UNITED STATES SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549

FORM 10-K

(MARK ONE)

[X] ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(D) OF THE SECURITIES EXCHANGE ACT OF 1934 FOR THE FISCAL YEAR ENDED DECEMBER 31, 2000

OR

[ ] TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(D) OF THE SECURITIES EXCHANGE ACT OF 1934 FOR THE TRANSITION PERIOD FROM ____________ TO ____________

Commission file number 0-23655

INTERNET SECURITY SYSTEMS, INC.
(Exact Name of Registrant as Specified in Its Charter)

DELAWARE (State or other jurisdiction of incorporation or organization)
58-2362189 (I.R.S. Employer Identification No.)
6303 BARFIELD ROAD, ATLANTA, GEORGIA (Address of principal executive offices)
30328 (Zip code)

Registrant's telephone number, including area code: (404) 236-2600

Securities registered pursuant to Section 12(b) of the Act:

Title of each class: None
Name of each exchange on which registered: None

Securities registered pursuant to Section 12(g) of the Act:

COMMON STOCK, $0.001 PAR VALUE
(Title of Class)

Indicate by check mark whether the Registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the Registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. Yes [X] No [ ]

Indicate by check mark if disclosure of delinquent filers pursuant to Item 405 of Regulation S-K is not contained herein, and will not be contained, to the best of Registrant's knowledge, in definitive proxy or information statements incorporated by reference in Part III of this Form 10-K or any amendment to this Form 10-K. [ ]

The aggregate market value of the voting stock held by non-affiliates of the Registrant, based upon the closing sale price of Common Stock on March 22, 2001 as reported on the Nasdaq National Market, was approximately $928 million (affiliates being, for these purposes only, directors, executive officers and holders of more than 5% of the Registrant's Common Stock).

As of March 22, 2001, the Registrant had 42,924,774 outstanding shares of Common Stock.

DOCUMENTS INCORPORATED BY REFERENCE

Portions of the Proxy Statement for the Registrant's 2001 Annual Meeting of Stockholders are incorporated by reference into Part III of this Form 10-K.

PART I

ITEM 1. BUSINESS

BUSINESS OVERVIEW

We are a leading global provider of security management solutions for protecting digital business assets.
Our continuous lifecycle approach to information security protects distributed computing environments, such as internal corporate networks, inter-company networks and electronic commerce environments, from attacks, misuse and security policy violations, while ensuring the confidentiality, privacy, integrity and availability of proprietary information. We deliver an end-to-end security management solution through our SAFEsuite security management platform of software products, our around-the-clock remote security monitoring through our industry-leading managed security services offerings, and our professional services, made up of both consulting and education services. Our SAFEsuite family of software products is a critical element of an active information security program within today's world of global connectivity, enabling organizations to proactively monitor, detect and respond to risks to enterprise information. We currently provide remote management of the industry's best-of-breed security technology including firewalls, virtual private networks (VPN's), antivirus and URL filtering software, security assessment and intrusion detection systems. ISS' Managed Security Services gives organizations the levels of sophisticated security services they need without the costly overhead of extensive, in-house security resources. These services combine managed risk with best-of-breed protection, state-of-the-art 24x7x365 international monitoring, and a secure Web-based interface for instant interaction with the security experts managing your network. Offerings include managed firewalls, intrusion protection, antivirus, Web content filtering and other critical security management needs. ISS Consulting Services professionals combine market-leading intellectual capital and technology with years of real-world experience to help organizations plan and implement sound, appropriate business solutions. 
ISS also maintains a team of experienced counter-attack specialists that are ready to reclaim organizations' systems, minimizing the severity of security incidents. ISS provides forensic analysis and conducts incident response workshops to help clients identify the best means to prevent recurrence. Since 1996, more than 10,000 students have refined their security management skills at ISS' global SecureU facilities. From security fundamentals and platform-specific issues to advanced classes on vulnerability management, intrusion detection, firewalls and public key infrastructure, ISS transfers its intellectual capital and applied experience to organizations committed to successfully securing their information assets. ISS also provides special assessment and managed security offerings called Secure Steps that help participants obtain e-commerce insurance or qualify for upgraded levels of insurance services. These services create an economical bridge from basic security practices to comprehensive and affordable online business risk management programs. ISS is a trusted security provider to its customers, protecting online business assets and ensuring the availability, confidentiality and integrity of computer systems and information critical to business success. ISS' lifecycle security management solutions protect more than 8,000 customers worldwide, including 21 of the 25 largest US commercial banks and the 10 largest US telecommunications companies. We also have established strategic relationships with industry leaders, including BellSouth, Check Point, GTE, IBM, MCI WorldCom (Embratel), Microsoft and Nokia to enable worldwide distribution of our core monitoring technology.

