By Jonathan Rowe, Research Analyst
Cyber breaches come in all shapes and sizes, and no organization is immune – including the United States military. On April 13th 2023, Jack Teixeira, a 21 year old Airman in the 102nd Intelligence Wing of the Massachusetts Air National Guard on Cape Cod, was arrested by the FBI at his parents’ home in Dighton, Massachusetts. Teixeira was charged with two crimes: violating the Espionage Act of 1917 by retaining and transmitting national defense information without authorization; and unauthorized removal of classified information. Specifically, Teixeira allegedly obtained classified information and uploaded it to an online Discord chat group known as “Thug Shaker Central” which is believed to have held 20-to-50 members.
This classified information was posted in the form of transcripts Teixeira read aloud, copied notes, and included screenshots of classified documents. These classified documents included highly sensitive details, such as the United States’ plans for potential scenarios in the Russian war on Ukraine, names of informants and spies, military strategy, and other data that US prosecutors allege would have been of “tremendous value to hostile nation states”. The leak is thought to be the most significant security breach in the United States since over 700,000 sensitive materials were published on WikiLeaks in 2010.
The Teixeira incident sparked an inside review of the military’s approach to cybersecurity. On December 11th, the Air Force disciplined 15 members of its ranks relating to the Teixeira incident. This discipline spanned from personnel being removed from their positions – including command positions – to non-judicial punishments. Furthermore, Air Force personnel close to Teixeira knew about up to four separate occasions of him exhibiting questionable behavior prior to the leaks, and a small number of people “intentionally failed to report the full details of these security concerns/incidents.”
Even before the Air Force’s disciplinary action was publicized in December, what quickly became apparent after the breach was that Teixeira, himself, had little need to possess access to classified information. Moreover, he essentially worked in the IT department of the National Guard, but not with or related to the sensitive information in the systems with which he worked. Although focused on IT issues, technically his role was as a member of cyber defense operations. This highlighted an overall security flaw in the US military, where it is commonplace for low-level personnel, including technology workers, to have access to classified information.
The incident prompted the Air Force to conduct “a security-focused stand down to reassess [its] security posture and procedures, validate the need to know for each person’s access, and emphasize to all Airmen and Guardians the responsibility [they] are entrusted with to safeguard this information and to enforce and improve our security requirements.”
The Teixeira incident and the Air Force’s subsequent review of its security requirements invokes the concept of zero-trust security that is growing in popularity across organizations of all sectors. Zero-trust security is the idea that companies need to be on guard for external cyberthreats, in addition to having robust internal security policies and arrangements. In large organizations like the Air Force, there are a plethora of people with potential access to sensitive information. With a zero-trust security stance, organizations consider how to assign and prioritize security clearance to their own employees; in organizations with a zero-trust security model, employees are granted access to critical information only on a need-to-know basis. While organizations generally trust their employees, they must operate under the assumption that they cannot trust their most important information with anyone and everyone within a company. Following the Jack Teixeira episode and the Air Force’s related internal review, it is likely that the Air Force will adopt a zero-trust security clearance model within its own ranks, ensuring that vital information does not fall into the wrong hands again in the future.
Founded in 2011 by former M.I.T. classmates Seth Birnbaum and Tomas Revesz, and headquartered in Cambridge, Massachusetts, EverQuote is a leading online insurance marketplace. EverQuote’s goal is to revolutionize the insurance shopping experience for consumers and modernize the way insurance providers reach customers. In doing so, the company intends to become the largest online store for insurance policies in the U.S.
Without any acquisitions, EverQuote has blossomed quickly, with a compound annual revenue growth rate of 32 percent over the last five years. Revenue has risen from $126 million in revenue in 2017, to $163 million in 2018, to $249 million last year. Unlike many VC-backed companies that have required multiple rounds of financing in the face of mounting losses, EverQuote was largely bootstrapped, with just $10 million of equity capital raised to fund the business before its IPO in June of 2018. In Q3 of 2019, the company generated its first non-GAAP operating profit, and has demonstrated consistent profitability in each of the last four quarters, with cash on the balance sheet rising steadily from $37 million at the end of Q2 last year, to $54 million this year.
Automotive insurance, EverQuote’s first addressable market, remains its largest, comprising over 80 percent of revenue. EverQuote’s online platform is facilitated by proprietary data and technology, which matches consumers with insurance options offered by carriers and independent agents tailored to their specific criteria. The criteria may include desired demographics, driving history, and the prospective policy holder’s driving track record.
