WHK to Thrive as Cybersecurity Takes Centre Stage

Disclosure: S3 Consortium Pty Ltd (The Company) and Associated Entities own 4,328,547 WHK shares and the Company’s staff own 195,000 WHK shares at the time of publishing this article. The Company has been engaged by WHK to share our commentary on the progress of our Investment in WHK over time.

Cybersecurity is now front and centre in the minds of millions of Australians who have been affected by the Optus and Medibank cyber attacks.

Headline after headline in the media has been around the failings of governments and organisations to protect people’s data.

Companies are scrambling to shore up their cybersecurity defences and governments are quickly moving to introduce legislation to force companies to deploy cybersecruity.

With all eyes now firmly on this space, it’s the perfect time for our cybersecurity Investment WhiteHawk Ltd (ASX:WHK) to start announcing some of its long awaited large deals.

WHK was our first ever Investment in the Next Investors Portfolio, when we named it our Tech Pick of the Year back in May 2019.

WHK’s technology helps large organisations assess and mitigate cybersecurity risks across their sprawling supply chains.

Current clients include US federal government agencies, US defence agencies and large corporations.

WHK’s share price has drifted downwards over the past two years in line with the sell-off in the broader tech sector.

With rising interest rates, many tech companies with longer-dated pathways to profitability have been hammered in an environment that favours commodities and companies with existing profits.

We think the macro picture is about to change for WHK.

US legislation mandating cyber risk mitigation of supply chains FINALLY comes into force in early 2023, after multi-year delays.

We expect this to be a big catalyst for WHK to sign more new deals as companies and governments are mandated to implement in cybersecurity.

When we first Invested in WHK, we were expecting this legislation to come into effect shortly after and turbocharge WHK’s new client sign-ons. So after years of delays it’s great for WHK that these new US laws are finally being implemented.

After a quiet year on the announcement front, WHK received a big endorsement yesterday when its global social media company client re-signed for a further 12 months of cybersecurity protection - with an option to expand.

Such a renewal of a technology contract is a very positive sign as it demonstrates that the client is getting value from the product after using it for the first year.

This contract renewal is a great result and comes as hundreds of tech companies are slashing their workforces to cut costs.

Since first Investing in WHK in May 2019, our Investment has been up as high as 380% to reach 46.5c per share.

But after a fairly quiet 12-24 months from WHK, a couple of key contract delays, US government delays in implementing expected supply chain cybersecurity laws, and the 2022 NASDAQ tech wreck that battered even the largest U.S. tech stocks, WHK’s share price is now below our Initial Entry Price of 9.7c.

Over the years, we’ve increased our Investment no fewer than four times and we still like the company as it continues work to progress more deals with new and existing clients, including US federal government departments and Fortune 500 companies.

Deals with these large, complex organisations take a long time — but when they do land they are big and tend to be extended well into the future.

Much of our confidence WHK’s ability to secure and deliver on such contracts comes down to its management, particularly CEO Terry Roberts, a former deputy director of US Naval Intelligence and 35-year veteran of the US national security and cyber intelligence community.

We continue to back Terry to secure more contracts at the highest levels of the US government and industry after the company, as well as the wider cybersecurity industry, faced a number of obstacles.

We have been patient with our WHK Investment however.

Pending legislation (that would require the 330,000+ U.S. Department of Defense supply chain companies to have adequate cybersecurity protections) has suffered delays as the Biden administration — which has been vocal about its support of cybersecurity — worked to put its own stamp on it.

Version 2.0 of that legislation is now set for release in May 2023 and WHK, alongside its partner Amazon Web Services (AWS) Federal, has engaged with the DoD to demonstrate cybersecurity solutions.

In Australia, the Optus hacks and Medibank data breaches amplified the urgency of ramping up cybersecurity measures, with the federal government increasing penalties for data breaches and the launch of the AICD Cybersecurity Governance Principles to assist Australian directors oversee and engage with management on cybersecurity risk.

WHK sees opportunity to provide its services in Australia, recognising the “obvious high need” for effective cyber security risk reviews and citing the high cost data leaks at Optus, Medibank Private and Woolworths as examples.

With things starting to reach a boiling point for the cybersecurity industry, and with governments increasingly looking to legislate for cybersecurity protections, we expect cybersecurity to be a strong Investment thematic in 2023.

We think the best is yet to come for WHK and expect to see major progress in regards to WHK signing on new clients and contract extensions in 2023.

We have been Invested in WHK for many years now and increased our Investment multiple times at well above 10c. In that time we have gotten to know Managing Director Terry Roberts and we back her to deliver on our Big Bet for WHK, which is currently capped at just ~$18M:

Our WHK Big Bet

“WHK becomes a $500M technology by securing new contracts and partnerships as legislation and public pressure force governments and companies to invest in cybersecurity”.

NOTE: our “Big Bet” is what we HOPE the ultimate success scenario looks like for this particular Investment over the long term (3+ years). There is a lot of work to be done, many risks involved - just some of which we list in our WHK Investment Memo. Success will require a significant amount of luck. There is no guarantee that our Big Bet will ever come true.

WHK re-signs global social media company

As announced yesterday afternoon, WHK has re-signed its global social media client to a further 12 months contract of cyber and business risk monitoring.

The deal will add US$825,000 in new revenues from 1 January 2023.

But we think even more interesting is that the contract includes further options to extend the service beyond the client’s initial 300 suppliers, vendors, and partners into other business units.

Due to the confidential nature of its cybersecurity services, WHK can’t reveal the name of the global social media company but it says that it is one of WHK’s largest clients by market value.