INDUSTRY BACKGROUND

Network computing has evolved from client/server-based local area networks to distributed computing environments based on the integration of inter-company wide area networks via the Internet and related technologies.
The proliferation and growth of corporate intranets and the increasing importance of electronic commerce have dramatically increased the openness of computer networks, with the Internet becoming a widely accepted platform for many business transactions. To capitalize on these trends, organizations of all sizes and types are increasingly connecting their enterprise networks to the Internet or using Internet-based technologies to facilitate and support their strategic business objectives: With the increased use of the Internet by businesses and consumers, organizations increasingly network their key systems in order to reduce costs and increase revenues. This increased level of access provided by open systems carries with it the risk of unauthorized access to and use of sensitive information or malicious disruptions of important information-exchange systems.

THE NEED FOR NETWORK SECURITY

Although open computing environments have many business advantages and businesses are depending on them more and more, their accessibility and the relative anonymity of users make these systems, and the integrity of the information that is stored on them, vulnerable to security threats. Open systems present inviting opportunities for computer hackers, curious or disgruntled employees, contractors and competitors to compromise or destroy sensitive information within the system or to otherwise disrupt the normal operation of the system. In addition, open computing environments are complex and typically involve a variety of hardware, operating systems and applications supplied by a multitude of vendors, making these networks difficult to manage, monitor and protect from unauthorized access. Each new addition of operating system software, applications or hardware products to the distributed computing environment may introduce an increasing number of new vulnerabilities and security risks.
Historically, organizations with sophisticated, well-funded information systems departments have responded to perceived security threats by implementing "passive point tools", such as encryption, firewall, authentication and other technologies designed to protect individual components of their internal networks from unauthorized use or outside attacks. Although the passive point tools address some security concerns, they do not address the fundamental issue that the inherent utility of open systems is itself the source of their vulnerability. To be effective, passive point tools need to be coordinated through enterprise-wide systems that automatically evaluate and eliminate the vulnerabilities and threats. Direct observation of vulnerabilities and threats can allow an organization to define and automatically enforce an integrated, enterprise-wide information risk management process that can be managed centrally and implemented on a distributed basis. Any security solution must be:

- easy to use by both management and the organization's existing information technology personnel or service provider;
- compatible with existing security technologies, as well as flexible enough to incorporate new technologies; and
- able to provide a comprehensive and accurate picture of security issues across the organization's entire distributed network such that the managers of the system trust the objectivity of the security system in monitoring, detecting and responding to vulnerabilities and threats.

THE ISS SOLUTION

The benefits of open network technologies have driven the Internet into the "main stream" and with it, the need for security. However, "main stream" organizations -- unlike our early customers -- are not necessarily interested in managing information security themselves. Instead, we believe they want to concentrate on their core business competence and purchase security as a turnkey solution. For this market-driven reason, we have dramatically increased our emphasis on providing total lifecycle security solutions and have entered the managed security services market.

In 1999, we adopted British Standard of Practice 7799-1, now ISO/IEC 17799. ISO 17799 is a blueprint for wrapping various interpretations of information security policy management into one unified assessment methodology. This standard divides security policy into a five-step, cyclical process: (1) assess, (2) design, (3) deploy, (4) manage/support and (5) educate. Our customer life cycle methodology, based on ISO 17799, permeates our approach to providing total solutions to our customers. Our implementation consists of the following:

Assess. (Where Are We?) Many companies do not know what information resides on their network. They do not know where it is located, who has access to it or what would be the cost to them if the information were compromised in any way. During this phase of the life cycle, our experts identify all of a customer's network devices and resources and establish valuations for all groups of data on the customer's network. The value of assessment lies in turning general descriptions of security needs and network structures into measurable sets of data that we use to design verifiable security policy and information technology infrastructure.

Design. (Where Do We Need to Be?) In this phase of the life cycle, our teams convert the data gathered during the assessment phase into lists of information security solutions, deployment locations, implementation strategies and configuration guidelines for each network device or security application. When the solution road map is complete, our customer has a security policy, accompanied by a plan for deploying it and concrete metrics for measuring compliance.

Deploy. (How Do We Get There?) During this period, our experts test and install the devices and security applications into the customer's production environment.
Manage and Support. (How Do We Maintain and Improve?) At this stage, a customer can either choose to run an in-house security management solution, or outsource information security through our managed security services. This ongoing stage is where our experts measure performance data from the information security infrastructure against the goals stated in the security policy mapped out earlier. Non-compliant systems and events trigger specific actions, as stated in the policy. These include a re-evaluation of the policy and a restart of the policy generation process.

Educate. (How Do We Enhance our Understanding?) Education is a critical component of the customer life cycle methodology. This ongoing effort to raise awareness of the need for information security at the executive, management, administrator and end-user levels cuts across all the phases listed above. It includes both continuing training for administrators in emerging threats to their systems and awareness among end users of the benefits of working within the security architecture.

