This conference call transcript was computer generated and almost certainly contains errors. This transcript is provided for information purposes only. EarningsCall, LLC makes no representation about the accuracy of the aforementioned transcript, and you are cautioned not to place undue reliance on the information provided by the transcript.

CynergisTek, Inc.
8/16/2021
to CynergisTek's 2021 Second Quarter Earnings Conference Call. Today's conference is being recorded. Joining us today from the company are Mr. Mac McMillan, President and Chief Executive Officer, and Mr. Paul Anthony, Chief Financial Officer. Before we begin the formal presentation, I'd like to remind everyone that some statements made on the call and webcast, including those regarding future financial results and industry prospects, among others, are forward-looking. These forward-looking statements can be identified by the use of forward-looking terminology such as believes, expects, anticipates, would, could, intends, may, will, or similar expressions, and are subject to a number of risks and uncertainties that could cause actual results to differ materially from those described in the conference call. Certain of these risks and uncertainties are or will be described in greater detail in the company's SEC filings. Given the risks and uncertainties, listeners should not place undue reliance on any forward-looking statement and should recognize that the statements are predictions of future results, which may not occur as anticipated. CynergisTek is under no obligation and expressly disclaims any such obligation to update or alter its forward-looking statements, whether as a result of new information, future events, or otherwise. At this time, I would like to turn the call over to Mac McMillan.
Thank you, announcer, and good afternoon, everybody. I never expected to be back in this seat, but I am and I'm already at work. As a board member, while I was encouraged by what I saw as good progress in rebuilding our business after the impacts from COVID, I felt we could and should be doing more and seeing quicker progress towards our return to growth. And as I told our employees a couple of weeks ago, my decision to return was made easier by the fact that this company continues to have a tremendous pedigree and reputation in the industry, particularly with our customers, but also with our competitors, which is directly related to their professionalism, talent, and commitment to what we do for our clients. And we have phenomenal clients, some of whom have been with us for almost two decades now, since 2004. That type of longevity does not happen without building client loyalty by upholding the highest standards in our services and pursuing success in everything we do. It happens by solving the challenges that customers face and delivering positive outcomes for them consistently, engagement after engagement. It's been encouraging to have so many of our clients, as well as others in the industry, even some of you, reach out to me and welcome me back. But more importantly, the offers of support have been greatly appreciated. I know that some might be concerned that we will return to what was perceived as a single healthcare focus, but I can assure you that never was and will not be the case going forward. There have been some great improvements and additions made to our services in the past 18 months that provide real benefit to our customers, and we're not going to abandon those because they can be applied more broadly to many industries as well. But health care is our core business and the primary source of our revenue. We need to be aware of that, and we will allocate the appropriate amount of attention and effort in promoting our business in a balanced way.
Our sales organization, for the first time in a long time, is near full strength with solid sales leadership. We have new board members since I was CEO last who are more engaged than ever. And since my return, we have improved the strength of our board membership with the addition of John Flood, a shareholder himself who brings 35 years of capital markets and investor relations experience to the board. We recognize that investor support and capitalization are important to our future. Shareholders have been asking us to add this type of expertise on our board, and now we have it. To say that the company hasn't faced some tough times this past 18 months would be naive, and to say my predecessor did not manage during one of the most difficult times in corporate history would be unfair. But despite that, the company did make strides in its efficiencies. It did develop new service offerings, and it did position itself as the market leader in readiness for CMMC, even though, unfortunately, our performance as a company overall is not where any of us would like it to be. That, as they say, is water under the bridge, and where we must focus now and where I plan to focus is on the future. With the leadership changes, the changing environment post-COVID, which is still challenging, and the long-term market opportunities increasing, one of our first priorities is to do a deep dive and revisit and update our strategic plans to be well-positioned to capitalize. This will include an emphasis on investing in accelerating growth over near-term profit. We have a solid foundation with a leadership position and strong relationships in health care. And the addition of the CMMC initiative, greatly increasing our addressable market, creates the opportunity to become a much larger company over the next 12 to 24 months. One of the first responsibilities of leadership is to create a shared vision for the organization to focus on, and I understand how important that is. 
