Bridge Report:（4493）Cyber Security Cloud Second quarter of Fiscal Year ending December 2021

President & CEO Toshihiro Koike	Cyber Security Cloud, Inc. (4493)

Company Information

Stock Information

*The share price is the closing price on August 24. Numbers of shares issued, DPS and EPS are from the financial results for the second quarter of Fiscal Year ending December 2021. ROE and BPS are from the financial results for the previous term.

Change of Business Results

*The estimates were provided by the company. Units: million yen and yen. Consolidated financial results from the Fiscal Year ended December 2020.
*The company carried out a 10-for-1 stock split in March 2018, a 100-for-1 stock split in September 2019, and a 4-for-1 stock split in July 2020. (EPS was revised retroactively.)

This Bridge Report presents Cyber Security Cloud, Inc.'s earnings results for the second quarter of Fiscal Year ending December 2021, etc.

Table of Contents

Key Points
1. Company Overview
2. Second Quarter of Fiscal Year December 2021 Earning Results
3. Fiscal Year December 2021 Earnings Forecasts
4. Future Growth Strategies
5. Conclusions
<Reference: Regarding Corporate Governance>

Key Points

• Cyber Security Cloud offers security services, including “Shadankun,” a cloud web application firewall (WAF) for protecting websites and servers from cyber-attacks, and “WafCharm,” a service of automatic management of rules of “AWS WAF” with AI. “Shadankun” swiftly detects general attacks, discovers unknown attacks and wrong detection, and responds to the latest threats by utilizing an AI engine for detecting attacks based on deep learning. The number of companies or websites that have adopted the service is the largest in Japan and is used regardless of corporate scale.

   

• In the second quarter of the term ending December 2021, sales were 853 million yen, up 56.9% year on year, and operating profit was 192 million yen, up 84.7% year on year. In addition to Shadankun, which is their mainstay, the sales of WafCharm, which would become the second pillar of them, grew considerably. The acquisition of SofTek Systems, Inc. as a subsidiary, too, contributed. Due to the sales growth, gross profit rose 66.0% year on year and gross profit margin increased 3.8 points. Personnel expenses and recruitment & education costs augmented due to the increase of employees, mainly marketing staff and other SG&A expenses, including R&D costs and advertisement expenses increased, but the augmentation of SG&A expenses were offset and profit grew considerably.

   

• There is no revision to the earnings forecasts. Sales are projected to increase 50.0% and operating profit is forecast to rise 32.8% from the previous term. The acquisition of SofTek Systems, Inc. as a subsidiary, will also contribute and sales and profit are expected to grow considerably this term, too. For achieving growth from 2022, the entire corporate group will take various measures. Particularly, they will concentrate on the operation of WafCharm in three major cloud services (AWS, Azure, and GCP). As the company will actively conduct promotional and educational activities for improving the popularity of WAF, the costs for upfront investment will increase and operating profit margin is projected to decrease 1.7 points from the previous term.

   

• The progress rate of results in the cumulative second quarter toward the full-year forecasts are 47.6% for sales and 77.0% for operating profit. Major KPIs are increasing steadily every quarter. Especially, the number of users of three products/services is increasing rapidly, so profitability is expected to improve further. We can also expect that the earnings forecasts will be revised. The favorable trend for cyber security is unlikely to weaken for the foreseeable future. We would like to pay attention to the progress of the strategies of the company, which is their starting of cultivating the huge U.S. market based on its competitive advantage, that is, the experience in AWS.

   

1. Company Overview

With a management ethos to create a secure cyberspace that people around the world can use safely, Cyber Security Cloud provides web security services, including “Shadankun,” a cloud-based web application firewall (WAF) that visualizes and blocks cyber-attacks on websites, “WafCharm,” a service for the automatic management of rules (signatures) of platforms like AWS WAF etc., and “AWS WAF Managed Rules,” a set of rules for AWS WAF. These services utilize world-leading cyber threat intelligence and AI (Artificial Intelligence) technology and are offered on a subscription basis.