Our process-driven lifecycle approach to enterprise-wide information risk management relies on the principles of monitoring, detection and response to the ever-changing vulnerabilities in and threats to the hardware products, operating systems and applications that comprise every network system. We designed our SAFEsuite family of products to enable an organization to centrally define and manage an information risk policy for its existing network system infrastructure, including all Internet protocol-enabled devices. Our solutions provide the ability to visualize, measure and analyze real-time security vulnerabilities and control threats across the entire enterprise computing infrastructure, keeping the organization's information technology personnel informed of changing risk conditions and automatically making adjustments as necessary.
Through custom policies or by using our "best practice" templates, our customers can minimize security risks without closing off their networks to the benefits of open computing environments and the Internet. Our solutions reach beyond the traditional approaches to network security that rely on the use of passive point tools and are predicated on a proactive, risk management-based approach to enterprise security that links security practice and security policy through a continuous improvement process. Our solution is to:

- continuously monitor network, system and user activity and configure devices, systems and applications on the network;
- detect security risks in network traffic and within systems;
- respond to security threats to minimize risks; and
- analyze and report dynamic risk conditions and response actions and update security policies.

Comprehensive Enterprise Security Solution

We combine the above principles with our extensive knowledge of network, system and application vulnerabilities and threats to provide scalable security solutions. Our SAFEsuite family of products provides a comprehensive network and system security framework. In addition, we sell our products individually as solutions for a particular function. We also offer a broad range of professional services to assist in the development and enforcement of an effective security policy and to facilitate the deployment and use of our software. Our software products operate with a broad range of platforms and complement the products of leading security and network management vendors. They provide a single point of management and control for an enterprise-wide security policy. In this manner, our SAFEsuite family of products serves as a critical enhancement to traditional passive point tools, such as encryption, firewalls and authentication.
We have designed our products to be easily installed, configured, managed and updated by a system administrator through an intuitive graphical user interface without interrupting or affecting network operation. The software automatically identifies systems and activities that do not comply with a customer's policies, and provides a critical feedback mechanism for adjusting the security levels of networked systems based upon its findings. Our products generate easy-to-understand reports ranging from executive-level trend analysis to detailed step-by-step instructions for eliminating security risks.

The X-Force

Because there are few information technology professionals specifically trained in network and system security issues, we have assembled a senior research and development team composed of security experts who are dedicated to understanding new vulnerabilities and real-time threats and attacks, and developing solutions to address these security issues. The team is known in the industry as the "X-Force" and represents one of our competitive advantages. Because of the collective knowledge and experience of the members of the X-Force, we believe that they comprise one of the largest and most sophisticated groups of information technology security experts currently researching vulnerability and threat science. Organizations such as CERT (Computer Emergency Response Team), the FBI and leading technology companies routinely consult the X-Force on network security issues. Through the X-Force, we maintain a proprietary and comprehensive knowledge base of computer exploits and attack methods, including what we believe is the most extensive publicly available collection of Windows NT and Windows 2000 vulnerabilities and threats in existence. To respond to an ever-changing risk profile, the X-Force continually updates this knowledge base with the latest network vulnerability information, which aids in the design of new products and product enhancements.
STRATEGY

Our objective is to be the leader in security management for the Internet. This means providing information risk management systems that proactively protect the integrity and security of enterprise-wide information systems from vulnerabilities, misuse, attacks and other information risks. This is regardless of whether the system is run "in-house" by the management information systems organization or is outsourced to ISS for remote 24-by-7 management and monitoring. We focus on developing innovative and automated software and service solutions to provide customers with a comprehensive framework for protecting their networks and systems by monitoring for vulnerabilities and real-time threats. Our solutions allow customers to enforce "best practice" network and system security policies. Key elements of our strategy include:

Continue Our Leadership Position in Security Technology

We intend to maintain and enhance our technological leadership in the enterprise security market by hiring additional network and Internet security experts, broadening our proprietary knowledge base, continuing to invest in product development and product enhancements and acquiring innovative companies and technologies that complement our solutions. By remaining independent of other providers of system software, applications and hardware and by solidifying our position as a best-of-breed provider of monitoring, detection and response software, we believe that customers and potential customers will view us as the firm of choice for establishing and maintaining effective security practices and policies.

