NCC Group plc Annual Report 2022

Download our annual report and accounts for the year ended 31 May 2022

Creating value Strong platform for further growth

Annual report and accounts for the year ended 31 May 2022

NCC Group is a global cyber and software resilience business, operating across multiple sectors, geographies and technologies. As society’s dependence on the connected environment and associated technologies increases, we use our global expertise to enable organisations to assess, develop and manage their cyber resilience posture to confidently take advantage of the opportunities that sustain their business growth. Strong platform for further growth

Read more online: www.nccgroup.com

STRATEGIC REPORT 1 Highlights 2 At a glance 4

GOVERNANCE 74 Chair’s introduction to governance 77 Governance framework 78 Board of Directors 80 Executive Committee 82 B oard composition and division of responsibilities 93 Shareholder engagement 94 Audit Committee report 100 Nomination Committee report 103 C yber Security Committee report 106 R emuneration Committee report 128 Directors’ report 133 D irectors’ responsibilities statement

FINANCIAL STATEMENTS 135 Independent auditor’s report 143 C onsolidated income statement 143 Consolidated statement of comprehensive income/(loss) 144 Consolidated balance sheet 145 C onsolidated cash flow statement 147 C onsolidated statement of changes in equity 148 Company balance sheet 149 C ompany cash flow statement 150 C ompany statement of changes in equity 151 N otes to the Financial Statements ADDITIONAL INFORMATION 203 Glossary of terms – Alternative Performance Measures (APMs) 205 G lossary of terms – other terms

Our investment case Our strategic roadmap

5 6

Chair’s statement

8 Business review 12 Meet the CEO 13 Our continued Covid-19 response 14 Market outlook

16 Market dynamics 18 Business model 20 Market drivers 24 Stakeholder engagement 28 Strategy and KPIs 36 Sustainability

56 C hief Financial Officer’s review 64 P rincipal risks and uncertainties

207 Other information 208 Financial calendar

Highlights

GAAP measures

Revenue £314.8m

Operating profit 1 £34.7m

Basic EPS 1 7.4p

22

22

22

18

19

20

21

18

19

20

21

18

19

21

20

Alternative Performance Measures 1

Net (debt)/cash excluding lease liabilities 1 £(52.4)m

Adjusted operating profit 1 £48.1m

Adjusted EPS 1 10.8p

22

22

22

18

19

21

18

19

21

18

19

20

21

20

20

Footnotes 1 S ee Note 3 for an explanation of Alternative Performance Measures (APMs) and adjusting items. Further information is also contained within the Chief Financial Officer’s Review and the Glossary of terms on pages 56 to 63 and 203 and 204 respectively.

Headlines

IPM integration substantially complete with the focus to increase revenue and profitability

Strong Assurance revenue growth, with H2 revenue growth momentum

Record revenue and profits as we continue to successfully execute our strategy

Gross margin increased to 42.1% due to the impact of the IPM acquisition, offset by overall Assurance margins and a decline in our existing Software Resilience business

Software Resilience revenue excluding IPM acquisition 1 declined by 1.4%, however returned to growth in H2

Net debt excluding lease liabilities increased to £52.4m mainly due to IPM acquisition

NCC Group plc — Annual report and accounts for the year ended 31 May 2022

1

At a glance

What we do

NCC Group is a global cyber and software resilience business operating across multiple sectors, geographies and technologies. As society’s dependence on the connected environment and associated technologies increases, we use our global expertise to enable organisations to assess, manage and develop their cyber resilience posture to confidently take advantage of the opportunities that sustain their business growth. This includes:

Getting the basics of cyber hygiene correct

Knowing what and how to prioritise

Mitigating the scarcity of skilled resources needed to deliver quality improvement, change and operations

Getting ahead and responding to increasing compliance, regulatory and legislative burden

Quantifying cyber spend efficiency and return on investment

Our divisions Across our two divisions, we deliver solutions to match our customers’ goals, budgets and risk appetite, giving them peace of mind that their most important assets – their business, software and personal data – are safe and secure.

Assurance

Software Resilience

We demystify cyber for our customers, and ensure: • Our customers understand the cyber threats and vulnerabilities across their technology environments, supply chains, processes and products • Our customers maintain their licence to do business, having achieved their governance, compliance and accreditation objectives in a changing regulatory environment • Our customers’ resilience against ever-increasing cyber threats is materially improved because of implementing remediation plans and solutions • Our customers can reduce risk and achieve greater resilience for less investment • Our customers can outsource their cyber defence operations and increase their confidence in detecting and responding to cyber events

We protect the development, supply and use of business critical technology and software applications: • Our services ensure buyers are safeguarded from supplier failure, software vulnerabilities and unforeseen technology disruption • Our on-premise and cloud offering can demonstrate robust business continuity and risk mitigation, and suppliers benefit from enhanced credibility and intellectual property rights protection • Our escrow contract services secure the long-term availability of business critical software data and applications • Our verification services assure customers that the knowledge and guidance are readily available to manage, maintain or recreate an application from the original source, should it ever be needed • Our cloud Escrow-as-a-Service (EaaS) offering helps customers transition to the cloud securely, so they can adopt the latest technology with confidence

Read more on our markets on pages 14 to 17

Read more on our markets on pages 14 to 17

2

NCC Group plc — Annual report and accounts for the year ended 31 May 2022

Where we operate

We operate as one global business, with in-country delivery tailored to local needs and cultures, as well as a powerful global delivery team to respond quickly to our customers’ challenges. We have a significant market presence in the UK, Europe and North America, and a growing footprint in Asia Pacific with offices in Australia, Japan and Singapore.