In September 2018, the company formed a group with the subsidiary Cyber Security Cloud, Inc. in Seattle, Washington, the U.S., which was established with the aim of selling Managed Rules, which are a set of rules for AWS WAF, and is expanding its business overseas. However, the subsidiary is excluded from the scope of consolidation as it does not currently have a material impact on the corporate group’s financial position, earnings results, or cash flow.

1-1 Environment Surrounding the Company

◎ Increasing cyber attacks
As the Internet is increasingly used, the number of cyber-attacks is growing. According to the reference material of the company, the communication volume of cyber-attacks in 2020 was 500.1 billion packets, up 64.4% from the previous year.
In parallel with the acceleration of DX, cyber-attacks are estimated to increase further.

◎ WAF adoption rate is low among SMEs and second-tier companies
The adoption rate of WAF (Web Application Firewall; The details will be described later), which protects web applications from cyber-attacks, is over 70% among top-tier companies that have over 5,000 employees and can be said that it is standardized, but it is 33.3% among second-tier companies that have 1,000-4,999 employees, 12.7% among medium-sized companies that have 100-999 employees, and 3.2% among small-sized companies that have less than 100 employees, so there remains room for increasing WAF adoption rate significantly.

◎ Cyber security measures demanded in parallel with DX
“The (provisional) Cyber Security Strategy for the Next Term,” which was determined by the Cabinet Office in July 2021, is to take measures for securing cyber security while carrying out DX.
The concrete activities in this strategy include “the change in the way of thinking of the management,” “promotion of DX and cyber security in local SMEs,” “development of a foundation for securing reliability, such as the supply chain,” and “improvement and popularization of digital/security literacy leaving nobody behind.”

◎ Trend of the Japanese government
The government actively implements measures for cyber security, such as the establishment of Digital Agency in September 2021 and the full enforcement of the amended Act on the Protection of Personal Information in April 2022.
All Japanese enterprises will be required to take stronger security measures.

◎ Shortage of security personnel and a low rate of automation of security operations
While the average sufficiency level of security personnel in four countries: the U.S., the U.K., Singapore, and Australia is 85.0%, the sufficiency level of security personnel in Japan is only 11.2%, indicating that Japan lacks security personnel seriously.
The automation rate of security operations in Japan is 20.2%, much lower than the average of the four countries: 47.3%.
It is imperative for Japanese enterprises to improve these two aspects.

1-2 Security measures and CSC’s business operations

Increased use of the Internet has facilitated the spread of a wide range of online services, which make daily life and running businesses much more convenient. Against this backdrop, cyber-attacks are increasing. There are two main security measures companies put in place. One is corporate security, which is designed to protect PCs and in-company networks from malware (malicious software/programs). The other is web security, which protects public servers from attacks on software vulnerabilities and the web application layer. For an e-commerce site like Amazon, where many users register their credit card information, it is web security that protects such sensitive data.

When it comes to web security, there are several layers of protection, including that for web applications (applications and services that can be used via a web browser), software/operating systems (OS), and infrastructure/networks. The level of security required differs depending on the layer. It is the job of the web application firewall (WAF) to protect the web application layer, which constitutes websites, from cyber-attacks. WAFs are predominantly appliance based, software based, or cloud based. Cyber Security Cloud offers “Shadankun,” cloud-based WAF services for corporations and other entities that provide web services.

(from the reference material of the company)

WAF is a firewall that prevents intrusions such as SQL Injection and XSS, which can cause information leakage and the falsification of websites. It can also handle attacks that conventional firewalls or IDS/IPS were unable to prevent.
Cloud-based WAF “Shadankun” was launched in 2013, and boasts the No.1 position in the Japanese cloud-based WAF market in terms of the total number of companies/websites using the service. Shadankun’s success owes to the ease of installation, the reliability of it being developed and operated in-house by Cyber Security Cloud itself, and the firm’s extensive track record of providing services to major corporations. However, with many of the data leak incidents that have occurred in recent years being caused by unauthorized access to website, website security measures remain insufficient. There also appears to be a significant number of website operators that are under the false impression that security measures are already in place, according to an awareness survey on security software by Marketing & Associates.