Strive for Leadership in Managed Security Services

During 1999, we extended our market leadership position with the acquisition of Netrex, Inc., a pioneer and leading provider of remote security monitoring services.
The Managed Security Services (MSS) we acquired are designed for businesses that need security but do not have the time, internal resources or expertise to effectively protect networked systems and information through an in-house solution. This acquisition enables us to deliver end-to-end security management solutions by extending our market-leading SAFEsuite security management platform into around-the-clock managed services. In return, our customers now can entrust their security to ISS experts who monitor and manage their networks 24 hours a day, seven days a week, 365 days a year. International Data Corp. (IDC) projects that demand for managed security services will reach more than $1.4 billion annually by 2004, with a compounded growth rate of 24 percent. As network-based business operations have penetrated the economy, security management has come to be viewed as an essential system on the network, just as network and systems management and storage management are today. We're poised to take advantage of this inevitability.

Expand Domestic Sales Channels

We intend to increase the distribution and visibility of our products by expanding our regional direct sales program and increasing our market coverage through the establishment of additional indirect channels with key managed service providers, Internet service providers, systems integrators, resellers, OEMs and other channel partners. We believe that a multi-channel sales approach will build customer awareness of the need for our products and enable us to more rapidly build market share across a wide variety of industries.

Enhance and Promote Professional Services Capabilities

We aim to establish long-term relationships with our customers by serving as a "trusted advisor" in addressing network security issues. To continue to fulfill this responsibility to our customers, we are expanding our professional services capabilities.
These capabilities will allow us to increase the return on investment we've made in standardizing on ISO 17799. As previously mentioned, ISO 17799 is a blueprint for wrapping various interpretations of information security policy management into one unified methodology. It is our customer life cycle methodology, built on this standard, that permeates our approach to providing total solutions to our customers and provides them with effective information risk management solutions. By providing professional services, we also can heighten customer awareness about network security issues, which creates opportunities for us to sell new products or product enhancements to our existing customers.

Expand International Operations

We plan to continue to aggressively expand our international operations to address the rapid global adoption of distributed computing environments. Many foreign countries do not have laws recognizing network intrusion or misuse as a crime or the resources to enforce such laws if they do exist. As a consequence, we believe that organizations in such countries will have greater need for effective security solutions. We currently maintain international offices in Australia, Belgium, Brazil, Canada, Egypt, England, France, Germany, Italy, Japan, Mexico, the Netherlands, the Philippines, Spain, Sweden and Switzerland and plan to expand in those regions where businesses, governments and other institutional users are using distributed networks and the Internet for their mission-critical needs.

SAFESUITE FAMILY OF PRODUCTS

The SAFEsuite family of products applies our information security methodology through a flexible architecture that integrates with existing security and network system infrastructures. Our SAFEsuite products enhance the effectiveness of passive point tools by monitoring them for threats and vulnerabilities and responding with actions that align customers' security practices and policies.
SAFEsuite complements network and security management frameworks by providing information required for informed decisions to minimize security risks while maintaining the desired level of network functionality. Thus, our products provide a risk management-based approach to security with scalable deployment of best-of-breed products and integrated enterprise-wide implementations. The SAFEsuite product architecture includes a policy management interface that lets customers choose among "best practice" templates or policies that establish the acceptable level of risk appropriate for their networks. Our individual products then automatically verify compliance with the chosen policy in terms of actual system configuration and network activity. Graphical reports describe the deviations from the established policy, including the measures required to reduce the risk. This product architecture allows all the SAFEsuite technologies to connect directly into common standards, providing comprehensive security reports for the entire enterprise. To ensure communication confidentiality between individual SAFEsuite components and to prevent their misuse, SAFEsuite components use industry-standard encryption algorithms, which have become de facto encryption standards, among other encryption technologies. The SAFEsuite Security Knowledge Base, a database containing information about the devices and security risks on a customer's network, utilizes an open database connectivity, or ODBC, interface and allows customers to select their preferred database such as Informix, Microsoft SQL Server, Oracle, Sybase or any ODBC-compliant database for data storage. The various SAFEsuite products consolidate security data, enabling users to quickly determine their risk profiles and respond. In addition, SAFEsuite products provide automated decision support by assessing priorities and providing a graphical representation of important security risk data sets.
This feature allows key decision-makers to prioritize their program strategies for effective deployment of resources to minimize security risks. Each SAFEsuite product can be deployed as a stand-alone, best-of-breed solution to meet the needs of the local administrator or departmental user. Enterprise-level users can analyze security risk conditions for the entire network through support for remote, multi-level management consoles and the SAFEsuite Security Knowledge Base. The SAFEsuite Security Knowledge Base allows the customer to address vulnerabilities and threats, thereby minimizing network security risk and associated costs. SAFEsuite's frequent updates integrate the latest identified security vulnerabilities and threats into the operations of an existing product installation.

