Bridge Report: (4493) Cyber Security Cloud First Half of Fiscal Year December 2020
President & CEO Hikaru Ohno
Cyber Security Cloud, Inc. (4493)
Information and Communications
President & CEO
VORT Ebisu maxim 3F, 3-9-19 Higashi, Shibuya-ku, Tokyo
Shares Outstanding (Excluding Treasury Shares)
Total Market Cap
Dividend yield Est.
*The share price is the closing price on September 11. The number of shares issued was calculated by subtracting the treasury shares from the number of outstanding shares at the end of the latest quarter. ROE and BPS were taken from the results in the last year-end.
Change of Non-Consolidated Business Results
December 2016 Act.
December 2017 Act.
December 2018 Act.
December 2019 Act.
December 2020 Est.
* The estimates were provided by the company. Units: million yen and yen. The term ended Dec. 2016 was a 6-month term, due to the change of their accounting periods.
* The company carried out a 10-for-1 stock split in March 2018, a 100-for-1 stock split in September 2019, and a 4-for-1 stock split in July 2020. (EPS was revised retroactively.)
We will introduce Cyber Security Cloud, Inc., which was listed in Mothers of Tokyo Stock Exchange on March 26, 2020.
Table of Contents
1. Company Overview
2. First Half of Fiscal Year December 2020 Earnings Results
3. Fiscal Year December 2020 Earnings Forecasts
4. Interview with President Ohno
<Reference: Regarding Corporate Governance>
- Cyber Security Cloud offers security services, including “Shadankun,” a cloud web application firewall (WAF) for protecting websites and servers from cyber attacks, and “WafCharm,” a service that uses AI to automatically manage “AWS WAF” rules. “Shadankun” swiftly detects general attacks, discovers unknown attacks and false positives, and responds to the latest threats by utilizing an AI engine for detecting attacks based on deep learning. The number of companies or websites that have adopted the services of Cyber Security Cloud is the largest in Japan, and these services are used regardless of corporate scale.
- For the first half of the term ending December 2020, sales were 540 million yen, up 50.2% year on year, and operating profit was 100 million yen, up 43.8% year on year. The sales of Shadankun, for which the company received new orders and kept its cancellation rate as low as around 1%, increased 31.0% year on year. The sales of WafCharm and Managed Rules grew 261.8% and 600.8%, respectively, year on year. This sales growth offset the augmentation of operating costs due to business expansion and upfront investment, including the increases in server costs, personnel expenses mainly for engineers and sales staff, R&D costs, and advertisement expenses. There is no revision to the full-year forecast, and it is estimated that sales will be 1.12 billion yen, up 38.0% year on year, and operating profit will be 170 million yen, up 24.4% year on year. The progress rate toward the full-year forecast is as healthy as 48.3% for sales, and 58.3% for operating profit.
- While web applications are increasingly used, cyber attacks targeting their vulnerabilities are increasing, and the vulnerabilities of individual systems are being exposed one after another as they are attacked. As a countermeasure, appliance-based WAFs have been used, but they have some problems, including the complexity of installation, limited scalability and visibility, and false positives. Accordingly, the cloud WAF, at which Cyber Security Cloud excels, is becoming mainstream. Shadankun has been installed the most among cloud WAF services, and its strength is high-quality security based on overwhelming data volume and deep learning. In addition, there are no products competing with WafCharm around the world, and the company plans to make it compatible with cloud platforms, by releasing the Microsoft Azure version and then the Google GCP version by the end of this year. The number of users of Managed Rules, which was released in February 2019, is increasing steadily. The company hopes to achieve sales of 10 billion yen as soon as possible by selling mainly these products.
1. Company Overview
With a management ethos to create a secure cyberspace that people around the world can use safely, Cyber Security Cloud provides web security services, including “Shadankun,” a cloud-based web application firewall (WAF) that visualizes and blocks cyber attacks on websites, “WafCharm,” a service for the automatic management of AWS WAF rules (signatures), and “AWS WAF Managed Rules,” a set of rules for AWS WAF. These services utilize world-leading cyber threat intelligence and AI (Artificial Intelligence) technology, and are offered on a subscription basis.
In September 2018, the company formed a group with the subsidiary Cyber Security Cloud, Inc. in Seattle, Washington, the U.S., which was established with the aim of selling Managed Rules, which are a set of rules for AWS WAF, and is expanding its business overseas. However, the subsidiary is excluded from the scope of consolidation as it does not currently have a material impact on the corporate group’s financial position, earnings results, or cash flow.
1-1 Security measures and CSC’s business operations
Increased use of the Internet has facilitated the spread of a wide range of online services, which make daily life and running businesses much more convenient. Against this backdrop, cyber attacks are increasing. There are two main security measures companies put in place. One is corporate security, which is designed to protect PCs and in-company networks from malware (malicious software/programs). The other is web security, which protects public servers from attacks on software vulnerabilities and the web application layer. For an e-commerce site like Amazon, where many users register their credit card information, it is web security that protects such sensitive data.
When it comes to web security, there are several layers of protection, including that for web applications (applications and services that can be used via a web browser), software/operating systems (OS), and infrastructure/networks. The level of security required differs depending on the layer. It is the job of the web application firewall (WAF) to protect the web application layer, which constitutes websites, from cyber attacks. WAFs are predominantly appliance based, software based, or cloud based. Cyber Security Cloud offers “Shadankun,” cloud-based WAF services for corporations and other entities that provide web services.