But a close second priority will be to concentrate on immediate short-term execution and results, which has already begun. This company was recently paid what I consider one of the highest compliments a services business can receive. A recent independent industry analyst report listed CynergisTek as one of the top cybersecurity companies that healthcare CIOs consider as a true partner. This is a goal that has always been a core value of this company and has guided what we do, what we create, and how we serve. As a result, this company has a great legacy. We have a great reputation and we can be so much more than we are today. Our commitment is to build a more successful company for our employees, our customers, and our shareholders. We'll do that by creating that shared vision, a solid plan, and then executing. Successful organizations, successful businesses, successful teams all share two things in common, focus and the will to win, meaning winning is paramount in everything we do, and winning is part of our culture, and we intend to build on that. As I've mentioned already, we now have a strong, capable sales leader in Steve Rivera who wants to win and lead a winning sales team. While we have a fairly new sales team at CynergisTek, they are a seasoned and experienced set of sellers, and they have already put some wins on the board and are anxious to do more. Just these past few weeks, we have landed several new clients and multiple wins, as you have seen in the press releases recently sent out, all to the credit of that sales team and a delivery organization that are working more closely together now than I've ever experienced in the past. We want to capitalize on that collaboration and those wins and increase their frequency.
To that end, we have already taken steps to restructure and strengthen sales to provide better nationwide coverage, to enhance our ability to more effectively cross-sell all of our services, and created very focused service overlays for areas like healthcare and CMMC. To further support our client alignment and sales, we have restructured our delivery organization to provide dedicated consultant directors. These positions better provide support to our customers and serve as the dedicated conduit of support to our sales team. To get more specific on progress, the sales team has been active in identifying and pursuing new opportunities, and we are seeing things rebound, and we are on track to see pipeline creation at a 33% higher rate than last year. In fact, through the first six months of 2021, we have seen nearly 6 million in new pipeline generated each month. To give you more information to track our progress, we have decided to start disclosing our bookings. Again, something that many of you have asked for more color on. We saw a significant increase in our quarterly bookings from Q2 when compared to last year's Q2 and again when compared to Q1 of this year. More importantly, this resulted in an increase in our pre-sold revenues. The good news is we are seeing things begin to head in the right direction. Growth requires net new business in addition to renewals and upselling, and our team is focused on adding new clients while continuing to expand our relationship with the ones we already have. The sales team has closed a number of new logos that included several new large health systems and Tier 1 universities. Our Redspin division has also added some new non-healthcare logos, and we were able to leverage our first mover position with CMMC to grow that pipeline as well, adding numerous Fortune 500 companies, which should position us well to take advantage of consulting and assessment opportunities.
Despite delays by the DoD, we have already closed several CMMC deals. Specifically, as it relates to CMMC, let me give you some updates on our pursuit of that business. First, we announced in Q2 that we were the first organization to successfully pass the CMMC Level 3 certification as an authorized CMMC third-party assessor organization, and we are ready to conduct CMMC assessments as soon as DOD has everything in place and says go. We anticipate assessments beginning in the fourth quarter. Secondly, we are one of the first organizations approved to provide CMMC training, which we also expect to begin in Q4. And recently, we announced we will be allowing organizations and individuals to register ahead of time for training, and already in just the first few days since that announcement has gone out, we have had multiple individuals express interest. Even though that's still early, it's still another good sign. And lastly, and most importantly, we can provide consulting services to those needing help with CMMC readiness now. To summarize, we are certified and prepared to offer services under all three categories, consulting, assessor, and training. We are currently building out a more detailed business approach to executing our CMMC opportunity based on the services we can provide now and the DOD's schedule going forward. The volume is behind as we deal with delays from the government, but we still see the tremendous opportunity in front of us, and we are extremely excited and prepared to take this on. Our target was to achieve certification and to start generating CMMC-related revenue by Q4 of this year, which we have accomplished. We began booking deals last quarter and have seen close to 100 leads since then. Fueling the funnel is important. Sales, as we all know, is a matter of numbers, from leads to prospects to opportunities to deals. We are beginning to see recent investment in our digital marketing efforts start to pay off. 
