UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

SCHEDULE 14A

PROXY STATEMENT PURSUANT TO SECTION 14(a) OF THE

SECURITIES EXCHANGE ACT OF 1934

Filed by the Registrant  ☒

Filed by a Party other than the Registrant  ☐

Check the appropriate box:

☐ Preliminary Proxy Statement

☐ Confidential, for Use of the Commission Only (as permitted by Rule 14a-6(e)(2))

☐ Definitive Proxy Statement

☒ Definitive Additional Materials

☐ Soliciting Material under §240.14a-12

KNOWBE4, INC.

(Name of Registrant as Specified In Its Charter)

Payment of Filing Fee (Check all boxes that apply):

☒ No fee required.

☐ Fee paid previously with preliminary materials.

☐ Fee computed on table in exhibit required by Item 25(b) per Exchange Act Rules 14a-6(i)(1) and 0-11.

Stu Sjouwerman on What Vista Equity’s Buy Means for KnowBe4

CEO on How Going Private Will Accelerate KnowBe4’s Journey From $300M to $1B in ARR

Michael Novinson • January 13, 2023

Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. I’m joined today by Stu Sjouwerman. He is the founder and CEO of security awareness training vendor Knowbe4. Started the Company in 2010, took it public last year, they’re now under agreement to go private with Vista Equity Partners. Good afternoon. Stu, how are you?

Stu Sjouwerman: Great. Glad to be here.

Michael Novinson: Thanks so much for making the time. Did want to start with that go private agreement that you signed with Vista Equity in October for upwards, a little above four and a half billion dollars. Wanted to get a sense from you of why you thought that was the right move for your company, especially given how recently you’d just gone public, why do you feel it’s better at this juncture to be privately owned?

Stu Sjouwerman: We decided that becoming part of a private equity group of portfolio companies was the right move at this moment in time. There’s lots of market volatility. And we, frankly, were very interested in getting assistance in scaling up to a billion dollars in ARR. And we feel that Vista is a very good partner in doing that.

Michael Novinson: Got you, and love to hear a little bit about what Vista brings to the table. I know they have some other security investments, Securonix, and as well as some other folks, but yeah, what in particular made them such a good fit?

Stu Sjouwerman: They are specialized specifically in enterprise software. That’s the only thing they do. So they have a whole library of best practices that we can tap into and then grab for particular areas in our execution plans. And they have their Vista consulting group, more than 100 we call them SME’s, you know, the specialists in particular areas, subject matter experts, and they are all at our disposal. So, we feel we have a valuable new partner that can help us grow.

Michael Novinson: Of course, and I know you’d mentioned the market volatility there and I realize you went public in a very different economy. Why is it easier to navigate market volatility being privately held versus being publicly held?

Stu Sjouwerman: Well, listen, what we felt as a public company, we didn’t really get credit for the very high quality stock that we really are. And so we saw the stock price go up and down, and we didn’t necessarily feel we had much control over that. So for us at our stage, where we are still growing very rapidly, we felt going private was actually the better choice.

Michael Novinson: Gotcha. And then from the standpoint of Vista, I know you mentioned that goal of getting to a billion in ARR, how will Vista help you get there, and what are some of the key areas of priority areas for focus of investment in order to get to that one billion dollar figure?

Stu Sjouwerman: You know, when you are at roughly well over 300 in ARR, where we are today, you look back and you look at your existing processes, your technology stack, and you do have to realize that what gets you there doesn’t necessarily get you to that next level, which is three times more. And at that point in time, we said it’s actually a good idea to partner up with people who have been there who have done that they know how this works, and they can guide you from your 3, 350, to that billion dollar so partnering up is actually a good idea.

Michael Novinson: Gotcha. And I know you’re under agreement to be acquired but you’ve also over the past 24 months made some acquisitions of your own. You bought Security Advisor, you bought MediaPro, have you been leveraging those in in recent months to strengthen your company?

Stu Sjouwerman: Well, it’s good you asked because the Security Advisor team helped us rebuild and rebrand that to SecurityCoach, and that we just released four weeks ago, which was to some degree a somewhat soft release. We are going to promote SecurityCoach big time during Q1 2023. However, the first results, the first feedback has been very, very positive. And we’re very happy that we were able to get that release roughly a year after the acquisition. It’s fully integrated, it’s fully part of the KnowBe4 platform, looks the same feels the same and provides some very exciting new functionality.

Michael Novinson: Interesting, and SecurityCoach more recently announced an integration with Netskope around that capability. What’s the opportunity there? Specifically, NetSkope and then are you – do you anticipate having some more third-party security vendor integrations with SecurityCoach?