*WAF is a firewall that prevents intrusions such as SQL Injection and XSS, which can cause information leakage and the falsification of websites. It can also handle attacks that conventional firewalls or IDS/IPS were unable to prevent (from the reference material of the company).
Cloud-based WAF “Shadankun” was launched in 2013, and boasts the No.1 position in the Japanese cloud-based WAF market in terms of the total number of companies/websites using the service. Shadankun’s success owes to the ease of installation, the reliability of it being developed and operated in-house by Cyber Security Cloud itself, and the firm’s extensive track record of providing services to major corporations. However, with many of the data leak incidents that have occurred in recent years being caused by unauthorized access to websites, website security measures remain insufficient. There also appears to be a significant number of website operators that are under the false impression that security measures are already in place, according to an awareness survey on security software by Marketing & Associates.
In its web security business, Cyber Security Cloud provides Shadankun, a cloud-based WAF; WafCharm, a service for the automatic management of rules for AWS WAF provided by Amazon Web Services (AWS) that is based on technologies built up from the operation of Shadankun; and Managed Rules, a set of security rules for AWS WAF.
Cloud-based WAF “Shadankun”
Shadankun is a cloud-based security service that detects, blocks, and visualizes cyber attacks on web applications. From development to operation, sales, and support, Cyber Security Cloud handles all aspects of the service. This enables the company to accumulate a wealth of data on cyber attacks on websites, as well as build up operational know-how (over one trillion rows of data from over 10,000 websites). By reflecting the accumulated data when developing/customizing Shadankun or when updating its signatures (patterns associated with malicious attacks), the service helps keep websites secure. Shadankun also visualizes cyber attacks in real time, identifying the type of attack and the IP address (i.e., countries and attack types) the attack is coming from. Such data can be viewed on the management screen. The visualization of these invisible cyber attacks enables companies to gain a better grasp of their security situation and share information more effectively.
Two types of Shadankun services offered
Cyber Security Cloud offers two versions of Shadankun, one being the server security (agent linked) type, which installs a security agent onto the client’s server. The agent detects and blocks attacks by receiving log entries/block commands from the cloud-based monitoring center. The other is the Web/DDoS security (DNS switching) type, which involves switching “DNS (domain name system) only” and directing traffic to Shadankun’s WAF center, which detects and blocks attacks. Having two services like this means that Shadankun can be deployed regardless of a customer’s web application environment.
For the Web/DDoS security type, the website is accessed through the WAF center, which analyzes each access and determines whether it is a cyber attack. Because it requires only a DNS switch, it can be installed easily and places no burden on a website’s resources. However, as traffic is redirected (i.e., goes through the monitoring center), delays may occur for e-commerce, media, video-streaming, and other high-traffic sites. In contrast, the server security type is able to respond to attacks with little transmission delay and is unaffected by the volume of network traffic, as the monitoring center, which is a separate system, analyzes potential attacks and sends blocking commands directly to the security agent installed on the server.
(Source: Reference material of the company)
Utilization of AI
AI is also increasingly utilized for Shadankun. In particular, using AI enables Shadankun to detect attacks that conventional signatures could not detect, and also identify false positives that negatively impact customers’ services. Through Cyber Security Cloud’s neural network (technology/network used for machine learning), the AI engine learns not only normal attacks, but also legitimate user access and requests that have falsely been labeled as malicious. It evaluates daily access data and detection data, improving signature accuracy day by day.
“WafCharm”, a service for the automatic management of AWS WAF rules
WafCharm, launched in December 2017, is equipped with an AI engine that learns attack patterns on web applications accumulated by Shadankun. It enables the automatic management of rules for AWS WAF, provided by Amazon Web Services (AWS), which holds the largest share of the global cloud market. WafCharm has gained high marks for its ease of installation and operation, as well as for the swift development of new features supporting new AWS WAF functionalities, backed by its partnership with AWS.
While AWS WAF increases the security of web applications, the site operator must create and enforce rules to filter web traffic themselves. Making full use of it requires considerable time and knowledge. However, WafCharm is equipped with an AI engine that automatically applies the most appropriate rule among many AWS WAF rules for the target web application, automating all necessary security options. It is automatically updated to deal with new vulnerabilities, keeping the website secure at all times. It is also equipped with a reporting function, which compiles the number of detected attacks, the type of attack, the source country, and the attacker’s IP address for each rule, as well as a notification function, which sends an e-mail containing details of detected attacks in real time.
AWS WAF Managed Rules
AWS selects and provides security rules that have been written by expert security vendors. AWS WAF Managed Rules are a comprehensive set of security rules needed to mitigate specific threats. Security is limited to specific threats, but installation and operation are simple. Managed Rules is a package service that draws on AWS WAF rule-setting expertise built up through the operation of WafCharm. AWS WAF users can easily use Managed Rules from the AWS Marketplace.
Cyber Security Cloud’s U.S. subsidiary, which has been certified as the seventh AWS WAF Managed Rules seller in the world, began selling the group’s own rule set on AWS Marketplace at the end of February 2019.