We recently debuted our new CynergisTek and Redspin websites. If you haven't seen those, I encourage you to go take a look. And our initial data shows a 25% increase in web visitors with people engaging more directly and more frequently with our content, an uptick of some 33%. Additionally, deployment of a more focused account-based marketing strategy and tools has contributed to net new logo opportunities, nearly 3 million in just the last couple of weeks. Many of our leads still come from our educational efforts and interactions with customers at events. Our SynergistX Summer Series that includes seven virtual mini events connecting leaders within the healthcare industry and others to discuss topics around cybersecurity and privacy is now in full swing. We had folks attend both Black Hat and HIMSS annual conferences recently, where we provided two presentations covering cybersecurity challenges and medical device security. And we also attended several other smaller events around the country as well. We continue our virtual marketing efforts, but lately we have been able to meet with some customers in person, and have taken advantage of that. That said, we have still seen some healthcare institutions pull back and cancel travel lately due to the surge we're currently experiencing. This is especially true of children's hospitals right now. We are hopeful that this new resurgence of COVID-19 will not cause more delays like we saw last year. We are addressing the future integration, further integration of the services offered by our backbone group to provide better sales and marketing support to those efforts as well. In addition to their existing IT audit and EPCS offerings, we are looking to add SOC 2 and PCI audit credentials and service offerings to their mix. Our audit group can provide service in three forms, as augmentation to a client's audit organization or staff, as consulting opportunities, or as formal audits.
In addition, members of this group will be cross-trained and available to fulfill CMMC requirements as well. Another trend we are tracking is the significant changes occurring in the cyber insurance marketplace. Cybersecurity insurance premiums are increasing dramatically, and in many cases, carriers are dropping coverage altogether. When organizations do get coverage, they can expect a much more detailed application and increased requirements from the carriers before binding coverage. Those requirements can include independent third-party validation of their programs, as well as their controls and higher standards for compliance. In speaking with healthcare CIOs at HIMSS last week, we learned this is an ongoing concern. Add to that the recent Scripps experience where they estimated the cost of their breach to be somewhere around $113 million, and only expect cyber insurance to cover 21 million of that cost, and you have a not-so-positive formula of high premiums, demanding underwriting requirements, and less-than-optimal payouts. This all translates to potentially higher demand for cybersecurity and privacy services as organizations realize that they have to prepare for breaches and meet higher expectations. We are actively pursuing opportunities with cyber insurance providers to be able to offer services to their clients as well as to them. And lastly, we just released our annual report titled Maturity Paradox, New World, New Threats, New Focus. This report is the work product from just under 100 assessments we completed of healthcare organizations across the continuum, including hospitals, physician practices, accountable care organizations, and business associates in 2020. It's the fourth annual report of its kind, showcasing lessons learned from analyzing those annual assessment results, providing a benchmark for the industry. As we have seen in previous years, healthcare still has a tremendous need for cybersecurity privacy and audit services.
One of the highlights of this year's report that I'd like to call out was the fact that it reinforced what we have been seeing, that most hospitals still critically lack the ability to secure their supply chains effectively. 76% of healthcare organizations fail to secure their supply chain, and over 64% of organizations are below a passing grade when measured against the NIST cybersecurity framework requirements for protecting information. Supply chain security is a significant risk to all businesses in America, and frankly around the world, as we have seen this past year with the volume of ransomware attacks targeting critical supply chain partners. One of the most prominent examples of this was the Colonial Pipeline breach that got everyone's attention this past summer and highlighted the vulnerability in our energy sector. Supply chain breaches have caused problems for healthcare from hospital operations to data protection and even patient safety and health. Third-party vendors host critical systems and data, have system-level network access, provide critical services, have physical access to healthcare organizations, and are an integral component of service delivery for most institutions. Their disruption is the hospital's disruption. Our report highlights the continuing challenges that healthcare, and for the most part, all industries face. The problem of protecting data in a hyper-connected, ever-expanding information ecosystem with a relentless threat is daunting. Recent data indicates that the Department of Health and Human Services has opened 308 investigations since January alone into data breaches of retail pharmacies, hospitals, clinics, and other healthcare businesses. Their work, our work, is never done. I want to thank you for all your support and ask for your patience as I jump in and start to build out a more detailed business plan that we expect to share with all of you as soon as we can. And with that, I'd like to turn it over to Paul.
