Welcome to SSH Communications Security Investor Call for Q3 of 2024. My name is Aino Hyväläinen. I am a member of the SSH finance team and responsible for our investor relations. The results will be presented by our interim CEO, Rami Raulas, and our CFO, Michael Kommonen. After their presentations, we will have time for questions and answers. If you have any questions during the call, you can ask by writing in the chat. The call is hosted with our own solution, SalaX Secure Messaging. The call will be recorded, and the recording, as well as the presentation material, will be available on our website, and now, I think it's time to start the presentations, so I would like to invite our CFO, Michael, to start with the financials, so please go ahead.
Thank you, Aino, and good morning also on my behalf, and welcome to our third quarter 2024 investor call. So in the third quarter of this year, we grew net sales by 1.5%, and EBITDA was 1 million EUR, so on the same level as in the previous year, third quarter. Sales reached 5.2 million EUR. Subscription ARR grew 1.8%, and within the subscription business, PrivX sales, subscription sales grew 15.6% in the third quarter. Year to date, PrivX subscription sales growth is now 25.7%. As mentioned, the quarterly EBITDA was 1 million EUR, same as previous year. So despite the moderate overall sales growth, we were able to maintain a stable profitability in the third quarter. During the quarter, our pipeline growth continued. We secured PrivX deals both in EMEA and APAC.
We also had made progress on achieving NATO approval and solution approval for NQX by the Finnish authorities. Looking at the quarterly trend, as we see here, basically the same sales and profitability numbers as in the previous quarter, but maintaining a positive trend over the year. Subscription sales overall grew 2.4% in the third quarter, and deferred revenues decreased slightly and were EUR 11.5 million at the end of the third quarter. EBIT was also positive in the third quarter and also in line with the EBITDA on a similar level as last year in the third quarter. Cash flow from operations was negative EUR 0.7 million, so depending on seasonal fluctuations in the invoicing and cash collection, negative this year versus a positive number in the third quarter last year.
Finally, on the financial side, we are reiterating our outlook for 2024. So we continue to expect net sales to grow in 2024 compared to last year, and we estimate that EBITDA and cash flow from operating activities will be positive in 2024. With that, I'm happy to hand over to our Interim CEO, Rami. So Rami, welcome.
Thank you, Michael. While Q3 was good, it was the fourteenth consecutive quarter with positive EBITDA, and we made a positive net profit. The growth numbers did not yet really meet our expectations. Though our solutions are really taken up well, and we have satisfied customers, the functionality and value of our solutions with the total cost of ownership and return of investment is superior on the market, and we are not losing opportunities. I need to say that I'm disappointed that in the turmoil of this warfare and digital attacks of, you know, phishing and ransomware and extortion and data thefts situation, customers seem to be pretty slow to make decisions and implement solutions, even if the attacks are on the rise.
But we certainly will continue that, and I see a positive outcome on our growing pipeline there. But I wanted to open up a little bit about what we indeed have been doing in the past months, and highlighting a few areas in there. So first of all, we earlier announced a couple of certifications, ISO 27001, and the certification for facility security by the Finnish Defense Forces. Now, what happened in Q3 is that we got a new approval for our network encryption solution, NQX, for confidential level from the NCSA, National Cybersecurity Authority, and got approved for NATO as a supplier for the NATO procurements.
This, especially the NATO procurement agreement and the continuous steps following that, will definitely give us an opportunity to expand our market opportunity in Europe and worldwide as well. Then we will be taking further steps, getting also approvals for the solution for NATO and Europe on the solution level as well. And this is not just restricted for the network encryption, but our whole portfolio. And, but let's see, also, the other trend we've been talking about, quantum safe and post-quantum cryptography. So what is happening there? This has taken now a step forward to protect the government entities and infrastructure.
There is a legislation law in the U.S. for this, and now the officials in Europe and in the U.S. government, and NIST, National Institute of Standards and Technology in the U.S., announced now the final release of post-quantum and quantum safe algorithms or technology, which we have implemented, and as you saw earlier, indeed, announced it in our product, NQX 3.0, so it is one of the first, if not the first, to implement these new technologies, and it also does it in a very effective way, so because of the architecture of the solution, we can claim that the solution is up to six times faster than traditional solutions even on the highest network level of up to 100 gigabits per second, which is where the networks are growing and going altogether.
And we're also part of the consortium. This consortium, Suvi Lampila, who you see speaking there in the small picture, is our representative. We are one of the very few European companies part of that. This American standardization for post-quantum technologies and algorithms and key exchange protocols. Then we have an interesting other project ongoing and soon finalizing, something called AI-Q-SEC. Now, I need to read this out loud: AI-based quantum-secure cybersecurity, automation, and orchestration in the edge intelligence of future networks, meaning OT, you know, manufacturing and critical networks. How we deploy monitoring, vulnerability analysis, secure connections, using also AI technology, which we have already had. We have AI technology in our solutions, especially in PrivX already a few years. Which gives me a nice segue to move on a little bit to operational technology, OT markets.