Key:

Our offices

Assurance revenue 73+23+4+0+M £258.5m

(2021: £233.9m) 67+33+M £56.3m (2021: £36.6m)

Group revenues

Software Resilience revenue

UK and Asia Pacific £140.0m (2021: £127.9m)

North America £120.9m (2021: £90.0m) Europe £53.9m (2021: £52.6m)

Global Professional Services £189.0m (2021: £172.2m) Global Managed Services £58.6m (2021: £56.2m) Products £10.9m (2021: £5.5m)

Software Resilience contracts £38.1m (2021: £24.0m) Verification services £18.2m (2021: £12.6m)

Read more on our markets on pages 14 to 17

NCC Group plc — Annual report and accounts for the year ended 31 May 2022

3

Our investment case

Focused on our growth agenda, we are well positioned for further growth, regardless of any near-term volatility.

Building on the momentum in our global markets, we are confident in our ability to create long-term value for our customers, colleagues and shareholders.

Excellent growth prospects in the cyber market • The cyber challenges faced by organisations will continue to grow for the foreseeable future. They are too nuanced and complicated to be addressed by just installing technology; cyber services firms have a great future: assessing the current threats and resilience posture of organisations, delivering quantifiable improvement in resilience and outsourcing risk through managed services. • The runway for cyber security investment remains significant, moving towards becoming a larger, more recurring, perhaps even mandated, form of spend. Opinium research across more than 1,300 cyber security decision makers in APAC, Europe and North America confirms an expected 10.1% increase in global cyber budgets in 2023 and beyond. Expected 10.1% increase in global cyber security budgets in 2023 Momentum in profitable revenue growth • Weathering attrition and wage inflation, we demonstrate our ability to move rapidly to grow our core, capture new market opportunities and deliver scalable, non-linear growth that allows us to price for the value our customers see from working with us. 16.4% Revenue growth following the acquisition of IPM 42.1% Gross margin £34.7m Operating profit 2.1% Delivered day rate growth

World-leading capability in cyber • With four generations, from baby boomers to Gen Z, working side by side, our global headcount has grown by 24% in the last two years. We have over 700 consultants in our Professional Services business, and nearly 400 in our Managed Services business. • We are a respected hub for diverse cyber talent. Many of our alumni now work for remarkable organisations all around the world. • Our global resourcing means we match skills to demand anywhere in the world – giving us scalability and margin improvements amidst global competition for talent. 47% Global cross charged days increase Trusted by enviable customers globally • The trust and calibre of our customers – from technology giants on the US West Coast, to financial firms and government institutions in Europe – validate our track record in the global cyber market. Seven of our top ten customers in FY21 were also seven of our top ten customers in FY22 Real impact on the future of our industry and the shape of our markets • The Forrester Wave™: European Cybersecurity Consulting Providers, Q3 2021 report celebrates our approach to research as a differentiator in the marketplace. This has included work on the security and privacy of vaccine passports, and the bluetooth keys for modern vehicles like Tesla. • Our strategic threat intelligence helps over 800 customers in 12 industry sectors, particularly finance, industrials and technology, to stay ahead of evolving threats like ransomware. 30% of our threat detection is based on our own research. • We are represented on the Open Source Security Foundation Governing Board, a member of the UK Department for Digital, Culture, Media and Sport Secure Connected Places External Advisory Group and part of a £11.6m consortium to offer security advice on a blueprint for secure Quantum Data Centres. • As a result of our evidence-based engagement, regulators across three continents looking after more than 2,000 financial institutions now recognise software, technology and data escrow agreements as a viable means of managing third party technology risk.

Stand-out cash generative ability £54.8m Net cash generated from operating activities

101.9% Cash conversion 1

NCC’s research capability has made demonstrable improvements in security beyond its direct work on client projects. ”

1 S ee Note 3 for an explanation of Alternative Performance Measures (APMs) and adjusting items. Further information is also contained within the Chief Financial Officer’s Review and the Glossary of terms on pages 56 to 63 and 203 and 204 respectively.

4

NCC Group plc — Annual report and accounts for the year ended 31 May 2022

Our strategic roadmap

Our connected society presents a world of opportunity It is essential for us all to proactively manage any risk to our safety and security. Our mission is to help organisations to do this by keeping their personal data, and the technology and devices they use, as well as the critical assets and software they rely on, safe and secure. It’s what drives our strategic roadmap:

Mission

Vision

To be the leading cyber resilience provider globally. Trusted to protect and secure our customers’ critical assets. Sought after for our complete people-led, technology-enabled cyber and software resilience solutions that enable our customers to thrive.

We exist to make the world safe and more secure.

Creating growth through transformation

We don’t stand still – we continually evolve and grow through our disciplined transformation programme. As our business grows, organically and through acquisition, we focus on creating value for our stakeholders, as one firm, focused on our mission and vision. Our five focus areas are:

Lead the market

Win business

Deliver excellence

Support growth

Develop our people

Read more on our strategy and KPIs on pages 28 to 35

Creating value for our customers

Cyber threats are pervasive, complicated and rapidly changing and there’s no such thing as a “silver bullet”. We help our customers navigate through the complexity of cyber risks. Through our global research capability, threat intelligence, technical expertise and full suite of services we guide customers through the risks to achieve cyber resilience.