1-3 Business model
Shadankun, Cyber Security Cloud’s core service, is offered on a subscription basis (monthly billing) over a period of time, in which customers are charged fees for access under the premise of continuous service. Revenue streams consist of monthly recurring revenue (MRR), initial installation fees, and non-recurring revenue (one-off payments). Over 95% of revenue generated from Shadankun is recurring revenue. It also boasts a high service continuation rate, backed by the successful improvement of customer value through the accumulation of data on web application vulnerabilities, its swift response to these vulnerabilities, signature setting, and rule customization. Over the last 12 months (from July 2019 to June 2020), Shadankun’s churn rate was a mere 1.15%. From development to operation, and support, Cyber Security Cloud provides all aspects of the service in-house, drawing on its expertise and increasing customer satisfaction.
(Source: Reference material of the company)
2. First Half of Fiscal Year December 2020 Earnings Results
2-1 First Half of Non-Consolidated Earnings
1H FY 12/19
Ratio to Sales
1H FY 12/20
Ratio to Sales
*Unit: million yen.
Sales grew 50.2% year on year, offsetting the cost of investment for mid/long-term growth, and operating profit rose 43.8% year on year.
Sales were 540 million yen, up 50.2% year on year. As the company received new orders, monthly recurring revenue (MRR) increased and cancellation rate was kept as low as around 1%, so the sales of Shadankun grew 31.0% year on year to 440 million yen, and the sales of WafCharm and Managed Rules significantly rose 261.8% and 600.8%, respectively, year on year.
Operating profit was 100 million yen, up 43.8% year on year. As the costs for servers augmented for dealing with sales growth and upgrading the security type of DDoS and personnel expenses increased for increasing engineers, cost ratio rose 4.6 points to 33.1%, but gross profit increased 40.5% year on year due to the sales growth. It offset the augmentation of SG&A caused by the increases in personnel expenses (up 26 million yen) and recruitment/education costs (up 12 million yen) through the increase of employees, mainly sales staff, the rise in costs (up 6 million yen) for enhancing R&D activities, and the growth of advertisement expenses (up 7 million yen). Due to the expenses for issuing shares, listing, etc., non-operating costs increased, but net profit grew 27.1% year on year to 78 million yen.
Sales of each service
1H FY 12/19
1H FY 12/20
No. of enterprises using services (End of 1H of FY12/20)
272 (fee-paying users)
*Unit: million yen.
Shadankun: A cloud web security service for blocking cyber attacks from outside and protecting websites from the leak of personal information, falsification, and the suspension of services, etc.
WafCharm: Service of automatically managing rules of AWS WAF after learning with AI for customers using AWS WAF, which is provided by Amazon Web Services (AWS)
AWS WAF Managed Rules: A security rule set for AWS WAF, which is provided by vendors specializing in security
(Produced based on the reference material of the company)
2-2 Performances by Services
Major KPIs of Shadankun
1H FY 12/19
1H FY 12/20
ARR (million yen)
No. of enterprises using Shadankun
ARPU (thousand yen)
Churn rate [%]
* ARR (Annual Recurring Revenue) is calculated by multiplying MRR as of the end of the month concerned by 12. MRR stands for monthly recurring revenue in the subscription model. It is the sum of monthly revenues earned continuously from existing customers.
*ARPU stands for Average Revenue Per User.
*Churn rate is obtained from the latest 12-month average of MRR churn rates. MRR churn rate is actual churn rate obtained by dividing the MRR lost in the month concerned by the MRR as of the end of the previous month.
As new subscriptions increased and churn rate was as low as 1.15%, the number of client enterprises increased 18.0% from the end of the same period of the previous year to 851. As the company received orders for high-priced plans and implemented the upselling strategy, ARPU increased 8.3% year on year (4.0% from the end of the previous term) to 1,027 thousand yen, so ARR grew 27.9% year on year to 870 million yen. This means that, even if there are no new customers, the company has enough existing customers to earn annual sales of 870 million yen.
Most of the reasons for cancellation are the closure of websites, the integration of servers, and the termination of contracts between partners and end users, and few cancellations are attributable to the company. The company considers that if churn rate is within the range from 0.8% to 1.3%, the business is healthy.
2-3 Financial condition and cash flows
*Unit: million yen.
Cyber Security Cloud was listed in Mothers of Tokyo Stock Exchange on March 26, 2020. For listing, the company issued 70,000 new shares, procuring about 280 million yen, and exercised share acquisition rights, procuring 18 million yen, so cash and net assets increased. Retained earnings stood at negative 51 million yen, but it is expected to turn positive by the end of this term. Capital-to-asset ratio was 73.4% (42.1% at the end of the previous term).
1H FY 12/19
1H FY 12/20
Operating Cash Flow (A)
Investing Cash Flow (B)
Free Cash Flow (A+B)
Financing Cash Flow
Cash and Cash Equivalents Final Balance
*Unit: million yen.
The company secured an operating CF of 24 million yen, as pretax profit was 93 million yen, accrued accounts payable decreased 25 million yen, and income taxes amounting to 25 million yen were paid. Financing CF is attributable to the issuance of shares, etc.
3. Fiscal Year December 2020 Earnings Forecasts
3-1 Full Year Non-Consolidated Earnings
FY 12/19 (Act.)
