The Colonial Pipeline cyberattack last month had all the makings of a great movie script...
Russian hackers, disrupted critical infrastructure, a cybersecurity collapse, and long lines at gas stations showed up in the nightly news in a way we haven't seen since the 1970s. It's no wonder that the event made front pages for weeks.
Since then, continued headlines are popping up about new cyberattacks. Just last week, Colorado-based meat processor JBS had a similar attack knock out its production.
Treating these all as one-off events misses the point, though...
The bigger story from this wave of attacks is how ransomware is no longer a casual game. It's a genuine business, and some groups have started to specialize in offering the service to clients.
People love to talk about "Software-as-a-Service" ("SaaS") businesses and the massive scalability and profitability of these companies.
It's not just investors who love the model... Hackers do too.
As a recent Bloomberg article highlighted, DarkSide (the hacker group that helped contribute to the Colonial shutdown) created a business out of "Ransomware as a Service." It didn't run the Colonial shutdown for its own purposes. It just provided the plug-and-play solution for someone else.
This hacker group has thought so much about commercialization that it even has rules. Particularly, it refuses to target nonprofits.
This serves as an important warning. The business of cyberattacks is highly profitable and highly organized. The issue is only going to grow, especially as more work is performed on computers.
Companies and individuals must take more precautions to protect themselves from these potential attacks...
And that's where cybersecurity firms like CrowdStrike (CRWD) come into play. The company provides security solutions domestically as well as globally.
Importantly, its offerings are tailored for the current environment. They are based in the cloud and built to protect the booming business in cloud storage and technology.
Today, when more and more cyberattacks are likely to occur, the demand for the company's products should increase.
For that reason, investors might assume that CrowdStrike is an automatic buy. After all, if the stock is going to have booming demand for its services, why wouldn't you want to buy it, right?
But as our Embedded Expectations Analysis highlights, just being a great and growing company alone doesn't mean its stock is a buy...
You need to make sure the market isn't already pricing the company to see massive growth. If it is, then that growth won't move the stock higher. And if the company grows, but not as much as the market expects, the stock could even crater.
To better understand what the market is pricing in, we can use our Embedded Expectations Framework.
Here's how it works...
Most investors determine stock valuations using a discounted cash flow ("DCF") model, which makes assumptions about the future and produces the "intrinsic value" of the stock.
Here at Altimetry, we know that models with garbage-in assumptions only come out as garbage. Therefore, we've turned the DCF model on its head with our Embedded Expectations Framework. We use the current stock price to determine what returns the market expects.
In the chart below, the dark blue bars represent CrowdStrike's historical corporate performance levels in terms of return on assets ("ROA"). The light blue bars are Wall Street analysts' expectations for the next two years. Finally, the white bars are the market's expectations for how CrowdStrike's ROA will shift over the next five years.
Wall Street analysts expect CrowdStrike's Uniform ROA to fade slightly from 7% this year to 3% in 2022.
Despite the company not seeing improving returns, the market is pricing in Uniform ROA to expand to 24% by 2025. Those are lofty expectations for a company that's never seen ROA break 10%.
And the market's expectations for CrowdStrike's growth aren't any more reasonable...
The market is already pricing the company for 40% growth per year, which is below what the company has done historically. However, this still implies that CrowdStrike will double every 20 months or so, continuously.
That's a staggering amount of sustained growth. Even with the booming demand for cybersecurity, that may be hard to achieve.
While CrowdStrike has impressive tailwinds and potential for demand to skyrocket on increased cybersecurity attacks, the market appears to already be pricing the best-case scenario for the company from all these tailwinds.
That is why it's so important to not just invest in themes... You also need to understand if the theme is already priced in for a company before buying. Otherwise, you can end up with a great story – and even a great company – but not a great stock investment.
Regards,
Joel Litman
June 9, 2021