SSH Communications Security Oyj
OMXH:SSH1V
SSH Communications Security Oyj
SSH Communications Security Oyj engages in the provision of security software solutions. The company is headquartered in Helsinki, Etela-Suomen and currently employs 123 full-time employees. The company went IPO on 2000-12-22. The company specializes in the development and retail of solutions for data protection and network security. The firm offers encryption, centralized management and access control, as well as privileged identity management solutions. Its product portfolio comprises Tectia SSH, Universal SSH Key Manager, CryptoAuditor and Tectia MobileID. The firm provides services to financial institutions, public sector, retail organizations, healthcare and educational institutions, among others. The company cooperates with a range of entities, including F5 Networks, IBM, Juniper Networks, Oracle and InfoSec. Furthermore, the Company has offices in the Americas, Europe and Asia, and operates a number of subsidiaries, such as SSH Communications Security Operations Oy and SSH Communications Security Ltd.
Earnings Calls
In Q1 2025, SSH Communications saw a 7.9% increase in net sales to EUR 5.4 million, driven by a 12.9% rise in annual recurring revenue (ARR) from subscriptions. Key product PrivX experienced a remarkable 19% growth, with the company targeting even higher rates moving forward. While EBITDA stabilized at EUR 0.2 million, EBIT took a hit, showing a loss of EUR 1.1 million due to a EUR 0.4 million R&D write-down. The company's liquidity improved, ending the quarter with EUR 3.5 million. Notably, SSH aims for positive EBITDA and cash flow in 2025, with ARR at EUR 20.5 million by year-end.
You don't have any saved screeners yet
Welcome to SSH Communications Securities' Investor Call for Q1 of 2025. I'm Aino Virolainen. I am a member of the SSH finance team, and I also handle our Investor Relations. The results will be presented by our CEO, Rami Raulas; and our CFO, Michael Kommonen. After their presentation, we will have time for questions. [Operator Instructions]
The call is hosted with our own solution, SalaX Secure Messaging. The call will be recorded and the recording as well as the presentation material will be available in our Investor pages.
And now it's time to start. So I will give the floor to our CFO, Michael, who will start with the financials. So please go ahead.
Thank you, Aino. Good morning, and welcome also on my behalf to our first quarter investor call.
Let's start by looking at the financials of the first quarter. So the net sales grew 7.9% in the first quarter, and EBITDA remained stable at EUR 0.2 million, the same profitability we had on EBITDA level a year ago in the first quarter.
So the sales reached EUR 5.4 million. Underlying or underpinning the sales growth was a subscription ARR growth of 12.9% and PrivX subscription sales grew 15% in the first quarter.
On the profitability side, a couple of things impacted our profitability. On the spend side, we had increased spend in regulatory certifications in North America partially and also the expansion of our North American organization increased our costs somewhat in the first quarter.
Looking further down the income statement on our EBIT, our EBIT was negatively impacted by write-down as a result of us refocusing R&D efforts in the Secure Message and Secure Communication business unit. So that write-down was EUR 0.4 million. And again, that is visible in our EBIT for the first quarter.
On the market and portfolio side, we closed several PrivX deals globally in all 3 regions in the first quarter. We also saw several deals in Tectia, especially in Europe and APAC. These deals materialized in the first quarter. Rami will elaborate a bit more on those going forward.
If we look at the -- some other key metrics, key figures of the first quarter, overall subscription sales grew 11.4%. Our deferred revenues were down mostly because of seasonality, declined somewhat to EUR 11.8 million. EBITDA, as mentioned, EUR 0.2 million. And on the EBIT, we can see the negative impact from the write-down, so EBIT EUR 1.1 million, negative.
Cash flow from operations was broadly in line with the previous year quarter, slightly lower at EUR 0.7 million. The liquidity position, however, improved in the first quarter. We ended sequentially compared to the end of 2024. We ended the quarter with EUR 3.5 million of total liquidity.
So with that, I'm happy to hand over to our CEO, Rami Raulas. Rami, welcome.
