Acquisition Will Deliver Speed and Security from App Development to Production, Bridges CA Security Business with its Broad DevOps Portfolio
NEW YORK, March 6, 2017 – CA Technologies (NASDAQ:CA) today announced it has signed a definitive agreement to acquire Veracode, a leader in securing web, mobile and third-party applications across the software development lifecycle, for approximately $614 million in cash. The transaction is expected to close in the first quarter of fiscal year 2018, and is subject to customary closing conditions, including regulatory approvals.
The combination of CA’s portfolio with privately-held Veracode will establish CA Technologies as a leader in the Secure DevOps market through the automation and scaling of application security testing (AST) to develop and deploy applications faster with fewer defects. With Veracode, CA Technologies bridges its Security business with its broad DevOps portfolio and adds to its growing SaaS business. Veracode extends CA’s go-to-market strategy into midsize enterprise customers while CA accelerates Veracode‘s global reach into larger enterprise customers.
“Security testing is growing faster than any other security market, as AST solutions adapt to new development methodologies and increased application complexity. Security and risk management leaders must integrate AST into their application security programs.”* Increased deployment of web and cloud-based business applications has further propelled the market growth. “By 2019, more than 50 percent of enterprise DevOps initiatives will have incorporated application security testing for custom code, up from less than 10% in 2016.”**
“Software is at the heart of every company’s digital transformation. Therefore, it’s increasingly important for them to integrate security at the start of their development processes, so they can respond to market opportunities in a secure manner,” said Ayman Sayed, President and Chief Product Officer, CA Technologies. “This acquisition will unify CA’s Security and DevOps portfolios with a SaaS-based platform that seamlessly integrates security into the software development process. Looking holistically at our portfolio, now with Veracode and Automic, we have accelerated the growth profile of our broad set of solutions. We now expect that the size of our growing solutions within our Enterprise Solutions portfolio will eclipse the more mature part of the Enterprise Solutions portfolio in FY19.”
The ability to deliver Identity and Access Management, DevOps tools and automation capabilities with SaaS-based application security, allows CA to offer enterprises of all sizes a faster time-to-value from their software investments.
Digital transformation requires an integrated and agile approach to security. Code-vulnerability risk is mitigated and time spent identifying and fixing security issues in production is reduced when security testing is shifted earlier into the application development process. According to data from the National Institute of Standards and Technology, “it's 30x more expensive to fix a vulnerability during post-production than during the design, requirement identification and architecture stage.”
Named a leader in the Gartner Magic Quadrant for Application Security Testing***, Veracode’s solution enables automated, on-demand application security testing starting at the earliest phases of the development lifecycle to improve testing speed, address security concerns in production, and eliminate risk. In addition to dynamic application testing, the SaaS-based application security testing software and solutions also perform static testing to detect potential vulnerabilities in custom code, third party applications and open-source components.
“We provide over 1400 small and large enterprise customers the security they need to confidently innovate with the web and mobile applications they build, buy and assemble, as well as the components they integrate into their environments,” said Bob Brennan, CEO, Veracode. “By joining forces with CA Technologies, we will continue to better address growing security concerns, and enable them to accelerate delivery of secure software applications that can create new business value.”
Founded in 2006, Veracode has offices in Burlington, MA and London and has over 500 employees worldwide.
Expected Financial Impact
Assuming the transaction closes in early April, CA Technologies preliminary expectation is that the acquisition will:
- Add two to three percentage points of revenue, both as reported and in constant currency. As a result, fiscal year 2018 total revenue is expected to increase in the range of 1 percent to 3 percent as reported, or 2 percent to 4 percent in constant currency. At December 31, 2016 exchange rates, this translates to reported revenue of $4.06 billion to $4.14 billion.
- Impact GAAP and non-GAAP total company operating margins, such that fiscal year 2018 GAAP operating margins are expected to be in the range of 26 percent to 27 percent and non-GAAP operating margins are expected to be approximately 36 percent.
- Have a modestly adverse impact on GAAP and non-GAAP diluted earnings per share, and cash flow from operations, both as reported and in constant currency in fiscal year 2018 and fiscal year 2019.
- Be accretive to net income in fiscal year 2020.
The combination of acquisition-related expenses and purchase accounting adjustments, in addition to the structurally lower margin profile of the SaaS business model, is expected to impact CA’s fiscal year 2018 and fiscal year 2019 results.
*Gartner, Gartner, Inc., “Magic Quadrant for Application Security Testing,” Dionisio Zumerle, Ayal Tirosh, February 28, 2017.
**Gartner, DevSecOps: How to Seamlessly Integrate Security Into DevOps, Neil MacDonald and Ian Head, September 30, 2016.
***Gartner, Gartner, Inc., “Magic Quadrant for Application Security Testing,” Dionisio Zumerle, Ayal Tirosh, February 28, 2017.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Please see below for information regarding non-GAAP financial measures, the cautionary statement regarding forward-looking statements, and the reconciliation of projected GAAP metrics to projected non-GAAP metrics.