Stu Sjouwerman: We are, and we have—that scope is a great example. The whole idea of SecurityCoach is, you interface with the existing security stack that someone already has. So generally, an organization has 10 to 20 different layers in their security stack that we actually can interface with on an API basis. So that scope is a great example they observe events and some of those are user related. We ingest those and translate that into ‘oh user so and so did this, that’s a security risk, let’s send them an immediate security tip so that they understand they did this and that is their coaching point, why that is risky. And Netskope, again, is a great example but we are integrating with a few dozen partners as we speak and more to come.

Michael Novinson: Of course, wanted to talk a little bit about that security awareness training market landscape. You’re obviously a pure play vendor, a bit smaller than you you have Cofense as well and then you obviously have other companies that have built that security awareness training capability, and particularly in the email security world with companies like Proofpoint, you have your acquisition of Wombat as well as Mimecast with Ataata. So what I, when you’re in a competitive bid type scenario with a prospect, what other offers are you encountering the most often and what makes KnowBe4 different?

Stu Sjouwerman: You know it very much is different by geography. We deal with Proofpoint in the U.S. But it’s also only in a particular segment of the market. In Europe, it’s completely different. South Africa, which, funnily enough is where Mimecast started, they’re growing over there so you compete with Mimecast over there. If you, look at it big picture, we like to think we’re best of breed point solution, but point ‘plus plus plus’ because we have not just the training and phishing we also have PhishER, which allows you to ingest reported emails, and then rip out the truly dangerous emails from the user’s inbox. Better yet, if you see some that’s a great example. You can flip it and turn the tables on the bad actors and make that malicious email into a phishing test for the rest of the users. So we have a vast feature set with a ton of benefits that practically no one else has. So the customer needs to essentially kind of ultimately I recommend always, you know, take the best of breed and just combine them because we live in in the same environment as Proofpoint and Mimecast, and we can be very effective with both platforms up and running.

Michael Novinson: Gotcha. From the standpoint of the customer, why is that better to get the secured email gateway from them and that the trend—the awareness training for you versus just getting both from them?

Stu Sjouwerman: You get what you pay for. We have a vastly larger library with different content that you can choose. There’s tests, we have a proficiency test, we have a security culture test, there’s a much bigger choice of different features and functionality that allows you to truly build a security culture instead of only testing and usually the same training modules year after year.

Michael Novinson: Gotcha. Once we had discussed a little bit earlier the market volatility, wanted to pinpoint more specifically what if any changes in customer buying behavior have you seen in recent months as a result of that volatility? Then what adjustments have you made to your own business at KnowBe4 in response to the economic downturn?

Stu Sjouwerman: Tech generally sees a somewhat elongation of the salecycle. People are sometimes just a little more careful with their investments. We are fairly lucky in the sense that the average sales price is really low. A large part of our sales in volume is SMB. If you look at it on dollar basis, it is almost the same as to be an enterprise. And so for us, the sale cycles are relatively short. However, you do see that some of them, you know, bounce over into the next month or the next quarter. So that’s where we’re focusing on in the sense of okay, what can we do to help that customer understand that this truly is a no brainer, that their users are their largest attack surface, and that you really can’t afford not to do this.

Michael Novinson: Gotcha. So I mean, and what about internally at KnowBe4? So what given, given the downtrend have you reprioritized, shifted some investments, made any changes to your strategy in result as a result of kind of more cautious buying environment?

Stu Sjouwerman: Not all that much except for the fact that we are providing our sales and C-Sim team just more ammo and more help to get the customer the sufficient level of urgency to make sure that the KnowBe4 platform stays, you know, on top of the list of PO’s because again, your users are your biggest risk. And this is an extremely effective way to mitigate that risk. Significantly. I’m almost tempted to say dramatically but significantly less risk.

Michael Novinson: Of course. Let’s gaze into the crystal ball here, take a look ahead to 2023. From the standpoint of your customers, what do you feel is the biggest challenge around security awareness training that they’re going to need to grapple with in the year ahead?

Stu Sjouwerman: Well they really need to understand that awareness training is only where you start. There are the ABCs in our business, which awareness is the A. The B is behavior, but the C really is culture. If you have a really strong security culture that makes a massive difference in your risk, your exposure and building a security culture is what most organizations are now working on, which is a challenge and especially in 23.

Michael Novinson: Gotcha, the culture piece is an interesting one. I know you’ve been at this for 13 years at KnowBe4. Have you seen a change in security culture when you look kind of broadly across your customer base, do you feel that the typical user is more security conscious today than maybe they were a couple years ago or is it still really an uphill battle?