Thank you, Michael. So I wanted to take you through a little bit about what we achieved in Q1, and how we are now moving forward in Q2, and towards the rest of the year.
Focus has been on 2 things in the past year and moving forward. It has been -- on one hand side, it has been on improving and making our solution offering more competitive and more compelling. And secondly, about getting our marketing and sales activities on to a higher level to increase demand and the amount of business opportunities we can create for ourselves.
Now we are celebrating, as said already earlier in the previous calls, the 30-year anniversary, and we're going to use that to our advantage to talk about the presence that we've been able to have in helping to make the Internet safe for the past 30 years, and now it's proving it safe for the next 30 years with quantum-safe encryption and protection technologies.
SSH's protocol itself and Tectia as a commercial product is still going strong. You can see some examples there: windmill parks, subway stations, connected cars, still using that. And indeed, what I wanted to show here is a couple of cases of actually new Tectia deals with the bank and finance industries in Asia; telecoms operator in the U.S.; space operator in Europe; Nordic financial, major finance and insurance organization for mainframe; security, they are still working around; and some other financial customers and other authorities.
So apart from people using open source, there's certainly a good growth pace still for commercial solution for government industries and for better security.
But next, let's have a quick look about our performance globally. So in Q1, we were able to grow in Asia, continued strong, actually up to 50%, and on the average growth rate in Europe. In the U.S., we still did not grow in the Q1, and we have made some initiatives there, which relate to building a new team, enhancing and reconstructing and putting effort in our partner network, and getting an approval for encryption validation for -- that is approved by the U.S. government.
So with the new team, Sean McAllister was appointed, a young talented leader, last year. And now we've been building a team for marketing with Barbara and Chris; for sales with [ Bhumi ] and Ben; and for partner management with Megan; and then technical capabilities with [ Saketh ] and Praful. This is not a whole team, but these are the new additions to our team and new roles in the team. So I feel pretty confident that we have now a new gear in in the U.S.
And we aim to grow with our partners. So we continue to develop our partner business and grow our partner business. We were in many events. This is a picture from Australian event. We were at the Cybersecurity Summit in Singapore, at Security Days in Tokyo, a couple of OT -- operational technology events together with our partners. We signed a few new partner agreements here in Finland with Loihde, mainly focusing on OT markets.
Actually, today, we are announcing a signing of a partnership with Cinia. This is me and Jaakko from Cinia shaking hands. So that will come out today. And then we signed a partner agreement to enhance our product and offering portfolio with Honeywell. A bit more on that later on.
And we were -- we had partner days in Europe, in Prague, very successful partner days. So we're going to have another partner event -- partner days for about 50 partner representatives in Asia, in Bangkok in 2 weeks' time. So really a lot of activities with partners moving forward.
Coming back to the other element of the game here, a compelling and competitive solution portfolio. And then on the second hand, marketing and sales. We've been able to simplify our product offering. So nowadays, we talk about 3 core businesses, the biggest one being PrivX Zero Trust Suite, complemented with Network Security, and then Human Secure collaboration.
We added also a few things into that last year, which are now coming into play, new versions and functionalities for the Secure Messaging, OT Insights -- PrivX OT Insights for complementing our OT offering, and then file encryption solution as well.
So with that in mind, I want to take an example of one industry, which actually -- which is the defense and defense-related providers, actually using all of our solutions. So there's no reason why other markets and other customers [technical difficulty] Secure Messaging, it's about secure networks and access management. We're not even talking about privileged access management when we talk about defense because everything is privileged in that space. So I guess you could call our solutions military grade in a sense.
This is the work we've been doing in the past 3 to 4 years, and now we are achieving some success with that. And there's one area which we did not focus on yet, which is kind of secret level encryption device or solution. A single country market is too small for that. But we are looking ways to expand our presence in the defense market through strategic partnerships with the defense operators globally, both in Europe and in Asia, especially.