Internet Scanner

Internet Scanner quickly identifies security vulnerabilities in a network and non-compliance with security policy, plus provides appropriate information for correcting these potential security exposures, through automated and comprehensive network security vulnerability detection and analysis. Internet Scanner scans and detects vulnerabilities, prioritizes security risks and generates an array of meaningful reports ranging from executive-level trend analysis to detailed step-by-step instructions for eliminating security risks. Scans may be as simple as determining the basic computing services available on the network or as comprehensive as a thorough testing using the full range of Internet Scanner's vulnerability database. The product uses Smart Scan, a technique that uses the results of prior scans, as well as current scans of other devices, to provide a more thorough investigation of each device. After completing their scans, the Internet Scanner modules return lists of discovered vulnerabilities and prepare in-depth reports to assist administrators with follow-up and review.
System Scanner

System Scanner serves as a security assessment system that helps manage security risks through comprehensive detection and analysis of operating system, application and user-controlled security weaknesses. System Scanner identifies potential security risks by comparing security policy with actual host computer configurations. Routine reviews of these records help identify damaged or maliciously altered systems before they become a security or performance liability. System Scanner augments its automated policy compliance testing with an extensive database of vendor patches and other system enhancements.

Database Scanner

Database Scanner provides security risk assessment for database management systems. Database Scanner allows a user to establish a database security policy, audit a database and present a database's security risks and exposures in easy-to-read reports. Database Scanner develops, implements and maintains appropriate database system security strategies, policies and procedures.

Online Scanner

Online Scanner is the world's first security management application for protecting online transactions. Based on our SAFEsuite security management platform, Online Scanner performs security checkups for home users, helping them to protect their systems against data loss or corruption due to malicious attack. Simple instructions guide users through identifying and correcting potential security risks.

RealSecure

RealSecure is a powerful, automated, real-time intrusion protection system for computer networks and hosts. RealSecure provides unobtrusive, continuous surveillance, intercepting and responding to security breaches and network abuse before systems are compromised. RealSecure provides effective intrusion protection solutions by offering diversified sensors and management consoles.

RealSecure Network Sensor.
RealSecure Network Sensor runs on a dedicated system that monitors network traffic for attack signatures -- definitive identifiers that an intrusion is underway. Attack recognition, incident response, and intrusion prevention occur immediately, with full customization of signatures and response capabilities.

RealSecure Server Sensor. RealSecure Server Sensor performs real-time intrusion monitoring, detection, and prevention of malicious activity by analyzing kernel-level events, host logs, and network activity on critical servers. Server Sensors monitor, detect, and prevent intrusions with Packet Interception, Firecell blocking capability, and Secure Logic event fusion correlation filtering.

RealSecure OS Sensor. RealSecure OS Sensor provides real-time log-file monitoring and analysis. As with the RealSecure Network Sensor, the OS Sensor recognizes and responds to attack signatures, and additionally monitors unused ports for suspicious activity. The OS Sensor also provides full customization of signatures and response capabilities.

RealSecure for Nokia. RealSecure for Nokia is an appliance-style intrusion detection sensor designed for easy deployment, featuring a hardened operating system, plug and play technology and excellent performance.

RealSecure Workgroup Manager. RealSecure Workgroup Manager provides centralized management, configuration, reporting, and real-time alarming for all RealSecure Sensors. RealSecure also includes plug-in management modules for HP OpenView and Tivoli Enterprise Software.

SAFEsuite Decisions

SAFEsuite Decisions provides information security decision support services that consolidate and simplify the task of maintaining complex information security implementations across an enterprise network environment. SAFEsuite Decisions integrates critical security data generated by our Internet Scanner, System Scanner, RealSecure and third-party firewalls, into a closed, automated feedback loop.
This information is condensed into a comprehensive reporting system, enabling timely, focused and informed decisions for effective information risk management. By automating the process of collecting, collating, correlating and analyzing data generated by multiple information security engines and applications, SAFEsuite Decisions enables managers and administrators to focus security resources where they are needed most.

SAFEsuite Events

SAFEsuite Events provides real-time data collection and rapid tactical analysis of critical security events for enterprise network environments. Designed to work in tandem with RealSecure, our market leading intrusion detection and response system, SAFEsuite Events filters intrusion data from multiple sensors on multiple networks, removes low priority alerts and false positives, and presents the most urgent situations in easily understood online and print reports. SAFEsuite Events is an automated, 24x7 security event management solution. Its advanced data collection and analysis technology removes the need for manual event analysis, greatly accelerating response time and improving overall security staff efficiency.

MANAGED SECURITY SERVICES

We provide comprehensive managed security services, or MSS, for organizations without a compelling reason to develop an in-house information security solution. MSS allows a company to start with basic security needs at low cost, then expand as the business grows. Since the security infrastructure is dispersed across a large managed services customer base, monthly security costs are minimized while each aspect of the enterprise is secured against attack and misuse in accordance with the customer's security policy. MSS ensures that online assets are being properly protected. MSS is analogous to outsourced security, offering unique advantages that make it an attractive resource for online business operations.
Instead of separate vendors for security consulting services, firewalls, antivirus and intrusion detection, MSS combines these basic business necessities with thorough information security analysis to deliver a complete, customized information security solution. Our unique Web-based management console allows client oversight of all security operations, plus rapid response to changing network conditions.

