 million connections per day between systems, then there can't be any downtime. It has to be up and running all the time, and those are the improvements in that solution area. We finished the organizational model in March. We moved to a more simplified leadership model with three regions: Americas, APAC, and EMEA, and three business units: Secure Collaboration, Network Security, and Zero Trust. Those changes were now taken further in the whole company, and necessary changes in personnel and organizational structure were implemented, and now we are starting off with a new base. It's actually quite significant change.
There are 12, well, 13, me included, managers in new positions, new or enhanced positions, which I trust will give us a much more effort in instigating even higher performance culture than maybe before. On the organizational front, we are continuing to invest in resourcing in, especially in the United States market. That is the biggest market. We haven't been able to show that significant growth there. We renewed the team a couple of years ago, and now we're making further enhancements to have more capabilities to win more business in the U.S. market as well. Yeah, so those were the advances in quite a few areas. So we're trying to improve in many, many fronts. It's not just on the products, it's not just on the sales and marketing side, it's also on the operational and organizational model.
So I wanted to finish here talking a little bit about the kind of tailwind or opportunities that we may have moving forward, and I'll show you a few slides on those. Okay, so we've been talking about Zero Trust, OT, and Quantum Safe. That future investment for us, for future growth markets remains, no change in that. But on the post-quantum or quantum safe market, there is a couple of advancements coming out. On this, the standardization organization in the U.S. is releasing now, as we speak, the post-quantum crypto, so-called ML-KEM protocol choice, which then companies like us need to implement, and also in Europe, the FrodoKEM, which is another algorithm, is also being standardized upon. And we are bringing those two up for us as we speak. So we are one of the first ones.
We were one of the first ones with preset key sharing for Quantum Safe, and now with the key exchange and encryption algorithms as well. So we've been the forefront on that, and we will continue to be so. But there's also government focus now in Europe as a whole, U.S., Singapore and elsewhere. This is the latest news from the Finnish NCSA, just about a month ago, saying that, and I'll turn on the English text there, is the "National Cybersecurity Agency recommends that organizations start making preparations for the adoption of Quantum Safe algorithms." So there's more and more mandate for organizations to actually do something about it, not just wait or not just ponder whether this will be important or not. In the U.S., it's a law. The legislation mandates this. It's a national or nation topic.
It's important enough to protect the whole national secrets. We've been having success with the SSH key management, no surprise. I mean, we are the founder of SSH and the SSH keys, and also the first one on the market with management of those keys, because they spread like wildfire or cancer, if not controlled. But we have been struggling maybe a little bit in customers not seeing the real importance of that. I mean, even if you have a password vault or secrets vault, even if you have a privileged access management solution in place, they are fairly easy to bypass by just using SSH keys. We talk about PAM bypass or transitive trust or rogue keys for access. But now there was a significant change on the market with the market consolidation, so the market leader, CyberArk, bought Venafi.
I feel that this is a really strong statement for the recognition that this topic has to be taken now, finally, more seriously. We have a very competitive solution there. It is much more competent and has many more features than the competition there. We are the only ones who can provide automatic transition from managed keys, so not knowing where keys are, into managed keys, and from managed keys to ephemeral access. So fully automated, without having to manage or rotate or renew keys anymore. It will all be done automatically and in a highly secure manner. For that, we started three new proof of concepts with major finance institutions across the globe, actually, in all regions.
We have now three projects that have been committed to, that will start later on for the migration from key management to ephemeral access, so customers are even now asking for this. And additional to that, many customers are coming to us looking for an alternative or future alternative to just vaulting secrets, you know, using products like HashiCorp. Wanting to kind of mitigate the risk of secrets vault and finding a way to migrate to ephemeral automated, immutable access, which is the future, definitely, as all the analysts are saying as well.
And thirdly, there's a really clear need for secure collaboration, you know, Teams, Slack, whatever people are using, on-premise Skype in governmental institutions, 'cause you know, in many of the secure organizations or secret organizations, they won't let their communication to be handled in the cloud by national-international companies. They want to have their own instances, they need to govern the data, they need to have their own data sovereignty to handle it, handle it. And there's a few drivers there. First of all, on-premise Skype, which is used by many governmental organizations across the globe, will come to an end. It has been end of life already some time ago, so there needs to be a replacement for that. Customers are concerned with the data sovereignty.