But let's have a look at one of our key products, the main product -- main growth product, which is PrivX Privileged Access Management. Maybe just a word on here as well is that there's a -- in many countries nationally a request or requirement to do encryption family solutions, and we certainly have that encryption family solution, our main supplier for that now.
So on PrivX, the annual recurring revenue in Q1 grew 19%, and we had some new customer wins in that area. Not a single big deal, smaller, medium-sized deals with some service providers, retail and wholesale company, cloud service, managed service provider for manufacturing industry, and again, more for the defense sector.
So with PrivX, we introduced also new versions, actually 2 new versions in Q1, and added new functionalities into PrivX. High availability, I mean these are critical systems. All the critical connections to critical data go through a solution like PrivX. So it has to stay up 99.999% of the time.
We've added all the latest protocols for quantum-safe encryption for the connections that go through from users or systems to market environments, whether they are databases or servers or network devices or applications.
We've enhanced our presence to automatically work with cloud operators. We've already been compatible with Azure, AWS, Google. Now we added Oracle Cloud and quite a few service providers also using OpenShift, which we are compatible for, finding automatic resources in the cloud environments, onboarding them automatically, scaling up and down automatically, and connecting to the targets for users and applications as well.
Then we added a few more OT-related -- operational technology-related security components into PrivX. The whole method of accepting access to manufacturing sites or critical infrastructure has to happen from the site. Somebody on the site has to allow access. So the whole workflow and approval process tools were developed.
And we now introduced to the market the integration of Network Security and PrivX Access Management, so PrivX and NQX integration. A little bit more on that in a while.
And moving forward, we are now bringing -- in the next PrivX release, we are bringing FIPS, which is the U.S. federal approved cryptography for the U.S. government business. We have partners in the U.S. and we have a Federal Inc. company in the U.S. as well. So this is something that will enhance our opportunities to engage more with the U.S. government business as well.
And then indeed, moving forward on the simplification and focus on the solution architecture, solution branding, if you wish, we are going to bring to market PrivX Key Manager in a matter of a couple of weeks, which is an enhancement and the next generation of what used to be called Universal Key Manager, automatically moving -- removing the need of having to rotate passwords, let alone passwords, but also security keys and making it fully automatic for customers to create connections without having to change or renew keys at all.
PrivX Desktop will be released a little bit later in Q2. That is the next generation or future development of what used to be called Tectia Client. So enabling secure connectivity from workstations and remote engineering workstations without the need of having to use VPN -- complicated and expensive VPN solutions.
We will also, in Q2, be releasing PrivX IT Insights, which is a further development from what earlier was called risk assessment, where we are adding capabilities to scan and discover assets, accounts, targets, resources in the IT landscape, whether it's computers, servers, databases, applications or network devices, and the state of their health. And we'll be adding generative AI development to that. That is a big investment we're making at the moment to further automate that process.
Then on the OT side, actually pretty comparably, we have now a partnership with Honeywell, which gives us PrivX OT Insights, i.e. being able to find assets, onboard them automatically, and monitor their connections and vulnerabilities and threats in the OT landscape.
And we've already have had -- under the PrivX branding, we've already had PrivX Authorizer, a mobile app; and PrivX Device Trust authorizer with the partnership with the Beyond Identity.
So all of that is going to happen in Q2 to further simplify the PrivX branding or product naming, and to have more functionality so people can start from the kind of asset discovery or environment discovery, and analysis or they can start from the endpoint security. So multiple opportunities there.
And indeed, as Michael mentioned, we have some new cases there. But the integration between PrivX and NQX is a unique offering that we have, which is no other PAM vendor or access management vendor, and no other network solution vendor can offer, where we simply combine the access management capabilities of PrivX, authenticating the user, authorizing the user. And then add to that the capability of just establishing a just-in-time tunnel as well. So we even make the network connection ephemeral.
It's only valid for the time of the session. It's created automatically. And PrivX commands NQX to open a quantum-safe tunnel. And then when the job is done, everything is destroyed, and set up next time around. So there's nothing permanent, nothing is left behind. There are no open doors, because in the OT environment, everything has to happen from the right-hand side. So ports and gates are not open until they are told to be opened.