Thanks, Mac. As Mac mentioned, we wanted to start disclosing bookings, so we'll start with our Q2 bookings, which increased to $4.7 million compared to $2.8 million last year. Bookings year-to-date totaled $8.5 million compared to $6.6 million last year. As a result, our pre-sold revenue continued to grow, increasing by an additional half a million to 17.9 million and brings our total increase in pre-sold to 2.3 million from its pandemic low in Q3 2020. Additionally, we saw our cost reduction efforts improve earnings year over year by just under a million. Our balance sheet ended the quarter with 4 million in cash and continues to benefit from reducing debt levels. We continue to qualify for the employee retention tax credits that are provided under the CARES Act and that's included Q1, Q2, and Q3 of this year. Since the end of last year, we haven't taken any additional stock issuances from the $5 million ATM under the shelf registration. We received notice from the SBA late last week that the full $2.8 million in debt that was received under the Paycheck Protection Program was forgiven, and we filed for and are expecting a tax refund here shortly on the carrybacks of available losses from 2020 of approximately $1.4 million. Addressing the Q2 standard financial disclosures, revenue was $3.9 million compared to $4.6 million in Q2 2020. Decrease from prior year was due to lower revenue from managed services, which reduced by $0.7 million to $2.2 million due to the impact of some customers canceling, delaying renewals, and a reduction in net new customers from the pandemic. Consulting and professional services revenue increased $0.1 million to $1.7 million when compared to Q2 2020, as we started to see things rebound from their pandemic lows. Gross margin was 46% for Q2 2021, or an adjusted 33% when excluding the benefit from the employee retention tax credits. This is an improvement when compared to 27% in Q2 2020. 
The increase in gross margins is due to the staff and expense reductions, reduced travel, and the delivery efficiencies that we've talked about over the last few quarters. SG&A expenses decreased to $2.7 million for Q2 2021 compared to $3.5 million for the same period in 2020. This decrease was due to a drop in payroll and benefit costs from headcount reductions, decreases in travel because of COVID-19, and the benefit from the employee retention tax credits. Non-GAAP adjusted EVA loss was $0.6 million for Q2 2021 compared to $1.3 million last year. Full-year financials and reconciliation of GAAP to non-GAAP information can be found in the earnings release that came out today. In summary, we're starting to see the return of the healthcare market as evidenced by the growth in bookings and pre-sold revenue. We still have work to do, but we've made great progress and will continue to benefit from a clean balance sheet and a simplified capital structure. This concludes the financials and the prepared remarks for Q2. Operator, please open the floor for questions.
Thank you. If you would like to ask a question, please press star 1 on your telephone keypad. And if you're on speakerphone, please make sure that your mute function is turned off to allow your signal to reach our equipment. Again, press star 1 to ask a question, and we will pause for a moment to allow everyone an opportunity to signal for questions. And we'll go first to Matt Hewitt of Craig Helm Capital Group.
Good afternoon. Thank you for taking our questions, and welcome back, Mac.
Thanks, sir.
Maybe first up, obviously, I think it's over the last two weeks you've had several new wins announced, and I'm curious if we could get a little bit more color on what's driving the decision-making behind those contracts today. You think back over the past year, I mean, hospitals were locked down, so there wasn't a lot being done on the cybersecurity side. So was it just a function of, you know, coming out of COVID, if you will, or is it have to do more with what was going on this spring with, you mentioned the Colonial Pipeline and Scripps, and there was roughly a dozen other major hospital security breaches. Was that driving it or is it a confluence of both?
I think, Matt, it's probably a confluence of both. Most of the folks that I've talked to in the industry have wanted to spend more on security in a lot of other areas and they've just been held back because of the losses that most health systems have sustained during the pandemic. And so there was a time there where basically if it wasn't an operational necessity, basically, it didn't get signed. That has gotten better. And for a while there, it looked like we were well on the way to reopening. And we had folks, like you heard me say, were actually even talking about getting together in person. Some of that has slowed down a bit now because of the Delta variant and the surge that we're currently experiencing, which is really impacting our children's hospitals even more so than our acute care centers. But even so, folks are still very keenly aware that they've got to do something about security that's really not an option for them. And so they're really just being more prescriptive about what they're doing and what they're focusing on. The things that they're most interested in right now is obviously maintaining their baseline, which is why most organizations have, we've seen an uptick in the renewals and actually increases in those renewals in terms of the size of those contracts. But also they're focusing on the things that are adding to their resilience from an incident response perspective. And you heard me talk about the insurance thing. I can't tell you how many of the CIOs I talked to at HIMSS this past week who said, you know, Mac, we don't know what we're going to do because they're telling us the premiums are going up or they're not going to cover us altogether. Even when they do cover us, the amount that they're paying out is incredibly small compared to the cost that we're seeing with these incidents.