OT, operational technology, manufacturing companies, logistics, ports, maritime, critical infrastructure, electricity, water, and so on and so forth, continue to be the most attacked domain in cybersecurity, according to IBM's X-Force threat intelligence report. Manufacturing is the most attacked cybersecurity target since three years in a row. We kind of feel obliged to do a favor and help companies protect against that. Also, the new legislation or mandate, NIS2, came into force five days ago, in Europe, October seventeenth. The local legislation in the countries is late, but the directive and its consequences are now in play, are in force as we speak. We were very active in third quarter in promoting that. We were also participating in many OT, operational technology events in Hamburg, in Germany, in Rotterdam, in Holland.
You see there plenty of customers joining that, and we had a booth and presentation there. You see our team there. And right after the quarter- end, we also had a successful event in Chicago, ManuSec. You see our team there as well, and this week, we've been now participating in ISC in Atlanta, in the U.S. as well, collecting new opportunities and having face-to-face time with manufacturing companies, logistics companies, and critical infrastructure operators. And indeed, in the past month, have added about a dozen new opportunities for OT, increasing the pipeline by a tremendous amount. And this is a strategic area we chose a few years ago to focus on OT, but looking at it from the IT-OT convergence point of view, 'cause OT used to be a separate domain. And I will cover that in a minute.
Our portfolio has been developed further, so we have made. We came up with a new branding for our secure collaboration, SalaX. PrivX Zero Trust Suite has seen a lot of progress and new versions, and as you saw, we announced new versions for and functionalities for the network encryption as well, all connected together. What is now kind of new, and what we've been working on, is to integrate that these are not three different solution areas of our portfolio, but they're actually integrated. Like, if you think about it from the middle there, so what privileged access management solutions like PrivX Zero Trust Suite typically protect. Typically, it protects access to databases, where the critical data is, or access to files, you know, file server files.
I mean, if you think of the leaks or attacks on, in Finland for Vastaamo and City of Helsinki, it was databases or file servers. But the world has changed and is changing, so more and more of the data nowadays is not only on traditional IT, it's in our communication platforms, you know, WhatsApp, Slack, Teams, you know, places where no longer companies know where their secrets are. There'll be some alerting or alarming incidents there. I mean, the SEC and CFTC, the governance bodies in the US for finance, have slapped up to $5 billion now for over 20 banks for using WhatsApp and Signal without the banks knowing how they communicate with their customers. Disney, over 1,000 Slack channels were robbed.
And so everybody now, it's public knowledge now, what are the upcoming movies and scripts and actors and their payments. You know, I thought that was company secret, but too easy to get hold of. And it's logical that in our portfolio, we have access control to IT system, but also for the human communication part, so PrivX and SalaX. And we have now started to present how we also do just-in-time tunneling using NQX technology for the OT market, combined together with PrivX. 'Cause in the OT space, you just can't leave doors open or connections open, in or out. They have to be governed so that only the right actors and applications get access to the manufacturing operational technology components when needed on the level of needed authority.
So with that in mind, let's have a quick look on how this IT and OT convergence is developing, and how we have found our play, which is pretty unique on the market. So if you think about IT and OT, you know, about in IT, it's about information confidentiality, it's about integrity and availability of the information. On the OT side, it's about safety, reliability and availability, so very different topics altogether. And the convergence of these areas was kind of not needed in the past decades, but now, when everything is controlled digitally, we talk about Industry 4.0, digital twins, things are controlled separate and remotely and with IT systems, these are now converging. So these are typical requirements for IT access controls. You know, integration, identity-based access control, strong authentication, biometric authentication, no passwords.
Let's get rid of passwords 'cause they are the biggest threat factor in every case. Modern architectures, automatic scalability, up to millions of connections per day, and monitoring and recording of what is happening so that there's control over activities. On the OT side, it's more about governance, approving the right actors to access the critical solutions. It's about standardization, it's about support for legacy environments which don't support modern security protocols and components, and connection to Zero Trust access as well. And what we have managed to do is to actually combine these domains together as one solution area with PrivX OT and PrivX IT. And soon, we will be announcing some broadening of our OT offering, but stay put. You'll hear more about it in the coming weeks.