So with that, let's have a quicker look again on what's happening in the OT space. We've been talking about OT as the big growth market. And certainly, we are now seeing big -- next steps happening in that market. So this integration of ephemeral tunneling on secure tunneling between sites and from engineering workstations to sites is certainly a great addition to our offering.
We talk about IT and OT convergence, meaning that there are nowadays necessity to connect to operational technology, sites, manufacturing plants, windmill parks, oil rigs. Earlier, they used to be kind of air gapped like in oil and gas, for instance. You will not allow changes or connections to those remotely. But it is all now changed and changing. And all those companies are looking for now solution for secure access and the integration between the IT platform and the OT platform. And that's why we are expanding and moving forward.
What we have seen now, we've been recently in a couple of Gartner analysts big events called Identity and Access Management Summits in U.S. and in London, talked to about 450 people face-to-face in those events. And they are mainly IT people. And what we've seen there is that half -- nearly half of the discussions are around OT. So people are keen to find out how they can improve their security for OT.
Conversely, we've been to OT security events. CS4CA and ManuSec are 2 events in the U.S. and Europe. Typically, they have been only representatives from OT security from companies, from the manufacturing part of the organization. But now in those 2 events this year, we've seen nearly half of the people are from IT security: CISOs, CIOs or cybersecurity specialists from the IT side. So certainly, at least on the people level, this is already converging.
And what we are so now offering is a converged solution between IT access management and OT access management, and then enhancing our OT access management with the partnership with Honeywell.
And you may have seen the press release on that. And indeed, what that does and helps us, it helps us find the assets, onboard the assets, monitor if there are any unnecessary or illegit network accesses to the target devices, control devices in manufacturing sites, and then see vulnerabilities, block vulnerabilities from happening, and then producing compliance reporting as well. And we are integrating these solutions together.
The other key element is the architecture of PrivX itself. In the IT side, you have certain requirements for a privileged access management solution, typically about identities, identity management, entitlements, authorizations of users, auditing, recording, just-in-time zero standing privilege access methods.
On the OT side, these requirements are a little bit different. It's more about approvals and workflow processes. It's about the norms and standards like MIST 2 or 62443 IEC, which are totally different from the IT side of requirements. And you have some certain protocols or connection methods, which by default were not encrypted or protected at all initially, like OPC UA or Modbus S7 or PROFINET or those kind of things, which have to be protected and encapsulated into secure connections as well.
And what is unique in our solution, which I don't think anybody else can do, is that customers can use one platform for that and reduce the cost of ownership, and have a simpler way of managing systems just on one platform, whether it's divided in 2 installations or 2 services or run as a one service.
And indeed, we've been active with OT, with a lot of activities. We've been in, as I mentioned, in OT events. These are some pictures from those OT events. And we are quite nicely represented in one of the latest, just came out a few weeks ago actually, at the end of Q1 in an industrial cybersecurity bias guide, where you don't see apart from one typical IT access management solution vendors, you see specialists from the OT side that kind of further, again, highlights the uniqueness of our offering between IT and OT that we can make with PrivX.
And we are working on customer cases. And I'm actually happy to kind of announce that together with our new partnership, there's a new customer win just right now about -- on a global automation company, specializing in intralogistics solutions and robotics and automated material handling systems. You'll see more about that a bit later on in the coming weeks.
But still coming back to that Network Security, and I mentioned NQX, and how we are deploying that also now for the OT side. So let's have a look at what's happening in the Network Security, NQX part of the business. That also grew 23% year-on-year. So we're moving forward there.
Initially, the whole development was aimed at the defense market. We have then moved forward with the defense contractors and suppliers, supply chain security as well. A new entrance area for us, which we've been working on, and now good success in Q1 is data center operators, data center to data center or rack-to-rack within the data center, secure connectivity with really high level performance, low lag times. There's really special requirements for performance, but then connected with security.