Ratio to Sales
FY 12/20 (Est.)
Ratio to Sales
*Unit: million yen.
It is estimated that sales will grow 38.0% year on year and operating profit will rise 24.4% year on year.
Sales are projected to increase 38.0% year on year to 1.12 billion yen. It is forecasted that the sales of Shadankun will grow 31% year on year, the sales of WafCharm will increase over two times, and the sales of Managed Rules will rise around 90%. The sales growth will offset the augmentation of operating costs due to the increase of servers and employees, mainly engineers and sales staff, and the rise in advertisement costs (for distributing video ads for gathering information on prospective customers and enhancing brand development), and operating profit is estimated to rise 24.4% year on year to 170 million yen. Net profit is forecasted to decline, due to the augmentation of non-operating expenses for listing, etc. and the increase of tax burdens for eliminating the loss carried forward in tax affairs.
The progress rate toward the full-year forecast is 48.3% for sales, 58.3% for operating profit, 56% for ordinary profit, and 55.5% for net profit.
Sales of each service
FY 12/18 (Act.)
FY 12/19 (Act.)
FY 12/20 (Est.)
*Unit: million yen.
3-2 Regarding the spread of COVID-19
The coronavirus pandemic has produced favorable effects on the results for this term, and also on the mid/long-term business performance.
It had been forecasted that existing customers would cancel the service due to the worsening of business performance amid the coronavirus crisis, but the number of cancellations attributable to the pandemic was only 4 in the first half. On the other hand, ARPU increased for some customers through upselling in response to the increase of web services, promotion of telework, and the increase of traffic due to the consumption by people staying home, etc. As for the activities for increasing new customers, the lead time for business talks was lengthened for some customers due to the popularization of telework, but the monthly amount of orders received hit a record high in June 2020 (sales will be posted in July 2020 or later), thanks to the rise in awareness about security caused by the increase of cyber attacks around the declaration of a state of emergency.
Cyber-attacks are increasing due to the increase of web services and the promotion of telework, and in the medium/long term, it is estimated that cyber attacks will increase further, expanding damage. According to a survey of the company, the number of cyber-attacks increased 19% before the declaration of a state of emergency, as companies adopted telework and the use of EC sites increased due to the consumption by customers staying home, and even after the lifting of the state of emergency, the number of cyber attacks increased 6% compared with the period before the declaration of a state of emergency. There are time lags between an attack and detection and between detection and announcement, and the total time lag is about 452 days on average. Accordingly, damaged cases are still to be announced. Through the enforcement of the amended Act on the Protection of Personal Information, demand is expected to grow further.
The company proceeded with the development of a business operation system under the telework environment. These efforts bore fruit, and recently, business operation has been improved, and customer support by telephone, which temporarily decreased, returned to normal.
4. Interview with President Ohno
Cyber Security Cloud was listed in the Tokyo Stock Exchange Mothers section on March 26th, 2020. We often hear about firewalls, but their specialization in web application firewall (WAF) technology to protect websites and servers is quite unheard of. According to research undertaken by Cyber Security Cloud, 85.7% of companies are investing heavily in security measures, while only 8% have adopted WAFs. The company can already stake its claim as the national leader in the WAF market, which still has considerable room to grow going forward. We stopped by Cyber Security Cloud's head office in Ebisu (Shibuya-ku, Tokyo) for a visit with President Ohno and Director Kurata.
Hikaru Ohno – President & CEO
Born in 1990. Waseda University alumnus. While still in high school, Mr. Ohno started up his own marketing-related business to pay for his tuition and got it on track. After being admitted to university, he did the same thing again as he started up a business offering cloud-based solutions for waste disposal operations to companies to help increase their efficiency.
From 2013, he worked for a boxed meal delivery start-up as new operations manager and then head of the company president's office. In 2016, finally pursuing his long-time interest and moving into the field of big data, AI and cyber security, Mr. Ohno was appointed as president & CEO of Cyber Security Cloud Inc.
4-1 The WAF market entering the expansion phase
During the briefing session beforehand, we were told that while 75% of business owners felt cyber security is a necessity, the ratio of WAF implementation remains at 8%. Would you say that although a large number of businesses have brought in firewalls and IPS/IDS, there are not many that have opted for WAF?
President Ohno: Yes, I'd say that's the case. Firewalls in particular have a high penetration rate. Conversely the penetration rate for WAF is extremely low. Putting them in order, firewalls and IPS/IDS would have the highest penetration rates, and then there's a huge drop off for WAF.
Director Kurata: One of the features of a firewall is control over the network layer, so you can decide whether communicating partners are granted permission or check whether those processes required as part of communications have been properly performed. If we were to use snail mail as an analogy, it looks at things like whether the sender and recipient are correct, or whether the right stamp has been affixed. It cannot block mail from going through, even if the contents of the mail are dangerous. The contents are checked at the application layer.
That's useful to know. An attack on a web application would occur at the web application layer, so while a firewall is capable of providing protection at the infrastructure or network layer, it wouldn't necessarily be able to identify and defend against attacks at the web application layer. So, to use an analogy again, a firewall could block an attack at the state level, but if you wanted to block an attack targeting a specific city within that state, you'd need a WAF.
