Okta, Inc.’s (NASDAQ:OKTA) highly embarrassing security incident in January involving a breach through its third-party provider Sitel by hacking group Lapsus$ impacted its stock. However, some Street analysts did not consider the hack “material” to its forward projections. For example, BTIG retained its Buy rating on Okta, believing the impact to be “small.” It added (edited):
We have done a lot of independent fieldwork to better understand the implications to Okta from the company’s recent third-party breach disclosure.
We also conducted a survey of 25 Okta customers. Therefore, we believe that any impact from the breach will be relatively small and contained within FQ1.
Still, there’s modest potential for risk on new customer additions. That said, we believe the headwind will be relatively small and abate within three months. Furthermore, we see little to no risk in existing customer expansion initiatives or churn. (The Fly)
However, we remain unconvinced. We think the credibility impact of Okta’s failure to provide timely disclosure has riled several customers and notable cybersecurity providers/partners.
Furthermore, Okta is not the only leading IAM/MFA player in town. For example, CrowdStrike (CRWD) highlighted that it works with several identity partners, including Ping Identity (PING), Duo (CSCO), CyberArk (CYBR), and Google Authenticator (GOOGL) (GOOG).
Therefore, we think Okta’s delayed response has severely impacted its credibility. Notably, management’s response certainly didn’t do justice to its stock’s implied growth premium.
Investors should also note that IAM/MFA providers have consistently traded at a considerable discount to OKTA stock. Hence, we believe that OKTA could remain in the penalty box in the near term.
Okta Riled Its Customers For Its Delayed Response
Okta’s embarrassing incident has caused a stir among the customers that use it as an identity provider. The impact wasn’t so much about Okta getting breached. Breaches have happened to security providers, and even Microsoft was breached recently. But Okta customers were justifiably upset with the company’s practices regarding such disclosure.
Cybersecurity partner Tenable (TENB) was “infuriated.” CEO Amit Yoran articulated (edited):
Two months is too long. This compromise should have been disclosed when Okta detected it in January or after a competent and timely forensic analysis.
No indicators of compromise have been published, no best practices and no guidance has been released on how to mitigate any potential increase in risk. As a customer, all we can say is that Okta has not contacted us. And, to the best of our knowledge, we are not affected by the breach. Out of an abundance of caution, we are taking what we believe to be logical actions to minimize exposure.
Trust is built on transparency and corporate responsibility, and demands both. I’ve been in the space long enough to know that security is imperfect. Even Mandiant (MNDT) was breached. But they had the fortitude and competence to provide as much detail as they could. And they remain one of the most trusted brands in security as a result. (Amit Yoran’s LinkedIn)
Furthermore, Cloudflare (NET) was also visibly upset at Okta’s initial response. CEO Matthew Prince articulated (edited): “Can anyone who’s gotten a satisfactory answer to #Log4J, #Log4Shell from Okta raise their hand? We certainly haven’t. #rottenfishstinks.” Prince then assured Cloudflare’s customers that none of its customer accounts had been compromised. In a subsequent post, the company further clarified that it only used Okta for its internal employee accounts, but not for external customers.
Given Prince’s exasperation over Okta’s response, we don’t think NET will even consider using Okta for its customers moving forward.
Unprofitable Business Model Leaves No Room For Compromise
Okta reported robust revenue growth in its recent FQ4 earnings report, reaching 63.2% on $383M in revenue. However, its GAAP operating margins demonstrated that the company is nowhere near profitability, despite its growth.
Moreover, such a growth-focused strategy could work against Okta moving forward as it needs to work harder to convince customers on the sidelines given the loss of its credibility. As such, onboarding new customers could be increasingly costly, further impacting its weak bottom line.
Therefore, we think its weak fundamentals don’t bode well for Okta until it thoroughly addresses its best practices on material disclosures moving forward.
We encourage investors to pay attention to how its key customers react to such guidance. Notably, they should also observe how its cybersecurity partners work with Okta moving forward. We think these players have a massive influence on the integration with Okta, given the multitude of options available. CISOs’ deliberations would most certainly involve inputs from cybersecurity players like Cloudflare and CrowdStrike moving forward.
Notably, Cloudflare and CrowdStrike partner with Ping Identity in their Critical Infrastructure Defense Project. Therefore, we believe PING could feature more in their discussions with their customers. As Cloudflare and CrowdStrike investors ourselves, we are glad the duo didn’t pick Okta for their project.
Is OKTA Stock A Buy, Sell, Or Hold?
OKTA stock’s growth premium has certainly been digested significantly. But, it’s not surprising given that the market has consistently accorded a much lower premium to its IAM/MFA peers, as seen above. Nonetheless, it still traded at a premium, and we believe it could remain in a range or move lower.
Given lower peer multiples and a lack of management credibility, we think there are insufficient near-term catalysts to re-rate OKTA stock.
Investors should also be wary of using the average price targets (PTs) to add exposure to OKTA stock. The Street has gotten it “horribly” wrong over the past year, as they continued to revise OKTA stock downwards.
As such, we rate OKTA stock at Hold.