Okta, Inc.

Q3 2024 Earnings Conference Call

11/29/2023

spk04: Hi, everybody. Welcome to Okta's third quarter fiscal year 2024 earnings webcast. I'm Dave Gennarelli, Senior Vice President of Investor Relations at Okta. With me in today's meeting, we have Todd McKinnon, our Chief Executive Officer and Co-Founder, and Brett Tai, our Chief Financial Officer. Today's meeting will include forward-looking statements pursuant to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including but not limited to statements regarding our financial outlook and market positioning. Forward-looking statements involve known and unknown risks and uncertainties that may cause our actual results, performance, or achievements to be materially different from those expressed or implied by the forward-looking statements. Forward-looking statements represent our management's beliefs and assumptions only as of the date made. Information on factors that could affect our financial results is included in our filings with the SEC from time to time, including the section titled Risk Factors in our previously filed Form 10-Q. In addition, during today's meeting, we will discuss non-GAAP financial measures. Though we may not state it explicitly during the meeting, all references to profitability are non-GAAP. These non-GAAP financial measures are in addition to and not a substitute for or superior to measures of financial performance prepared in accordance with GAAP. A reconciliation between GAAP and non-GAAP financial measures and a discussion of the limitations of using non-GAAP measures versus their closest GAAP equivalents is available in our earnings release. You can also find more detailed information and our supplemental financial materials, which include trended financial statements and key metrics posted on our investor relations website. In today's meeting, we will quote a number of numeric or growth changes, as well as discuss our financial performance.
And unless otherwise noted, each such reference represents a year over year comparison. Now I'll turn the meeting over to Todd McKinnon. Todd.
spk05: Thanks, Dave. And thank you, everyone, for joining us this afternoon. We want to kick off this call by addressing what's top of mind for everyone, so we're trying a new format this quarter. In light of the new security blog we posted this morning, we felt it was important to get the earnings release and guidance out before the market opened as well. At around the same time that the earnings press release hit the wire, we posted prepared remarks to the IR website, which contained some of my typical commentary around customer wins and other notable news from the quarter. This new format allows me to spend more time discussing the new information while also leaving more time for Q&A. I want to start by summarizing the update we shared in a blog post this morning related to the October security incident involving our support case management system. Upon deeper analysis of the event, we determined that the threat actor obtained the contact information of our support portal users across a significant portion of our customers, including the names and email addresses of all Okta admins, except customers in our FedRAMP high and DoD IL4 environments. While this information cannot be used to directly access an Okta environment and does not include user credentials or sensitive personal data, a threat actor may use the information for targeted phishing attempts. With this more detailed information, we felt strongly that sharing this information will help our customers better protect themselves against an increased risk of phishing and social engineering attacks. We have engaged a digital forensics firm to validate our findings and currently expect that they will complete their analysis in mid-December. Once finalized, we will share the report with customers and publicly. Now let me address what Okta is doing to better protect ourselves from security threats. 
Over the years, we have dedicated significant resources toward securing our product environment. Given recent events, we recognize that we need to do more to improve the security architecture of our broader operations. That includes the applications we use, the hardware we deploy, and the vendors we work with. Over the past few weeks, we have taken several steps to further strengthen our security posture. We've initiated a hyper-focused security action plan by rallying the entire organization, as well as engaging with third-party security firms to fortify our team's efforts. The stakes are high and we will do whatever it takes to protect our current and future customers. Bolstering our security environment is by far the highest priority for Okta. The job of securing the Okta ecosystem will never be done. But during this hyper-focused phase, no other project or even product development area is more important. In fact, the launch dates for the new products and features that we highlighted at Oktane last month will be pushed out approximately 90 days, the exception being Okta Privileged Access, which becomes generally available this week. Now turning to our Q3 results. Top line metrics were strong. We continue to experience particular strength with large customers. Similar to the past few quarters, our fastest growing cohort was customers with $1 million plus ACV with growth of over 40%. It was also a strong quarter for new and upsells across our public sector vertical. We also produced record non-GAAP operating profit and record free cash flow in the quarter, as we continue to demonstrate the leverage in our model. In other news, we're thrilled that John Addison, who has been our interim CRO since the start of this fiscal year, has been appointed to the permanent position. With John's appointment as CRO and our continued confidence in the go-to-market leadership team, we have closed the search for a president of worldwide field operations.