Assess the cyber risk

Develop their cyber maturity

Manage their cyber operation

Read more on our business model on pages 18 and 19

Our Code of Ethics and values

We are guided by our Code of Ethics – treating everyone and everything with respect. We have a set of values and behaviours, which help us make decisions without the need for a comprehensive instruction manual:

We work together

We are brilliantly creative

We embrace difference We take responsibility

Read more on our culture on pages 47 to 49

NCC Group plc — Annual report and accounts for the year ended 31 May 2022

5

Chair’s statement

Strong platform for further growth

Introduction I am pleased to report another year of strong progress in which NCC Group capitalised on accelerating demand throughout the year to achieve record revenue and profits. NCC Group’s vision is to be the leading cyber resilience provider globally, and we have put in place the fundamentals that enable our Group to achieve this vision. We have enhanced our delivery capabilities, attracted brilliant people at scale and embedded an inclusive culture across the Group, all enabling the strong growth delivered in the year. Assurance’s successful year was driven by our performance in the US and UK, supported by Software Resilience’s return to growth in the second half, as compared to the prior year second half. The integration of IPM is substantially complete and the business has already made a positive contribution to the Software Resilience division’s performance, with a healthy pipeline heading into the new financial year. With our strong platform established and continued momentum in the market our newly appointed CEO Mike Maddison has joined the Group at an exciting time. Mike brings a tremendous amount of energy, experience and industry insight to the CEO role and we look forward to seeing the Group deliver the next phase of growth under his leadership. The cyber security market is only travelling in one direction, and we believe we are well positioned to capture the opportunities that this creates, making the world safer and more secure. See Q&A with Mike Maddison on page 12 Business performance Overall, following the acquisition of IPM, the Group delivered revenue growth of 16.4% (2021: 2.6%), growth in Adjusted EBITDA 1 of 12.8% to £59.2m (2021: £52.5m) and Adjusted operating profit 1 growth of 22.7% to £48.1m (2021: £39.2m). On a statutory basis, operating profit increased by 100.6% to £34.7m (2021: £17.3m) and profit before taxation increased 109.5% to £31.0m (2021: £14.8m), giving rise to a statutory EPS of 7.4p (2021: 3.6p) and Adjusted basic EPS 1 of 10.8p (2021: 9.5p) respectively. At 31 May 2022, our cash conversion 1 was 101.9% (2021: 88.2%). Net debt 1 amounted to £85.0m (2021: net cash of £48.9m). Net debt (excluding lease liabilities) 1 amounted to £52.4m (2021: net cash £83.3m). Total borrowings (including lease liabilities) offset by cash and cash equivalents amounted to £85.0m (2021: net cash £48.9m). Our business performance can be found in more detail on pages 8 to 11 Strategy and sustainable business model Our strategy, mission and vision remain unchanged, and as we continue to successfully execute our strategy, our global delivery model, strong customer relationships and insight-led development of our resilience propositions create the strong platform for the next phase of NCC Group’s growth. Further details on our strategy and business model are provided on pages 28 to 35 and 18 and 19 respectively

The cyber security market is only travelling in one direction, and we believe we are well positioned to capture the opportunities that this creates, making the world safer and more secure. ”

Chris Stone Non-Executive Chair

2021/22 key activities • Focusing on double-digit sustainable sales growth • Managing the successful IPM integration • Improving the diversity around our Board table and in the executive team and completing successful searches for a new CEO and independent Non-Executive Directors • Continuing focus on relevant stakeholder engagement • Evolving our sustainability agenda 2022/23 priorities • Continued revenue growth through strong customer relationships, evolving resilience propositions and increased delivered day rates • Finalisation of the full operational review of the combined Software Resilience division to create additional Group contribution from FY24 • Return to face-to-face and hybrid alongside virtual ways of working

6

• Launching our Customer Insight Space programme to provide monthly pragmatic cyber advice for senior executives • Shareholder engagement throughout the IPM acquisition and change in CEO • Effective engagement with Members of Parliament and Peers on the Computer Misuse Act Further details on stakeholder engagement are provided on pages 24 to 27 Colleagues We are a people-centric business and our technical colleagues are at the core of our customer offer, supported by agile sales and professional functions. We seek to provide meaningful and rewarding career paths for all our colleagues. Following our colleague engagement survey, we will continue to create a great place to work and focus on becoming the employer of choice in our markets. We are also embracing more flexible ways of working and intend to continue with that flexibility as we anticipate returning to a hybrid office/remote way of working. In addition, through our colleague resource groups we create conversations inherent to an inclusive culture, and focus on making NCC Group an organisation where everybody feels safe to be their authentic selves. Further details on this are provided on pages 47 to 54 On behalf of the Board, I therefore offer our sincere thanks and appreciation to all colleagues for their continued commitment and professionalism in delivering this performance. Sustainability NCC Group recognises the importance of an environmental, social and governance (ESG) framework that underpins our operations as a key indicator of the Group’s sustainability and ethical impact. The Group has developed an ESG framework, which continues to evolve, and has been reflected in our 2022 Sustainalytics rating moving from the Medium Risk category to the Low Risk category, compared to the 2021 rating. We have also partnered with Planet Mark this year to map NCC Group’s net zero by 2050 journey and certify our carbon footprint. In addition to this, we are reporting for the first time against the Task Force on Climate-Related Financial Disclosures (TCFD) framework, and laid the foundations for launching our first green car salary sacrifice scheme for all UK colleagues in this new financial year. We have continued to invest in our colleague resource groups and to expand our sponsorship activities to support making a career in cyber accessible for all. Further details on sustainability are provided on pages 36 to 55 Outlook • We have made a positive start to the year and are confident in meeting management expectations for the full year. • CEO strategy update to be unveiled at half year results. • Unchanged final dividend of 3.15p (2021: 3.15p) per ordinary share.