And so I think that's kind of all coming full circle to a realization that they're going to have to do a better job themselves of protecting their environment and being ready to respond to these things because they're not going to be able to count on insurance and it's not going to go away.
Yeah, you mentioned operational necessity, I guess. If you saw, you know, seeing what happened with Scripps and their inability to treat patients for several weeks, I guess that would qualify as an operational necessity, but we'll see what happens here. In the press release, you mentioned the Fortune 500. Is that entirely tied to the CMMC opportunity, or are you starting to see interest in even beyond the government mandate? Are you seeing companies reach out, maybe not tied to that program, but just recognizing what's going on around them and maybe the need to have a heightened level of security?
Well, I think it's both because if you remember, we put the non-healthcare business under the Redspin brand division or the CMMC umbrella. And so that's where we're seeing those logos, if you will, show up. But yeah, I think it's a little bit of everything, but certainly, you know, the good news is that we are beginning to start to see some traction with CMMC. We're still lagging as a result of DOD lagging because there's certain parts of the program that still have not been approved by the government yet. And so there's certain things you can't do until that occurs. But what we're finding is that people do want to get ready and they are willing to spend the dollars on the consulting side, which is good because we can support them there as well. And generally there's interest across the board. So we're hoping that what will end up happening is that by the time they get ready to kind of open the gates, so to speak, we will have everything teed up to include a healthy pipeline as well as the mechanisms to support that to be able to exploit it.
Okay, great. And then periodically over the past year or so, there's been discussion about medical device cybersecurity. I'm just curious, how are those discussions progressing? Are you seeing interest from some of the device manufacturers and players in that market. Any color there would be helpful.
So there's still a tremendous amount of discussion around medical devices. And frankly, it's not just medical devices, it's devices in general. Because when you look at a hospital's environment or just a business's environment, we have literally hundreds or thousands of devices connected to our networks today, medical devices just being one type of device that's connected and having a little bit different kind of import or impact because it's in some cases connected to a human or part of care delivery. But devices in general are, just like third parties, are becoming a real concern for just about everybody because they're recognizing that many of the attacks that they're seeing are occurring through devices or relationships that are not necessarily under their control or that they don't have as good a control of as they should. And they're realizing all of a sudden, as I said in my remarks, that any disruption to them is a disruption to the hospital as well or to the business as well. And so they're having to kind of broaden their perspective as it relates to what is my threat footprint and what is my responsibility for maintaining my business when I'm taking advantage of using all these different capabilities that are now causing me to have critical systems, critical data, critical processes either hosted or performed by other people or a device on my network that I may or may not have as much control over as I thought I did.
Got it. All right. That's very helpful. Welcome back again, and thank you for taking the questions.
Thank you, Matt.
And as a reminder, you may press star 1 on your telephone keypad if you have a question. That is star 1 for questions. And...
With no other questions in the queue, that does conclude the question and answer session. I will now hand it over to Mac McMillan for any closing remarks. Mac, please go ahead.
Thank you again, Operator. Again, I want to first thank everyone who has reached out and expressed their support for this team and our company. I want to also thank you for your support you show through your continued investment. I want to reiterate that we have a great company. It has great bones, as they say, with an incredibly talented staff. We live and work in a time when what we do is critically important to the people we serve. There aren't enough of us to meet all of that need. We have reset our sights on execution and growth and are pursuing the emerging opportunities that are in the market. We want to build and deliver services that help our clients solve the problems in cybersecurity, privacy, and compliance that they face. And we want to maintain our first among peers reputation as a trusted partner. Our board is active in helping to shape the direction of the company, and we are and will be engaging at all levels, staff, management, board, and investor, to redefine that path. Our near-term goal, simply stated, is to return this company to double-digit growth. Thank you for attending today.
Until this concludes today's call, thank you for your participation. You may now disconnect.