Cover photo for Will Yoo
Explaining the Valuation Gap in Public Markets Cyber Note: I wrote this piece as a function of my role as an analyst for Osney Capital. My opinions are my own. For more information, reach out to us at  As early-stage Cyber investors, we are often asked by founders and stakeholders about our view on trends in the space, like recent innovation, potential headwinds, and exit opportunities. With respect to the latter, one trend that we believe is under-appreciated by many is the public market activity in the space, and what it means for early-stage founders and investors. More specifically, the idea that public cybersecurity companies, despite being some of the fastest-growing names in technology, seem to have faced (in recent history at least) a significant valuation gap between themselves and other SaaS companies. This phenomenon has significant ramifications for even early-stage cybersecurity founders, especially given the impact this has on public market exits, later-stage valuations, and the longer-term prospects of the space. Yet, we believe there has been relatively limited analysis published to understand its scale- and why it exists. In this article, we will discuss our research to understand the comparative performance of Cyber after their IPO, with an eye towards exploring gaps in valuation, and analyzing whether those gaps are justifiable through the lens of growth or profitability. Our take: Cyber’s valuation gap demonstrably exists, despite a strong similarity to SaaS in relevant metrics- highlighting both the market dynamic and relative perception of Cyber- and potentially demonstrating overlooked opportunities in the sector. On the other hand, it may well be that the hype around many SaaS companies has yet to permeate Cyber specifically, which may well mean public Cyber companies will fare better in the stormy seas ahead. Our FindingsWe began by analyzing ~40 technology companies in cybersecurity, SaaS, and Big Tech, ranging from the fastest-growing public companies to the largest and most established incumbent players in their space. (See Postscript) What we ultimately discovered was somewhat surprising. While recent macroeconomic headwinds have not spared Cyber, on the face of it, our set of Cyber companies seemed to be performing substantially better than other SaaS companies. Last year (as of November), the median YTD performance of our set was -34.5%, compared to -33.1% for the 11 largest technology companies, and a whopping -52.9% in our comparative cohort of fast-growing SaaS companies.[Cyber stocks have performed much better than many SaaS names, with relatively similar sales growth. A cohort of Big Tech companies listed on the right for comparison.] Median sales growth in our 3 cohorts was also the highest in our list of Cyber names, with YoY sales in the most recent quarter at 31.9%. This was significantly higher than the largest technology names (at 14.8%) and comparable to our SaaS cohort (at 30.0%). However, despite the fact that Cyber had fallen less than other SaaS names, this seemed not to be a result of lower growth over this time period, but instead to a fall in trading multiples. Valuation multiples for our Cyber cohort seemed relatively low: the median enterprise value was trading at just 6.0x annual sales. While this was roughly equivalent to that of the largest technology companies, it was substantially lower than our SaaS cohort, where the median company traded at a hefty 9.4x enterprise value to sales. So, despite the fact that SaaS and Cyber companies were both growing rapidly (Cyber slightly edging out SaaS), Cyber companies faced a significant valuation discount for similar growth. In other words, the recent outperformance in fast-growing Cyber companies was only so because they were already trading at lower multiples. SaaS companies fell more because their stratospheric multiples had merely come closer to earth. [Simply less to fall: Cyber multiples have been discounted less heavily compared to SaaS, but only because SaaS multiples were already stratospheric.] A Search for AnswersGiven comparable sales growth across our cohorts, we also looked to control for profitability as a potential cause for the valuation difference. This was somewhat difficult, primarily because ~half of the SaaS and Cyber cohorts were not profitable on even an EBITDA basis. For the remaining companies however, the valuation multiple between Cyber and SaaS shrunk to nearly nothing- with a median enterprise value to EBITDA multiple of 50.9x for Cyber vs 51.4x for SaaS. For comparison, the median multiple for our big tech cohort was a relatively low 15.8x, so on a profitability basis, both Cyber and SaaS companies seem to be treated similarly by the market. Yet, at this point we would only be comparing a handful of SaaS and Cyber companies with each other, and the range of multiples in this smaller set varied