Dividend We are recommending an unchanged final dividend of 3.15p (2021: 3.15p) per ordinary share, making a total for the year of 4.65p (2021: 4.65p). The final dividend of approximately £9.8m will be paid on 11 November 2022, to shareholders on the register at the close of business on 14 October 2022. The ex-dividend date is 13 October 2022. Board governance and effectiveness As Chair, I am responsible for providing leadership to ensure the Board operates effectively in all aspects of its performance. We have established an experienced Board, which actively oversees the Group’s strategic development, monitors the delivery of its business objectives and considers risks and mitigating actions. Our performance and decisions made during the year are testament to the Board’s effectiveness. Further information on risk management and the key risk identification procedures is set out on pages 64 to 72 Board and executive management composition During the year, we made strides to improve the diversity around our Board table and in the executive management team and completed successful searches for a new CEO and independent Non-Executive Directors. • On 1 January 2022, Julie Chakraverty was appointed as a new independent Non-Executive Director and became a member of NCC Group’s Audit, Cyber Security, Nomination and Remuneration Committees. • On 27 January 2022, Jonathan Brooks, our independent Non-Executive Director, retired and stepped down from the Board, with Jennifer Duvalier taking on the role of Chair of the Remuneration Committee and, in turn, Julie Chakraverty taking on the role of designated Non-Executive Director to lead the Board’s colleague engagement programme (taking over from Jennifer). • On 17 June 2022, Adam Palser, Chief Executive Officer, stepped down from the Board and Mike Maddison joined us on 7 July 2022 as our new Chief Executive Officer. I assumed the role of Executive Chair for this three week period, before reverting back to my usual role of Non-Executive Chair. • On 1 September 2022, Lynn Fordham was appointed as a new independent Non-Executive Director and became a member of NCC Group’s Audit, Cyber Security, Nomination and Remuneration Committees. Further details on our Board composition are provided on pages 82 to 92 Further details on our executive management composition are provided on pages 80 and 81 Stakeholder engagement Successful stakeholder engagement is a key area of focus for NCC Group. During the year, we have engaged with our customers, our colleagues, our industry network and our shareholders. Certain highlights include: • New monthly team briefings as a way of consistently sharing information with our colleagues and connecting them to what is happening across our global business • Design and launch of a new global Giving Back programme that enables colleagues to match fund and take a day’s paid leave to volunteer for local good causes

Chris Stone Non-Executive Chair 6 September 2022

1 S ee Note 3 for an explanation of Alternative Performance Measures (APMs) and adjusting items. Further information is also contained within the Chief Financial Officer’s Review and the Glossary of terms on pages 56 to 63 and 203 and 204 respectively.

NCC Group plc — Annual report and accounts for the year ended 31 May 2022

7

Business review

Strong momentum

A strong performance built on investment in talent The year started slowly. Different markets exited the pandemic at different rates and times. There was still a sense of uncertainty from customers around the world, which saw many project delays during the first quarter. But this position reversed throughout the year, and we accelerated our delivery in tandem with demand peaking in the final quarter. We were able to capitalise on this increased demand because we had brought more talented colleagues into the business ahead of the bounce back – a deliberate decision based on the belief that cyber security spend would significantly increase once the world returned to some level of normality. The digital risk has only increased, ransomware is endemic, and we’ve seen a shift in mindset, driven by regulations and also the emerging ESG agenda, that cyber resilience is not optional but essential for sustainable and responsible business growth. It was simply a matter of time. Over 12 months we welcomed c.1,000 new people into the business. While our technical attrition rate remains at a level typical of our industry at c.21%, our global technical team grew by 271. The fight for talent has been incredibly fierce, but we have been able to attract brilliant people at scale. This shows the strength of our employer brand and the steps we’ve taken to improve the colleague experience. But this wasn’t simply about taking talent from the competition. We understand and embrace our role and position in the cyber security industry. We are a creator of talent. Our mission is to make the world safer and more secure, and part of that means helping to solve the cyber skills shortage. It’s why we continue to develop talent from the ground up and bring people into the industry from different walks of life and backgrounds and with different skill sets. This approach not only grows the overall cyber talent pool but ensures our team better reflects the diversity of all our global communities. Our impact on talent in the industry can be seen through our NCC Group alumni. We are proud that they hold cyber security roles in leading businesses across the globe. And this year we launched our Alumni Network to maintain those connections and ensure an ongoing dialogue with those we are proud to have developed and supported in their cyber careers.

This was a year of continued progress for our delivery capabilities, our culture, our commitment to sustainability and our ability to attract, develop and retain the best talent from across the globe. In doing so, creating greater value for our customers – from embracing cloud transformation to improving their overall security posture, we are operating at various points of the customers’ value chains, from design to end users. It was a year where the decisions previously taken by the business showed their value. Those decisions centring around a global delivery model, investment in systems, continued development of our resilience propositions and the acquisition of IPM enabled the Group to deliver strong revenue growth of 17.9% at constant currency 1 (16.4% at actual rates) and 10.3% at constant currency 1 on an organic basis (revenue excluding IPM acquisition) (+8.9% actual rates), with a strong platform for continued double-digit revenue growth in FY23. While there remain challenges to overcome, the Group has never been better positioned to realise its vision – to be the leading cyber resilience provider globally. We have created strong foundations and momentum, evidenced by the c.15% growth we saw in the second half of the financial year for Assurance and c.2% growth for Software Resilience. This propelled us forward and we enter this next phase of NCC Group’s growth story with our new CEO, Mike Maddison. We are excited for the future of NCC Group.