Okta is driven by our vision to free everyone to safely use any technology. The measures we're taking to increase the security of Okta and our ecosystem give us confidence in our ability to move forward. We will come out of this even stronger because Okta is the only modern platform for neutral and independent identity access management, governance, and now privileged access. Before turning it over to Brett, I want to thank our employees for their tireless efforts. I want to thank our customers and partners who put their trust in Okta every day. I also thank everyone who supported us at Oktane last month, where we had over 4,000 people at the live event in San Francisco and over 19,000 viewing online. Now I'll turn it to Brett to walk you through more details of our financial results and forward outlook.
spk03: Thanks, Todd, and thank you everyone for joining us today. The actions we've taken over the past few quarters to drive efficiencies in our cost structure continue to yield impressive results. I'll review our third quarter results and our outlook, but first I'll start with some commentary on the macro environment. Macro headwinds, while stabilized, continue to impact our business. Metrics that we use to gauge the macro environment, such as contract duration, average deal size, and pipeline mix, were largely consistent with what we experienced in the first half of the year. Separately, we published the advisory regarding the recent security incident on October 20th, which was 11 days ago in the quarter. While business at the close of the quarter slowed somewhat, our overall financial performance in Q3 was strong. Turning to Q3 results. Total revenue growth for the third quarter was 21%, driven by a 22% increase in subscription revenue. Subscription revenue represented 97% of our total revenue. International revenue grew 20% and represented 21% of our total revenue. FX had a minor impact on total revenue growth, but was a two-point headwind to international revenue growth. RPO, or subscription backlog, grew 8%. The general shortening of contract term length signed over the past several quarters has impacted total RPO growth. Our overall average term length remains just over two and a half years. Current RPO, which represents subscription backlog we expect to recognize as revenue over the next 12 months, grew 16% to $1.83 billion. Turning to retention. Consistent with prior quarters, gross retention rates remain strong in the mid-90% range. Our dollar-based net retention rate for the trailing 12-month period remained strong at 115% and was driven by both upsell and cross-sell activities. Similar to the past few quarters, macro-related pressure resulted in smaller seed expansions than in previous years. 
We believe this trend will persist in the current environment. The net retention rate may fluctuate from quarter to quarter as the mix of new business, renewals, and upsells fluctuates. As I've noted previously, we've experienced a macro-related shift in our business mix to more upsell and cross-sell versus new business. Before turning to expense items and profitability, I'll point out that I'll be discussing non-GAAP results unless otherwise noted. Looking at operating expenses, total operating expenses for the quarter were lower than expected. The better than expected profitability is due to the combination of revenue overperformance and our continued focus on spend efficiency measures. Total headcount at the end of Q3 slightly increased sequentially to approximately 5,900. Q3 free cash flow was a record $150 million, yielding a free cash flow margin of 26%. Free cash flow was significantly better than expected, driven by billings and strong collections. During the third quarter, we opportunistically repurchased $150 million of our 2026 convertible debt notes. This resulted in an $18 million GAAP-only gain. Over the past three quarters, we've repurchased $900 million of debt resulting in a $91 million GAAP-only gain. We will continue to regularly evaluate our capital structure and capital allocation priorities. Our balance sheet remains strong, anchored by $2.13 billion in cash, cash equivalents, and short-term investments. Our cash, cash equivalents, and short-term investments position net of remaining convertible debt is $820 million. Now let's turn to our business outlook for Q4 and FY24 and a preliminary look at FY25. As always, we take a prudent approach to forward guidance. We are factoring in a stable but still challenging macro environment. We're also factoring in the recent security incident. For the fourth quarter of FY24, we expect total revenue of $585 million to $587 million, representing growth of 15%.
Current RPO of $1.875 billion to $1.880 billion, representing growth of 11% to 12%. Non-GAAP operating income of $102 million to $104 million, which yields a non-GAAP operating margin of 17% to 18%. And non-GAAP diluted net income per share of 50 cents to 51 cents, assuming diluted weighted average shares outstanding of 180 million. For FY24, we are raising our revenue outlook by $30 million at the high end of the range. We now expect revenue of $2.243 billion to $2.245 billion, representing growth of 21%. We are raising our outlook for non-GAAP operating income by $65 million at the high end to $283 million to $285 million, which yields a non-GAAP operating margin of 13%. Non-GAAP diluted net income per share is raised to $1.47 to $1.48, assuming diluted weighted average shares outstanding of $179 million. And we are raising our free cash flow margin outlook for FY24 to 19% from 15% previously. On a dollar basis, that's a raise of over $90 million and sets us up to close the year achieving the rule of 40. While we are still in the early phases of financial planning, we would like to provide a preliminary view of FY25. I'll reiterate that we are prudently factoring in a stable but challenging macro environment, as well as potential impacts from the recent security incident. We continue to focus on expense control and estimate a non-GAAP operating margin of approximately 17%. We're also targeting free cash flow margin to be at least 19%. From a revenue perspective, we estimate total revenue to be in the range of $2.460 billion to $2.470 billion, or growth of approximately 10%. We are applying a static 26% non-GAAP effective tax rate for FY24 and FY25. To wrap things up, we are confident that we've set the path of profitable growth for years to come. We continue to focus on initiatives to drive the top line while making significant progress to drive improvements to our operating and cash flow margins. With that, I'll turn it back over to Dave for Q&A. Dave?