Even though I understand the necessity of WAF, I do have to question why it hasn't penetrated the market further to date.
President Ohno: Well, that would be because installation is costly and operating a WAF is quite difficult. On top of that, and to be frank, there've been a lot of WAF products that are horrible to use: Traditionally there were a lot of cases where things that shouldn't be detected were detected or users could not access the sites they were trying to visit, which is why WAF has got a bad rap in this sense.
(Material provided by Cyber Security Cloud)
Do you mean that the operation of WAFs is becoming more effective and efficient, because it became easier to install it and it became possible to utilize AI through the provision via the cloud? WAFs are now becoming available, do you think that the WAF market is entering a period of growth?
President Ohno: The cloud making installation and operation of WAFs easier is one key point to bear in mind. Costs going down is another key point. Then there's the fact that e-commerce conversion rate has gone up, along with the number of websites storing personal data. It is obvious that e-commerce has increased, but there are now a large number of subscription-based sites. Before, you used to be able to browse content without registering as a site member, but now there are a lot of sites out there that are basically customised for registered members or that show them targeted information, so if the site owner doesn't have a WAF installed, they can't protect their users. These three points form a set. The reason why we've managed to do so well during the expansion period is because we installed AI early and had a unique architecture. The market did not grow due to the utilization of AI. The research into AI has not progressed in our sector yet.
WafCharm and Managed Rules, which have no competing products, have room for application to APIs and IoT
Cyber Security Cloud uses two forms of AI: WRAO, which is used for WafCharm, and Cyneural, which uses information from previous attacks to forecast future attacks. Will Cyneural remain exclusive to Shadankun?
President Ohno: It's not just for Shadankun, it's deployed across our security services as a whole. Shadankun and WafCharm each have their own sets of rules, but cyber attacks on websites are the same. Cyneural is there to help increase the precision of detecting attacks.
I see… Cyneural is the technology that is the source of your competitiveness. As for WafCharm, AWS must have been grateful for this service becoming available.
President Ohno: Yes, I believe they're happy it's out there now – we’ve received full support from AWS. When some clients send inquiries to AWS Japan about security operations, they often introduce our company to them.
During the briefing session, it was mentioned that, in the future, platformers themselves may become threats. Do you mean that a positive relationship with AWS has been developed via WafCharm and similar services?
President Ohno: Yes, the current situation is like that. AWS are sharing relevant information concerning their development policies with us, so there's no reason not to believe we won't have a positive relationship going forward.
I've heard you've been making plans in terms of developing products compatible with Microsoft Azure and Google GCP. Do you mean that these products not only contribute to an increase of revenues, but also foster good relationships with platformers?
President Ohno: Yes, I'd say so. If we can show them what we're capable of, they'll realize they won't have to do it themselves. Our line of thinking is geared towards taking the initiative.
Are there any products similar to WafCharm available overseas?
President Ohno: No. There are no competing products.
It seems that WafCharm has more potential than Shadankun.
President Ohno: Yes, at the global level. However, in Japan, I think that Shadankun has more potential. Amazon sometimes makes a sudden change, so there are uncertainties. For example, they make cloud servers available free of charge at a certain level, like Yahoo! BB. If WafCharm were widely made available, it would get a sudden boost in momentum, enabling us to grow our user base greatly.
Those are good "uncertainties" to have. Managed Rules, which was released in February 2019, is a slightly different proposal, being sold as a package collecting a number of AWS rules.
Director Kurata: Yes, it's a rule pack. Right now there's a set of rules offering generalized protection... Or rather, one rule set capable of protecting against the 10 most frequent cyber-attacks and another rule set aimed at API and server-less environment users, which we've released as individual rule packs.
Are Managed Rules available through one-off payment? Are you planning on constantly expanding your product line-up?
President Ohno: It is not offered through one-off payment, but there are recurring charges. We're planning to add products for IoT and API to our line-up. The API one has already been released, but I'd like to release products considering current trends or users' needs.
AWS currently have their own rule set, although there is still plenty of room for expansion in other fields. During the briefing session, I was told that your ARPU had gone up due to up-selling. What does up-selling mean?
Director Kurata: Basically, we charge customers based on the traffic flow for each individual site, or the number of servers. Accordingly, if traffic or the number of servers goes up, the amount billed for goes up as well: the principle here is that our revenues increase in parallel with our customers’ growth. Our product is often adopted by companies that are increasing their servers and websites, so ARPU tends to increase with time.
4-2 Market trends and advantages
During the briefing session, we were told that most international companies are similar in size to Cyber Security Cloud. Are there any companies you view as competitors? Out of the major companies Imperva comes to mind.
Director Kurata: I can't really think of any, out of the companies listed on the Japanese stock exchange. As for Imperva, I know they were taken over by an investment fund, so now they're under their ownership, so I don’t know the details. It's not like I know what the revenue figures are for each company out there at the global level. There are a number of companies out there that handle WAF appliances, cloud-based WAFs and integration, but there aren't really any who are cloud-based WAF specialists. Not even Imperva are dedicated specialists in this sense. They may have a branch office here incorporated under Japanese law, but their cloud-based WAF sales are smaller than ours.
Would you say cloud-based WAF services are going to be bigger than WAF appliances as a trend?
