Earlier this year packaging firm Nampak suffered a cyberattack in which a ransomware group gained unlawful access to its IT systems and stole sensitive data. Though the core manufacturing operations were only marginally affected, Nampak incurred additional finance costs on working capital facilities because clients couldn’t be invoiced timeously. The company also had to delay the publication of its financial results.
More recently, in what could be described as a life-and-death matter, the communication system of the National Health Laboratory Service was hacked, a breach that severely affected patient care as doctors’ access to test results was delayed. For example, in many cases chemotherapy couldn’t be administered due to missing biopsy results.
There are more alarming stories, but the evidence that cybercrime is on the rise isn’t just anecdotal. According to global financial services group Allianz Commercial, the frequency of large cyberinsurance claims rose 14% in the first half of 2024 after the total number increased 30% in 2023, with data and privacy breaches the biggest culprits. Not included in the data are attempts that were thwarted.
The risks of IT security breaches are amplified by new regulatory and legislative compliance requirements that put an additional burden on firms. For example, the Protection of Personal Information Act requires companies to implement appropriate security measures to protect personal information collected during the course of business. Failure to do so exposes firms to potential penalties and damages claims.
While this trend is bad news for businesses with an online presence (read: most of them), local cybersecurity specialist ISA Holdings is a beneficiary. Since listing on the AltX division of the JSE in 2004 as a value-added reseller of firewall and antivirus software via a reverse takeover of shell company Y3K, its offering has broadened over the years as the global online ecosystem, and associated threats, grew exponentially. Today, almost 90% of revenue is subscription based, as most clients seek a comprehensive service that includes features such as software solutions, network security, access management and incident resolution.
The numbers tell their own story. Since 2006, profit of R8m on revenue of R38m has jumped to profit of R30m on revenue of R100m, a solid compound annual growth rate of 8.6%. Margin expansion from 21% to 30% also implies scale benefits and a better product mix, which is pleasing for a company that doesn’t own the intellectual property (IP) it sells.
The company’s ability to be software agnostic should temper investor concerns over ISA’s lack of an IP moat
Not that the journey has been smooth sailing throughout. In 2019, a major software partner downgraded ISA’s reseller status after the relationship between the two parties soured. Though ISA recorded a material drop in revenue, it demonstrated resilience, and strong customer relationships, by rebuilding the business with new application vendors. The company’s ability to be software agnostic should temper investor concerns over ISA’s lack of an IP moat.
ISA boasts a large proportion of recurring subscription revenue (albeit subject to contract renewals and cancellations), and the company’s prospects look good. Though the share has run hard this year — it has risen 80% by the time of writing — it’s still relatively cheap for an asset-light business with a trailing earnings multiple of just under 12 and a dividend yield of 8.4%. Transactions with joint venture partner DataProof represent nearly 20% of turnover and bear scrutiny. If this equity-accounted investment continues its strong performance, there’s no reason for concern. Given ISA’s strong balance sheet and net cash position, management might even consider increasing its stake.
With 90% of revenue earned in South Africa, ISA’s focus is local, but there’s opportunity to expand to the rest of the continent, whether by following existing clients or seeking new business itself. Like most South African firms it’ll benefit from a successful government of national unity but, unlike exporters, the company would welcome a stronger rand too — as most software solutions are imported, a stronger currency boosts margins and demand by making the company’s products more affordable for clients.
ISA’s investment case isn’t without risk. With a market cap of only R400m, it carries all the typical small-cap perils such as client concentration, staff retention challenges (a major issue, given the scarcity of IT skills in South Africa) and asymmetrical supplier terms.
Fortunately, directors, led by co-founder and current CEO Clifford Katz, 54, own 65% of the business, thus there’s a strong alignment of shareholder and management interests. It’s also not inconceivable that a bigger IT player or private equity firm might look to acquire the group.
The company’s interim results for the 2025 financial year are due soon. Given the lack of a trading statement so far, profits probably won’t vary by more than 20% from the prior period, whether positive or negative. Note that, depending on the quantum of working capital — including cash — that’s held in hard currencies, revaluations of foreign balances could affect earnings.
In cybersecurity, the threat vectors are vast and include phishing, malware, network attacks and bots. With the evolution of AI the sophistication and number of threats will grow, so demand for ISA’s services to keep the bad guys out will grow too.
As the old investment and business mantra goes, phish where the phishes are.
Would you like to comment on this article?
Sign up (it's quick and free) or sign in now.
Please read our Comment Policy before commenting.