Readers should be aware that TMT Analytics has been engaged and paid by the company covered in this report for ongoing research coverage. Please refer to the final page of this report for the General Advice Warning, disclaimer and full disclosures.

Covata Ltd.

In the sweet spot of Cybersecurity spending Data security breaches happen to organizations of all sizes and in all industries, even to well-known IT companies that one would expect would be very well protected. In addition to human error and negligence, one of the key reasons organizations fall victim to data breaches is lack of a comprehensive approach to data-centric security.

The main problem with data security today is that organizations still source disparate security software tools from different suppliers in an attempt to achieve all-encompassing data security. Enter Data Security Platforms.

“Covata Secure” provides comprehensive Cyber-protection

Covata Limited (CVT) has largely completed a Data Security Platform (DSP), called Covata Secure, that aims to provide the many different elements of organizations’ Cybersecurity strategy in one, single platform, including data discovery, encryption, access management, and privacy compliance.

The platform has been built by CVT and was complemented by the recent acquisition of CipherPoint in the United States. We expect the company may make further acquisitions and OEM deals to round out its platform.

Very well-positioned in Government sector

The CipherPoint acquisition has also brought on several very high-profile US customers, including the US Army, the US Defense Advanced Research Projects Agency (DARPA), NASA and the US Department of Energy. Combined with CVT’s position with Australian Government agencies and the company’s presence on G-Cloud in the UK, we believe CVT is excellently placed in the Government vertical, a position which may be marketed in other countries as well.

Cybersecurity market is growing by 11% annually

CVT’s target market is expected to grow by 11% (compounded average growth rate) to a total of US$ 232BN by 2022. The US government is expected to remain a big spender on Cybersecurity, which puts CVT’s US branch in the sweet spot of Cybersecurity spending.

Starting coverage with a Speculative Buy rating

We start our coverage of CVT with a Speculative Buy recommendation based on its existing DSP offering and strong potential to benefit from Cybersecurity spending in its key markets, the US, UK and Australia.

ASX:CVT

Software & Services

Australia

Risk: High

Through its proprietary Data

Security Platform, Covata

Limited (ASX:CVT) provides

government and enterprise

customers a comprehensive

way to secure their sensitive

data.

Company report

LNU is a semiconductor

equipment company … bla

provide general advice only, and

does not purport to make any

recommendation that any

securities transaction is

appropriate to your particular

investment objectives, financial

situation or particular needs.

Prior to making any investment

Analyst: Marc Kennis

marc.kennis@tmt-analytics.com.au

+61 (0)4 3483 8134

Speculative Buy

Current price: A$ 0.049

2 November 2017

SUBSCRIBE TO OUR

RESEARCH HERE

0

2,000

4,000

6,000

8,000

10,000

12,000

14,000

$0.00

$0.05

$0.10

$0.15

Volume (1,000)

Share Price Covata Limited CVT.ASX

Number of shares (m) 536.1

Number of shares FD (m) 632.7

Market capitalisation (A$ m) 26.3

Free Float (%) 97%

12 month high/low A$ 0,142 / 0,028

Average daily volume (k) 844

1

Covata Limited

Data protection requires holistic approach to security

Security incidents at Oracle, the Department of Justice (DOJ), UK software provider Sage and more recently at Equifax, Deloitte, Verizon and Dun & Bradstreet illustrate that data security breaches happen not just to smaller, cash-strapped and less tech-savvy organizations. Well-funded and high priority organizations, like the DOJ, as well as technology companies such as Oracle, are being targeted and breached by cyber criminals and state-sponsored hackers, i.e. cyber spies. These incidents also demonstrate that it’s not always hackers wreaking havoc, but that plain old human error is often the cause of unwanted data exposures.

Firewall and traditional end point protection only goes so far

While firewalls and domain protection in general provide a certain level of protection from hackers, many intrusions by-pass these firewalls, e.g. by using login details of existing users or by capturing data when it’s on the move, i.e. from a secured server to users’ laptops, PC’s and mobile phones outside of the secured domain. Oftentimes, network endpoints are compromised and user devices are hacked, the latter to gain access to passwords that in turn allow access to servers containing critical information. In other words, only protecting the outer perimeter of an organization or its end points is not enough as implicit trust of the internal network is often misplaced.