The recent one was from two days ago from Disney. So Disney's Slack was robbed, and thousands of channels. So for instance, all the information about new upcoming products, like movies, is now out in the open. That's not good. So we used to protect servers and databases, that's where we all come from, from privileged access management. But now we need to protect the same way also the secure communications platforms, so the communication platforms, you know, Teams or Signal or WhatsApp or Slack, as we mentioned. And that is unique, the way that we do it is that, for instance, if you store files in the secure messaging platform, they are all encrypted individually, so nobody can steal them, nobody can do anything with them.
Indeed, we have now trials and negotiations ongoing for SalaX with multiple customers. So this I feel are very positive trends for us that we can bank on, and we don't have to change our offering, we don't have to change our tactic or strategies, we just have to do more. Finally, on OT, the OT market demand itself is accelerating. There are a couple of drivers for that. First of all, demand to fix OT security is becoming more prevalent in all companies. I mean, the attacks and ransomwares are just happening all the time. OT by design, as we have mentioned many times all over, OT by design is not really protected. It's isolated, but not protected, and the access methods are not encrypted. They're open text with the industrial protocols.
So there's a need to change that. There's a need to take more control of that, especially when more and more of the control of critical infrastructure, you know, electricity, water, and manufacturing sites are being controlled from outside, not just on the site, on the plant. There's also a need for converging IT and OT, 'cause both are there. They are separated now. Networks will continue to be separated, but the convergence of IT and OT is a big topic at the moment. And we stand in a very lucky, in a planned manner, in a lucky situation that our solution protects OT together with NQX. Actually works both for OT, with OT-specific functionalities and services, and network structure support, and for IT.
And indeed, we have now two customers recently which are implementing either first IT and then OT with our solution, or first OT and then IT with our solution. So that seems to be working pretty well. Our OT team is making good strides in building the pipeline. We've been in some quite a few events, creating new leads, and with the lead of Massimo Nardone, who joined us for Q2, for the lead of OT team, we are now pushing that forward. And we indeed have had a few, quite a few events. We had two webinars, one on the paper and pulp front, together with Stora Enso. Very happy customers, satisfied customers in that front. And another one for port operators and maritime, together with Port Technology International, Ericsson, and OneLayer. A very successful webinar as well.
And that was really timely, timely topic, these ports, and you see a couple of our use cases there in the picture as well from our customers in that space. Because we had a briefing for a Gartner analyst, Ruchi Patel, the other week, and she brought up also that one of the kind of hot topics or urgent topics, especially in the United States, is maritime and ports and port operators. So we're right on the right topic there. So I remain positive for our opportunity to find avenues for growth and to improve our profitability. And with that, I would like Michael to join me here to say a few words about the outlook as well. Thank you very much.
Okay, so the outlook for 2024, we are, is basically unchanged. We are reiterating the same outlook we've given previously. So we expect net sales to grow during 2024 compared to 2023. We estimate EBITDA and cash flow from operating activities to be positive for 2024, and at the end of last year, ARR was EUR 19.3 million, and in 2023, our net sales grew by 5.4% to EUR 20.3 million, and EBITDA was EUR 1.8 million.
This brings us to the end of our presentation today. Back to you, Aino.
Yes, thank you. We will now move on to the Q&A session, and I will shortly check the chat for any questions. But as has been tradition, the first questions will come from Redeye's equity analyst, Fredrik Wethey. So Fredrik, if you're ready, please go ahead.
Good morning, guys.
Hang on, hang on, hang on. Now we have some audio here as well. Go ahead.
Good, good morning. Can you hear me?
Yeah, we can hear you. Let me just turn it up a bit. Now we hear you perfectly.
Okay, fine. So my first question is regarding the subscription sales and PrivX. Is the performance growth from the new partners you mentioned, or if not, can you talk more about what region and type of customers that is driving, especially the PrivX growth?
Yeah, I mentioned one new customer in Q2, which is the manufacturing, heavy, heavy-duty manufacturing. That manufacturing was an order, not yet revenue. And then we had some MSP expansions, and most of the business comes through partners. So we have engaged, like, the one that I mentioned, Cancom, and in Central Europe. They're a fairly large partner, EUR 1.5 billion revenue, 5,000 employees. There's a lot of pipeline there, and some initial wins now from there. So not particularly any specific domain or any specific partners, but kind of across the board.