1 S ee Note 3 for an explanation of Alternative Performance Measures (APMs) and adjusting items. Further information is also contained within the Chief Financial Officer’s Review and the Glossary of terms on pages 56 to 63 and 203 and 204 respectively. 2 T he EU region includes our Dutch and Danish business. During FY23, the Danish business will be reported and managed under the UK and APAC division.

8

Responding to customer need We continued to refine our services based on customer need, contributing to a successful year in our Assurance division – particularly in North America and the UK, with total Assurance revenue growth of +12.1% at constant currency 1 (+10.5% at actual rates). Our decision to create a global professional services function, with investment in our systems to enable collaboration, has meant customers can access our expertise more readily, utilising our global talent base over and above just the team in their market. Global cross charged days increased 47%. This has been transformational, both in terms of customer experience and our capacity to handle increased customer demand rapidly. It is a prime example of our growing capability to truly operate as one global firm – to the benefit of our customers. In managed services, our newest offering using Microsoft Extended Detection and Response (XDR) has shown significant promise. We have the ability to quickly and simply offer 24/7 managed detection and response (MDR) to businesses with a Microsoft infrastructure – no matter where they are in the world. This has, in a sense, democratised MDR and made it a more natural purchasing decision. With so much of the market still untapped there is opportunity to scale further. In addition, NCC’s Microsoft Cloud Business has shown growth over the last twelve months, resulting in significant Azure Consumed Revenue (ACR) being driven back to Microsoft. This ongoing partnership goes from strength to strength, with NCC also embedded in the Microsoft Intelligent Security Association, and with a nomination for the Microsoft MSSP Program. NCC is now recognised as one of Microsoft UK’s fastest growing Cloud Security Partners and we are looking forward to extending that into Europe, North America & Asia-Pacific. In our Software Resilience division, the acquisition of IPM at the start of the financial year led to increased scale. The integration is substantially complete, and our new colleagues have added to the brilliant talent already present in the team. We have seen appetite from the IPM client base for our Escrow-as-a-Service (EaaS) cloud escrow proposition, with a healthy pipeline moving into FY23. Financial performance summary Group revenues increased by 17.9% on a constant currency basis 1 and at 16.4% (2021: 2.6%) at actual rates. Group revenues excluding the recent IPM acquisition 1 increased by 10.3% on a constancy currency basis 1 , 8.9% at actual rates. In our Assurance business, the North American and UK and APAC Assurance businesses grew on a constant currency basis 1 by 14.6% and 11.8% respectively (13.8% and 11.6% at actual rates) and our EU region 2 increased 8.0% on a constant currency basis 1 (2.7% at actual rates). Global Professional Services grew by 11.0% to £189.0m on a constant currency basis 1 (9.8% at actual rates) with delivered day rates increasing by 2.1% (H2 delivered day rates increased by 3.5%). Global Managed Services (GMS) grew by 6.7% to £58.6m on a constant currency basis 1 (4.3% at actual rates).

Within GMS, our new XDR service global sales orders for the forthcoming years increased twelvefold to £11.6m. The Group has received continued strong sales orders since the year end providing confidence in our future growth strategy. Remediation services are generating market traction, with 2022 revenues of £4.5m compared to £2.1m in 2021. In our Software Resilience division, we completed in June 2021 the acquisition of IPM, which contributed £20.2m to revenue, delivering an overall growth in the division of 55.1% on a constant currency 1 basis (53.8% at actual rates). Our overall Software Resilience division results excluding IPM showed a decline in revenues for the first half of 3.3% on a constant currency 1 basis (4.9% at actual rates); however, as expected our second half revenue increased by 2.2% on a constant currency 1 basis (2.2% at actual rates) resulting in an overall decline of 1.4% for the year. Our Escrow-as-a-Service (EaaS), our cloud escrow proposition, generated sale orders of £3.4m, an increase of 64% compared to the same period last year. Gross profit increased by 19.9% to £132.6m (2021: £110.6m) with gross margin percentage increasing to 42.1% (2021: 40.9%). The margin increase was due to the impact of the IPM acquisition, offset by overall Assurance margins declining by 0.4% pts as we focused on sales growth and a decline in our existing Software Resilience business by 3.2% pts following recent investment to return it to sustainable growth. Turning to our statutory operating profit and taking into account all adjusting items (£13.4m), the Group has recognised an overall operating profit of £34.7m. However, as the Group manages its performance internally at an Adjusted operating profit 1 level, Adjusted operating profit 1 increased by 22.7% to £48.1m (2021: £39.2m). Profit before taxation increased 109.5% to £31.0m (2021: £14.8m) and profit for the year increased 130.0% to £23.0m giving rise to a basic EPS of 7.4p (2021: 3.6p); Adjusted basic EPS amounts to 10.8p (2021: 9.5p). At 31 May 2022, our cash conversion 1 was 101.9% (2021: 88.2%). Net debt 1 amounts to £85.0m (2021: net cash of £48.9m). Net debt excluding lease liabilities 1 amounts to £52.4m (2021: net cash £83.3m). Total borrowings (including lease liabilities) offset by cash and cash equivalents amounts to £85.0m (2021: net cash £48.9m).