1-3 Services

In its web security business, Cyber Security Cloud provides Shadankun, a cloud-based WAF, WafCharm, a service for the automatic management of rules for AWS WAF provided by Amazon Web Services (AWS) that is based on technologies built up from the operation of Shadankun, and Managed Rules, a set of security rules for AWS WAF.

◎Cloud-based WAF “Shadankun”
Shadankun is a cloud-based security service that detects, blocks, and visualizes cyber-attacks on web applications. From development to operation, sales, and support, Cyber Security Cloud handles all aspects of the service. This enables the company to accumulate a wealth of data on cyber-attacks on websites, as well as build up operational know-how (over 2.3 trillion rows of data from over 10,000 websites). By reflecting the accumulated data when developing/customizing Shadankun or when updating its signatures (patterns associated with malicious attacks), the service helps keep websites secure. Shadankun also visualizes cyber-attacks in real time, identifying the type of attack and the IP address (i.e., countries and attack types) the attack is coming from. Such data can be viewed on the management screen. The visualization of these invisible cyber-attacks enables companies to gain a better grasp of their security situation and share information more effectively.

Two types of Shadankun services offered
Cyber Security Cloud offers two versions of Shadankun, one being the server security (agent linked) type, which installs a security agent onto the client’s server. The agent detects and blocks attacks by receiving log entries/block commands from the cloud-based monitoring center. The other is the Web/DDoS security (DNS switching) type, which involves switching “DNS (domain name system) only” and directing traffic to Shadankun’s WAF center, which detects and blocks attacks. Having two services like this means that Shadankun can be deployed regardless of a customer’s web application environment.

For the Web/DDoS security type, the website is accessed through the WAF center, which analyzes and determines whether this access is a cyber-attack or not. Only by switching DNS, it can be installed easily and places no burden on a website’s resources. However, as traffic is redirected (i.e., goes through the monitoring center), delays may occur for e-commerce, media, video-streaming, and other high-traffic sites. In contrast, the cyber security type is able to respond to attacks with little transmission delay and is unaffected by the volume of network traffic, as the monitoring center, which is a separate system, analyzes potential attacks and sends blocking commands directly to the security agent installed on the server.

(Source: Reference material of the company)

Utilization of AI
AI is also increasingly utilized for Shadankun. In particular, using AI enables Shadankun to detect attacks that conventional signatures could not detect, and also identify false positives that negatively impact customers’ services. Through Cyber Security Cloud’s neural network (technology/network used for machine learning), the AI engine learns not only normal attacks, but also legitimate user access and requests that have falsely been labeled as malicious. It evaluates daily access data and detection data, improving signature accuracy day by day.

◎“WafCharm”, a service for the automatic management of rules of platforms like AWS WAF etc.
WafCharm, launched in December 2017, is equipped with an AI engine that learns attack patterns on web applications accumulated by Shadankun. It enables the automatic management of rules for AWS WAF, provided by Amazon Web Services (AWS), which holds the largest share of the global cloud market. WafCharm has gained high marks for its ease of installation and operation, as well as for the swift development of new features supporting new AWS WAF functionalities, backed by its partnership with AWS.

While AWS WAF increases the security of web applications, the site operator must create and enforce rules to filter web traffic themselves. Making full use of it requires considerable time and knowledge. However, WafCharm is equipped with an AI engine that automatically applies the most appropriate rule among many AWS WAF rules for the target web application, automating all necessary security options. It is automatically updated to deal with new vulnerabilities, keeping the website secure at all times. It is also equipped with a reporting function, which compiles the number of detected attacks, the type of attack, the source country, and the attacker’s IP address for each rule, as well as a notification function, which sends an e-mail containing details of detected attacks in real time.
It has also been available on Microsoft's platform, "Azure" since November 2020. A version compatible with Google's platform, "Google Cloud Platform," is scheduled to be launched as well.