Organizations require a second layer of protection - Data is the new end point

As a second line of defense, individual data files, either stored within the secured perimeter or in the cloud, increasingly need to be encrypted to prevent intruders gaining access to this data even if the perimeter is breached. Moreover, organizations are increasingly tending towards encrypting data that is sent or shared outside of the secured domain (Figure 1).

FIGURE 1: PROTECTION OF PERIMETERS AND INDIVIDUAL DATA BLOBS

Source: TMT Analytics

However, individually encrypted data files can also fall into the wrong hands and, given enough time and money, may still be compromised, e.g. through brute force which involves trying out many different passwords or by accessing security keys, enabling decryption of the secured data. Therefore, additional security measures are required, protecting data in a very granular way.

OrganizationSecured data on 3rd

party server

Secured data in transit

Secured data on

internal network

Cloud host

Individual user

Secured

perimeters

Secured perimeter

2

Covata Limited

Identity and Use Policy as a third security layer

In addition to perimeter protection and data encryption, organizations will need to add certain specific attributes to individual pieces of information and files. For instance, users should be able to specify who is allowed to open a file, at what time of day, for how long, if the data may be printed off and if the file may be forwarded to a third party. The owner of the data should also be able to withdraw individual user access to the data at any given time, for instance if data is believed to have been compromised.

This third layer of protection allows organizations to take a highly granular approach to data security and substantially reduces the chances of data falling into the wrong hands in a useable format.

Data Security Platforms offer comprehensive approach

As Figure 1 illustrates, it’s no longer sufficient for organizations to secure their outer IT perimeters. In case of a perimeter breach, their data needs to be secure inside that perimeter as well, and wherever else the data may reside for that matter, including third party cloud environments, on user devices and in transit from one storage location to another. Furthermore, organizations should to be able to remotely monitor and manage data access.

One-stop-shop for data security

Data Security Platforms (DSP) integrate a range of different data security functionalities that, today, still mostly require sourcing from many different suppliers.

These features and functionalities can include:

- Data discovery: which data is sensitive and should be secured?

- Data classification: which data should be secured?

- Access governance: who can access our data and what can they do with it?

- Email and file encryption.

- Threat detection: how do we know data has been compromised or is about to be compromised?

- Behavioural analytics: does anyone with access to our sensitive data show suspicious behaviour when handling this data?

- Monitoring and reporting: Increasing compliance requirements and audit trails necessitate monitoring and reporting capabilities.

The main problem with data security today is that organizations still mostly need to source individual security software (suites) from different suppliers in order to achieve such all-encompassing data security. Enter Data Security Platforms.

The transition to DSP’s has been recognized by Gartner as one of today’s main data security trends with an expected 40% of large enterprises expected to be replacing siloed security tools with comprehensive data-centric products by 2020, up from just 5% in 2017.

3

Covata Limited

Covata strategically shifting to become DSP provider Following CVT’s management change in January 2017, the company has redefined its strategy in order to align its product offering with the aforementioned industry trend towards more comprehensive data security offerings.

Building “Covata Secure” to capture DSP market opportunity

CVT is in the process of building Covata Secure (Figure 2), the company’s own DSP, using its existing data security product SafeShare and complementing this with targeted acquisitions. The company recently acquired US-based CipherPoint, which provides data-centric audit and protection solutions. We will elaborate on both below.

CVT’s aim is to be able to offer a comprehensive DSP, which will likely require additional capabilities in the areas of Data Loss Protection and Artificial Intelligence (AI).

FIGURE 2: BUILDING BLOCKS OF COVATA SECURE

Source: Covata

Current functionality includes data discovery, encryption and access management

CVT’s original secure file sharing product, SafeShare, secures data and allows remote monitoring and access control to this secured data. SafeShare is based on three pillars of data security, i.e. recipient identity, the use policy around that particular piece of secured data and the management of access keys for that data (Figure 3).

FIGURE 3: SAFESHARE’S 3 PILLARS OF SECURITY

Source: Covata

4

Covata Limited

SafeShare lets organizations and users set very specific use policies per file

In the Enterprise File Synchronization and Sharing (EFSS) space, CVT is competing with some well know names, such as Dropbox and Box. Additionally, companies with a file sharing heritage or Venture Capital backing, such as Citrix, Egnyte and Syncplicity, offer file sharing applications comparable to SafeShare.

