LGMS's 9MFY24 came below expectations. While the cybersecurity sector in Malaysia and Southeast Asia shows strong growth potential, LGMS faces challenges related to product/service awareness and the gradual enforcement pace of government regulations. As a result, we have lowered our FY24-25F earnings forecasts by 24-18% and lowered our target price to RM1.25.

Consequently, we downgrade our rating to MARKET PERFORM from OUTPERFORM.

LGMS's 9MFY24 earnings of RM8.3m (+10% YoY) came in below expectations, accounting for 52% each of both our full-year forecast and consensus estimate. The key negative variance was primarily due to lower-than-expected turnover and margins.

YoY, its 9MFY24 top line grew by 29%, driven by increased project billings across all business segments. The key cyber risk prevention segment, which accounted for 69% of group revenue, grew by 17%. The cyber risk compliance segment rose by 62%, while the cyber threat response segment surged by 75%, albeit from a low base, with demand for its services being more ad hoc as it supports recovery after a cyber attack. However, EBIT increased at a slower pace of 10%, with margins declining to 34.7% (compared to 40.6% a year ago), mainly due to higher staff costs following rapid expansion in headcount to 145 (vs. 110 a year ago). Correspondingly, net profit improved by 10% to RM8.3m.

QoQ, 3QFY24 top line declined by 11%, while net profit fell by 41%, due to lower contribution from the cyber risk prevention segment and higher staff costs.

Outlook. The cybersecurity sector in Malaysia and Southeast Asia holds significant growth potential, as the industry remains in its early stages.

Malaysia's Cyber Security Act 2024 (Act 854), which came into effect on 26 August 2024, represents a major milestone in bolstering the nation's cybersecurity defences. In line with these developments, LGMS introduced "StarSentry" in June 2024-a groundbreaking plug-and-play device that easily integrates with users' networks, automatically scanning up to 254 connected devices for vulnerabilities. Tailored for SMEs and larger corporations in need of cost-effective, user-friendly security solutions, this product is expected to contribute to the group's performance positively.

However, while aligning with management's view on the prospects of cybersecurity, we believe that product/service awareness and the extent of government enforcement (see overleaf for details) will be key factors in shaping the group's outlook. Given the expected extended period for product/service awareness, coupled with gradual pace of government enforcement, we are becoming less optimistic about the company's near- term prospects.

Forecasts. We have lowered our FY24-25F earnings forecast by 24-18%, respectively, to reflect higher opex ahead driven by increased labour costs and rising marketing expenses for various awareness campaigns.

Valuations. Correspondingly, we lowered our TP by 18% to RM1.25 (from RM1.53) based on a unchanged targeted FY25F PER of 30x, aligning with global peers' forward mean such as Qualys, Fortinet and Akamai Technologies. There is no adjustment to our TP based on ESG given a 3-star rating as appraised by us (see Page 4).

Investment case. We like LGMS for: (i) strong growth potential in the under-penetrated cybersecurity markets, (ii) a robust competitive edge due to high vendor qualification barriers, and (iii) new proprietary certification software expected to drive future growth.

Grace period for gradual transition. Based on our recent discussions with Cybersecurity Malaysia (CSM), there will be a transitional "grace period" of 2-3 years before the full enforcement of the Cybersecurity Act (CBSA) 2024. This period will allow National Critical Information Infrastructure (NCII) entities ample time to align their cybersecurity practices with the act's requirements. During this time, CBSA will focus on gathering data to assess its effectiveness, rather than imposing significant penalties. This approach aligns with the government's emphasis on preventing cybersecurity incidents, rather than penalising violations after they occur. Additionally, we understand that NACSA may issue warning letters to NCII entities found in breach of CBSA 2024, encouraging voluntary compliance and prompt rectification to avoid legal repercussions.

Risks to our call include: (i) longer-than-expected gestation period for its regional expansions, (ii) economic downturn resulting in customer lowering budget allocated for cybersecurity, (iii) reluctance to spend on cybersecurity services due to the lack of knowledge and awareness in emerging countries, and (iv) failure to maintain the extensive list of accreditations due to potential loss of critical talent.

Result Highlight Revenue Breakdown (by segment) FYE Dec (RMm) 3Q24 2Q24 QoQ Chg 3Q23 YoY Chg 9M24 9M23 YoY Chg Cyber risk prevention 6.2 8.2 -24.1% 5.5 12.3% 21.0 17.9 17.4% Cyber risk mgmt & compliance 3.4 2.2 58.4% 2.1 61.9% 7.0 4.3 61.9% Cyber threat & incident response 0.6 1.2 -47.0% 0.7 -12.9% 2.4 1.4 75.4%

Source: Kenanga Research - 28 Nov 2024