spk04: Thanks, Brett. I see that there are quite a few hands raised already, so I'll take them in order. And in the interest of time, please limit yourself to one question so that we can get to everyone. And then you're welcome to queue back up for additional questions. And with that, we'll go to Brian Essex at J.P. Morgan.
spk01: Great. Thank you. And thanks for taking my question. I guess I'll start off with the easy one, and that's the preliminary fiscal 25 outlook. And I just want to ask in the context of, I guess, taking into consideration two issues in particular. One would be the impact, as you guys alluded to, of the most recent breach on your pipeline, close rates, customer relationships. And the other would be, I guess, the need for you to improve your relationship with channel partners in order to drive better growth. So with regard to that preliminary outlook, how should we think about assumptions baked into that outlook, particularly as it relates to traction or churn with customers and contribution from partners considering these issues? And where in the spectrum of guidance being, quote unquote, kitchen sinked, can we consider this forecast to be?
spk05: Hey, Brian, thanks for the question. And thanks for jumping on the release this morning early before the market. That was a little bit atypical, given the situations of the customer advisory, but we appreciate you covering it and everyone else that covered it as well. We know it's extra, you know, something you weren't planning for us. We appreciate it. I'll comment just on the business strategy behind the guidance. First of all, I think that might be helpful. We have, it's very important and it's very clear to everyone at Okta that security is the top priority. We've prioritized security at some level over the years. And, you know, it's been balanced with other priorities, growth, new product development, and various things to run the business. And those efforts, I'm simplifying a little bit, but often have gone into product security infrastructure, making sure that was, um, you know, very, very solid. And we know now that we, you know, that's not good enough. We have to do more. We know that Okta is, uh, you know, one of the most targeted companies in the world because of the leadership position we have in this important market of identity access management, and that makes us, along with other cybersecurity companies, extremely targeted and relentlessly attacked. And we have to raise our game to be able to defend ourselves and our customers against those attacks. So we're really upping the level of priority. And it's very clear to everyone at Okta that for the end of this year and going into next year, that the number one priority is securing Okta and securing our customers, full stop. And everything else is prioritized after that. And the second most, you know, the number two priority is after security is, is growth and profitable growth, profit, profitably growing the business.
And I think you, you see that reflected in the business strategy in terms of the direction we're giving teams, that we have a 90 day all hands on deck in terms of focusing on bottoms up ideas and security efforts across the company, getting help from outside industry experts, tops down, to bolster our own experts. We've done this in various degrees over the years, but we're really aggressively doing more of this to get all the best minds and best input on these opportunities and problems for us. We're making sure that it's not just a one year or one quarter change. It's really a continued accelerated evolution of our cultural change to really being, having the culture of one of the most secure companies in the world. Remember, Okta started as a, it was, our focus was enabling technology and making it easy to adopt the cloud. It wasn't necessarily started 15 years ago as a cyber company. Now, that changed a few years into the company, and it's very clear to us now that, and has been for the last few years, that the bar is the most secure company in the world, full stop. And so that's the number one priority, and that's what we're focused on. And then part of that, of course, is kind of the last pillar that we're really focused on now, which is making sure the products themselves, as customers use them, the actual security use cases on those products are prioritized incredibly highly.