◎AWS WAF Managed Rules
AWS WAF selects and provides security rules called “Managed Rules” that have been written by expert security vendors. AWS WAF Managed Rules are a comprehensive package of security rules needed to mitigate specific threats. Security is limited to specific threats, but installation and operation are simple. Managed Rules is a package service that draws on AWS WAF rule-setting expertise built up through the operation of WafCharm. AWS WAF users can easily use Managed Rules from the AWS Marketplace.
Cyber Security Cloud’s U.S. subsidiary, which has been certified as the seventh AWS WAF Managed Rules seller in the world, began selling the group’s own rule set on AWS Marketplace at the end of February 2019.

◎ SIDfm™, a service of providing vulnerability information, and web security diagnosis
It is a service offered by SofTek Systems, Inc., which became a 100% subsidiary of the company in December 2020.
Since SIDfm™ was launched, it has been utilized by many customers as the information base for vulnerability management for over 20 years. SofTek’s analysts specializing in vulnerability research the details of vulnerability, which appear on a daily basis, produce content, and deliver information to customers by various means.
It is difficult for customers to make a judgment in the survey on the effects of vulnerability, but by seeing the content of SIDfm™, it is possible to make an appropriate judgment, and the information on vulnerability is also used for matching for managing the vulnerability status of individual IT assets.
SofTek offers comprehensive solutions, from the production of vulnerability-related content to the provision of vulnerability management tools.

The web security business, which has been operated by Cyber Security Cloud, visualizes and blocks cyber-attacks to websites and servers while utilizing vulnerability information.
When SofTek, which excels at vulnerability management with SIDfm™, joins the web security business of Cyber Security Cloud, the technological capabilities of the two companies will be strengthened through the sharing of knowledge, and it will be possible to utilize the big data of Cyber Security Cloud and expand sales channels.

(Source: Reference material of the company)

1-4 Business model

Shadankun, Cyber Security Cloud’s core service, is offered on a subscription basis (monthly billing) over a period of time, in which customers are charged fees for access under the premise of continuous service. Revenue streams consist of monthly recurring revenue (MRR), initial installation fees, and non-recurring revenue (one-off payments). Over 95% of revenue generated from Shadankun is recurring revenue. It also boasts a high service continuation rate, backed by the successful improvement of customer value through the accumulation of data on web application vulnerabilities, its swift response to these vulnerabilities, signature setting, and rule customization.
The churn rate for the term ended December 2020 remained low, ranging between 1.07% -1.24%.
The company uses its strengths to provide comprehensive services from development to operation and support and increase customer satisfaction.

(Source: Reference material of the company)

1-5 The Enterprises that Adopted the Company’s Product and Sales Routes

In each field, renowned companies representing Japan have adopted the products of Cyber Security Cloud. The products have been adopted in the financial and public sectors, where security requirements are tight, earning high trust.

(Source: Reference material of the company)

In addition, the number of major sales partners, which possess a strong customer base, has increased steadily, leading to the increase of enterprises that have adopted the products of the company.
To promote WafCharm, the company has cemented the cooperation with partners that have many AWS users.

(Source: Reference material of the company)

2. Second Quarter of Fiscal Year December 2021 Earnings Results

2-1 Financial Summary

*Unit: million yen. Non-consolidated for 2Q FY 12/20.

Significant increase in sales and profit due to growth in mainstay products and the acquisition of SofTek Systems, Inc. as a subsidiary
Sales were 853 million yen, up 56.9% year on year, and operating profit was 192 million yen, up 84.7% year on year. In addition to Shadankun, which is their mainstay, the sales of WafCharm, which would become the second pillar of them, grew considerably. The acquisition of SofTek Systems, Inc. as a subsidiary, contributed too. Due to the sales growth, gross profit rose 66.0% year on year, and gross profit margin increased 3.8 points. Personnel expenses and recruitment & education costs augmented due to the increase of employees, mainly marketing staff, and other SG&A expenses, including R&D costs and advertisement expenses, increased, but the augmentation of SG&A expenses were offset, and profit grew considerably.

