Company: Rapid7 (RPD)
Business: Rapid7 is a global cybersecurity software and services provider. Its products span across information security, cloud operations, development and information technology teams, enabling them to understand attackers and leverage that information to take control of their fragmented attack surface. Rapid7 Managed Threat Complete is the company’s flagship offering, and it includes the Rapid7 Managed Detection and Response program. Rapid7 also provides risk and threat coverage through InsightIDR and Insight VM services, making them available in a single package. Its security solutions help more than 11,000 global customers unite cloud risk management and threat detection.
Stock Market Value: $2.69B ($43.23 per share)
Activist: Jana Partners
Percentage Ownership: n/a
Average Cost: n/a
Activist Commentary: Jana is a very experienced activist investor founded in 2001 by Barry Rosenstein. The firm made its name taking deeply researched activist positions with well-conceived plans for long term value. Rosenstein called his activist strategy “V cubed.” The three “Vs” were” (i) Value: buying at the right price; (ii) Votes: knowing whether you have the votes before commencing a proxy fight; and (iii) Variety of ways to win: having more than one strategy to enhance value and exit an investment. Since 2008, the firm has gradually shifted that strategy to one which we characterize as the three “Ss” (i) Stock price: buying at the right price; (ii) Strategic activism: sale of company or spinoff of a business; and (iii) Star advisors/nominees: aligning with top industry executives to advise them and take board seats if necessary.
What’s happening
On June 26, The Wall Street Journal reported that Jana has taken a significant position in Rapid7 and may urge the company to sell itself, as well as improve operations and forecasting.
Behind the scenes
Rapid7 is a cybersecurity company that expands the expertise of its clients’ security operations. Its Managed Threat Complete flagship offering combines end-to-end 24/7 managed detection and response with vulnerability management offerings. Historically, the company has focused on on-site cybersecurity operations, but it has begun to expand into the explosive growth area of cloud security. Rapid7 operates in a highly attractive industry and is the beneficiary of some meaningful tailwinds. In a time where software budgets are being cut or reallocated toward AI, the threat of cyberattacks looms large and presents a great enough risk that spend is either flat or increasing for these types of services. In addition, cybersecurity analysts and internal security staff are limited, so there is a tremendous need for outsourcing. With more complex operations and numerous applications both on-site and in the cloud, Rapid7 is well-positioned to continue growing and aims to be a high-quality provider for subject matter experts who may not be able to retain the services of their largest and most expensive competitors.
Despite its favorable position, the company has delivered negative returns on a one-, three-, and five-year basis. Rapid7 is one of three main players in vulnerability management, yet it’s assigned a much smaller revenue multiple (3x) compared to peers Tenable (5.5x) and Qualys (8x). One factor in this is that Rapid7 offers a combination of low- and high-growth cybersecurity offerings, which is difficult to value, but more important are the multiple slip-ups by management, exacerbated by a lack of oversight by the board. First, the company has undergone changes to its sales model, including a shift to selling packaged products from selling offerings individually. It’s also moved to a channel model from direct. Next, the company has encountered challenges in bringing its cloud product to market. In addition, to shift from pure growth to a profitable software company, Rapid7 has focused on meeting targets for $160 million in free cash flow and improved margins. In August 2023, likely in pursuit of these goals, the company abruptly announced plans to reduce its staff by 18%. Rapid7 has had further retention problems in key executive roles, including the departure of its chief innovation officer and its critically important chief operating officer and president. Finally, the company has not been able to properly make forecasts, leading to tremendous investor uncertainty and questions of board oversight. In February 2024, the company announced its 2024 guidance, which it stated it was highly confident in, only to cut it in May when the company delivered its Q1 results. That led to a 17% stock price decline on May 8. This is a company operating in a highly complex and dynamic space – it is doing everything all at once and has seemingly failed to deliver.
With a company like this, there are generally two paths to shareholder value creation: (i) a long-term plan involving board reconstitution, management overhaul and review of strategic and operational plans and (ii) a shorter-term plan to sell the company to an interested buyer who can make those changes. With respect to the long-term plan, Jana generally works with industry executives and consultants in performing due diligence and implementing its activist plans, and we do not expect this situation to be different. The firm will often bring these individuals to the table to serve as director nominees, if deemed necessary. Jana is experienced in getting these experts on company boards, where they often serve as assets in getting the company to correct its issues, from operational to governance to capital allocation. But Jana also has extensive experience in strategic activism and getting portfolio companies sold. We expect that Jana will advocate for the strategy it expects will maximize shareholder value on a risk- and time-adjusted basis. Given the problems the company has been experiencing and the lack of CEO focus (Aside from being chairman and CEO of Rapid7, Corey Thomas is on the National Security Telecommunications Advisory Committee, chair of the Federal Reserve Bank of Boston and a member of the Council on Foreign Relations. He also serves on the boards of the Blue Cross Blue Shield of Massachusetts, LPL Financial and Vanderbilt University.), a sale looks like it could be the easier and more certain path if there is a suitor at the right price.
Given industry tailwinds, there may be several strategic and financial buyers interested in this company. Recent transactions in the cybersecurity sector include Cisco’s $28 billion takeover of Splunk and Francisco Partners’ $1.7 billion acquisition of Sumo Logic. If Jana does advocate for a sale of Rapid7, it will ask the board to do it through a full sales process that attains the highest value for shareholders. In addition, Jana has a strategic partnership with Cannae Holdings, which could be helpful in providing the equity in a strategic transaction with a private equity firm. Consider that in 2019, Cannae joined with private-equity firms to buy Dun & Bradstreet. It is important to note that even if Jana thinks a sale of the company is the best way to optimize shareholder value, the firm will still have to get the board to agree. This does not look like a board and management team that will just go quietly. In such a case, Jana’s remedy would be to launch a proxy fight, but that could take some time. The 2024 annual meeting just passed on June 13 and the director nomination window does not open until Feb.13, 2025.
Ken Squire is the founder and president of 13D Monitor, an institutional research service on shareholder activism, and the founder and portfolio manager of the 13D Activist Fund, a mutual fund that invests in a portfolio of activist 13D investments.
Source: Investing - cnbc.com