However, competing products are typically only available in cloud-based solutions, not on-premise, i.e. within the organization’s own, on-premise, IT environment. Additionally, they are typically less feature rich than CVT’s SafeShare.

Unlike solutions such as Box and Dropbox, SafeShare lets users and IT departments set very specific sharing criteria per file or groups of files. For instance, when sharing a file, a user can specify who is allowed to open the file, at what time of day, for how long the file may be used, if it may be forwarded, if a print screen can be made or if the file can be printed (hard copy).

Additionally, organizations can set geographical restrictions on files, e.g. not allowing files to be opened in certain countries, which can be useful in government intelligence situations or in cases where companies outsource manufacturing overseas and would like to limit the risk of IP infringement. Furthermore, access to files can be revoked remotely if a breach of data sovereignty is suspected or detected.

In addition to the ability to set very specific use policies, SafeShare also provides organizations with a clear audit trail per file, which is not only essential in light of increasingly tight regulation, like Sarbanes-Oxley in the US, but also helps to prevent potential future data breaches.

CipherPoint acquisition adds Data Discovery and Compliance to the offering

In August 2017, CVT acquired US-based CipherPoint, a provider of data-centric audit and protection solutions. CipherPoint will allow CVT to add data discovery and user activity logging to Covata Secure’s suite of functionalities.

Data discovery enables organizations to search and locate sensitive information, which can subsequently be encrypted. Access permissions can then be managed centrally.

Logging of user access requests is also a new, compliance-related, feature for Covata Secure. From a liability point of view, being able to log all data access requests, granted and denied, is becoming increasingly important for organizations.

Integration into OneDrive, SharePoint and Google Drive now available for SafeShare

CipherPoint already provides its customers with broad integration of its products into Azure, Microsoft’s Cloud computing platform. In practice, this means users can easily access and use CipherPoint’s functionality when working with SharePoint, Office 365 and on OneDrive, for example. CipherPoint also provides integration with Google Drive, Google’s equivalent of OneDrive.

CVT will be looking to use CipherPoint’s data security API (Application Programming Interface) to facilitate integration of SafeShare into Microsoft Azure as well.

SafeShare adheres to the highest standards of data encryption. While the 256-bit FIPS 197-certified encryption protocol is similar to encryption protocols used by other data security firms, CVT’s added layer of use policy based on individuals’ authorization and security clearance within an organization set SafeShare apart from more mundane file sharing solutions.

5

Covata Limited

FIGURE 4: SAFESHARE INTEGRATION IN MS WORD

+

Source: Covata, Microsoft

Additional building blocks required to round out the Platform

While the CipherPoint acquisition adds several key functionalities to Covata Secure, we expect the company will want to add expand Covata Secure with certain “must have” features.

Data Loss Protection and Artificial Intelligence for data classification

One such feature is Data Loss Protection (DLP), which can detect and prevent potential data breaches and data transmissions while this data is being used, in transit or at rest, i.e. when stored. DLP functionality helps monitor and detect sensitive data and can block breaches or unauthorized transmissions of this data.

In case of an actual or suspected breach, or unauthorized exfiltration of data, DLP tools can also apply a data security policy on-the-fly, for instance classifying, tagging, encrypting and relocating data if required.

In order to facilitate on-the-fly applications of data security policies, DSP’s increasingly rely on Artificial Intelligence (AI), rather than humans, to determine if data is (about to be) compromised. We expect CVT will want to expand its expertise in this domain as well, most likely through a targeted acquisition.

6

Covata Limited

EU’s General Data Protection Regulation coming in 2018 New and far-reaching regulation in the EU will come into effect from mid-2018. The EU’s General Data Protection Regulation (GDPR), which will replace the EU’s twenty-two-year-old Data Protection Directive, affects data retention and privacy from six different angles:

1. The right to be forgotten; similar to how Google is required to delete specific, personal information from its caches if the relevant person requests this, the right to be forgotten applies to an individual’s specific data as well. In other words, organizations retaining data will need policies in place to remove user specific data.

2. Privacy by design; data holders will be required to implement appropriate technical and organizational measures to protect personal data against unlawful processing, which is a new requirement. From the outset of any product or process development, companies will need to design compliant policies, procedures and systems using “state of the art” technology, i.e. the most up-to-date technology needs to be used for this purpose.