2-2 Trends in Key Indicators

*ARR (Annual Recurring Revenue) was obtained by multiplying the MRR as of the end of the month in question by 12. MRR stands for Monthly Recurring Revenue in the subscription model. It is the sum of monthly recurring revenues from existing customers.
*The churn rate of Shadankun was obtained from the average of MRR churn rates in the past 12 months. MRR churn rate means the actual churn rate obtained by dividing the MRR lost in the month in question by the MRR as of the end of the previous month.
*The NRR of WafCharm was obtained from the average of NRR values in the past 12 months. NRR was calculated with the equation: (ARR from users from the n-1 term in the n term) ÷ (ARR in the n-1 term).
If sales retention rate exceeds 100%, this means that the increase in ARR due to the rise in average spending by loyal users exceeds the decrease in ARR due to cancellation and down-selling.

(1) ARR
As the performance of WafCharm grew healthily like in the first quarter, overall ARR increased to 1.66 billion yen. The increase of cancellations of Shadankun at the end of March was covered by the increase of new orders, and ARR is increasing continuously.

(2) Number of users
The number of users of every product increased. Especially, the number of users of WafCharm, which is the second pillar, is growing steadily.

(3) Churn rate
As the impact of the novel coronavirus subsided, the churn rate of Shadankun improved considerably from the first quarter. The major reasons for cancellation are the closure of websites and the termination of contracts between business partners and end users, and most reasons are not attributable to the products of the company. The company aims to keep churn rate low.

(4) Recurring revenues
As the sales of Shadankun and WafCharm, which are core products, have increased, recurring revenues have been growing steadily. By cementing the cooperation with sales partners, the company will expand recurring revenues further.
The recurring revenues of the company are composed of the MRRs of Shadankun, WafCharm, Managed Rules, and SIDfm.

(5) Operating expenses and the number of employees
They did not change significantly from the first quarter. Considering mid/long-term growth, the company plans to enhance recruitment of mainly engineers in the second half, so the costs for personnel, recruitment, and education are forecast to augment.

2-3 Topics

(1) "WafCharm AWS Version" beta version was launched in the U.S.
The company has started making inroads into the U.S. cyber security market, whose size is as huge as about six times that in Japan and keeps growing.
In the U.S., there are many AWS users, so the U.S. market is considered to be favorable for the products of the company.

While major global enterprises are competitors of the company, Managed Rules of the company, which is still unknown in the global market, has sold well. This record backs up the technological capability of the company, which is highly evaluated. The number of users increased steeply from 76 in the second quarter of the term ended December 2019 to 1,055 in the second quarter of the term ending December 2021.
It is expected that there will be strong demand for WafCharm AWS Edition, which is based on their original technology, in the U.S.

(2) Holding of seminars for expanding the customer base
In preparation for the full enforcement of the amended Act on the Protection of Personal Information in April 2022, the company aims to increase customers through seminars.
Customers are keenly interested in the amended Act on the Protection of Personal Information, and the number of attendees at the seminar on this act is 2.3 times the average number of attendees of all seminars in the first half.

The amended Act on the Protection of Personal Information stipulates that if information leakage occurs or there is a risk thereof, the corporation in question shall report said matter to the Personal Information Protection Commission and notify individuals of said matter, and that if a corporation goes against an order from the Personal Information Protection Commission, a fine of up to 100 million yen may be levied on the corporation.
If any of the following four items occurs as set forth in the regulations of the Personal Information Commission as the items that could greatly damage personal rights or interests, the corporation in question will need to report said matter to the Commission and notify the individuals in question.

① Leakage of information including the personal information that needs to be carefully handled, such as health checkup records and disease histories, etc.
② Leakage of information that would cause damage to property if used improperly, such as credit card information, etc.
③ Leakage of information that may have been caused for a nefarious purpose, such as unauthorized access and hacking, etc.
④ Leakage of information on over 1,000 individuals, etc.