PROFESSIONAL SERVICES

We enhance the value of our products by offering professional services to assure customers' success in establishing, implementing and maintaining their security policy, including consulting and educational services.

Consulting Services

We have network security professionals ready to assist customers with their particular security policy development and enforcement needs. Our consulting services can range from providing network security resources for overburdened information technology departments to conducting investigations of serious breaches in security. Our offerings include:

- Information Security Analysis and Assessment -- Includes enterprise security audits, enterprise security assessment and strategy workshops and risk assessment analysis

- Information Security Design Services -- Includes security policy and configuration guideline development; information security architecture design; and risk management process integration

- Information Security Deployment Services -- Establish and review security policies; security deployment strategy workshop; hands-on training and assistance with deployment and use of ISS' SAFEsuite products; and enterprise deployment of ISS' SAFEsuite solutions throughout an enterprise-level organization.

- Emergency Response Services -- subscription service that helps customers avoid security breaches while helping them prepare in case they do experience a break-in.

Education

We complement our service offerings with a full range of training and certification programs.
These programs include courses in the fundamentals of security and networking, vulnerability management, threat management and intrusion detection, public key infrastructures, firewalls and others. Each course offers the option of certification via standardized examinations. Our courses are available worldwide at our in-house education centers, through approved training centers, as well as our customer sites with our mobile training labs. These classes address planning, installation and basic operation of our products in a hands-on, interactive environment. For more advanced needs, our ISS Certified Engineer training courses cover advanced topics specific to each SAFEsuite or SAFEsuite Enterprise product. Our training goes beyond simple "how to" exercises. Upon completion of instructor-led discussions and exercises, students respond to actual, on-the-job scenarios. These simulations allow students to apply their new skills to real-world situations, reinforcing both basic and advanced skills. Our training courses encompass the complete life cycle of our SAFEsuite products, from installation and operations to advanced troubleshooting.

PRICING

We use a range of fee structures to license our products, depending on the type of product and the intended use. We license our vulnerability detection products, Internet Scanner, System Scanner and Database Scanner, based on the number of devices being scanned. The pricing scheme is scalable, providing low entry points for departmental users without limiting our revenue potential from customers with large networks. Pricing for our threat detection products, RealSecure Engine and RealSecure Agent, is based on the number of engines deployed on the network. Thus, licensing fees for our products are ultimately determined by the size of the customer's network, as size dictates the number of devices to be scanned or the number of engines to be deployed. Enterprise management solutions also generate revenue for the Company.
SAFEsuite Decisions is licensed by the size of the deployment and number of data sources. It scales to meet the needs of large security deployments and represents a follow-on revenue opportunity for customers with multiple security technologies. In addition to license fees, customers virtually always purchase maintenance agreements in conjunction with their initial purchase of a software license, with annual maintenance fees typically equal to 20% of the product's license fee. Maintenance agreements include annually renewable telephone support, product updates, access to our X-Force Security Alerts and error corrections. Our continuing research into new security risks and resulting product updates provide significant ongoing value. We provide customers with a regular stream of security updates, known as X-Press Updates, as part of this maintenance agreement. X-Press Updates serve to keep our products up to date with the latest vulnerabilities and threats that are present in Internet environments. As a result, a substantial majority of our customers renew their maintenance agreements. Customers who use our products to provide information technology consulting services have license agreements that are based on a revenue sharing model. We have historically sold fully-paid perpetual licenses with a renewable annual maintenance fee and, more recently, have licensed our products on a subscription basis, including maintenance, for one or two year periods and are exploring other alternatives for customers desiring longer term arrangements or multi-year commitments. Monitoring fees for managed security services are determined by the complexity of the monitoring arrangement and by the number of devices being monitored. The pricing scheme is scalable allowing for customers to start with basic security monitoring services and expand as the business grows. 
Our consulting services fees are calculated either on a fixed-fee basis or an hourly standard rate per consultant and discounted based on the scope of the engagement, market sector and geographical territory. Educational services are calculated on a per-class basis.

PRODUCT DEVELOPMENT

We developed our SAFEsuite products to operate in heterogeneous computing environments. Products are compatible with other vendors' products across a broad range of platforms, including HP-UX, IBM AIX, Linux, SGI IRIX, SunOS, Sun Solaris, Microsoft Windows 95/98 and Microsoft Windows NT. We have incorporated a modular design in our products to permit plug-and-play capabilities, although customers often use our professional services or our strategic partners to install and configure products for use in larger or more complex network systems.