3. Risk and impact assessment; this element of the GDPR requires data controllers to conduct a data protection impact assessment for high-risk processing activities, which may result in the requirement for stronger encryption, pseudonymizing or anonymization of data. Data holders and processors will need to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

4. Data breaches; under the GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

This is a much broader definition than the US definition. A breach must be reported to the supervisory authority within 72 hours after the data holder has become aware of it, unless the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons.

5. Consent to process a user’s data; the GDPR requires consent to be expressed by a statement or by a clear affirmative action for each data processing operation. Consequently, silence, pre-ticked boxes or inactivity on the part of data owners will not be sufficient for data processors. Furthermore, withdrawing consent must be made as easy as it is to give consent. i.e. a consent withdrawal application should be readily available for data owners.

6. Data portability; data owners will have the right to data portability, which aims to increase the data owners’ choice of online services. This may mean that the data controller could be required to transmit the data directly to a competitor.

Because the GDPR is EU regulation, it affects any company active in the EU, e.g. with local offices and facilities, selling into the EU and processing EU data owners’ information. In other words, the GDPR is quite far-reaching and affects companies not headquartered in the EU as well. Furthermore, fines for non-compliance can be very high, i.e. up to 4% of a company’s global revenues with a maximum of EUR 20M.

In our view, these six elements of the new EU legislation will have a profound impact on many organizations, given the current state of data security, unclarity around data ownership and weak or missing privacy policies.

7

Covata Limited

CipherPoint recently launched GDPR compliance solutions

CipherPoint’s GDPR offering includes Data Discovery, Encryption & Key Management, Permissions Management and Logging & Audit, which helps customers address the compliance issues around the upcoming GDPR. We expect CVT will be able to add this solution to its own offering relatively easily, resulting in an additional potential revenue stream.

CipherPoint also brings several high-profile clients to the table

Apart from the added functionality that CVT is getting on board through the CipherPoint acquisition, the deal also brings CVT several high-profile clients, including the US Army, the US Defense Advanced Research Projects Agency (DARPA), NASA, the US Department of Energy as well as Arthur J. Gallagher, a global insurance broker and risk management firm.

Each of these US clients individually would provide major validation for CipherPoint’s technology. Combined with CVT’s Australian government client base we believe this client portfolio will help CVT tremendously in opening doors in the Government vertical in other countries as well.

8

Covata Limited

Addressable market growing by 11% CAGR The Cybersecurity market, which includes solutions such as encryption, DLP, unified threat management, antivirus/anti-malware, firewalls, intrusion detection and prevention, disaster recovery and DDOS mitigation, is expected to exhibit healthy growth in the next five years.

The market size is expected to grow from an estimated US$ 138 BN in 2017 to US$ 232 BN by 2022 according to MarketandMarkets (Figure 5), which represents a CAGR of 11%.

FIGURE 5: GLOBAL CYBERSECURITY SPENDING (US$ BN)

Source: MarketsAndMarkets, Statista, TMT Analytics

Given the sensitive nature of these sectors key growth sectors include Aerospace, Defense and Government. In the case of Government, we also believe a catch-up effect will contribute to spending in this sector. Telecom, Banking and Financial Services are other sectors that are driving global Cybersecurity spending.

Covata in the Sweet Spot of Cybersecurity spending

The United States are expected to remain one of the top spending countries when it comes to Cybersecurity, with the US federal government alone having spent US$ 28 BN on Cybersecurity in 2016.

UK government spending on Cybersecurity is low, but increasing

By contrast, UK government spending on Cybersecurity is expected to amount to just GBP 1.1BN (US$ 1.5BN) in 2017, although the government has pledged to spend an additional US$ 2.3BN over the next four years to shore up its overall Cybersecurity.

CVT’s SafeShare has been listed on G-Cloud for several years. G-Cloud is the UK government’s centralized procurement platform through which all UK government bodies can procure pre-approved IT solutions, including Cybersecurity tools such as SafeShare. Therefore, CVT could potentially benefit from this uptick in government spending on Cybersecurity, while this presence on G-Cloud also provides credibility to SafeShare.