EverQuote has invested heavily in data science, including machine learning, as well online advertising to efficiently match buyers and sellers of insurance policies. The company’s data assets include over two billion consumer-submitted data points that have come from 65 million quote requests, and 178 billion ad impressions, which have been acquired through its more than $650 million in advertising spending since inception. Over time, the company intends to fully automate the bidding process across most of its traffic sources, and is also working to achieve deeper integration with its insurance partners.
EverQuote boasts an expansive network of more than 100 insurance carriers, including the twenty largest property and casualty carriers in the United States, as defined by premium volume. In addition, the company partners with more than 8,000 insurance agencies. EverQuote’s leading partners include Progressive Casualty Insurance Company (which accounted for roughly 20 percent of revenue in 2018 and 2019) as well as StateFarm, Farmers, Esurance, Liberty Mutual, and Nationwide.
EverQuote gives consumers a single point of reference for insurance shopping. While EverQuote’s service is free for consumers, the company generates revenue through the sale of consumer referrals to insurance providers. According to EverQuote’s 2019 consumer survey, customers reported an average annual premium savings of $610 for insurance policies purchased through its marketplace.
EvreQuote has created a self-sustaining business model, having achieved EBITDA profitability and free cash flow generation in each of the last four quarters, although its progress is not reflected in the Street Consensus, which measures GAAP profitability. As an “asset light” business, like Google and Facebook, EverQuote generates more than $1 million in revenue per employee, and over half of its 300 employees are analysts, data scientists, and engineers. The company’s balance sheet is solid, even after the recent Crosspointe acquisition, as it will likely have more than $40 million in cash and no debt at the end of the current quarter.
A new accounting standard relating to sales expense recognition is likely to create controversy in the world of software earnings quality, particularly given the recent trend toward multi-year contracts associated with software subscriptions.
ASC 606, jointly issued by the Financial Accounting Standards Board (FASB) and the International Accounting Standards Board (IASB) on May 28, 2014, provides guidance for revenue recognition as well as the accounting for certain sales expenses. The rule allows companies with revenue contracts extending beyond a single year to capitalize and then amortize the incremental cost of the contract acquisition over the life of the contract. Therefore, certain sales commissions can be deferred, even though the commission is paid at the time the contract is approved. This is significant for any software company whose average contract length is more than a year, for it allows the company to defer a certain portion of its sales commissions, reduce its reported sales expense, and boost earnings in the process.
Though FASB and the IASB originally envisioned adoption of the guidelines to occur after December 15, 2016, or, for practical purposes, during the first calendar quarter of 2017, an update provided by FASB last summer deferred the effective start date for one year for public entities reporting under US GAAP. Thus, companies are not required to comply until the first calendar quarter of 2018.
ASC 606, if adopted, will have a significant impact on companies which pay out the bulk of their sales commissions in a particular quarter as part of a yearly incentive structure. For companies with multi-year contracts the reduction in sales expense could be significant in the year-end quarter. It will therefore be important to evaluate the earnings performance of a company as if the accounting guideline had been implemented in the prior year, in order to ensure an apples to apples earnings comparison, and to determine whether a company’s reported earnings may have been artificially stimulated as a result of adopting ASC 606.
Proponents of ASC 606 assert that the capitalization and subsequent amortization of sales expense better matches a company’s ratable revenue recognition pattern for subscriptions. We believe that ASC 606 distorts the P&L by systematically under-reporting expenses incurred by a company at the time of payment. Another argument in favor of capitalizing commissions is that sales expense represents an incremental cost associated with a sale. Yet, so are marketing and promotional costs, as well as R&D expenses, since market awareness and the addition of new product features can directly impact the purchase decision.
In terms of historical precedent, one recalls the enactment of FASB 86, an accounting edict proclaimed in August of 1985, which enables companies to capitalize –rather than expense— certain software development activities between the point of establishing commercial feasibility and “completion” of the product. Upon review of the ruling, Francis (Frank) J. Gaudette, the late great CFO of Microsoft, who helped orchestrate the company’s IPO in 1986, refused to recognize as legitimate any interval between feasibility and product completion, with the view that research and development costs should be expensed entirely in the period in which they are incurred.
By taking a hardline stance against capitalization of R&D under any circumstance Gaudette set a precedent among software companies with conservative accounting practices, whose earnings multiples—like Microsoft’s—have been rewarded over time. As ASC 606 comes into effect, and a spotlight shines on the sales and marketing expense line of subscription software companies, one should take with a certain grain of salt the considerable operating margin improvement that some companies will claim as a result of adopting the new guideline.