NCC Group plc — Annual report and accounts for the year ended 31 May 2022

9

Business review continued

Financial performance summary continued Following the acquisition of IPM, goodwill and intangible assets were recognised amounting to £68.6m and £92.6m respectively. Management is required to recognise all assets and liabilities at fair value, giving rise to a fair value adjustment on the level of deferred revenue acquired of £12.1m. This has resulted in a downward adjustment to the book value of IPM’s deferred revenues reflecting the fair value of service still to be delivered. If the fair value adjustment had not applied, revenue would be £4.4m higher for the 12 months ended 31 May 2022. On this basis, management has set out below unaudited proforma information to show the consequential impact on the Group results for the year ended 31 May 2022. This unaudited proforma information will not be applicable for 2023 and forthcoming financial years. It is consistent with the way that financial performance is measured by management and reported to the Board, the basis of financial measures for senior management’s compensation schemes and financial covenants. We consider these proforma measures reflect the potential revenue performance of the Group once a full 12 month period has been completed post acquisition and this information is relevant for use by investors, securities analysts and other interested parties as supplemental measures of future potential revenue performance. In the future periods there would also be some associated costs and therefore impact on future gross margin and other metrics. However, since statutory measures can differ significantly from the proforma measures we encourage you to consider these figures together with statutory reporting measures noted. This information is disclosed below and reconciled to profit after taxation:

2022

2022 unaudited proforma 4

2021

Central and head office £m

Software Resilience revenue adjustment £m

Central and head office £m

Group unaudited proforma £m

Software Resilience £m

Software Resilience £m

Assurance £m

Group £m

Assurance £m

Group £m

Revenue

258.5 56.3

– 314.8 – (182.2)

4.4

319.2

233.9 36.6

– 270.5 – (159.9)

(166.2)

(16.0)

– (182.2)

Cost of sales

(149.5)

(10.4)

Gross profit

92.3 40.3

– 132.6

4.4

137.0

84.4 26.2

– 110.6

35.7% 71.6% – 42.1% 100.0% 42.9%

Gross margin %

36.1% 71.6% – 40.9%

(53.2)

(17.5)

(2.7)

(73.4)

(73.4)

Administrative expenses 2

(45.4)

(9.5)

(3.2)

(58.1)

39.1 22.8 (2.7)

59.2

4.4

63.6

Adjusted EBITDA 1

39.0 16.7 (3.2)

52.5

(7.2)

(0.8)

(3.1)

(11.1)

(11.1)

Depreciation and amortisation 3 Adjusted operating profit 1 Adjusted operating margin % Individually Significant Items

(9.4)

(0.7)

(3.2)

(13.3)

31.9 22.0 (5.8)

48.1

4.4

52.5

29.6 16.0 (6.4)

39.2

12.3% 39.1% n/a 15.3% 100.0% 16.4%

12.7% 43.7% n/a 14.5%

– (0.9)

(0.9)

(0.9)

– (7.6)

(5.1)

(12.7)

Amortisation of acquired intangibles Share-based payments

(0.9) (2.1)

(4.8) (0.3)

(2.9) (1.5)

(8.6) (3.9)

– –

(8.6) (3.9)

(1.3) (1.5)

– (5.1)

(6.4) (2.8)

(0.1)

(1.2)

Operating profit/(loss)

28.9 16.0 (10.2)

34.7

4.4

39.1

26.8

8.3 (17.8)

17.3

11.2% 28.5% n/a 11.0% 100.0% 12.2%

Operating margin %

11.5% 22.7% n/a 6.4%

(3.7)

(3.7)

Finance costs

(2.5)

Profit before taxation

31.0

4.4

35.4

14.8

(8.0)

(1.1)

(9.1)

Taxation

(4.8)

Profit after taxation

23.0

3.3

26.3

10.0

EPS Basic EPS

7.4p

1.1p

8.5p

3.6p 9.5p

10.8p

1.1p 11.9p

Adjusted EPS

Footnotes 1 S ee Note 3 for an explanation of Alternative Performance Measures (APMs) and adjusting items. Further information is also contained within the Chief Financial Officer’s Review and the Glossary of terms. 2 Administrative expenses excluding depreciation and amortisation, Individually Significant Items, amortisation of acquired intangibles and share-based payments. 3 Depreciation and amortisation excludes amortisation of acquired intangibles. 4 This represents unaudited proforma results. Securing Growth Together (SGT) Over the last three years the business has implemented the SGT programme which has now finished and has provided the foundations for future growth and the systems to allow timely information and control. As previously noted, the programme incurred cost overruns and the Group is now focused on the next phase of system optimisation to support future revenue growth and profitability.

10

NCC Group plc — Annual report and accounts for the year ended 31 May 2022

Helping build a more sustainable world Sustainability moved higher up our agenda with Executive responsibility appointed at the start of the financial year. It is fundamental to our mission of making the world safer and more secure. We have continued to follow the recognised framework of ESG, and this year made material progress in each area. Environmental: We partnered with Planet Mark this year and are driving forward a top-down engagement programme to map NCC Group’s net zero by 2050 journey. In addition to this, we’re reporting for the first time against the Task Force on Climate-Related Financial Disclosures (TCFD) framework, and we laid the foundations for launching our first green car salary sacrifice scheme for all UK colleagues in FY23. Social: We’ve continued to invest in our colleague resource groups, with two new groups being formed to support accessibility and giving something back. And we’ve continued to expand our sponsorship activities to support making a career in cyber accessible for all. Governance: While our focus has been reporting against TCFD for our own business, we have been, through our public affairs team, looking ahead at cyber resilience related regulations that may impact our customers, and looking at our how we design solutions to meet those future needs. Recognition of our efforts in this executive-led focus was reflected in our 2022 Sustainalytics rating moving from the Medium Risk category to the Low Risk category, compared to the 2021 rating.