0

50

100

150

200

250

2016A 2017F 2018F 2019F 2020F 2021F 2022F

Seen in this light, we believe CVT’s acquisition of CipherPoint puts the company in the sweet spot of Cybersecurity spending, given CipherPoint’s high-profile US government customers.

9

Covata Limited

Data Security Platform sales strategy

Selling direct and through channel partners

CVT sells its DSP offering directly to customers as well as through channel partners, such as Telecom providers and IT partners, including Microsoft (Figure 6). These partners have an existing enterprise client base that CVT can leverage off. Telecom providers globally are increasingly moving towards a service offering that includes a range of IT services. Therefore, the benefit of selling Cybersecurity services is the added functionality they can now offer their enterprise customers, especially with data security concerns having become so pronounced in recent years.

Agreements in place with several Telecom channel partners

CVT’s key Telecom partners include T-Systems in Europe and Macquarie Telecom in Australia. Macquarie Telecom provides CVT with access to different levels of the Australian government and recently renewed its agreement with CVT for three more years at increased user fees.

FIGURE 6: COVATA DATA SECURITY PLATFORM BUSINESS MODEL

Source: CVT, TMT Analytics

In addition to these channel partners, CVT has been working with NSC Global, a technology services and infrastructure provider, to expand the number of Telecom channel partners. NSC also provides a number of services to Telecom channel partners, including billing and support around SafeShare, on behalf of CVT.

CVT could team up with a range of other channel partners

Going forward, we believe Covata Secure may also be deployed through other types of channel partners, such as Managed Service Providers (MSP), IT integrators, accountancy firms and other types of resellers of Cybersecurity products.

10

Covata Limited

Flexible business model to accommodate diverse needs CVT has the flexibility to deploy its DSP in the public cloud, private cloud or on-premise, depending on customer preferences and sensitivity of the data involved. Consequently, the company can charge for its services on a subscription basis, i.e. in a typical SaaS (Software-as-a-Service) model with monthly recurring revenues based on the number of users, as well as on a fixed monthly cost per server/rack or can charge a lump sum per customer.

Conclusion Following the restructure of its commercial strategy and the expansion of its sales offering through the acquisition of CipherPoint, we believe CVT is in a very strong position to successfully monetize its Data Security Platform.

The Cybersecurity market is growing at 11% on average per year with CVT positioned in the sweet spot of government spending in the US.

We expect the company will make a few bolt-on acquisitions to round out its DSP platform from a technical perspective. However, as was the case with CipherPoint, such acquisitions could also bring new customers onto CVT’s books.

We start our research coverage of CVT with a Speculative Buy recommendation.

Near term share price catalysts / Key Performance Indicators - Announcements around the conversion of the current sales pipeline of Enterprise and

Government prospects into paying customers.

- Additional channel partners, such as MSP’s, financial services companies, IT integrators etc.

- Acquisition of additional DSP elements, such as Data Loss Protection and Artificial Intelligence for data classification, to round out the product offering.

- Fast and successful integration of CipherPoint into CVT’s organisation, a.o. reflected in revenue growth and cross sell.

11

Covata Limited

SWOT Analysis Strengths

- CVT’s Data Security Platform provides a holistic approach to data security as opposed to the fragmented approach that many sector peers offer.

- Unlike peers such as Box and Dropbox, the company is purely focused on the corporate and government markets, not the price sensitive, freemium, consumer market.

- The ability of UK government agencies and departments to directly reach out to CVT due to the company’s qualification on G-Cloud (rather than having to go through an authorized vendor of IT products and services) may expedite commercial roll out of SafeShare among these government agencies and departments.

Weaknesses

- With a current operational cash burn of approximately A$ 1.5m per quarter, CVT will likely require additional funding before reaching cash break even, resulting in dilution for existing shareholders.

- Given its strict cash management, CVT may not be able to chase up all commercial and technical opportunities in the market, potentially resulting in lower growth than would otherwise have been the case.

Opportunities

- Ongoing data security breaches continue to emphasize the need for high-grade data security protocols for enterprises and governments alike.

- The Cybersecurity market is moving to DSP solutions rather than stand-alone solutions, which creates opportunities for providers of integrated security solutions.

- The General Data Protection Regulation (GDPR) coming into effect in the European Union in 2018 will be a key driver for DSP adoption, both within and outside of the EU.