We employ a three-pronged product development strategy to achieve our goal of providing the most comprehensive security coverage within the monitoring, detection and response market. First, we provide regular security updates to our products that are based on our vulnerability and threat database. These updates are usually provided as part of separate maintenance agreements sold with the product license. Second, we continue to develop best-of-breed security products to address particular network configurations. Such new products, and our existing products like Internet Scanner, System Scanner and RealSecure, are updated approximately every four to six months to add new features and improve functionality. Third, to complement our existing products and provide more comprehensive network security coverage, we are expanding our existing SAFEsuite products by developing additional enterprise-level products. These products will allow customers to protect their networks by continuously measuring and analyzing the status of their network's security, and by monitoring and controlling the security risks in real time across the enterprise network.
These SAFEsuite enterprise products will operate with our existing products, allowing modular implementation.

Expenses for product development were $9.7 million, $20.4 million, and $31.3 million in 1998, 1999, and 2000, respectively. All product development activities are conducted at either our principal offices in Atlanta, or at our research and development facilities in Sunnyvale, California, Southfield, Michigan and Reading, England. At December 31, 2000, 306 personnel were employed in product development teams. Our personnel include members of the Computer Security Institute, Forum for Incident Response and Security Technicians (FIRST), Georgia Tech Industrial Partners Association, Georgia Tech Information Security Center and the International Computer Security Association (ICSA), enabling us to actively participate in the development of industry standards in the emerging market for network and Internet security systems and products.

CUSTOMERS

As of December 31, 2000, we had licensed versions of our SAFEsuite family of products to over 8,000 customers. No customer accounted for more than 10% of our consolidated revenues in 1998, 1999 or 2000. Our target customers include both public and private sector organizations that utilize Internet protocol-enabled information systems to facilitate mission-critical processes in their operations. Our customers represent a broad spectrum of organizations within diverse sectors, including financial services, technology, telecommunications, government and information technology services.

SALES AND MARKETING

Sales Organization

Our sales organization is divided regionally among the Americas, Europe and the Asia/Pacific regions. In the Americas, we market our products primarily through our direct sales organization augmented by our indirect channels, including security consultants, resellers, OEMs and systems consulting and integration firms.
The direct sales organization for the Americas consists of regionally based sales representatives and sales engineers and a telesales organization located in Atlanta. We maintain a number of domestic sales offices in various cities throughout the United States and in Canada and Mexico. A dedicated group of professionals in our Atlanta headquarters covers Latin America. As of December 31, 2000, we employed approximately 344 people in the Americas direct sales and professional services organization. The regionally based direct sales representatives focus on opportunities with large organizations. Included as part of the sales organization is a channel management group that drives incremental revenue through selected partners and acts as the liaison between the direct sales representatives and the channel partners.

In Europe and the Asia/Pacific region, the substantial portion of our sales occurs through authorized resellers. Internationally we have established regional sales offices in several countries in Europe as well as in Brazil, Egypt, Australia and Japan. Personnel in these offices are responsible for market development, including managing our relationships with resellers, assisting them in winning and supporting key customer accounts, acting as a liaison between the end user and our marketing and product development organizations, and providing consulting and training services. As of December 31, 2000, approximately 285 employees were located in our European and Asia/Pacific regional offices. We expect to continue to expand our field organization into additional countries in these regions.

Security Partners Program

We have established a Security Partners Program to train and organize security consulting practices, Internet service providers, systems integrators and resellers to match our products with their own complementary products and services.
By reselling SAFEsuite products, our partners provide additional value for specific market and industry segments, while maintaining our ongoing commitment to quality software and guaranteed customer satisfaction. We have established three different levels of partnership opportunities:

- Premier Partners. Premier Partners are value-added resellers and systems integrators with focused security practices. Many Premier Partners are experienced in the sales and implementation of leading firewall technology, as well as authentication and encryption technologies. These partners leverage their expertise with our vulnerability assessment and intrusion detection products. Premier Partners receive direct distribution of our products, sales training, financial incentives, access to our Web site for placing orders and partner-only communications, including a link to the ISS Partner Web site.

- Authorized Partners. Authorized Partners generally consist of organizations that provide security-focused consulting services, but elect not to commit to the minimum annual purchase commitments and entry fees applicable to Premier Partners. Authorized Partners may purchase products directly from us and may access our Web site to place orders and receive partner-only communications.

- Registered Partners. Unlike Premier Partners and Authorized Partners, Registered Partners are not required to maintain an ISS Certified Engineer on their staffs. Registered Partners receive re-seller only communications and may purchase products directly from us, including through our online Web order system.