Mika, can you remind me the PrivX growth were in Q1?
A bit, yeah, a bit higher, about 44%, if I remember correctly.
Okay, yeah. And then, you talked about the new certification of the NQX, and you just released an updated version there. And you announced some orders coming in. Is this due to a positive NATO boost, or is an overall demand from, I mean, defense and infrastructure industry?
Yeah, this is a continuing on the major deal that we announced a couple of years ago already.
Mm.
So it's an expansion of that. And of course, all the new versions need to be certified for that. So you know, of course, you know, there's more NATO members nowadays, so it's related in a way, but not driven by that per se. But we also one of the new customer wins for NQX was from the communications and defense space area. We cannot mention the name of the company, but the area they operate is in communications and defense-supported related activities.
Okay, good. And then you wrote in the report that you reduced the number of employees by seven, and you also write that the restructuring are all done there. And I guess there's no more cuts to come now in the year.
No, I think we're now done with the organizational change-
Yeah
... and some reductions there. And, of course, organizations live, right? And people come and go, but now the organizational structural change and the changes to personnel related to that are now finished. They were announced just before mid-summer, so at the end of June.
Okay, and will you have the salaries still on your cost on the balance sheet, or, I mean, on the-
Yeah, so, we will see some of the effect in the third quarter. There was no effect from this, these organizational, latest organizational changes in the second quarter. So we will see some of the impact in the third quarter and mostly the full impact in the fourth quarter.
Oh, let me move this a bit.
My, my last question is regarding the R&D. It was slightly up in the quarter. It's slightly higher than 41% of sales. Are you increasing the R&D going forward now, or should we look around 40% of sales going forward?
Yeah, not really. I mean, if there are gaps... Hope the audio is better now.
Yeah.
If there are gaps, we will refill, but there's no plan to significantly increase the R&D now. There have been—I mean, we made some structural changes now in the organization. We also combined teams. We combined two teams together. We merged the testing, Q&A testing together. So we are getting some synergies and more efficiencies as well as we go, but no major intent to increase significantly R&D resources in the foreseeable future.
Okay. Thank you very much. That was all for me.
... Thank you, Fredrik.
Thank you very much. Now we'll move on to questions from the chat, and we do have one question there. You're reporting growth in recurring revenue ARR and subscription revenue ARR. This seems to be the case year-over-year, but in Q1 of 2024, you reported recurring ARR of EUR 19.7, now EUR 19.0, and subscription ARR EUR 12.0, now EUR 11.7. This means decline during Q2 of 2024. Can you elaborate on this? What customers are you losing, in which solution areas, and why?
Yeah, I think I can take that, or at least start. So there's a couple of reasons behind this sequential decline in the ARR from the first quarter to the second quarter. So, first of all, there's a slight seasonality in the ARR due to the fact that there's one less sales day or one less calendar day, actually, in June than in April, so 30 compared to 31. So that for the products that are invoiced on a daily basis, that reduces revenue slightly. Then we had in the zero trust product line, we had two customers where the renewals were somewhat delayed. So they were supposed to take place in the second quarter, but for different reasons, these renewals took slightly longer than anticipated.
One of them is already now closed the renewal in the beginning of the third quarter, and we expect the other one to close very shortly. The renewal, it has basically very little to do with the product, more with the bureaucracies of certain of our customers. Then finally, we saw a slight, we had one slightly larger customer loss in the secure collaboration suite, which reduced sales somewhat in June. So that would be, that would explain part of the ARR decline in the second quarter compared to the first.
Thank you. I do not see that we have any more questions... in the chat.
Unless there are any online questions, anybody raising a hand? Then I think we can say thank you very much for your interest and attention today, and we will be pushing on, and we'll be meeting and seeing you then again for Q3. I know we'll now say a few words about that.
Yes. Thank you. Investor call recordings and presentations can be found on our website's investor section. Our next investor call will be on the twenty-fourth of October when we release our report for Q3. So thank you again, and we hope to see you then.
Thank you. Bye-bye.