Director Kurata: Yes. Our data points to more growth for cloud services compared to appliances.
President Ohno: The WAF sector is growing as a whole and WAF appliances are doing well, but cloud-based WAF services are doing even better. We've also seen a forecast that the cloud-based WAF market will surpass the appliance market by 2023 or so. Easy installation is going to be the key point where the cloud wins.
President Ohno: It is said that interference and system failure often occur in appliance WAF. I heard that when it was installed, the system stopped. On top of that, operations are based on manpower, creating a lot of strain for operations. We use the cloud, so whenever we have an update, it can be reflected in the whole of our user base. Conversely WAF appliances are assembled from scratch and operated, so real-time updates are more difficult to implement and less frequent. This will depend on the systems integration agreement, but another downside to WAF appliances is the fact there's less of a chance they'll be capable of dealing with the latest forms of cyber-attacks.
Many companies handle WAF appliances, cloud-based WAF, and integration. Still, it may be difficult for a major company that handles all of them to concentrate management resources on the cloud-based WAF. I feel that the strength of cloud-based WAF is your company's strength as it is its specialty. How about AI, as another strength? If a company has financial power, it can adopt AI. So, do you think it is easy for a large company with the financial capability to catch up?
President Ohno: AI is about how much data there is and how many engineers can analyze it. We have the advantage of having raw data. The data we have is more than 1.5 trillion, and it is the source to improve the AI engine. Some companies sell unique information such as information related to new attacks, and we also use it. However, raw data and log data are necessary to improve the level of AI. Fundamental data and its amount. We need to improve the basics. That is why, first, we need fundamental data. About 80% is determined by the amount of fundamental data. Also, we need to deal with high-quality attacks, so basically, we buy data from Israeli companies and incorporate them.
Director Kurata: The data we purchase is information related to vulnerabilities. There are various types of web applications among the web applications that we protect. Information on vulnerabilities and updates related to them is circulated worldwide every day. Suppose the data is collected and we are notified of it daily or once every few days, our security engineers will check it and assess these vulnerabilities' impact on the users. If the impact was significant, we would create rules to protect against them and rules to deal with the attacks. We do not only assess the impact of the attack, but also verify whether there is a similar attack or access using the data we received in the past and the access log data. After we devise the needed rules, we evaluate whether it can fully protect from the attacks or not, and then update our product.
So, even if a well-funded company enters the market, it would still be challenging to close the existing gap.
President Ohno: That's right. Since our company develops and operates our products in-house, we have accumulated knowledge and know-how, such as rule construction and characteristics of web applications. If you enter the market suddenly, you will make false detections if you do not have the knowledge or know-how.
Director Kurata: Normal access and general user access are allowed, but attacks are blocked. False detection is the accidental blocking of access by general users. The rules determine what the WAF blocks. However, if it makes an incorrect detection, general users will not be able to visit the website. It is said that the operation of this area is difficult in the WAF domain, so, knowledge and know-how on this matter are required.
I see. If you search for a cloud-based WAF provider on the Internet, you will find a good number of companies, but they do not necessarily self-develop or self-operate products, right?
President Ohno: That's correct. I think more companies rely on OEMs. There are several OEM companies in Japan, South Korea, the United States, etc. There are only a few remarkable companies that develop and operate products in house as far as we know.
Is the difference between your company and other companies the number of client companies and the amount of data that comes from them?
President Ohno: I think the amount of data is the most substantial difference. It depends on the number of installations. Our number of installations is over 12,000 websites. The amount of data is overwhelmingly different, as the other companies do not have half of this amount.
The coronavirus crisis and the WAF market
Is there statistical data showing the trends of the WAF market?
Director Kurata: It is not the statistical data for the WAF market, but according to a research company, the 2023 forecast for the information security managed services and cloud service market is 246.2 billion yen.
President Ohno: The growth rate is likely to be a little faster, so I think it's becoming a bigger market.
Director Kurata: That's true. It is data on the 5 years from 2018 to 2023. So, there is a possibility that the market would grow because of the influence of the recent coronavirus spread.
Do you mean that the coronavirus's influence is the expansion of EC due to the consumption by people staying home?
Director Kurata: In addition to the expansion of existing EC, restaurants have increased to-go dishes, and online services have replaced various services. That is why Internet traffic is increasing worldwide. For our customers, content services are among the things that have actually increased traffic. In the education domain, since schools are closed, some customers release educational content for free, and some release manga content for free for a limited time. For these customers, communication traffic volume increased extremely and the conventional contract plans could not cover them and so we received additional orders.
What industries do you have many clients in, and what are their characteristics?
Director Kurata: We deal with a wide range of industries, but a relatively large number of our clients are web service companies in the field of information and communications. Also, there are many listed companies that need to protect the entire companies.
4-3 Future Growth Strategy
You explained the company's three growth strategies: technology, product, and market. In the technology strategy, you are planning to pursue the possibility of utilizing AI and big data in areas other than server security. In the non-life insurance area, joint research for developing new insurance products and related solutions has begun. You have also partnered with Macbee Planet (7095), which supports corporate marketing. What kind of research will you do with Macbee Planet?