And typically security is an overhead that takes down performance. In our solution, that is not happening. There's only 4% degradation when you run full-blown quantum-safe encryption on network devices. And we are focusing on European cloud providers as well. A few more words on that in a second as well.
So we're also finding and developing new market opportunities next to the OT opportunity with European telecom sector and Asian telecom operators and government use cases, especially in Asia and Europe as well. And as I mentioned, one of the new grounds is data center operator. This was a press release that we --
So there's a family of different solutions. The blue boxes there talk about throughput. So on a 10 gigabit line, you can get the throughput of closer to 10 gigabits. And on a 100 gigabit line, you get throughput closer to 100 gigabit. So that's what they are scaling. Scaling from small boxes or small deployments that can be in the field, in a moving machine, a tank or a ship or a vessel or a remote site like an embassy, as an example, all the way up to a massive data center connections where you need high bandwidth, high performance.
Typically, those solutions cost hundreds of thousands. We have a very affordable solution, because we're using standard hardware and standard infrastructure technology in our solutions, not bespoke expensive technology. But again, a high performance because of a few features that I wanted to share with you here as well. If you can make -- all right.
So there are some interesting key features, Secure Boot. These are really easy to take into use. Anybody could take them into use, and they will only kick off and start if the security of the device and the software is interlinked on the site.
Crypto agility, so we will be implementing, as one of the first vendors, new algorithms when they come through the standardization processes. Crypto module means that customers can deploy their own cryptography. That will be hush-hush projects, but technically that's possible. And then we have built some clever network connectivities and the high-end performance coming from the architecture of the devices, and especially software means that we can scale in an unprecedented way.
But not so much about features. It's more about what are the kind of benefits of that. So it's about the automation and ease of use, ease of taking the solution into use. Of course, it's important to have the accreditations, National Cybersecurity agency accreditations. We are in the final stages of NATO and European Union approvals for restricted level, which will open us new market opportunities in those spaces.
We already mentioned PrivX Privileged Access Management and NQX integration, which I think is pretty unique. We can just encapsulate all OT unprotected old OT environments into a secure environment, and the performance against hardware-based solution is 6x faster.
And toward the end here now, just a few complete -- to complete the enhancements and development on our portfolio. Just a few words on SalaX Secure collaboration and Secure Messaging. Now we already have a strong base in Secure Messaging with the Secure Mail, with the acquisition on many years ago and further development of that. But what we see happening in the market is that mail and Secure Mail itself is not growing.
We have grown a little bit in that. There are some new customers there as well. But the market is really rapidly moving into [indiscernible] or secure messaging, secure fast messaging type of solutions. And that's why we decided to enter that market.
A few years ago, we decided to base our solution on so-called MATRIXX open platform technology, which is a European development platform up to about 160 million users, and many interesting instances on that technology stack with French government, German healthcare, German defense, many Swedish public sector customers, and so on and so forth.
And there's kind of a bit of compelling reasons for that as well. So first of all, for many government organizations who are running these services for themselves, many still are based on Skype or Skype for Business that is coming to an end of life. So there's a replacement requirement there.
And then, of course, because of the policies, compliance, and really adhering to company standards, people need to understand what can be communicated where. So typically, you would not invite people to your communication platform when you deal with secret or confidential data, right? So you don't use signal for that purpose as an open platform, as we all have seen recently as well.
But what we have now added to that is a secure offering. So we are offering SalaX Secure Messaging from Secure Cloud, European cloud service operation as a SaaS offering. This is new, just came to market. And we'll also be promoting our solution with the free trial onto the market, being released this week or next week.
So I see a great opportunity there, especially given that we have a strong base already in the secure messaging part from the Secure Mail side of things from the past.
So with that in mind, I'll just summarize here how our portfolio has been now completed overall, and invite Michael to join here for an outlook and Q&A session.
Okay. So the outlook for 2025 remains unchanged from what we communicated in February. So we expect net sales to grow during 2025 compared to 2024. We estimate EBITDA and cash flow from operating activities to be positive for 2025.
