NCC Group plc Annual Report 2021

Securing the future Peace of mind today and forever

Annual report and accounts for the year ended 31 May 2021

NCC Group is a global cyber and software resilience business operating across multiple sectors, geographies and technologies. As society’s dependence on the connected environment and the associated technologies increases, we use our global insights to help organisations assess, manage and develop their cyber resilience posture, enabling them to confidently take advantage of the opportunities that sustain their business growth. We exist to make the world safer and more secure.

STRATEGIC REPORT
1 Highlights
2 At a glance
4 Our investment case
6 Chair’s statement
8 Our strategic roadmap
9 Chief Executive Officer’s review
14 Our continued Covid-19 response
16 Markets
18 Research at NCC Group
20 Business model
29 Strategy and KPIs
32 Chief Financial Officer’s review
40 Principal risks and uncertainties
49 Stakeholder engagement
53 Sustainability

GOVERNANCE
70 Chair’s introduction to governance
73 Governance framework
74 Board of Directors
76 Executive Committee
78 Board composition and division of responsibilities
87 Shareholder engagement
88 Audit Committee report
95 Nomination Committee report
98 Cyber Security Committee report
100 Remuneration Committee report
119 Directors’ report
123 Directors’ responsibilities statement

FINANCIAL STATEMENTS
125 Independent auditor’s report
133 Consolidated income statement
133 Consolidated statement of comprehensive (loss)/income
134 Consolidated balance sheet
135 Consolidated cash flow statement
136 Consolidated statement of changes in equity
137 Company balance sheet
138 Company cash flow statement
139 Company statement of changes in equity
140 Notes to the Financial Statements

ADDITIONAL INFORMATION
187 Glossary of terms – Alternative Performance Measures (APMs)
189 Glossary of terms – other terms
191 Other information
192 Financial calendar

Read more online: www.nccgroup.com

Highlights 1

GAAP measures

Revenue £270.5m

Operating profit 2,3 £17.3m

Basic EPS 2,3 3.6p

[Bar charts: Revenue, Operating profit and Basic EPS for financial years 2017 to 2021; 2020 restated 3 for Operating profit and Basic EPS]

Alternative Performance Measures 2

Net cash/(debt) 2 £83.3m

Adjusted operating profit 2, 3 £39.2m

Adjusted EPS 2, 3 9.5p

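[Bar charts: Net cash/(debt), Adjusted operating profit and Adjusted EPS for financial years 2017 to 2021; 2020 restated 3 for Adjusted operating profit and Adjusted EPS]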

Footnotes
1 References for the Group’s results are for continuing operations.
2 See Note 3 for an explanation of Alternative Performance Measures (APMs) and adjusting items. Further information is also contained within the Chief Financial Officer’s Review and the Glossary of terms on pages 187 and 188.
3 See Note 34 for an explanation of the prior year restatement recognised in relation to the adoption of the IFRIC agenda decision on cloud configuration and customisation costs in April 2021. The 2017 to 2019 figures above have not been restated.

The following additional information and reconciliation is noted in relation to Adjusted operating profit due to the adoption of the IFRIC agenda decision:

| | 2021 £m | 2020 £m | Change |
| --- | --- | --- | --- |
| Adjusted operating profit (as noted above) | 39.2 | 30.7 | 27.7% |
| Proforma amortisation charge in respect of certain cloud-based software arrangements (see explanation below) | (3.0) | (1.4) | (114.3%) |
| Adjusted operating profit less a proforma amortisation charge in respect of certain cloud-based software arrangements | 36.2 | 29.3 | 23.5% |

The proforma amortisation adjustment noted above represents an estimate of the amortisation that would have been recognised had the Group not changed its accounting policy in the current year following additional clarification on the accounting in relation to the configuration and customisation costs incurred in implementing Software-as-a-Service (SaaS) arrangements in the IFRIC agenda decision issued in April 2021. The proforma amortisation charge is estimated based on cloud configuration and customisation costs charged to the income statement in the year of £5.1m (2020: £7.9m). The Directors consider that Adjusted operating profit less a proforma amortisation charge in respect of certain cloud-based software arrangements is comparable to Adjusted operating profit previously reported.

Successful acquisition of IPM with strategic and financial importance

Strong trading performance despite the pandemic

Another year of excellent cash management

Our cyber and resilience markets continue to offer excellent long-term growth prospects

Exciting development and growth of key service lines for the future

Investing for the future

NCC Group plc — Annual report and accounts for the year ended 31 May 2021


At a glance

What we do

NCC Group is a global cyber and software resilience business operating across multiple sectors, geographies and technologies. As society’s dependence on the connected environment and the associated technologies increases, we use our global insights to help organisations assess, manage and develop their cyber resilience posture, enabling them to confidently take advantage of the opportunities that sustain their business growth. This includes:

Getting the basics of cyber hygiene correct

Knowing what and how to prioritise

Coping with the scarcity of skilled resources needed to deliver quality improvement, change and operations

Responding to the increasing compliance, regulatory and legislative burden

Quantifying cyber spend efficiency and return on investment

Our divisions

Across our two divisions, we deliver solutions that result in outcomes that match our customers’ goals, budgets and risk appetite, giving them peace of mind that their most important assets – their business, software and personal data – are safe and secure.

Assurance

We demystify cyber for our customers, and ensure:
• Our customers understand the cyber threats and vulnerabilities across their technology environments, supply chains, processes and products
• Our customers maintain their licence to do business, having achieved their governance, compliance and accreditation objectives in a changing regulatory environment
• Our customers’ resilience against ever increasing cyber threats is materially improved because of implementing remediation plans and solutions
• Our customers can reduce risk and achieve greater resilience for less investment
• Our customers can outsource their cyber defence operations and increase their confidence in detecting and responding to cyber events

Software Resilience

We protect the development, supply and use of business-critical technology and software applications:
• Our services ensure buyers are safeguarded from supplier failure, software vulnerabilities and unforeseen technology disruption
• Our on-premise and cloud offering can demonstrate robust business continuity and risk mitigation, and suppliers benefit from enhanced credibility and intellectual property rights protection
• Our escrow contract services secure the long-term availability of business-critical software data and applications
• Our verification services assure customers that the knowledge and guidance are readily available to manage, maintain or recreate an application from the original source, should it ever be needed
• Our cloud Escrow-as-a-Service (EaaS) offering helps customers transition to the cloud securely, so they can adopt the latest technology with confidence

Read more on our markets on pages 16 and 17


Where we operate

We operate as one global business, with in-country delivery tailored to local needs and cultures. We have a significant market presence in the UK, Europe and North America, and a rapidly growing footprint in Asia Pacific with offices in Australia, Japan and Singapore.


Group revenues
• UK and Asia Pacific £127.9m (2020: £124.7m)
• North America £90.0m (2020: £90.2m)
• Europe £52.6m (2020: £48.8m)

Assurance revenue £233.9m (2020: £226.2m)
• Global Professional Services £172.2m (2020: £166.2m)
• Global Managed Services £56.2m (2020: £49.6m)
• Products £5.6m (2020: £10.4m)

Software Resilience revenue £36.6m (2020: £37.5m)
• Software Resilience contracts £24.0m (2020: £25.8m)
• Verification services £12.6m (2020: £11.7m)


Our investment case

Our strong historical performance and enduring ability to succeed in a rapidly changing market are a result of four characteristics that will continue to fuel our growth now and in the future:

The global market for cyber professional and managed services offers phenomenal potential for growth, now and in the future. As investment in cyber resilience becomes essential to organisations’ licence to operate, NCC Group’s addressable market is expanding.

[Chart: Cyber security market size, 2018–2025 (USD billion)]

Source: https://seekingalpha.com/article/4335822-check-point-software-market-misunderstands-subscription-growth.

Research driven

People centric

Capex light

Commitment to sustainability

Our performance throughout the pandemic and beyond demonstrates our enduring and reliable business model in an agile market. We have grown revenue, gross margin and Adjusted operating profit 2 throughout a period of disruption. The performance of our key future service lines positions us to capture accelerating market growth. We have recurring high margin revenues and sustainable cash flows from our globally scalable Managed Detection and Response (MDR) and Software Resilience services, and a quality customer base. The acquisition of Iron Mountain’s Intellectual Property Management (IPM) business will be accretive to earnings per share (EPS). We expect revenue opportunities from offering a richer set of software verification and cloud and wider cyber resilience services to IPM’s extensive customer base over the medium term.

+2.6% revenue growth

+5.9% gross margin growth


Our commitment to sustainability is integral to how we do business. Our approach to sustainability is focused on the recognised elements of environment, social and governance (ESG). They’re brought to life with our framework, which enables us to focus our efforts on the activities that deliver the greatest value to our people, our customers, our shareholders and the world we all live in. We will continue to secure the future today and our sustainability agenda will play a strategic role to support conscious decision making as we begin to set targets that challenge us to continually improve in making the world safer and more secure for all.

We are research driven. Our greatest strength is our breadth and depth of world-class technical capabilities. We employ some of the most talented security consultants and researchers on the planet: every researcher on our team is also an active consultant. We consistently perform independent, cutting-edge security research that supports current and future specialist technical consulting capabilities and customer and consultant needs, and responds to world events. Through our agile methodologies, we have delivered six new solutions in response to market demand in the last year, including a next generation SaaS platform for digital escrow deposits and secured digital vault storage, data science-based analytical and machine learning approaches to threat detection, and our new data-driven cyber risk quantification and peer comparison offer.

3,400 research days

6 new customer-facing propositions

35 tool releases

Read more on pages 53 to 68

Read more on pages 18 and 19

We are people centric. Each day at NCC Group, our technologists and professionals wake up with one mission – to help make the world safer and more secure. Together they form a phenomenal knowledge network, collaborating, innovating and delivering value to our customers. We continue growing our technical people base year on year, even managing to increase our global headcount throughout the disruption of the global pandemic, because we invest in our colleagues’ wellbeing, career development and full potential. As we are taking advantage of remote and flexible delivery models, we have doubled our global resourcing days in 2020. This means that we truly put the best person on any job, all around the world. And we will seek to increase this even further as we grow our global talent pool and our colleagues’ skills and competencies and mature our global delivery model.

We are capex light. Unlike other businesses in the technology space, we are an inherently asset-light business, limiting our capital expenditure and promoting our agility and flexibility to respond to changing circumstances. We have strengthened our Balance Sheet through disciplined cash management and reduced overheads which positions us to exploit further opportunities in the future. It has allowed us to invest up to £3m in cloud technology, artificial intelligence/machine learning advanced analytics, and our new remediation and security improvement offer.

88.2% cash conversion ratio 2

£34.6m free cash flow

8.1% growth in headcount

+49 net movement in technical specialists

Read more on page 50

Read more on pages 32 to 39


Chair’s statement

Securing the future

As at year end, net cash (excluding lease liabilities 2 ) amounted to £83.3m including net placing proceeds of £70.2m; adjusting for this has meant that underlying cash amounted to £12.6m compared to net debt of £4.2m 12 months ago. It is also worth noting that we have taken no government subsidies or loans (other than deferring tax payments that have now been fully repaid), nor have we made any colleagues redundant or furloughed them during the pandemic, demonstrating our objective of being a global hub for cyber talent. In Assurance, the North American and EU Assurance businesses grew by 6.5% and 5.9% respectively on a local currency basis. Our UK and APAC business increased 3.9%, supported by growth in MDR and the launch of our Remediation service. Our Global Software Resilience business declined by 2.4%, a result of execution challenges in a remote environment and capacity challenges in sales resourcing. However, we are proud to see that our cloud proposition (EaaS) continues to go from strength to strength, with orders having increased by 83% to £2.2m, providing a promising and exciting platform for the future.

Chris Stone Non-Executive Chair

Our business performance can be found in more detail on pages 9 to 13

Strategy and sustainable business model

Our strategy, mission and vision remain unchanged, and continue to drive progress towards our medium-term objectives:
• For our shareholders:
  • Double-digit revenue growth and margin improvement for Assurance
  • Return Software Resilience to sustainable growth
  • Disciplined cash generation
• For our customers:
  • Use our unique data, capability and insight to help customers to meet their cyber resilience needs
• For our people:
  • A global hub for cyber talent
  • An inclusive environment where everyone feels safe to be authentic and which is representative of the diversity of the world in which we live

NCC Group’s research-driven, people-centric and capex-light business model enables us to remain at the forefront of the dynamic cyber industry.

Introduction

At the end of a financial year which has seen continued disruption to economies and trading environments worldwide, it is pleasing to be able to report to all our stakeholders that NCC Group has continued to demonstrate its resilience in many ways. In particular, NCC Group has achieved year on year revenue growth and profitability despite the headwinds of a global pandemic. Along the way, we secured the Group’s largest acquisition to date, enjoyed strong growth in our most exciting propositions for the future and had another year of strong cash management.

Business performance

Overall, the Group delivered revenue growth of 2.6% (2020: 5.2%), Adjusted EBITDA 2 of £52.5m (2020: £45.5m) and Adjusted operating profit 2 of £39.2m (2020: restated £30.7m 3 ). On a statutory basis, after the partial recognition of acquisition costs of £7.6m and cloud configuration and customisation costs associated with the Group’s transformation programme SGT (£5.1m, 2020: restated £7.9m 3 ), operating profit increased by 37% to £17.3m (2020: restated £12.6m 3 ) and profit before taxation increased 54% to £14.8m giving rise to a statutory EPS of 3.6p (2020: restated 2.3p 3 ) and Adjusted basic EPS 2 of 9.5p (2020: restated 7.2p 2 ) respectively. The Group delivered sustainable cash flows with cash conversion 2 of 88.2%, resulting in the Group becoming cash positive in November 2020 prior to the equity funding process for the IPM business US acquisition.

Further details on our strategy and value creation through our business model are provided on pages 29 to 31 and 20 and 21 respectively

During the year, we agreed the acquisition and associated funding for Intellectual Property Management (IPM), the Software Resilience division of Iron Mountain, and received shareholder approval on 1 June. It was therefore pleasing post year end that we completed the transaction, which will be accretive to profitability and provide further strong cash generation. It is also pleasing that the management team has commenced the integration programme, and this is on plan. The strength and flexibility of our Balance Sheet will allow us to pursue further organic and inorganic growth opportunities where they align with our strategic and financial objectives.

Further details on our recent acquisition are provided on page 12


Dividend

We are recommending an unchanged final dividend of 3.15p (2020: 3.15p) per ordinary share, making a total for the year of 4.65p (2020: 4.65p), with our dividend policy continuing to remain under review. The final dividend will be paid on 12 November 2021, subject to approval at the AGM on 4 November 2021, to shareholders on the register at the close of business on 15 October 2021. The ex‑dividend date is 14 October 2021.

customers, an investor survey and shareholder engagement throughout the recent acquisition, and physical and mental wellbeing programmes for all our colleagues.

Further details on stakeholder engagement are provided on pages 49 to 52

Colleagues

We will always be a people-centric business and our technical colleagues are at the core of our customer offer, supported by agile sales and back-office functions. Our colleagues have continued to show their commitment and resilience throughout the pandemic in delivering excellent service to our customers and pursuing our mission, vision and objectives relentlessly. We seek to provide meaningful and rewarding career paths for all our colleagues. Following our colleague engagement survey, we will continue to create a great place to work and focus on becoming the employer of choice in our markets. We are also embracing more flexible ways of working and intend to continue with that flexibility as we anticipate returning to a hybrid office/remote way of working. In addition, through our colleague resource groups that create conversations inherent to an inclusive culture, we continue making NCC Group an organisation where everybody feels safe to be their authentic selves.

Board composition

There have been no changes to the Board during the year.

Further details on our Board composition are provided on pages 78 to 86

Board governance and effectiveness

As Chair, I am responsible for providing leadership to ensure that the Board operates effectively in all aspects of its performance. We have an established and experienced Board, which actively oversees the Group’s strategic development, monitors the delivery of its business objectives and considers risks and mitigating actions. Our performance and decisions made during this global pandemic are testament to the Board’s effectiveness.

Further information on risk management and the key risk identification procedures is set out on pages 40 to 48

Further details on this are provided on page 50

During the year, we have been further embedding the requirements of the UK Corporate Governance Code 2018 (the ‘Code’), particularly the renewed focus on identifying and engaging with all our stakeholders in a remote world. During the year we complied with all other aspects of the Code with the exceptions that our CEO and CFO pensions were not in alignment with our general colleague population, we do not have post-employment shareholding guidelines and we did not engage with the workforce to explain how executive remuneration aligns with the wider Company pay policy. The first of these three areas of non-compliance will be resolved following our 2021 AGM and subject to shareholder approval of our new Directors’ Remuneration Policy.

We recognise that we still have much progress to make in terms of improving the diversity of the Board and our Executive Team (and indeed our workforce as a whole). With that in mind, during the year we have made the commitment that by 2024, we will have at least 33% female representation on our Board and at least one person of colour. Although this is best practice for FTSE 350 companies, we will commit to this target regardless of which share index we are in.

Please see the Corporate Governance Statement starting on page 70 for further information

Executive management composition

It has been a delight to welcome Inge Bryan as Managing Director for NCC Group’s European Assurance operations, who joined us after a remarkable career in cyber and security. Inge previously held roles with the Dutch National Police and the General Intelligence and Security Service of the Netherlands and served as Home Affairs Counsellor in the Royal Netherlands Embassy in Paris. Before she joined NCC Group Inge was part of the cyber security leadership team with Deloitte Risk Advisory, securing the critical infrastructure of the Netherlands, including central government. In 2019 she was listed in the top 100 most influential women in the Netherlands and one of the 50 most inspiring women in tech.

On behalf of the Board, I therefore offer our sincere thanks and appreciation to all of the Group’s colleagues for their continued resilience and professionalism in delivering this performance. As a Board, we also welcome our new colleagues from the IPM business as we look to the future with enduring confidence.

Sustainability

NCC Group recognises the importance of an environment, social and governance (ESG) framework that underpins our operations as a key indicator of the Group’s sustainability and ethical impact. The Group has developed an ESG framework which continues to evolve. Examples of progress to date include the ongoing review of key policies and maintaining our corporate governance and decision-making structures through the “move to remote” during the pandemic. In addition, we continue to foster partnerships that support the development of future diverse cyber talent and we encourage engagement from colleagues and our external stakeholders around our four focus areas of gender, LGBTQIA+, race and ethnicity and neurodiversity.

Further details on sustainability are provided on pages 53 to 68

Outlook

• For the current financial year (FY22), the Board expects higher revenue growth partially offset by increased global costs from inflationary pressures as well as a resumption in travel and office usage
• Our medium-term objectives continue to be double-digit revenue growth in Assurance and sustainable revenue growth in Software Resilience
• We are recommending an unchanged final dividend of 3.15p (2020: 3.15p) per ordinary share

Chris Stone Non-Executive Chair 14 September 2021

Further details on our executive management composition are provided on pages 76 and 77

Stakeholder engagement


Successful stakeholder engagement is a key area of focus for NCC Group, especially during these remote and challenging times. During the year, we have engaged with our customers, our colleagues, our network and our shareholders. Certain highlights include the CyberUp Campaign, our “working together” approach with our


Our strategic roadmap

Our connected society presents a world of opportunity

It is essential for us all to proactively manage any risk to our safety and security. As you go about your daily routines you can be safe in the knowledge that we are passionate about keeping you and your personal data, the technology and devices you use, and the critical assets and software your business relies on safe and secure. It is our mission and is what drives our strategic roadmap...

Mission

We exist to make the world safer and more secure.

Vision

To be the leading cyber resilience provider globally. Trusted to protect and secure our customers’ critical assets. Sought after for our complete people-led, technology-enabled cyber and software resilience solutions that enable our customers to thrive.

Delivering our vision through our Securing Growth Together transformation programme

We continue to transform our business. Our vehicle for transforming the firm and achieving our vision is the Securing Growth Together programme, which is about connecting our global firm and creating stronger relationships with our customers. The programme is run through five workstreams:

Lead the market

Win business

Deliver excellence

Support growth

Develop our people

Read more in our Chief Financial Officer’s Review on pages 32 to 39

Delivering value to our customers

Cyber threats are pervasive, complicated and rapidly changing and there’s no such thing as a “silver bullet”. We help our customers navigate through the complexity of cyber risks. Through our global research capability, technical expertise and full suite of services we can guide customers through the risks to achieve cyber resilience.

Assess cyber risk

Develop cyber maturity

Manage cyber operation

Read more in our business model on pages 20 and 21

Our Code of Ethics and values

NCC Group is a distinctive place to work where we are guided by our Code of Ethics – treat everyone and everything with respect. Our common values help us to make decisions without the need for a comprehensive instruction manual:

We work together

We are brilliantly creative

We embrace difference

Read more on our sustainability on pages 53 to 68


Chief Executive Officer’s review

Resilience is the key

Covid-19, supply chain shocks and rampant ransomware attacks have reminded us all how difficult it is to predict the future and thus of the importance of resilience against unknown risks. We are proud of our own resilience through the past 12 months, demonstrating our ability to deliver great work, to hire more talent and to grow even through the most extreme of shocks.

Our resilience starts with our people and I would like to pay tribute to the remarkable skills and commitment of my colleagues. They are at the heart of our success. Last financial year we hired over 200 front-line technical specialists, increasing our global net headcount by 8.1%. It is remarkable to think that many of them have not been into an office or met their colleagues. Happily, the feedback from surveys we have conducted indicates that the work we have done to onboard colleagues in the remote environment has been valued.

Overall, the global voluntary attrition rate remained constant at c.15% and our technical attrition increased to 17.0% (2020: 14.4%). We identify two particular influences on this attrition increase. First, the advent of remote working drove significant labour mobility in the United States as it became possible to work for the largest and most exciting technology companies without having to move to the Bay Area. Second, while attrition was much lower in the UK and Europe through the first half, as the world began to open up we saw people leave to change lifestyle or gain variety after being locked down in the same place for an extended period of time. However, once again demonstrating our own resilience, the global operating and resourcing model that we developed mitigated the impact of this higher attrition, enabling us to deliver revenue in North America using resources spread elsewhere across the globe.

Everyone is welcome

There are not enough cyber skills in the world to meet today’s challenges. We see ourselves as playing a significant role in the attraction and training of new talent, having one of the cyber industry’s most effective training programmes. As we strive to bring more people into the world of cyber and to make the population of cyber specialists representative of the societies in which they live and work, we continue to focus on inclusion and improving the diversity of our teams. In particular:
• We are embracing more flexible ways of working – and intend to continue with that flexibility as we explore new ways of working
• Our four colleague resource groups – Gender, Race and Ethnicity, LGBTQIA+ and Neurodiversity – have catalysed conversations on topics as diverse as menopause, systemic racism, transvestism and autism, as we strive to raise awareness, create understanding and respect each other to make NCC Group an inclusive place for everyone
• Our teams have worked hard to provide mutual support with a particular focus on mental health and wellbeing. We have 61 trained Mental Health First Aiders. Over 100 of our people managers have received training in mental health awareness, and a full wellbeing programme for colleagues is supplemented by employee assistance programmes in our local geographies. All of these efforts continue to help our teams through these difficult times and will provide a legacy of ongoing benefit in the future

Adam Palser Chief Executive Officer

Which pandemic will you still be worrying more about next year?

Pandemics start somewhere else and affect other people – until very suddenly they are on your doorstep and inside your business, forcing you to re-evaluate how you live and how you work. Our 2021 financial year was a tale of two pandemics, one biological and the other digital. The ensuing tug-of-war between these pandemics defined our markets:
• Covid-19 rippled across our geographic operating territories at different speeds and intensities provoking different responses from governments. We saw demand from customers ebb and flow depending on whether their industry was opening up or being placed under more restrictions
• Simultaneously, the rapid uptake of remote working drove increased cyber risk, which was exploited by “bad actors” including organised crime and state-sponsored groups. Ransomware, in particular, has now become so prevalent that no organisation can afford to ignore the risk it presents


Sustainable growth for all of our stakeholders

Every day we work for customers in pursuit of our mission: to make the world a safer and more secure place. This mission and the focus on our people are at the heart of our value proposition and how we do business. More broadly, our sustainability approach is focused on the recognised elements of environment, social and governance and our progress is outlined below:
• Environment – Building on the new and successful ways of working created by the pandemic we are engaging in conversation with our customers to explore how we can work together to reduce the impact on the environment. In addition, as our office environments come back to life, we are investing in education programmes to reduce our physical impact – from flexible working and preventing unnecessary printing, to recycling. We have also developed our new working policies and therefore will continue to review our physical office requirements to ensure we only use what we need
• Social – We continue to foster partnerships that support the development of future diverse cyber talent and encourage colleagues to give back to their local communities through schools, universities and charity partnerships, and the piloting of a giving back day in the UK. In addition, we continue to invest in developing not only our mental health first aid network and resources, but we are now looking to implement our broader wellbeing strategy, partnering again with This Can Happen. Through NCC Conversations we continue to encourage engagement from colleagues and our external stakeholders around our four focus areas of gender, LGBTQIA+, race and ethnicity and neurodiversity, adding accessibility in this coming year. These conversations alongside our performance management programme and career framework development help drive our performance culture, creating an environment where everyone is welcome and can be successful
• Governance – We continue to strengthen our governance structures. We assess and consciously decide to work with customers who align with our own values and Code of Ethics. We are currently strengthening our Supplier Code of Conduct to ensure that we enter any supplier or partner relationship with a mutual understanding of each other’s code of ethics and general business policies. In addition, we remain committed to considering the interests of all our stakeholders when making decisions on the Group’s future strategy and priorities

Year on year growth led by Assurance

Against this backdrop, Group revenues increased by 2.6% (2020: 5.2%). On a constant currency basis 2, Group revenues increased by 3.6%. In our Assurance business, the North American and EU Assurance businesses grew by 6.5% and 5.9% respectively on a local currency basis 2. Our UK and APAC region increased 3.9%, including a notable 9.6% in the second half as industries began to look forward to the easing of restrictions. In our Software Resilience division, we were delighted by the 83% increase in Escrow-as-a-Service orders which herald great promise for the future, but disappointed by an overall revenue decline of 2.4%. Attracting sufficient sales resource, retaining sales colleagues, delivering on-site work and maintaining sales momentum have all been more difficult in a fully remote working environment and we anticipate improvements in all of these factors in the next 12 months as we work to return Software Resilience to sustainable growth.

Gross profit increased by 5.9% to £110.6m (2020: £104.4m) with gross margin percentage increasing to 40.9% (2020: 39.6%). The margin increase was significantly driven by the flourishing of our global resourcing engine where skilled resources from every part of our Group can now be deployed on high value engagements, smoothing out peaks and troughs of demand or skill shortages. The gross margin was, however, offset by a c.£2m provision taken in relation to existing long-term European contracts as a result of pandemic disruption, cost increases and project management challenges.

Operating profit increased by 37.3% to £17.3m (2020: restated £12.6m 3) after the inclusion of transaction costs of £7.6m in relation to the $220m acquisition of Intellectual Property Management (IPM), the Software Resilience division of Iron Mountain and cloud configuration and customisation costs associated with the Group’s SGT transformation programme (£5.1m, 2020: restated £7.9m 3).

The Group manages its performance internally at an Adjusted operating profit 2, 3 level, with Adjusted operating profit 2, 3 increasing by 27.7% to £39.2m albeit with the benefit of a temporary reduction in travel and office usage costs of c.£3m. This information is disclosed below and reconciled to statutory operating profit. During the year, the Group has incurred £12.7m of Individually Significant Items (ISIs) (2020: restated £7.9m 3). These items relate to the acquisition of the IPM business (£7.6m) and cloud configuration and customisation costs associated with the Group’s SGT transformation programme (£5.1m, 2020: restated £7.9m 3).

| | 2021 Assurance £m | 2021 Software Resilience £m | 2021 Central and head office £m | 2021 Group £m | 2020 (restated) 3 Assurance £m | 2020 (restated) 3 Software Resilience £m | 2020 (restated) 3 Central and head office £m | 2020 (restated) 3 Group £m |
|---|---|---|---|---|---|---|---|---|
| Revenue | 233.9 | 36.6 | – | 270.5 | 226.2 | 37.5 | – | 263.7 |
| Cost of sales | (149.5) | (10.4) | – | (159.9) | (149.3) | (10.0) | – | (159.3) |
| Gross profit | 84.4 | 26.2 | – | 110.6 | 76.9 | 27.5 | – | 104.4 |
| Gross margin % | 36.1% | 71.6% | – | 40.9% | 34.0% | 73.3% | – | 39.6% |
| General administration expenses allocated | (45.4) | (9.5) | (3.2) | (58.1) | (43.9) | (10.0) | (5.0) | (58.9) |
| Adjusted EBITDA 2 | 39.0 | 16.7 | (3.2) | 52.5 | 33.0 | 17.5 | (5.0) | 45.5 |
| Depreciation and amortisation | (9.4) | (0.7) | (3.2) | (13.3) | (10.7) | (0.6) | (3.5) | (14.8) |
| Adjusted operating profit 2, 3 | 29.6 | 16.0 | (6.4) | 39.2 | 22.3 | 16.9 | (8.5) | 30.7 |
| Individually Significant Items | – | – | (12.7) | (12.7) | – | – | (7.9) | (7.9) |
| Amortisation of acquired intangibles | – | – | (6.4) | (6.4) | – | – | (8.8) | (8.8) |
| Share-based payments | – | – | (2.8) | (2.8) | – | – | (1.4) | (1.4) |
| Operating profit | 29.6 | 16.0 | (28.3) | 17.3 | 22.3 | 16.9 | (26.6) | 12.6 |


For further detail, please refer to the Chief Financial Officer’s review and Note 34 to the consolidated Financial Statements. Profit before taxation increased 54.2% to £14.8m (2020: restated £9.6m 3) and profit for the year increased 56.3% to £10.0m (2020: restated £6.4m 3) giving rise to a basic EPS of 3.6p (2020: restated 2.3p 3). Adjusted basic EPS 2 amounts to 9.5p (2020: restated 7.6p 3). In 2021, our cash conversion 2 was 88.2% (2020: restated 102.9% 3). Net cash/(debt) (including lease liabilities) 2 amounts to £48.9m (2020: net debt £42.4m).

A sustainable business model in a dynamic environment

We are fortunate to work in a sector of growing opportunity. Naturally, this opportunity attracts significant investment from many organisations leading to healthy competition for customers and talent.

The four secular growth drivers of resilience demands (as we refer to them) continue to strengthen:
• The connected environment is growing. Every year, more devices are connected to the internet to share data or offer up the possibility of remote access, and the interdependencies between organisations across geographical boundaries increase in complexity too
• Society’s reliance on the connected environment is greater than ever. The world is undergoing a digital transformation, accelerated by the pandemic. Our economies and wellbeing have never been more dependent on the safe and secure flow of data, and the continued resilience of essential services they rely on in their daily lives
• The threat is growing. Ransomware has now become endemic
• Regulatory and legislative requirements are increasing. In response to all of the above, organisations have to comply with a growing set of mandated requirements if they wish to enter or continue operating in their respective markets. This includes proposed legislation by the UK government for consumer IoT manufacturers, US President Biden implementing software supply chain security measures by Executive Order, and global financial regulators updating their rules and guidance on technology, third party technology and cloud outsourcing arrangements

[Figure: Long-term market prospects are excellent. Drivers shown: Development of the connected environment; Society’s dependence on the connected environment; Agility and pace of the threat; Regulatory environment]

In this context, we cherish our research-driven, people-centric and capex-light business model that enables us to stay at the leading edge of the dynamic cyber resilience market and create profitable, cash generative growth. Every year we enable talented individuals from our global teams to research the latest technologies, discover new system vulnerabilities and develop skills. In turn:
• The subsequent education of our customers and monetisation of our knowledge allow NCC Group to maintain its world-leading position in this ever-evolving market
• The opportunity to work with some of the best minds in the industry and to conduct research is part of our rounded colleague value proposition for technical specialists

Although the pandemic has impacted all our colleagues and customers around the world, our business has demonstrated its resilience and remains committed to securing the future for all.

2 See Note 3 for an explanation of Alternative Performance Measures (APMs) and adjusting items. Further information is also contained within the Chief Financial Officer’s Review and the Glossary of terms on pages 187 and 188.

3 See Note 34 for an explanation of the prior year restatement recognised in relation to the adoption of the IFRIC agenda decision on cloud configuration and customisation costs in April 2021. The following additional information and reconciliation is noted in relation to Adjusted operating profit due to the adoption of the IFRIC agenda decision:

| | 2021 £m | 2020 £m | Change |
|---|---|---|---|
| Adjusted operating profit (as noted above) | 39.2 | 30.7 | 27.7% |
| Proforma amortisation charge in respect of certain cloud-based software arrangements (see explanation below) | (3.0) | (1.4) | (114.3%) |
| Adjusted operating profit less a proforma amortisation charge in respect of certain cloud-based software arrangements | 36.2 | 29.3 | 23.5% |

The proforma amortisation adjustment noted above represents an estimate of the amortisation that would have been recognised had the Group not changed its accounting policy in the current year following additional clarification on the accounting in relation to the configuration and customisation costs incurred in implementing Software-as-a-Service (SaaS) arrangements in the IFRIC agenda decision issued in April 2021. The proforma amortisation charge is estimated based on cloud configuration and customisation costs charged to the income statement in the year of £5.1m (2020: £7.9m). The Directors consider that Adjusted operating profit less a proforma amortisation charge in respect of certain cloud-based software arrangements is comparable to Adjusted operating profit previously reported.


Creating value through the execution of our strategy

Over the past three years – and even through the disruption caused by Covid-19 – our confidence in the direction of our Company has grown. Our mission, vision and values have remained the same and we have created value through the relentless execution of our transformation programme, “Securing Growth Together”.

Our mission is to make the world safer and more secure.

Our vision is to be the leading cyber resilience provider globally, trusted to protect and secure our customers’ critical assets and sought after for our complete people-led, technology-enabled cyber resilience solutions that enable our customers to thrive.

Our values are work together, be brilliantly creative and embrace difference.

Our medium-term objectives are:
• For our shareholders:
  • Medium-term target of double-digit revenue growth and margin improvement for Assurance
  • Return Software Resilience to sustainable growth
  • Disciplined cash generation
• For our customers:
  • Use our unique data, capability and insight to help customers to meet their cyber resilience needs
• For our people:
  • A global hub for cyber talent
  • An inclusive environment where everyone feels safe to be authentic and which is representative of the diversity of the world in which we live

As noted at our interim results, we are now building on the strong initial foundations of our Securing Growth Together programme and have moved to the next phase of becoming the complete provider of global cyber resilience solutions, particularly by:
• Broadening our portfolio (adding services and solutions across the cyber lifecycle)
• Improving how we go to market globally (becoming easier to engage with and buy from)

At our interim results, we announced the investment of £3m into propositions that we consider critical for the future and for realising our ambition to become a complete provider of cyber resilience services, acting as a one-stop shop to meet our customers’ demand for evidence-based solutions that offer them peace of mind.

The table below describes these propositions and highlights our progress in FY21:

| Proposition | Progress |
|---|---|
| Escrow-as-a-Service (EaaS), our cloud escrow proposition | 83% increase in EaaS orders to £2.2m; weighted year end EaaS pipeline at £1.1m; notable FY21 wins include Sky, Carrefour, Christie’s, Deutsche Bank, Standard Chartered and Barclays |
| Global Managed Services (GMS) | MDR revenue growth of 14.3%; sales orders growth of 15.8% to £71.8m |
| New MDR service based on Microsoft’s Azure Sentinel platform | Launched at the end of the financial year |
| New Remediation service to develop clients’ resilience | Global rollout after successful UK launch (revenues of £2.1m with current pipeline of c.£3m) |

We will invest further in FY22 and beyond to build on these successes.

Acquisition of IPM business

The most significant investment of the year was our recent acquisition of the IPM business, which marked an exciting culmination of our financial year. We obtained shareholder approval on 1 June and completed the transaction on 7 June for $220m, subject to a normalised working capital adjustment during FY22. On this basis, the results of the IPM business will be consolidated from 1 June 2021. The acquisition was funded through an equity placing (£70.2m) in May combined with a new three year $70m term loan, existing cash balances and our revolving credit facility.

The acquisition aligns with the Group’s existing strategy and will:
• Scale up the Group’s core business to create a global business and platform for further growth
• Generate revenue synergies through allowing the enlarged division to offer NCC Group’s broader suite of established verification services as well as the newer Escrow-as-a-Service (EaaS) cloud offering to the IPM business’ existing customer base
• Present an exciting new opportunity to sell NCC Group’s cyber security services from its Assurance division into the IPM business’ broad and blue-chip customer base in the medium term
• Be accretive to earnings per share from completion, even without factoring in revenue synergies
• Result in greater strategic strength for the future

Financially and, prior to our ownership, the business generated revenues of c.£23m and operating profit of c.£15m for the 12 months ended 31 December 2020, with cash conversion of c.90%. It is expected that for NCC Group’s FY22 financial year, the business will incur c.£2.5m of one-off integration costs.

From an integration perspective, integration is on plan with all workstreams (People, Customers, Operations, Finance and IT) making good progress against objectives. The business is also supported by TSA and MSA arrangements.

From a personal perspective, it has been a pleasure to welcome our new colleagues from the IPM business. I look forward with confidence to the future as we transform our Software Resilience business into a growing, high margin global leader.