widely, limiting the usefulness of this result. Further, it does not explain why the gap between the rest of the SaaS and Cyber companies continues to persist. Thus overall, the valuation gap in Cyber does not seem to be well-explained purely by financial metrics. After all, Cyber and SaaS are both growing their sales very quickly, but Cyber converges in value only when it achieves profitability. I suspect there may be other, structural reasons why public market investors have not yet warmed up to Cyber in the same way they have to SaaS despite the many similarities. One potential reason to consider is scale: note that the average market cap of the Cyber company in our cohort was a relatively small $13.1Bn, compared to the average $47.4Bn market cap of the SaaS set. No Cyber company in our cohort had a market cap of larger than $50Bn, but more than ~40% of the SaaS cohort did. Public market investors may be wary about the smaller size and absolute profitability of Cyber relative to SaaS, given that there have not been as many large-scale Cyber companies as SaaS ones. We’ve noticed that scalability and a cap to growth appear to be common concerns for some Cyber investors. Yet, just as not all SaaS companies are going to be decacorn behemoths, not all Cyber businesses will be relatively meager unicorns- it seems unfair to judge the sector (and its companies) so early. The final reason might simply be that the market has had longer to get comfortable with and understand the SaaS business model and growth profile — but maybe also to get slightly carried away with the opportunity. Infinitely scalable software is an incredible growth hack, and it’s been a core theme that has pushed the ecosystem forward for the last two decades. Yet, the recent market correction may reflect a dampening of that enthusiastic hype. Cyber is always going to be a bit more of a specialist domain, which is going to be a barrier to hype and a moderating force on valuation. Yet, this may also explain the better performance of Cyber recently; less hype brings less volatility on the way up and the way down. For the record: at Osney, we don’t share many of those concerns. In fact, we believe our findings underscore the opportunity at the end of this bull run in SaaS. Cyber founders need to keep building and communicating their ideas well- investors will come around when they develop familiarity and skill in this space. Unlike domains in SaaS, a single Cyber firm monopolizing the market is unlikely, but this is going to be an advantage: for innovation, competition, and a superior product or service. Furthermore, even subdomains in Cyber are rapidly growing to be multi-billion-dollar markets in their own right. A recent McKinsey report argues that global Cyber may be worth a staggering $1.5–2 trillion in the near future. The need for Cyber will only continue to grow. As the space matures, the players, who we believe in, will have to refute these present and future doubts with their own resounding successes. ConclusionsRight now, I’m not sure if there are good, definitive answers for why the valuation gap persists between large Cyber and SaaS companies today. As I discussed, there are issues like comparative profitability overall and long-term worries about scale. Still, the most intuitive explanation for me seems to be the lack of familiarity and relative novelty of many of these companies — it’s just a bit harder for investors (and many CTOs!) to understand Cyber in the same way they understand SaaS. The lack of consolidation in Cyber and the speed of new innovation requires high-velocity work from everyone involved — founders, investors, and stakeholders. What is undeniable is that the gap exists (for now). As our work demonstrates, the fundamentals of many Cyber companies are comparatively sound and undervalued next to their peers in many SaaS domains. But every challenge represents opportunity. Viewed another way, the time it’ll take for public investors to appreciate Cyber is a compelling opportunity for early-stage founders and investors to start now — and take advantage. Postscript:We split into three cohorts: our list of 15 notable Cyber companies, a comparative set of 12 fast-growing SaaS companies, and a final set of the 11 largest technology companies. The average market capitalization of our Cyber cohort was $13.1Bn, so we are benchmarking mature and sizable companies (although they are quite minor compared to the largest technology names, who have an average market cap of $664Bn, or ~51x greater). These names were all public companies listed in the US and the UK, with easily available and audited quarterly financials. This helped us make comparisons of each of these sets over the same period (in our case, over the last year), allowing us to highlight underperformance and outperformance in these sectors relative to the wider market and each other. Data is accurate as of November 2022.