And as a reminder, at the end of 2024, our ARR was EUR 20.5 million. And in 2024, our net sales grew by 9% to EUR 22.2 million, and EBITDA was EUR 3.4 million in 2024.
So I guess, Aino, we could facilitate some questions if there are any.
Yes. Thank you. I will shortly check the chat for any possible questions. But before that, as usual, the first questions will come from Redeye's analyst, Fredrik Reuterhall. So Fredrik, please go ahead.
Thank you for the presentation. I have a few questions. First, regarding the recruitment in the U.S. Can you give us your trajectory for the rest of the year? Are you satisfied with the number of new recruitments? Or are you going to add on to that? And will there be any more, you think, additional costs related to the U.S. expansion now?
Yes. Well, we certainly, with the recruitments have taken on a bit more cost, as you can imagine. But I think the main part of the investment now, both for solution approvals on the market, the partner network development, and sales and marketing resources are now in place. So I don't foresee any major further investments in that for this year. Now we need to see the results of that investment, obviously.
Yes. That was actually my next question. How do you -- I mean APAC grew pretty nicely in the quarter. And how do you balance the year, the sales effort now between the APAC and the U.S. going forward?
Yes. I mean U.S. is the biggest market. I mean 5 years ago, U.S. used to be half of our business. Okay, we have grown elsewhere, certainly. But we maybe didn't have the right strategy and right resourcing in place in the U.S. And now we're working on that, starting from second quarter of last year and now kind of fulfilling that.
So I have high expectations that we are able to turn the U.S. around it. And when I look at now about the amount of dialogues that we've been having in events, amount of new deals, or opportunities, you might say that we've been able to establish, and also the work that we've been doing now with our existing customers, because we have massive customers, but only buy 1 or 2 products from us at the moment. So the kind of key account management and landing and expanding and enhancing their experience of our further solutions is key.
So I see the right steps being taken there. It's a little bit difficult to estimate how quickly that will show in the numbers, but we'll have to take it step by step.
Yes, makes sense. And regarding PrivX, you grew 19% in the quarter. And if I look at the growth -- I mean the growth rate for last year is a bit lower. Do you think you will manage to have by 20% growth for the rest of the year? Or what do you see there?
Yes, we certainly target that and even higher. I mean that is the biggest part of our business, and it's the highest growth market. I mean the Privileged Access Management market will grow. And there's 2 parts of it. There's new market. There are new customers, new players, who yet don't have a proper solution in place, especially in the OT space, which I hope will take and expect it to take off more now in the coming couple of years.
And then there's a replacement market. Some people have 20-year-old solutions in the market from market leaders. And they're not maybe not happy with those. They are complicated, expensive and they're looking for a more nimble, more cloud, and hybrid era solution. Let's even call it a third-generation PAM, which PrivX stands for. So certainly our aspirations are pretty high. We don't give specific projections, but I foresee an opportunity to grow more in that space.
Okay. And it was interesting to see the product development in PrivX there. And I'm just curious, how much of the product development is from in-house, compared to requests from customers? Can you say something?
Yes, we are -- yes, that's a good question. I used to say in my earlier career that there's always a combination of customer requirements and technology innovations and they kind of meet. But we are really customer market-driven organization. We talk about closer to customer as a theme here as part of our values as well.
So majority of the development is happening in dialogue with our key customers and partners. So we are market-driven. But of course, with our new technology innovations like AI -- generative AI is a good example. I mean customers are not saying, I need -- I want you to deploy generative AI that way. But that's a technological innovation that we need to put in place to see how that can enhance our solutions. But majority of -- large part of the development comes from dialogues and discussions and real requirements for our roadmap from customers -- customers and new projects.
All right. Thank you. I don't see any questions in the chat. So we will close the call.
Thank you very much, Rami and Michael, and thank you to everyone who has been following us online. Our next investor call will be on July 17, when we publish our results for Q2. So thank you again, and we hope to see you in July.