- For many technology companies, data security is not a core competence, which opens up the market for companies, such as CVT, to offer easily integrated, white label, solutions around data security and secure file sharing.

Threats

- Deep-pocketed and agile competitors, such as Citrix Systems (NASDAQ: CTXS), Box Inc. (NASDAQ: BOX) and Dropbox, could potentially rapidly enhance functionality of their products, bringing them at par with SafeShare or CVT’s broader DSP offering.

- Telecom and OEM channel partners may not always prioritize the selling of CVT’s products, resulting in delayed adoption of CVT’s products by channel partners’ end customers.

12

Covata Limited

Appendices

Board of Directors

William McCluggage (Chairman): With over 15 years of experience working as an IT Director, Chief Technology Officer and Chief Information Officer within central government and the private sector, Mr. McCluggage plays a key role for CVT in sales and contract deployment within the UK and Northern Ireland government sector. Currently Managing Director of Laganview Associates, a digital and technology services consultancy, he is also Head of Information Security on the UK’s Open Banking Program in London, Entrepreneur-in-Residence at Catalyst (formerly Northern Ireland Science Park), a member of the Board of Governors of the Northern Regional College in Northern Ireland and Executive Chairman of Community Mechanics. Previously, Mr. McCluggage served as Chief Information Officer for the Irish Government, leading the development and implementation of an Information and Communications Technology (ICT) strategy. He was also Chief Technologist of Dell EMC’s public-sector business, where he was a trusted adviser to the UK and Ireland’s public-sector customers, and the UK’s Deputy Government Chief Information Officer at the UK Cabinet Office, responsible for ICT strategies and policies. He began his career as an engineering officer with the Royal Air Force, where he worked for 24 years. He held posts in the UK and USA and supported operations in Africa, Cyprus, Norway, Canada and the Falkland Islands. He finished his career as the Technical Director of a Defense Agency.

Edward Pretty (Managing Director and Chief Executive Officer): Mr. Pretty is a widely recognized senior technology and telecommunications executive with considerable experience in complex networks, data hosting and security, as well as a deep knowledge of emerging trends in security and information technology. Joining CVT as Managing Director and Chief Executive Officer in January 2017, his responsibilities include driving revenue, developing the sales pipeline, guiding new product development and exploring near-term growth opportunities. Most recently, he was a senior adviser at Macquarie Group, supporting principal investments in emerging companies, covering information governance, big data and analytics, security and encryption. His career has included roles such as Group Managing Director of Technology Innovation and Product at Telstra Group, Chairman of Fujitsu Limited, Chairman of ASX-listed NEXTDC and RP Data Limited, Advisory Chairman of Tech Mahindra and Managing Director and Chief Executive Officer of Hills Limited.

Lindsay Tanner (Non-Executive Director): Mr. Tanner is a well-regarded and respected executive with considerable expertise from a career spanning in both politics and business. He has developed many strong and enduring business relationships, and built an extensive network across education, industrial relations, public service and non-government organizations. Currently a special adviser for financial advisory firm, Lazard (Australia), he is directly involved in a range of advisory processes regarding major corporate mergers, acquisitions and capital raisings. Mr. Tanner is also Chairman of Essendon Football Club, a non-executive director for Virgin Australia International Holdings, a member of First Principles Review of Department of Defense, a member of the Australian Advisory Board for Canadian Steamships, Vice-Chancellor’s Fellow for Victoria University, and Chairman for Mitchell Institute for Health and Education Research. In politics, he has held several parliamentary positions, most recently the Minister for Finance and Deregulation from 2007 until 2010. Past roles include Federal Opposition Policy Coordinator, Shadow Minister for Finance, Shadow Minister for Community Relationships, Shadow Minister for Communications, Shadow Minister for Consumer Affairs and Shadow Minister for Transport. Between 1993 and 2007, he also served on several parliamentary committees.