But I mentioned about the human communication and the sensitivity of data, and so I wanted to say a few words about how we are repositioning our SalaX secure messaging offering on the market. So when we look at the secure collaboration platform, we have an existing platform with secure mail, secure rooms, secure forms, you know, inputting data securely, and secure sign. They continue to be represented strongly, and we are actually selling more of them as well. But we introduced a new portfolio now alongside that, and as a transition moving forward with new secure mail based on Matrix technology and new secure messaging, which I wanted to share a few more words about. Doing these kind of things, like we do today, secure video conferencing, secure rooms, secure sharing, and so on and so forth, secure chatting, secure file sharing.
What we now are making a bit more public is that our technology, our solution, SalaX Secure Messaging, is based on a partnership with Element, which is the founder of something called Matrix, an open standard for secure, open protocol for secure, interoperable communications. Let me, in a minute, show you, after this, a few examples of where that technology is very widely and successfully being used already. Just to demonstrate how, I would say, clever of a platform choice we made to develop our own solution, SalaX Secure Messaging, on top of that. If you look at some of the customer cases for secure collaboration, typical area is healthcare, governmental use, and HR. You know, get employment contracts, keep all employee-related information secure, send sensitive information, collect sensitive information.
There was actually a rude hack into HR systems some while back. Somebody got access as an administrator to a HR system and moved all the payment accounts of salaries monthly salaries to Bahamas. Wow! I would not have wanted to work in that company, not being with salary for a month. So protect that. Don't let that happen. There are tools to do that. But let's have a look at some other cases now for messaging, you know, customer cases or use cases that are using this platform technology, Element Matrix technology, that we are building our SalaX secure messaging on. So one use case is the German Army, Bundeswehr, which is about simple, real-time communication via messaging services. I mean, they made the conclusion, like I mentioned, the banks already earlier, is that you can't just really use public commercial solutions like WhatsApp, Signal, Telegram.
There's challenge for the public sector, especially when it comes to national security. So it's of the highest, highest standards of security and confidentiality and data security, and digital sovereignty. You know, Bundeswehr, in this case, owning the platform, owning the data, owning the communications, but then allowing external players to co-work there. Another defense-related example is NATO, which is experimenting this. And in that case, the use case is more to allow external parties related to NATO to connect with their own devices, you know, bring your own device, without having to get people's phone numbers, but of course, strong identity verification on people who can then, and systems who can then connect to the environment.
Once again, it's end-to-end encrypted with strong encryption keys, and then that this, the use of that will very likely be enhanced within the NATO organization. French government has chosen this technology to. Actually, the French government, the French market is very advanced in digitalization. I mean, this is kind of a very modern way of communicating with 230,000 citizens per day in a very safe and modern, efficient ways. I mean, Jérôme Ploquin, who is the responsible for this project in France, said that the data has to be on their own servers, you know, probably in the country. They can't allow the data to be out of the country, you know.
There is the Patriot Act in the US, you know, that creates ambiguity, and the commercial providers' business models did not suit the security requirements or sensitivity requirements of the French government. A huge upcoming solution area is German healthcare, Nationale Agentur für Digitale Medizin, the German agency for medication and patient care. 150,000 organizations will join that to serve 74 million people in Germany to make sure that the communication is interoperable and all participants, you know, whether they're doctors, pharmacists, hospitals, or us as the consumers, patients, are all interconnected, and those contact data can be found, but the messaging is done in a very quick and snappy way, in a very secure way.
And then the last example of users of this technology is Swiss Post, who's been building a messaging service for easy digital communication with customers. I think this is really cool. I mean, normally, disruption doesn't happen from the industry in itself. In this case, the Swiss Post, you know, delivering post, as we see in the picture here, is revolutionizing the digital communication using modern, communication or messaging platform like this. So these are some end user customer cases using technology we have chosen and using our solutions. But let's have a look at, our implementation to, for growth is to work through partners and with partners. So there's been a bit, quite a bit of positive progress with our partner network and partners in the past couple of months as well, and I wanted to share those with you as well.
We have plenty of partners. Here are some examples of global players and some local players. Oivan is in the Middle East, ISSP is in Ukraine, and we have pretty much partners in every country of the world. In the past, we have more and more couple customer cases coming up, and indeed, we have now signed quite a few new partners in the past couple of months. A few of them were at the end of June, but the rest in Q3, in Central Europe, in the Nordics, in Ireland, in South Korea, in Taiwan, in Thailand, and so on and so forth. At the same time, we have also trained or certified around 50 new, on top of the existing ones, technical engineers on our solutions within the partner network.
I see a lot of traction, and the pipeline, I mean, meaning new customer cases arising from our partner network, is on the increase quite nicely. With the streamlined and more effective organization, the change we made in the second quarter, a more active and proactive partner network with its growing pipeline for new opportunities, we aim to be more successful in our growth ambitions and continue to improve our profitability. With that, I would like to invite Michael back for potential Q&A session.