Non-GAAP Financial Measures
This news release includes certain financial measures that exclude the impact of certain items and, therefore, have not been calculated in accordance with U.S. generally accepted accounting principles (GAAP). Non-GAAP metrics for operating expenses, operating income, operating margin, income from continuing operations and diluted earnings per share exclude the following items: non-cash amortization of purchased software, internally developed software and other intangible assets; share-based compensation expense; charges relating to rebalancing initiatives that are large enough to require approval from CA’s (hereinafter, the “Company”) Board of Directors and certain other gains and losses, which include the gains and losses since inception of hedges that mature within the quarter, but exclude gains and losses of hedges that do not mature within the quarter. The Company presents constant currency information to provide a framework for assessing how the Company’s underlying businesses performed excluding the effect of foreign currency rate fluctuations. To present this information, current and comparative prior period results for entities reporting in currencies other than U.S. dollars are converted into U.S. dollars at the exchange rate in effect on the last day of the Company’s prior fiscal year (i.e., March 31, 2016). Constant currency excludes the impacts from the Company’s hedging program. These non-GAAP financial measures may be different from non-GAAP financial measures used by other companies. Non-GAAP financial measures should not be considered as a substitute for, or superior to, measures of financial performance prepared in accordance with GAAP. By excluding these items, non-GAAP financial measures facilitate management’s internal comparisons to the Company’s historical operating results and cash flows, to competitors’ operating results and cash flows, and to estimates made by securities analysts. Management uses these non-GAAP financial measures internally to evaluate its performance and they are key variables in determining management incentive compensation. The Company believes these non-GAAP financial measures are useful to investors in allowing for greater transparency of supplemental information used by management in its financial and operational decision-making. In addition, the Company has historically reported similar non-GAAP financial measures to its investors and believes that the inclusion of comparative numbers provides consistency in its financial reporting. Investors are encouraged to review the reconciliation of the non-GAAP financial measures used in this news release to their most directly comparable GAAP financial measures.
Cautionary Statement Regarding Forward-Looking Statements
Certain statements in this news release (such as statements containing the words "believes," "plans," "anticipates," "expects," "estimates," "targets" and similar expressions relating to the future) constitute "forward-looking statements" that are based upon the beliefs of, and assumptions made by, the Company's management, as well as information currently available to management. These forward-looking statements reflect the Company's current views with respect to future events and are subject to certain risks, uncertainties, and assumptions. A number of important factors could cause actual results or events to differ materially from those indicated by such forward-looking statements, including: the ability to consummate the Veracode acquisition; the risk that the conditions to the closing of the Veracode acquisition, including regulatory approvals, are not satisfied; potential adverse reactions or changes to customer, supplier, partner or employee relationships, including those resulting from the announcement or completion of the Veracode acquisition; uncertainties as to the timing of the Veracode acquisition; uncertainty of the expected financial performance of the Company following completion of the proposed Veracode acquisition; the ability to successfully integrate Veracode’s operations and employees in a timely manner; the ability to realize anticipated synergies, cost savings and operational efficiencies from the Veracode acquisition; the ability to achieve success in the Company’s business strategy by, among other things, ensuring that any new offerings address the needs of a rapidly changing market while not adversely affecting the demand for the Company’s traditional products or the Company’s profitability to an extent greater than anticipated, enabling the Company’s sales force to accelerate growth of sales to new customers and expand sales with existing customers, including sales outside of the Company’s renewal cycle and to a broadening set of purchasers outside of traditional information technology operations (with such growth and expansion at levels sufficient to offset any decline in revenue and/or sales in the Company’s Mainframe Solutions segment and in certain mature product lines in the Company’s Enterprise Solutions segment), effectively managing the strategic shift in the Company’s business model to develop more easily installed software, provide additional SaaS offerings and refocus the Company’s professional services and education engagements on those engagements that are connected to new product sales, without affecting the Company’s financial performance to an extent greater than anticipated, and effectively managing the Company’s pricing and other go-to-market strategies, as well as improving the Company’s brand, technology and innovation awareness in the marketplace; the failure to innovate or adapt to technological changes and introduce new software products and services in a timely manner; competition in product and service offerings and pricing; the ability of the Company’s products to remain compatible with ever-changing operating environments, platforms or third party products; global economic factors or political events beyond the Company’s control and other business and legal risks associated with non-U.S. operations; the failure to expand partner programs and sales of the Company’s solutions by the Company’s partners; the ability to retain and attract qualified professionals; general economic conditions and credit constraints, or unfavorable economic conditions in a particular region, business or industry sector; the ability to successfully integrate acquired companies and products into the Company’s existing business; risks associated with sales to government customers; breaches of the Company’s data center, network, as well as the Company’s software products, and the IT environments of the Company’s vendors and customers; the ability to adequately manage, evolve and protect the Company’s information systems, infrastructure and processes; the failure to renew license transactions on a satisfactory basis; fluctuations in foreign exchange rates; discovery of errors or omissions in the Company’s software products or documentation and potential product liability claims; the failure to protect the Company’s intellectual property rights and source code; access to software licensed from third parties; risks associated with the use of software from open source code sources; third-party claims of intellectual property infringement or royalty payments; fluctuations in the number, terms and duration of the Company’s license agreements, as well as the timing of orders from customers and channel partners; events or circumstances that would require the Company to record an impairment charge relating to the Company’s goodwill or capitalized software and other intangible assets balances; potential tax liabilities; changes in market conditions or the Company’s credit ratings; changes in generally accepted accounting principles; the failure to effectively execute the Company’s workforce reductions, workforce rebalancing and facilities consolidations; successful and secure outsourcing of various functions to third parties; and other factors described more fully in the Company’s filings with the Securities and Exchange Commission. Should one or more of these risks or uncertainties occur, or should the Company’s assumptions prove incorrect, actual results may vary materially from the forward-looking information described herein as believed, planned, anticipated, expected, estimated, targeted or similarly identified. The Company does not intend to update these forward-looking statements, except as otherwise required by law. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of the date hereof.