Stu Sjouwerman: I’m going to quote one of my favorite science fiction writers William Gibson. And he said the future is already here, it’s just unevenly distributed. And so, you know, mapping that on top of the security culture concept, it’s it varies wildly by Geo and by different size of organization. And so, some organizations already understand and are working hard on their security culture maturity model, if you will, and are getting to that next level. Others are not there yet. So it is very much an area of enlightening and educating the market and showing them just with hard numbers that it’s a very effective way to secure your environment.

Michael Novinson: What are some of the biggest obstacles or challenges that you have to navigate there as you as you try to help organizations build that security culture? What are the stumbling blocks they most frequently encounter?

Stu Sjouwerman: You know, the funny thing is that the people we talked to initially are IT folk and they completely understand the problem because they’re dealing with this day in day out. Sometimes they have the challenge to communicate this effectively to their C suite. And so the C suite needs to be essentially explained in non InfoSec terms why this is so important. And that translation now and then causes an issue. Although if you make the point clear, most of these people are very, very smart and immediately understand that if it’s an end user who’s clicked on a phishing link, which opens up an infected attachment, which lets in a Trojan, which in turn is a ransomware infection that causes two weeks of downtime, any C level executive understands that and sees the need to train that user.

Michael Novinson: Of course, let me ask you here finally, in terms of KnowBe4, specifically, what’s your top priority for 2023?

Stu Sjouwerman: International expansion. We have been extremely successful in the U.S. And now the rest of the world should benefit from the same feature set we have heavily invested in international expansion in translating our management console in hundreds and hundreds of translated modules. You can, for instance, run the whole platform in Japanese, which is the management console, all the phishing tests, all the phishing emails, all the reporting. So that is just an example of the investment we have made in those international markets.

Michael Novinson: Definitely will be an interesting push to watch. Stu, thank you so much here for the time.

Stu Sjouwerman: You are very welcome. And thank you.

Michael Novinson: Of course. We’ve been speaking with Stu Sjouwerman, he is the co-founder and CEO at KnowBe4. For Information Security Media Group, this is Michael Milken. Have a nice day.

Forward-Looking Statements

This communication contains forward-looking statements that involve risks and uncertainties, including statements regarding the proposed acquisition (the “Transaction”) of KnowBe4, Inc. (“KnowBe4”) by affiliates of Vista Equity Partners (“Vista”), including the expected timing of the closing of the Transaction, and statements regarding KnowBe4’s future financial and operating performance. There are a number of risks that could cause actual results to differ materially from statements made in this communication, including: the possibility that the conditions to the closing of the Transaction are not satisfied, including the risk that our stockholders do not approve the adoption of the merger agreement with affiliates of Vista Equity Partners (the “Merger Agreement”); the occurrence of any event, change or other circumstance that could result in the Merger Agreement being terminated, including in circumstances that would require us to pay a termination fee or other expenses; uncertainties as to the timing of the consummation of the Transaction; the effect of the pendency of the Transaction and related publicity on our current plans and operations, including our ability to retain and hire key personnel and our ability to maintain relationships with our current and prospective customers, suppliers and others with whom we do business; the diversion of management’s attention from our ongoing business operations due to processes related to the Transaction; our limited operating history; our ability to identify and effectively implement the necessary changes to address execution challenges; risks associated with managing our rapid growth; our limited experience with new product and subscription introductions and the risks associated with new products and subscriptions, including the risk of defects, errors, or vulnerabilities; our ability to attract new and retain existing customers; the integration of companies we have acquired and may acquire in the future; the failure to timely develop and achieve market acceptance of new products as well as existing products; rapidly evolving technological developments in the market; length of sales cycles; and general market, political, economic, and business conditions. Additional risks and uncertainties are detailed in the periodic reports that KnowBe4 files with the SEC, including KnowBe4’s Annual Report on Form 10-K filed with the SEC on March 10, 2022 and Quarterly Reports on Form 10-Q filed with the SEC on May 10, 2022, August 4, 2022 and November 14, 2022, each of which may be obtained on the investor relations section of KnowBe4’s website (https://investors.knowbe4.com). If any of these risks or uncertainties materialize, or if any of KnowBe4’s assumptions prove incorrect, KnowBe4’s actual results could differ materially from the results expressed or implied by these forward-looking statements. All forward-looking statements in this communication are based on information available to KnowBe4 as of the date of this communication, and KnowBe4 does not assume any obligation to update the forward-looking statements provided to reflect events that occur or circumstances that exist after the date on which they were made, except as required by law.