Read newest post →

More recent posts

Lessons in Meta, the Metaverse, and Corporate Governance - Part 1

[Metaverse HQ - 1 Hacker Way, Menlo Park, California.]Meta, formerly a $1Tn company, has been having a poor time this year. Its shares, as of Nov 10, are down 67% YTD, shedding a whopping $600bn in market capitalization in 10 months. Recently, they've been forced to lay off thousands of employees. While Meta's not alone in the myriad of problems now facing many technology companies, and it's definitely not the most battered name in tech this week (does that distinction go to Twitter or FTX?), Meta is unique in the common perception that its biggest problem seems self-inflicted: namely, its vast capital spending on the Metaverse. There is little doubt that Meta is facing big problems, but what can shareholders, stakeholders, or employees do about it? The short answer- seemingly not very much! The slightly longer answer is similar, but requires a little bit more explanation about Meta's leadership structure, dual-class share structure, and a bit of corporate governance theory. Let's delve in. Meta is Facing a Shareholder Rebellion Long-time shareholder Brad Gerstner's recent open letter to Meta captures the prevailing zeitgeist of investor opinion: Meta is committing $10-15bn a year for a decade into a segment that currently generates >$1.5bn in revenue, and investors are fuming. For good reason too: last quarter, its Reality Lab segment's sales fell ~50% YoY due to a reduction in sales of its Quest 2 headset. This is despite core challenges to the business which have led to stagnant sales growth, including competition from TikTok, Apple's recent ecosystem changes, and headwinds in the ad space. Yet, Meta is still expecting to spend >$30bn in CapEx spending this year, while its annual R&D spending has increased by a factor of 1.5x. The inevitable conclusion of less money in, more money out, is a weaker bottom line: free cash flow YTD has fallen 48% YoY.  Yet, Mark Zuckerberg seems to disagree with his shareholders. He talked pretty extensively about the metaverse in Meta's most recent earnings call: “There's still a long road ahead to build the next computing platform, but we are clearly doing leading work here. This is a massive undertaking and it’s often going to take a few versions of each product before they become mainstream. But I think our work is going to be of historic importance and create the foundation for an entirely new way that we will interact with each other and blend technology into our lives, as well as a foundation for the long term of our business.” I'm not going to opine on the viability and future applications of the metaverse here; namely, because I've been really wrong before! The general consensus seems to be that it's coming but it's far away, but I think only time can really tell. What I can look into is how fascinating a future MBA case study this will be: one that won't discuss who's right per-se, but who gets to be right, and far more interesting- who should be right? Lessons in Corporate Governance Let's start with some facts. As of Dec 2021, Zuckerberg owned 13.6% of the company, consisting mostly of his 366mn shares of Class B Common Stock, out of a total circulation of 2.3bn Class A shares and 412mn Class B shares.  Class B shares, which are not tradeable in the public markets, are worth 10 votes per share in stockholders' meetings, versus a mere 1 vote per Class A share. Quite simply, Zuckerburg, through Meta's dual-class share structure, has complete control over his company with more than half its total voting power. As Chairman and CEO, this seemingly gives Zuckerberg a free hand in running the company and its operations - which doesn't bode well for Class A shareholders seeking to change direction on his Metaverse project. Notably, Meta also has quite an institutional shareholder base. As of August, the top five institutional shareholders owned ~25% of Meta, and included names like Vanguard, Fidelity, and Blackrock- all large long-only asset managers. Surely, sophisticated investors such as these would fight for a greater say in Meta's affairs? Yet, it is generally smaller investment managers, such as these, who push for shareholder proposals to remove the dual-class share structure- an idea that is predictably shot down by Zuckerberg year after year since Meta has gone public. Larger shareholders seem more willing to rubber-stamp his Board of Directors nominees, many of whom have been accused of lacking real independence in their ability to oversee the management team and properly protect shareholder interests, in exchange for a more subtle influence on Meta's future direction. The only other alternative for many investors is to sell their stake, which has clearly taken its toll on Meta's share price and multiples. Zuckerberg in his function as CEO, and the Board of Directors as representatives, both have a clear fiduciary duty to maximize value for shareholders. Legally, this fiduciary duty usually involves a duty of care and a duty of loyalty- that directors and officers of the company make informed, material decisions based on all reasonably available information, and do so in a way that does not further their own private interests. Zuckerberg has lost billions this year; I think few will argue that he has gained personally from his pursuit of the metaverse. Even fewer could say if a CEO can ever be convicted for a bad business decision- as long as it was an informed bad business decision. The curiosity is that, despite breaking no laws and no rules, we have a situation where the vision and direction of a corporate leader differs so strongly from that of its shareholders, and the shareholders can do very little to rectify that situation. This situation really digs into the classic notion of shareholder primacy- the theory that maximizing shareholder interest is the primary purpose of the corporation. While few could claim that shareholders didn't know the devil's deal they'd be getting themselves into, I'll recognize that when times are good, nobody really questions what successful managers do.    Conclusions That said, shareholders can still try the courts in very innovative ways. In Part 2, I'll discuss the class-action lawsuit filed against Meta last month, and what else we can learn from Meta, plus a few additional thoughts on dual-class share structures versus fiduciary responsibilities and shareholder primacy. I know that Meta is not alone in its controversial relationship with corporate governance. Google famously has 3 share classes, and its founders can still exert effective voting control in a similar way to Meta's. But Zuckerberg is still at the helm of his company- running its day-to-day operations as CEO- and sits as one of the most classic examples of a successful dropout founder whose tenure now runs nearly 2 decades (nearly as long as Bill Gates's run at Microsoft). Zuckerberg has sole reign at Meta, and only a select few can say they alone control one of the largest companies in the world. But Zuckerberg also seems to see his interest in Meta's future as the shareholder interest, and his voting control ensures that. For public shareholders, asset managers, as well as stakeholders like employees, the message seems to be: you're either with my vision, or you're free to get out. I know many are choosing the latter.    
Read more →