3. Fiscal Year December 2021 Earnings Forecasts

3-1 Consolidated Earnings

*Unit: million yen.

Sales and operating profit are estimated to rise 50.0% and 32.8% year on year, respectively
One of the factors contributing to this growth is the acquisition of SofTek as a subsidiary. The entire group will work on various measures to achieve growth after 2022. Specifically, the company will focus on introducing WafCharm to the three major clouds (AWS, Azure, and GCP). It has been on AWS (Amazon Web Service) since December 2017, serving 392 users with a No. 1 track record in Japan. It has been available on Microsoft's Azure since November 2020 and will continue to expand its partners and increase its recognition among Azure users. The company also plans to launch on GCP (Google Cloud Platform) in 2021. Upfront investment costs are expected to increase due to aggressive promotions and awareness activities to raise awareness of WAF, and the operating margin is forecasted to decline 1.7% year on year.

4. Future Growth Strategies

[Market environment and the company vision]

It is expected that the cybersecurity field will grow rapidly as the expansion and deployment of cloud computing, DX, 5G, and IoT accelerate due to the novel coronavirus crisis. Therefore, the business environment is forecasted to be highly advantageous for the company.
In light of these circumstances, the company aims to achieve a dominant position and become the No. 1 company in the ever-growing domestic WAF market and offer trustworthy services worldwide as a global security service provider.

[The three strategies]

The company will promote the following three strategies to achieve growth.

Market strategy
Cyber Security Cloud will enhance its awareness activities to increase the deployment rate of WAF, which remains at a low level of 6.7% due to the large gap between its needs and the deployment conditions. The company aims to raise product awareness and acquire a large number of prospective customers by expanding its market reach all over Japan through various promotions.
The company will acquire new customers through its awareness campaigns on the correct security measures. Furthermore, following the trend of adopting cloud computing, it will promote WafCharm in the global market.

Product strategy
The company seeks to increase sales by increasing product value and using cross-selling strategies through linking all products organically. The company intends to accomplish that by sharing know-how and mutual client referrals with SofTek Systems, Inc., which is a subsidiary.
Furthermore, the company will enhance the development of existing Shadankun and WafCharm products to sell them on various platforms. Cyber Security Cloud aspires to develop WAF further to be used anytime and anywhere around the world more easily.

Technology strategy
Based on a total of 1.9 trillion users' website access data and malicious attack data, the company will develop core technologies by utilizing AI and its know-how. The company aims to apply the developed core technology to various fields such as WAF operation, finance and marketing, IoT and 5G, and medical care.

5. Conclusions

The progress rate of results in the cumulative second quarter toward the full-year forecasts are 47.6% for sales and 77.0% for operating profit. Major KPIs are increasing steadily every quarter. Especially, the number of users of three products/services is increasing rapidly, so profitability is expected to improve further. We can also expect that the earnings forecasts will be revised. The favorable trend for cyber security is unlikely to weaken for the foreseeable future. We would like to pay attention to the progress of the strategies of the company, which is their starting of cultivating the huge U.S. market based on its competitive advantage, that is, the experience in AWS.

<Reference: Regarding Corporate Governance>

◎ Organization type and the composition of directors and auditors

◎ Corporate Governance Report (Update date: March 31, 2021)
Basic policy
Under the management ethos: “to create a secure cyberspace that people around the world can use safely,” our corporate group aims to achieve the sustainable growth of the group and improve mid/long-term corporate value, and establish a governance system for actualizing them effectively and efficiently. In addition, we strive to enhance corporate governance while considering that it is important to put importance on shareholders’ rights, live up to the expectations of society, and achieve sustainable growth and development as the basic policy for corporate governance emphasizing compliance.

<Reasons for Non-compliance with the Principles of the Corporate Governance Code (Excerpts)>
Our company implements all the basic principles stipulated in the Corporate Governance Code.

You can see back numbers of Bridge Reports on Cyber Security Cloud, Inc. (4493）and IR related seminars of Bridge Salon, etc. at www.bridge-salon.jp/.