Yes. I will check the chat for any possible questions shortly, but as has been tradition, the first questions will come from Redeye's equity analyst, Fredrik Reuterhäll. So Fredrik, if you're ready, please go ahead.
Good morning.
Morning.
Morning. My first question is regarding the customer's delay that Rami is talking about in your report there. Can you give, I mean, more details on how the delay is distributed across the different regions and customers? Was there any larger orders or deals that was pushed forward that you can tell us into Q4?
Yeah, I think this is a fairly generic. I mean, maybe earlier in the year, there was some uncertainty for investments, but now that interest rates, maybe overall investment willingness may be developing more favorably, that may have changed. But we just see that kind of the final decision-making kind of, if you wish, pushing the button. So, you know, sign an agreement, issue a purchase order, and get the project delivered. There are too many cases that for various reasons, some are organizational reasons, some are financial hesitant reasons, some are resource allocation reasons, have just kind of postponed. We, like I said, they're not gone. We feel confident that many of them will actually happen. And then we also have a few cases over the summer that we did win.
We got the win, but the customers, some of those customers do want to do more of a restricted pilot or initial installation, and then expand it after four to six months into the final production, which means that the revenue will also follow a bit later.
Okay, so it's not one thing, it's different reasons-
Yeah.
Depending on the customers.
That's what makes it a bit of a challenge to kind of say, how can we, how can we speed it up? How can we influence? Of course, we have doing all the tricks in the book of sales-
Mm.
To encourage customers to buy faster and more quickly.
Okay. And you said that some was pushed forward, but you can't really say if it's gonna be in next quarter or in Q4, or next year, or it's-
No, not really. But there's, I mean, the one that we mentioned in early of the year is about that 1.8 million cryptographic solution, and half of that will be recognized this year. That didn't recognize yet, but our plan is still to recognize it this year.
Yeah, okay. My next question is regarding the partner agreement. I mean, you signed a lot of agreements now, but I'm still waiting for this sales boost, as you are, I'm sure. But when... I mean, you have experience and seen before, how long would it take before these new partners agreements start to kick in, so to speak? I mean, are we talking a few months or half a year, or?
Yeah. Yeah, I think that's a great, great question. And, you know, it's not like we're just signing new partners. I mean, we've been working with these partners. You know, the partnership starts from having initial customer cases at hand, then you formalize the relationship for an agreement and train technical people and salespeople. So it's not just a technical agreement. So there are cases behind all of these partners. And, for instance, with one of the partners, we just, that was on the slide there, we just made a quote, an offer for a large major energy company. And that, doing that to going through the RFI, RFP process and presenting the solution, took about three months from the customer side as a process.
Now, they will evaluate and select, and then the proof of concept and pilot will start. So some of these projects take about six months, some much longer. So I would say six to twelve, even unfortunately, up to eighteen months before they kind of from where we are already working on it, before they materialize into monetary terms.
Okay, and then on cash flow and liquidity, Michael, you talked about it, and it's nothing to be worried about, I guess, or it just
Yeah, well, I mean, as you can see from the report, the cash position was quite low at the end of the third quarter, and of course, we are well aware of that, and have been well aware of that, and follow it closely, and taken measures to secure liquidity through operational cash flow measures, and as also mentioned in the release today, the cash position has improved since the end of the third quarter, and we expect it to improve towards the end of the year as well.
Okay, that's good. I think that was all for me. Thank you very much.
Thank you.
Yes, thank you very much. I have checked the chat, and there don't seem to be any more questions. We did just get one.
Can you read it out loud? It's a bit smaller.
Yes, of course. Hi, Rami Raulas has been interim CEO since early this year. Is SSH really actively looking for a new CEO, some progress in that? If not, why not end this interim status and make Rami permanent CEO? Particularly, to bring someone from outside SSH as a CEO at the SSH current situations looks risky. As owner and shareholder, I'm pleased with Rami's performance as interim CEO, and I suggest to end his interim CEO period soon and make him CEO, unless the new CEO search really is ongoing and active. Can some SSH board member comment this issue, too?
Yeah, well, your confidence, you know, this is a question I cannot address. I'm fully committed, and I'm trying to do my best. I think we have good results and good progress and development ongoing, so I think you'll have yet to address the question elsewhere.
Yeah.
Go after that.
Thank you. And I still don't see any more questions, so I think we can start closing the call. Thank you very much, Rami and Michael, and thank you to everyone who has been following us online. The material for this call and our previous calls can be found from our website's investor section. Our next investor call will be for Q4, and it will be on the fourteenth of February, 2025. So thank you again for participating, and we hope to see you in February.