David Irvine (Non-Executive Director): A well-respected leader with over 45 years in the industry, Mr. Irvine has a deep understanding of the intelligence and cyber security landscape. His

13

Covata Limited

knowledge, experience and network are of significant value, providing strategic direction and support to CVT’s management team. Mr. Irvine is Chairman of the Foreign Investment Review Board which advises the Treasurer and the Government on Australia’s Foreign Investment Policy and its administration. He is also a member of the Advisory Council of the National Archives of Australia. From 2009 to 2014, he was Director-General of Security, in charge of the Australian Security Intelligence Organisation (ASIO), and a member of the Board of the Australian Crime Commission. David served with the Australian Department of Foreign Affairs and Trade for 33 years from 1970, with a professional focus on Australia’s relations with the Asia-Pacific region. He was Australia’s High Commissioner to Papua New Guinea from 1996 to 1999, and Australian Ambassador to the People’s Republic of China, North Korea and Mongolia from 2000 to 2003. Mr. Irvine was appointed an Officer of the Order of Australia (AO) in 2005, for services to the promotion of Australia’s international relations. He has authored several publications and books.

Patents

CVT owns several patents and patent applications around securing data, location-based access for key retrieval, encryption key fragmentation, managing secure data and secure communications, across a number of jurisdictions, including the US, Australia, Singapore and PCT member countries.

14

Covata Limited

GENERAL ADVICE WARNING, DISCLAIMER & DISCLOSURES

The information contained herein (“Content”) has been prepared and issued by TMT Analytics Pty Ltd ABN 17

611 989 774 (“TMT Analytics”), an Authorised Representative (no: 1242594) of BR Securities Australia Pty Ltd.

ABN 92 168 734 530, AFSL 456663. All intellectual property relating to the Content vests with TMT Analytics

unless otherwise noted.

DISCLAIMER

The Content is provided on an as is basis, without warranty (express or implied). Whilst the Content has been

prepared with all reasonable care from sources we believe to be reliable, no responsibility or liability shall be

accepted by TMT Analytics for any errors or omissions or misstatements howsoever caused. Any opinions,

forecasts or recommendations reflect our judgment and assumptions at the date of publication and may

change without notice. TMT Analytics will not accept any responsibility for updating any advice, views, opinions

or recommendations contained in this document.

No guarantees or warranties regarding accuracy, completeness or fitness for purpose are provided by TMT

Analytics, and under no circumstances will any of TMT Analytics, its officers, representatives, associates or

agents be liable for any loss or damage, whether direct, incidental or consequential, caused by reliance on or

use of the Content.

GENERAL ADVICE WARNING

The Content has been prepared for general information purposes only and is not (and cannot be construed or

relied upon as) personal advice nor as an offer to buy/sell/subscribe to any of the financial products mentioned

herein. No investment objectives, financial circumstances or needs of any individual have been taken into

consideration in the preparation of the Content.

Financial products are complex, entail risk of loss, may rise and fall, and are impacted by a range of market and

economic factors, and you should always obtain professional advice to ensure trading or investing in such

products is suitable for your circumstances, and ensure you obtain, read and understand any applicable offer

document.

DISCLOSURES

TMT Analytics has been commissioned to prepare the Content. From time to time, TMT Analytics’

representatives or associates may hold interests, transact or hold directorships in, or perform paid services for,

companies mentioned herein. TMT Analytics and its associates, officers, directors and employees, may, from

time to time hold securities in the companies referred to herein and may trade in those securities as principal,

and in a manner which may be contrary to recommendations mentioned in this document.

TMT Analytics receives fees from the company referred to in this document, for research services and other

financial services or advice we may provide to that company. The analyst has received assistance from the

company in preparing this document. The company has provided the analyst with communication with senior

management and information on the company and industry. As part of due diligence, the analyst has

independently and critically reviewed the assistance and information provided by the company to form the

opinions expressed in the report. Diligent care has been taken by the analyst to maintain an honest and fair

objectivity in writing this report and making the recommendation. Where TMT Analytics has been commissioned

to prepare Content and receives fees for its preparation, please note that NO part of the fee, compensation or

employee remuneration paid will either directly or indirectly impact the Content provided.

RECOMMENDATIONS

TMT Analytics’ issues a BUY recommendation in case of an expected total shareholder return (TSR, share price

appreciation plus dividend yield) in excess of 25% within the next twelve months, an ACCUMULATE

recommendation in case of an expected TSR between 5% and 25%, a HOLD recommendation in case of an

expected TSR between -5% and +5% within the next twelve months and a SELL recommendation in case of an

expected total return lower than -5% within the next twelve months.