Sustainable growth through investment in resilience This was a year that brought into sharp focus why resilience is, and will continue to be, so central to our organisation. For our customers, it’s driven by the macro environment. Investing in cyber resilience is the only way to adapt to society’s increasing dependence on a complex connected environment. The threat landscape has never been more challenging. But we have continued to refine our offer to provide organisations around the world with a level of resilience that helps them face that threat and move forward with confidence. This was a year that really showed the significant value of having built a resilient team: a team that has successfully adapted to a constantly changing external environment; a team that has reacted admirably to significant change over this financial year – and in previous years – as we put the fundamentals in place to enable NCC Group to achieve its vision; and a team that is more inclusive, open and diverse than ever before, and therefore better able to handle the challenges we face each day. We are not complacent about the work still to do on all fronts; however, we are confident that with our track record and focus on resilience, we provide the platform for continued sustainable growth to create value for all our stakeholders.

Chris Stone Non-Executive Chair 6 September 2022

11

Chief Executive Officer’s review continued Meet the CEO

Mike Maddison joined NCC Group as CEO on 7 July 2022, taking over from Adam Palser, who stepped down on 17 June 2022 after four and a half years at the helm. As Mike prepares to lead NCC Group on this next phase, in this Q&A we find out a bit more about Mike and his ambition for the future. Q A & with Mike Maddison Q What first attracted you to NCC Group? NCC Group has a long pedigree of technical excellence. For me it is a real jewel in the crown of the global technology industry. Cyber resilience is the defining risk of the digital age and NCC Group is well placed to play a pivotal role to help clients, whether in the private or public sector, to navigate that risk and help them capitalise on the opportunities of the digital world. The attraction for me was therefore to work with colleagues to deliver amazing outcomes for our clients. Q What are your priorities as you settle into your new role? My initial priorities are to engage with colleagues to learn about the business. I am also very keen to listen to our clients to understand their needs and expectations so we can build on the excellent reputation the Company has and develop strategies to build capability to deliver sustainable growth in the market. Q What are you most excited about for the year ahead? It’s incredibly difficult to pick out a few things I am most excited about. I am expecting the year to go incredibly quickly as I get to meet teams across the business operating in diverse markets for a huge variety of clients. Despite knowing the cyber resilience industry I am very much looking forward to getting to see the sort of work we are doing in the market as I am sure that will be a revelation.

Q What lessons do you think organisations can learn from the pandemic? The pandemic has accelerated the digital transformation agenda in both the public and private sector. The use of technology is moving at an ever-increasing pace and one of the implications of this is the profile of cyber risks. This digital risk is consistently seen as one of the top risks by corporate CEOs and governments and that is a significant opportunity for NCC Group. I think it is also important to reflect on the change the pandemic brought to our ways of working, the role of the office and indeed the expectations from our clients on how they are supported and how work is delivered. Finally, I would say the pandemic was difficult for many of us and brought into sharp relief the need for balance in our lives and the importance of wellbeing. Q How would you describe your leadership style? It’s always difficult to boil leadership down into a short summary. I would say by nature and background I believe fundamentally in teamwork and collaboration. I really enjoy whiteboarding problems and coming up with the answer. Personal interactions and relationships are incredibly important to me. Q What do you do to invest in your own wellbeing in what is a demanding job? I make a conscious effort to break from work and spend time with my family. I have two grown-up children who are working away so finding those opportunities for us all to come together to have quality time is incredibly important. I find this helps me recharge and get some perspective. It’s a cliché but it is all too easy to get caught up in the day to day and not be able to see the wood for the trees.

12

NCC Group plc — Annual report and accounts for the year ended 31 May 2022

Our continued Covid-19 response

Secure growth in the pandemic

Anticipate

Be resilient

Our priorities since the start of the pandemic are colleague welfare and customer safety and we have successfully managed our business through another year of uncertainty. We have two clear objectives that guide our actions: • Maintain a strong balance

Objective Plan for different outcomes and track KPIs to inform our decision making How we responded • Scenario planning • Contingency plans with different levels of response • Data-led insights from our new systems • Regular communication

Objective Ensure the safety of our colleagues and customers, and maintain continuous operations How we responded • Global systems to ensure colleagues delivering customer work were supported to do so remotely • Managed safe return to offices and provision for critical need operations on site where it was safe and permitted to do so • Provided colleagues with wellbeing and mental health resources to support longer-term remote working

sheet to ensure we can seize opportunities to secure future growth

• Maintain the capacity and capability to meet future demand We work towards these objectives using five strategic pillars:

Stay profitable

Exploit any downtime

Prepare for the bounce back

Objective Proactively sell remote services, and careful control of costs and cash

Objective Strengthen the firm every day through research and development How we responded • Invested 4,841 days on technical security research, which contributed significantly to conference presentations, vulnerability advisories, research papers, blog posts and open‑source tools being released • Launch of our new innovation delivery centre, which is focused on bringing future cyber and software resilience solutions to market, quickly and efficiently

Objective Preserve capability and capacity to invest selectively for the future How we responded • Acquisition of IPM Software Resilience business, to provide increased scale • Acquisition of critical computer system safety advisory business, Adelard, to provide enhanced capability into the operational technology and industrial control systems space • Extended our Next Generation Talent programme into North America • Increased investment into our Remediation and Microsoft XDR service offerings with the appointments of new Commercial Directors for each proposition

How we responded • The majority of our services can be delivered remotely

• Provided advice and guidance to customers with practical solutions to protect their operations • Continued to invest in our service offerings to support short-term and longer-term needs in preparing for the emerging future

NCC Group plc — Annual report and accounts for the year ended 31 May 2022

13

Market outlook

Market outlook

It’s easy to see why NCC Group’s cyber security consulting and software resilience solutions should find plenty of opportunities to mitigate the risks of global businesses. ”