Considering that WHK provides services to companies including those in the Fortune 500 and top U.S. financial institutions, this is surely a well-known social media brand and we see huge potential if it opts to roll out WHK’s cybersecurity solutions to more of its likely 1000s of suppliers/vendors.

Following the initial contract signed last year, WHK will continue to provide its SaaS Solution of automated cyber and business risk monitoring over the coming year.

Then, as the client desires, WHK can expand to provide its vendor risk monitoring and mitigation solution into a large program across thousands of vendors/suppliers.

We note that today’s US$825,000 (A$1.22M) contact is for a lower dollar value than the initial US$1.5M contract from a year ago. That’s because the initial contract included one-off upfront costs involved with the platform rollout, which suggest that the client always had a long term relationship in mind.

Being a contract renewal also provides strong validation of WHK’s cyber supply chain risk management capabilities and suggests this client to engage WHK over the long term.

This contract is but one of a number of WHK’s revenue generating contracts, while it continues negotiations and proof of concept opportunities to grow those revenue streams further.

Securing contracts with large organisations can be arduous, but once signed can be very lucrative over the long term. Here are a handful of WHK’s other key deals:

• 7 year contract with the U.S. Federal Department of Homeland Security - (DHS) CISA QSMO Cybersecurity Marketplace, as sub-contractor to Guidehouse for US$1.5M to US$1.8M fiscal year 2021.
• Prime Contractor on a U.S. federal government department contract - Chief Information Security Officer (CISO) Cyber Risk Radar contract for a base year and 4 option years, worth up to US$1.18M annually.
• A 2nd contract with US federal government department CIO - 5 years (1 year with 4 option years) Cyber Risk Policy subcontract. Second full year (12 month) revenue to WHK is expected to be between US$300K to US$500K and is subject to refinement by the prime contractor and government customer.
• Defence Industrial Base (DIB) company - a total of over US$700K for a comprehensive annual subscription contract with a top 12 U.S. DIB company for 150 suppliers and vendors.

WhiteHawk Ltd

ASX:WHK

WHK didn’t sign a lot of new contracts over the past 12 months, but it continues to progress towards positive operating cash flow status. It invoiced US$2.6M in 2022 through to 30 September, a 132% increase from the US$1.9M invoiced a year earlier, while expenses were similar.

Plus, WHK has a further US$400K in invoicing due after the quarter end.

The company finished the quarter with US$898K in cash and no debt and has since signed a $3M private placement with Lind Global Fund via a prepayment of cash for placements shares and unlisted options.

WHK says the funds will be used to:

• Develop business opportunities in Australia to complement the current US market penetration.
• Expand client engagements across all commercial sales channels to include Sontiq (a TransUnion Company) and Amazon Web Services.
• Advance the number of Cyber Risk Solution partnerships with global consulting firms.
• Close on current and grow future Proofs of Value, that lead to annual subscriptions.
• Improve technical integration with key partner technologies in support of current and future cyber governance, risk and compliance focused client requirements.

New Defense Force cybersecurity rules due soon

The U.S. Department of Defense (DoD) has recognised the huge cyber risks that come from having more than 330,000 U.S. Defense Industrial Base companies.

In response it developed the Cybersecurity Maturity Model Certification (CMMC), a security framework to assess the DoD’s contractors and subcontractors’ security and capabilities.

Essentially, this means that any company that does business with the U.S. DoD will require CMMC certification.

WHK is in a prime position to provide this service.

After we first Invested in WHK we expected the US government to launch and enforce the CMMC shortly after, meaning WHK would suddenly enjoy a materially large, potential customer base that is required by the US government to spend on cybersecurity.

Unfortunately for WHK investors the CMMC launch was delayed by a few years after a change in government - but it is now back on track for early 2023.

WHK was selected by Amazon Web Services (AWS) Federal to participate in DoD engagements and demonstrations regarding the parties Cybersecurity Maturity Model Certification (CMMC) 2.0 joint capabilities.

The framework was all set to be rolled out until the incoming U.S. government decided to release a revamped model — CMMC version 2.0, which is now tipped to arrive in May 2023.

Those following the story might be interested in this podcast discussing the changes:

WHK was all ready to go almost two years ago before the delay, which caused a ripple effect on all associated sales channels that WHK had developed. WHK has now updated these channels and they are ready to launch ahead of the rollout in May next year.

The CMMC will be rolled out in a phased approach with phase 1 requiring a self-assessment. Phase 2, for which timing still to be determined, will require either self-assessments or third party certifications.

All third-party CMMC certification for these DIB companies will be good for three years, and contractors will be required to provide confirmation of compliance annually.

WHK makes it clear that it expects to provide solutions for both phases — as a third party assessor and in assisting the DoD supply chain companies in conducting their self assessment. These companies are not currently at all equipped to conduct self assessments alone.

WhiteHawk says it is uniquely positioned to provide an automated path for DoD contractors to CMMC 2.0 and is working alongside with its U.S. federal focused partners — AWS Federal, as well as D&B (Dun & Bradsheet) and Peraton, which is a private company formed when Perspecta, Northrop Grumman's federal IT division, Harris Corp’s government IT services division, and Hewlett Packard Enterprise Services’ were rolled into one.

With this in mind, we see 2023 as the year WHK finally capitalises on its deep experience and reach to deliver another significant re-rate.

Our 2022 WHK Investment Memo

Click here for our WHK Investment Memo, where you can find the following:

• Key objectives we want to see WHK achieve
• Why we are Invested in WHK
• What the key risks to our Investment thesis are
• Our Investment plan