A great example of that is making sure that when we think about managing access to privileged resources with our new privileged access management product, making sure we prioritize and make it work great with our own Okta administration console, because attackers are going after that because that's such a valuable target. So it's a wholesale clear communication to customers and to employees and to partners and investors that security is the top priority, full stop. And we will stop at nothing to make sure we become one of the most secure companies in the world, because it's kind of clear to everyone that we're short of where we need to be now, and we will fix that.
spk03: And I'll just add a couple of comments there, Brian. Thanks for not one. Nice to see you. Thanks for the question. But in terms of the guidance philosophy, really no difference from what we've done before. You know, I think we all know for years now we give this early look. It's a prudent look. We've got five quarters ago. We've got a big Q4 ahead of us. And so, you know, we're factoring in two major factors, like I said, a few minutes ago, which is, you know, around the macro and then also around this security incident and making sure we're being prudent about the guidance at this point, given, you know, how far out we are from the end of FY25.
spk05: You asked a question too, Brian, about the channel partners. I would say that's a continued thread and a continuation of what we've been doing this year with our enhanced partner program and clarifying the partners we're working with and investing on the ones that are really moving the needles. The things you've heard us talk about in previous calls, that's an ongoing thing and we're continuing to execute on that and seeing benefits from that in the business.
spk01: Do you have the pipeline internally to hit that number without incremental improvement and partner contribution or how confident you are in that 10%?
spk05: We're very happy with where the pipeline is.
spk03: Yeah, we're confident in what we've given you guys today. Like I said, no change in the guidance philosophy.
spk01: Thank you. No problem.
spk04: Let's go to Rob Owens at Piper.
spk02: Great. Thanks for taking my question. I appreciate the transparency and disclosure of around the breach and realizing these things can take on a life of their own as time passes. But I was curious more so what you're doing for customers to assuage concerns around the breach itself, aside from pushing out some launch dates here and any proactive steps that you're taking to help future retention. Thanks.
spk05: Yeah, I've, I've, um, Ben, I've had, you know, many, many conversations with customers over the last few weeks, as you can imagine, and the reactions vary. Some are from, you know, thanks for the update, we appreciate the communication, to the other extreme, which is a lot of frustration and concern. The common thread or the common theme is that we're incredibly important to our customers and they're relying on us for their critical infrastructure of their customer identity or their workforce identity. So it really matters. And the first thing they want to know is that do we know how important this is? And are we taking these things seriously? Do we have the right plan in place to react to these things and get better going forward? And when I talk to them, the themes that resonate are really clear priority, comprehensive look at all the threats and all the opportunities across product and infrastructure, making sure the cultural tone from the top is set appropriately. And I can do that in a way no one else in the company can do. So I'm very clear about that. And then the last thing I talked about before is the, is how the products can help them be more secure, because this all is about the foundation for their security. And once that foundation is solid, then they can use our products to be, you know, to further enhance their own security. So I think to your specific question about what we're doing specifically, I think it's, it's, part of it is being open and transparent. One of the reasons why we thought this most recent disclosure, the one we did yesterday and then publicly this morning, is that when we talk to customers, the number one thing they want is transparency. And they want to know as soon as possible, what is the risk increase? What are the threats?
And our commitment as on our journey to be one of the most secure companies in the world is to make sure we fulfill that commitment and make sure we're open and transparent and disclose all the information we have. So I know it seems a little strange right now, but in some ways, what we did yesterday and today are executing on this plan and this commitment we've made to them. And then I think there's many more things we can do in terms of just making sure customers understand what happened and what we're doing about it. And you'll see us do more toward these communication efforts going forward. But at the end of the day, one of my conversations was with a CISO, a large manufacturing company that's been heavily adopted on Okta. And this is common to how these things go. He said, you know, Todd, the position you are in the ecosystem industry, you are one of the most attacked and focused on from an adversarial perspective companies in the world. And we know that if you take this as seriously as you're saying you do, and you have these plans and these priorities in place to improve your make sure you're one of the most secure companies in the world, that's, that's going to be, you know, more than enough for what we need, because you're going to be attacked way more than we ever will. And so I think they see it as once we communicate the details, and once they can understand our plans and our priority and our focus, they come away with more comfort. But again, at the end of the day, what they really want is no issues like this. And that's, and that's ultimately our goal to try to prevent these whenever possible.
spk02: Thanks for the color, Todd.
spk04: Let's go to Adam Tindall at Raymond James.
spk00: Thanks, Dave. Hey, Todd, I wanted to ask a little bit more about the renewal process in light of the security incident. Brett mentioned that contract duration continues to shorten. So the thought would be the renewal process is likely happening more frequently moving forward. I wonder what kind of processes you have in place
Disclaimer

This conference call transcript was computer generated and almost certainly contains errors. This transcript is provided for information purposes only. EarningsCall, LLC makes no representation about the accuracy of the aforementioned transcript, and you are cautioned not to place undue reliance on the information provided by the transcript.
