Spruce Point Reiterates Strong Sell Opinion On Mercury Systems Inc (MRCY) From Cybersecurity Intrusion Risk, Sees 50%-60% Downside Potential
Q3 hedge fund letters, conference, scoops etc
Spruce Point Capital Management is pleased to provide a critical update on Mercury Systems, Inc. (Nasdaq: MRCY) (“Mercury” or “the Company”). As a result of our forensic investigative analysis, we reiterate our “Strong Sell” opinion, and see 50%-60% downside ($20.60 to $25.75 per share).
Spruce Point finds evidence to suggest that Mercury could be one of the companies affected by the alleged Super Micro Computer, Inc. (Supermicro) hack, and can demonstrate recent actions taken by management to obscure the relationship. We believe the Street is structurally misunderstanding the magnitude of delays in revenue and rising cost for cyber compliance that Mercury – a company presently without a Chief Information Security Officer (“CISO”) – will face going forward. Based on our expert calls, we suspect that cybersecurity costs could mount to 10% of revenues. Given that management felt it necessary to hide its relationship with Supermicro, we believe Mercury needs to disclose to investors the materiality of its exposure to Supermicro motherboards, the financial impact of any product changes/recalls/replacements, and what plans it has on a go-forward basis to ensure “security” of its mission-critical products.
Exposure Emanating From “Technology Partner” Supermicro
- On October 4th, Bloomberg published an in-depth article highlighting how China infiltrated 30 U.S. companies by inserting a tiny chip into Supermicro motherboards. Navy systems were mentioned specifically as an affected target. Mercury Systems and two of its recent acquisitions – Themis Computers ($175 million / Feb 2018) and Germane Systems ($45 million / July 2018) – each sells to the Navy and other military branches.
- Providing secure and resilient solutions to prime and government customers is the essence of Mercury’s business. Mercury mentions the words “secure” and “security” over 100 times in its annual report.
- Mercury, Themis, and Germane all listed Supermicro as a “technology partner” on their respective websites until last week, when nearly all references to the relationship were abruptly and surreptitiously removed between October 8-9 without explanation
- The existence of Supermicro motherboards in Mercury’s rugged servers presents a difficult-to-quantify tail risk, but could force product recalls and expensive supply chain adjustments, among other costly actions. As a precedent example, the Navy placed restrictions on IBM’s BladeCenter server line in 2015 over supply chain security concerns, less than a year after Chinese manufacturer Lenovo acquired IBM’s server business. (USNI Article)
Cyber Compliance Is Likely To Drag On Revenue Growth And Materially Increases Costs
- A recent GAO report entitled “DOD Just Beginning to Grapple with Scale of Vulnerabilities” highlighted how testers playing the role of adversary were able to take control of systems relatively easily and operate largely undetected. Based on conversations with industry experts, we believe that the requirements for winning government business will be rewritten with an emphasis on cyber resilience and a much higher cybersecurity standard. We suspect that awards of new contracts are likely to be delayed as a result.
- Based on our research, Mercury appears ill-prepared to address these new requirements given its relative shortage of cybersecurity personnel, and the fact that both its long-time CIO and Chief Security Information Officer recently departed in August 2018. We estimate that Mercury could have to spend up to 10% of revenue on cyber-related costs going forward, or otherwise make a costly acquisition to comply with these new customer expectations.
- Mercury has quietly hinted at some of these concerns through subtle changes to its 10-K risk factors and safe harbor provisions, and through recent job postings in supply chain procurement and quality control
Deteriorating Financial Metrics, Undisclosed Signs Of Strain, And Evidence Of Misrepresentation
- In our first report, we highlighted Mercury’s risk of losing its small business status for government contracts. Mercury lost this status earlier this year, which has coincided with rising inventories relative to backlog convertible to revenues in the next 12 months.
- Mercury’s gross margins have now fallen below its “low target” of 45%, and could compress further due to Defense Federal Acquisition Regulations Supplement (DFARS) compliance issues and potential product recall costs from the Supermicro fallout
- Additionally, Mercury recently amended its credit agreement for a third time in late September 2018, but never disclosed that it had amended the agreement in December 2017, just as it began factoring accounts receivable. Factoring accounted for a substantial 43% of FY18 operating cash flow.
Mercury’s Irrational Valuation Multiple Could Materially Contract
- Mercury currently has the highest valuation in the Aerospace & Defense industry despite posting the sector’s weakest cash flow as a percentage of revenue and average organic revenue growth
- Sell-side analysts see just 9.5% upside in its share price, but haven’t factored in complications arising from its Supermicro relationship and rising cyber compliance costs.
- Taking these issues into consideration, and discounting Mercury’s multiple to the industry average, we estimate 50%-60% downside
Read the full report here by Spruce Point Capital Management
