Mercury Systems Inc. (Update)
- Spruce Point finds evidence to suggest that Mercury Systems (Nasdaq: MRCY) could be one of the companies affected by the alleged Super Micro Computer, Inc. (Supermicro) hack, and can demonstrate recent actions taken by management to obscure the relationship. We believe the Street is structurally misunderstanding the magnitude of the revenue delays and cyber compliance costs that Mercury – a company presently without a Chief Information Security Officer (“CISO”) – will face going forward. Based on our expert calls, we expect that cybersecurity-related costs could mount to 10% of revenues. Given that management felt it necessary to hide its relationship with Supermicro, we believe that Mercury needs to disclose to investors the materiality of its exposure to Supermicro components, the financial impact of any product changes/recalls/replacements, and its plans to ensure the “security” of its mission-critical products on a go-forward basis.
Exposure Emanating From “Technology Partner” Supermicro
- On October 4th, Bloomberg published an in-depth article alleging that Chinese operatives compromised nearly 30 U.S. companies by having a tiny chip inserted into Supermicro motherboards during manufacturing (Supermicro, Apple and Amazon publicly denied the report). Navy systems were specifically mentioned as an affected target. Mercury Systems and two of its recent acquisitions – Themis Computers ($175 million / Feb 2018) and Germane Systems ($45 million / July 2018) – each sell servers and related IT equipment containing Supermicro motherboards to the Navy and other military branches.
- Providing secure and resilient solutions to prime and government customers is the essence of Mercury’s business. Mercury mentions the words “secure” and “security” over 100 times in its annual report.
- Mercury, Themis, and Germane all listed Supermicro as a “technology partner” on their respective websites until last week, when nearly all references to the relationship were abruptly and surreptitiously removed between October 8 and 9, without explanation.
- The presence of Supermicro motherboards in Mercury’s rugged servers creates tail risks that are difficult to quantify but could include product recalls, expensive supply chain adjustments, and other costly remediation. As a precedent, the Navy placed restrictions on IBM’s BladeCenter server line in 2015 over supply chain security concerns, less than a year after Chinese IT hardware manufacturer Lenovo acquired IBM’s x86 server business. (USNI Article)
- A recent GAO report, “Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities,” found that test teams playing the role of an adversary were able to take control of weapon systems relatively easily and to operate largely undetected. Based on conversations with industry experts, we believe that the requirements for winning government business are being (and will continue to be) rewritten with an emphasis on cyber resilience and a much higher cybersecurity standard. We suspect that new contract awards are likely to be delayed as a result.
- Based on our research, Mercury appears ill-prepared to address these new requirements given its relative shortage of cybersecurity personnel and the fact that both its long-time CIO and its long-time CISO departed in August 2018. We estimate that Mercury could have to spend up to 10% of revenue on cyber-related costs going forward, or else make a costly acquisition to comply with these new customer expectations.
- Mercury has quietly hinted at some of these concerns through subtle changes to the risk factors and safe-harbor language in its 10-K, and through recent job postings in supply chain procurement and quality control.