President Ohno: One of the issues with marketing companies was that unauthorized clicks could raise the amount of advertisements. Under the hypothesis that our access data might solve this, we let the companies check the data. If they can use it, they will purchase it.
Are the cases where joint research can be offered increasing?
President Ohno: We would like to narrow down the industries and proceed with one or two joint research projects, and if the hypothesis can be verified, we would like to enter the sales phase. We will ask each industry to verify our data, and if it can be used, they will teach us how to process the data and sell it in each industry. The collaboration is for research and development. We will provide the data and verify whether it can be used through our partners.
I see. Under the technology strategy, the business model is to process and sell an abundance of data that complies with the clients' needs. This strategy is interesting. In the second strategy, which is the product strategy, you plan to release a product that can be viewed as the Azure version of "WafCharm" during this term. Is the development of the GCP version underway?
President Ohno: Yes. The timing has not been disclosed, but the order is as you mentioned.
However, even with "WafCharm," many people may not know its existence. So, isn't some awareness activities necessary at first?
President Ohno: I think many people don't know about it. Our efforts are insufficient. Rather than not knowing "WafCharm," many people do not even know AWS WAF in the first place. AWS has AWS WAF as a security feature, and it is not well understood that you have to use it. In the current market environment, some users are starting to use AWS, but many have not yet used AWS WAF. We feel the necessity of conducting awareness activities regarding the importance of security using AWS WAF.
However, we are always conducting activities. Yesterday, we held a seminar on security using AWS and security using AI jointly with other companies. At that time, our users took the stage. Also, strengthening advertising is part of our activities.
Sales of "WafCharm" for this term are expected to be 140 million yen. Is it coming along as planned?
President Ohno: It is ahead of the plan. At the end of the second quarter, it has achieved 59% of the target. All three of our products are growing steadily, so if we reach a little less than 60% after half a year, it will exceed 100%, unless we encounter a great deal of trouble. The growth of "WafCharm" earnings and the upside are still unimaginable. I'm sure it will grow at the same level as this term in the next term, but I can't imagine exactly how far it will grow. People who started using AWS about five years ago are finally starting to use AWS WAF. As a result of running AWS for five years, they have moved from the phase of using AWS to the phase of mastering it, and we are researching different areas such as security. To be honest, we can't predict the growth pace sufficiently as of yet. More people started using AWS four years ago than those who started five years ago. So, if you think that this rate will continue as it is, it will increase more next year, but we cannot predict the growth rate. "Shadankun" is easier to forecast because it has a long history.
In the third strategy, the market strategy, you are thinking of promoting global expansion. The company has already expanded to do business in a total of 70 countries and regions through AWS. So, this means that "WafCharm" and "Managed Rules" are steadily increasing the number of users.
President Ohno: As AWS paved the way for global expansion, we will be able to earn sales if we can find partners. There is a platform called AWS Partner Network, through which the understanding of the partner side is deepening. We know the company names of the other parties and their contact information. What's more, now that you can solve everything remotely online, you don't have to fly directly to any of their locations. Due to the influence of the coronavirus, it has become easier to expand globally.
The key point in the market strategy is to develop overseas distributors. You already have the groundwork for market development. Do you have a vision of the growth that would result from these efforts?
President Ohno: Yes. Our products are ready, so all we have to do is sell them. In the short term, in the web application firewall area, the first thing to do is prepare the AWS, Google, and Microsoft versions of "Shadankun" and "WafCharm," to protect any server environment. We want to increase the sales scale to roughly 10 billion yen. If we don't invest, we can aim for an operating margin of 30-40%. After establishing that, CAGR will increase naturally as the trend rises, which is the completed form of the WAF business. It is based on completing this early. The step after that will be fundraising. We will use our capital to enter the next AI field. We are working hard on R&D for security in the three areas of IoT, automobiles, and medical care, as we are aiming to research and determine areas in 2021 in which we aspire to launch products in 2022.
Will the enforcement of the amended Personal Information Protection Law (promulgated on June 12, 2020, which will be enforced within two years after its promulgation with some exceptions) be a tailwind for you?
Director Kurata: Yes. The amended Personal Information Protection Law has stricter regulations regarding the handling of personal information. Until now, there have been various obligations to report information leaks, but these have been clarified, and detailed measures have become stricter. Another central point of the amendment is that the maximum fine for companies that neglected to take appropriate measures is 100 million yen (previously, the fine was 500,000 yen or 300,000 yen or less, which is the same for individuals).
If you had adopted a WAF, you would have taken appropriate measures, am I correct?
Director Kurata: Personal information may be leaked if WAF is not included in the website's operation, so it may be pointed out that "the website was not able to respond properly to the threats." In that sense, I think the enforcement of the amended Personal Information Protection Law will trigger a review of security from scratch. Until now, I believe that many companies had the naïve idea that they should think of how to handle the problem after a leak occurs.
(Taken from the material of the company)
Although this is a different topic from the three strategies, you are also focusing on developing and training distributors in Japan. At the briefing session on the financial results for the second quarter, it was mentioned that we could expect the effect of developing distributors in the next fiscal year.
President Ohno: I am looking forward to it. Currently, there are 70 to 80 distributors. Among them, 15 distributors are active and positioned as a first team.
Director Kurata: Currently, about 40% of total sales go through distributors, which will not change much this year, but I think it will change from next year.