Damindu Jayaweera Head of Technology Research at Peel Hunt

Recent years have brought about disruption on a scale that felt greater than those of the 1970s. For example, at the start of the Covid-19 pandemic, Microsoft CEO Satya Nadella talked about how “we have seen two years’ worth of digital transformation in two months.” While the initial boost will create a difficult comparator for delivering growth this year, the pandemic-induced “new normal” for technology investment, including that related to cyber security, is unlikely to go back to pre-pandemic levels. For example, quarterly cloud services spend grew by c.$14bn in the two years to 1Q20. It then went on to grow by $25bn in the two subsequent years to 1Q22. With significant digital gaps still weighing on user, colleague and citizen experiences across public and private sectors, we think the runway for technology, including cyber security, investment remains significant. As an example, cyber security modus operandi in the private sector, we believe, lags that of the public sector. Techniques and technologies that can overcome this gap, for example machine learning powered attack simulations, remain firmly in the “peak of inflated expectations” phase of the “hype-curve”. Over the coming periods, such techniques and technologies will move to the “plateau of productivity”, providing growth tailwinds to the companies that are involved in the domain. Cyber security spend will move towards becoming a larger, more recurring, perhaps even mandated, form of spend. While long-term opportunities are unperturbed, the fall-out from near-term disruptors like inflation presents more nuanced opportunities. This year, monetary policy pivoted from thinking of inflation as “transitory” to something that needs containment. This was all too late for containing some asset bubbles like those in the cryptocurrency world and unrest seen in places like Sri Lanka. Arguably this is also too late to contain some of the rampant wage inflation we are seeing in the technology sector.

History, as they say, rhymes. The 1970s, for example, are remembered for disruptive events. Yet, the rise of “progressivism” in the West that shifted the status quo, rampant inflation that triggered a deep recession and events that redrew the geopolitical landscape did not get in the way of the economic and technological progress of that decade. In fact, innovations across video games (e.g. Atari Pong), communication (e.g. ARPANET email and Motorola cell phone), storage (e.g. IBM floppy disk), content distribution (e.g. Philips VCR and Sony Walkman) and computing (e.g. Apple computer) during the 1970s are still powering the structural growth trajectories that we see today. If we assume the S&P 500 Index is a reflection of economic progress, the chart below should remind us why great companies like NCC Group should remain focused on their growth agenda, whatever the near-term volatility is.

Chart 1: Rise of the S&P 500 Index over the long term through geopolitical shocks Source: Peel Hunt

S&P 500 Index levels

Russia invades Crimea

6,400

London bombings

Arab Spring

3,200

Second Gulf War

1,600

First Gulf War

Brexit

800

Iran-Contra affair

9/11

US–China trade war

400

Orange Revolution – Ukraine

Iran hostage crisis

200

Iraq invades Kuwait

100

50

1975

1980

1985

1990

1995

2000

2005

2010

2015

2020

14

NCC Group plc — Annual report and accounts for the year ended 31 May 2022

Page i Page ii Page 1 Page 2 Page 3 Page 4 Page 5 Page 6 Page 7 Page 8 Page 9 Page 10 Page 11 Page 12 Page 13 Page 14 Page 15 Page 16 Page 17 Page 18 Page 19 Page 20 Page 21 Page 22 Page 23 Page 24 Page 25 Page 26 Page 27 Page 28 Page 29 Page 30 Page 31 Page 32 Page 33 Page 34 Page 35 Page 36 Page 37 Page 38 Page 39 Page 40 Page 41 Page 42 Page 43 Page 44 Page 45 Page 46 Page 47 Page 48 Page 49 Page 50 Page 51 Page 52 Page 53 Page 54 Page 55 Page 56 Page 57 Page 58 Page 59 Page 60 Page 61 Page 62 Page 63 Page 64 Page 65 Page 66 Page 67 Page 68 Page 69 Page 70 Page 71 Page 72 Page 73 Page 74 Page 75 Page 76 Page 77 Page 78 Page 79 Page 80 Page 81 Page 82 Page 83 Page 84 Page 85 Page 86 Page 87 Page 88 Page 89 Page 90 Page 91 Page 92 Page 93 Page 94 Page 95 Page 96 Page 97 Page 98 Page 99 Page 100 Page 101 Page 102 Page 103 Page 104 Page 105 Page 106 Page 107 Page 108 Page 109 Page 110 Page 111 Page 112 Page 113 Page 114 Page 115 Page 116 Page 117 Page 118 Page 119 Page 120 Page 121 Page 122 Page 123 Page 124 Page 125 Page 126 Page 127 Page 128 Page 129 Page 130 Page 131 Page 132 Page 133 Page 134 Page 135 Page 136 Page 137 Page 138 Page 139 Page 140 Page 141 Page 142 Page 143 Page 144 Page 145 Page 146 Page 147 Page 148 Page 149 Page 150 Page 151 Page 152 Page 153 Page 154 Page 155 Page 156 Page 157 Page 158 Page 159 Page 160 Page 161 Page 162 Page 163 Page 164 Page 165 Page 166 Page 167 Page 168 Page 169 Page 170 Page 171 Page 172 Page 173 Page 174 Page 175 Page 176 Page 177 Page 178 Page 179 Page 180 Page 181 Page 182 Page 183 Page 184 Page 185 Page 186 Page 187 Page 188 Page 189 Page 190 Page 191 Page 192 Page 193 Page 194 Page 195 Page 196 Page 197 Page 198

Made with FlippingBook Online newsletter maker