President Ohno: Direct sales depend on the number of our sales staff members. It is a sales mix, so I can't say for sure, but if the distributors' ratio goes up, gross profit margin will go down a little, but we accept that and find users. The more users we get, the more data we will have. So, I think it will create a virtuous cycle that will lead to improved security quality.
We also want to go back to being a manufacturer. We were able to grow a little because we had abilities other than manufacturing, including sales, such as "design ability" and "marketing ability" that make complicated things easy to understand. However, the image we have of what we should do originally as a manufacturer "is making things, having customers, and providing reliable support." Therefore, we would like to have a system where we leave selling to other people and concentrate on manufacturing. Although they are on the cloud, we are still manufacturing products.
Listening to your talk, it seems impeccable, but are there any risks or concerns?
President Ohno: There are two points, one is being attacked, which would cause damage such as information leakage, and the other is the evolution of AI. As AI evolves, platformers will no longer need WAF vendors. This is because when the perfect AI is completed, we can predict new domains. When the era of AI protection comes, having our know-how and data will no longer be a strength. For now, I don't think this will happen.
However, to be more specific, there are many problems. For example, the organization is not yet established, and the R&D personnel are insufficient. However, the macro environment is good. From now on, we would like to build the internal structure properly.
4-4 Message to investors
I understand. I think we talked enough about the growth strategies. Now, I would like to ask about shareholder returns. It seems that you have no plans for dividends at the moment, but could you explain your thoughts on shareholder returns?
President Ohno: There are no plans for this matter for the time being, but I imagine that it will be appropriate in the future. It could be appropriate when investments settle down, or when we use up the planned budget, and internal reserves are available. First of all, developing the top line and investing in this purpose are the top priorities.
Director Kurata: For the time being, we believe that raising the market capitalization through corporate growth will be a return to our shareholders. As for how to use the funds for that purpose, we will first focus on using them to develop our company, rather than returning them directly to our shareholders.
Your idea is to prioritize investment until the stage of the monetization of new products. For the time being, I feel that capital gains alone will be rewarding enough. Finally, do you have a message for investors?
President Ohno: We are facing two big waves, the coronavirus and the amended Personal Information Protection Act. We are confident that needs will emerge in the first quarter of 2021. So, we will finish the preparation for it this year. This year, we will prioritize preparing rather than sales growth. Our current fiscal year’s policy is to concentrate on recruitment, invest in infrastructure, create materials for advertising, and prepare for the next year. So, please look forward to our performance from next year onward, and we would be grateful if you could hold the shares from a medium-term perspective.
Thank you for taking the time today to give such a detailed explanation to us. We were able to deepen our understanding of your company, such as the use of AI from an early stage, the strength of your unique architecture, "WafCharm," which has no competition in the entire world, and your management stance that emphasizes manufacturing and organizational development. Also, thank you for explaining cybersecurity and WAF starting with the basics.
Lastly, I wish President Ohno and Cyber Security Cloud, Inc. continued success and progress in the future.
While web applications are increasingly used, cyber attacks pinpointing their vulnerable parts are increasing, and there are growing threats to security, including the falsification of websites, the leakage of confidential information through hacking, the hacking of accounts through the theft of passwords, and DoS/DDoS attacks. According to a survey of the company, there are time lags between an attack and detection (about 383 days on average) and between detection and announcement (about 69 days on average), and the total time lag is about 452 days on average. It seems that cyber attacks increased as traffic volume grew amid the coronavirus crisis, but considering the results of the above survey, it will be 2021 when such attacks will be detected and announced. Through the enforcement of the amended Act on the Protection of Personal Information, the demand for cyber security is estimated to grow further in 2021. We would like to pay attention to when the company will reflect the potential of WafCharm, etc. in business results.
<Reference: Regarding Corporate Governance>
◎ Organization type and the composition of directors and auditors
Company with an audit and supervisory board
5 directors, including 2 outside ones
3 auditors, including 3 outside ones
◎ Corporate Governance Report (Update date: March 27, 2020)
Under the management ethos: “to create a secure cyberspace that people around the world can use safely,” our corporate group aims to achieve the sustainable growth of the group and improve mid/long-term corporate value, and establish a governance system for actualizing them effectively and efficiently. In addition, we strive to enhance corporate governance while considering that it is important to put importance on shareholders’ rights, live up to the expectations of society, and achieve sustainable growth and development as the basic policy for corporate governance emphasizing compliance.
<Reasons for Non-compliance with the Principles of the Corporate Governance Code (Excerpts)>
Our company implements all the basic principles stipulated in the Corporate Governance Code.
This report is intended solely for information purposes and is not intended as a solicitation to invest in the shares of this company. The information and opinions contained within this report are based on data made publicly available by the company and comes from sources that we judge to be reliable. However, we cannot guarantee the accuracy or completeness of the data. This report is not a guarantee of the accuracy, completeness or validity of said information and or opinions, nor do we bear any responsibility for the same. All rights pertaining to this report belong to Investment Bridge Co., Ltd., which may change the contents thereof at any time without prior notice. All investment decisions are the responsibility of the individual and should be made only after proper consideration.
Copyright(C) 2020 Investment Bridge Co.,Ltd. All Rights Reserved.