Marketing Programs

We conduct a number of marketing programs to support the sale and distribution of our products. These programs are designed to inform existing and potential end-user customers, OEMs and resellers about the capabilities and benefits of our products.
Marketing activities include:

- press relations and education;
- publication of technical and educational articles in industry journals and our on-line magazine, ISS Alert;
- participation in industry tradeshows;
- product/technology conferences and seminars;
- competitive analysis;
- sales training;
- advertising and development and distribution of marketing literature; and
- maintenance of our Web site.

A key element of our marketing strategy is to establish our products and information security methodology as the leading approach for enterprise-wide security management. We have implemented a multi-faceted program to leverage the use of our SAFEsuite product family and Managed Security Services to increase their acceptance through relationships with various channel partners:

- Strategic Resellers. Although we have numerous resellers, certain of these relationships have generated significant leverage for us in targeted markets. Our strategic resellers, which include EDS, IBM, Lucent, Siemens and Softbank, provide broad awareness of our brand through enhanced marketing activity, access to large sales forces, competitive control points and access to larger strategic customer opportunities.

- Consultants. The use of our products by security consultants not only generates revenue from the license sold to the consultant, but also provides us with leads to potential end users with a concern for network security. Consultants who have generated substantial leads for our sales organization include Accenture, Arthur Andersen, Deloitte Touche Tohmatsu International, Ernst & Young, IBM, KPMG, PricewaterhouseCoopers and SAIC Global Integrity.

- OEMs. A number of vendors of security products, including Check Point, Entrust, Lucent and Nortel, have signed OEM agreements with us. These agreements enable OEMs to incorporate our products into their own product offerings to enhance their security features and functionality.
We receive royalties from OEM vendors and increased acceptance of our products under these arrangements, which, in turn, promote sales of our other products to the OEM's customers.

We typically enter into written agreements with our strategic resellers, consultants, managed service providers, Internet service providers and OEMs. These agreements generally do not provide for firm dollar commitments from the strategic parties, but are intended to establish the basis upon which the parties will work together to achieve mutually beneficial objectives.

CUSTOMER SERVICE AND SUPPORT

We provide ongoing product support services under license agreements. Maintenance contracts are typically sold to customers for a one-year term at the time of the initial product license and may be renewed for additional periods. Under our maintenance agreements with our customers, we provide, without additional charge, telephone support, documentation and software updates and error corrections. Customers that do not renew their maintenance agreements but wish to obtain product updates and new version releases are generally required to purchase such items from us at market prices. In general, major new product releases come out annually, minor updates come out every four to six months and new vulnerability and threat checks come out every two to four weeks. Customers with current maintenance agreements may download product updates from our Web site.

We believe that providing a high level of customer service and technical support is necessary to achieve rapid product implementation, which, in turn, is essential to customer satisfaction and continued license sales and revenue growth. Accordingly, we are committed to continued recruiting and maintenance of a high-quality technical support team. We provide telephone support to customers who purchase maintenance agreements along with their product license.
A team of dedicated engineers trained to answer questions on the installation and usage of the SAFEsuite products provides telephone support worldwide, 24 hours a day, seven days a week (including holidays), from our corporate office in Atlanta. In the United States and internationally, our resellers provide telephone support to their customers with technical assistance from us. For our managed services security solutions, customer support is available in several offerings up to 24 hours a day, seven days a week for customers electing this coverage. Support is offered via phone, email or secure web form and includes access to an online knowledge base as well as direct contact with qualified support personnel.

COMPETITION

The market for information security, including monitoring, detection and response solutions and managed security services is intensely competitive, and we expect competition to increase in the future. We believe that the principal competitive factors affecting the market for information security include security effectiveness, manageability, technical features, performance, ease of use, price, scope of product offerings, professional services capabilities, distribution relationships and customer service and support. Although we believe that our solutions generally compete favorably with respect to such factors, we cannot guarantee that we will compete successfully against current and potential competitors, especially those with greater financial resources or brand name recognition.

PROPRIETARY RIGHTS AND TRADEMARK ISSUES

We rely primarily on copyright and trademark laws, trade secrets, confidentiality procedures and contractual provisions to protect our proprietary rights. We have obtained one United States patent and have a patent application under review.
We also believe that the technological and creative skills of our personnel, new product developments, frequent product enhancements, our name recognition, our professional services capabilities and delivery of reliable product maintenance are essential to establishing and maintaining a technology leadership position. We cannot assure you that our competitors will not independently develop technologies that are similar to ours. We generally license our SAFEsuite products to end users in object code (machine-readable) format. Certain customers have required us to maintain a source-code escrow account with a third-party software escrow agent, and a failure by us to perform our obligations under any of the related license and maintenance agreements, or our insolvency, could result in the release of our product source code to such customers. The standard form license agreement for our software products allows the end user to use our SAFEsuite products solely on the end user's computer equipment for the end user's internal purposes, and the end user is generally prohibited from sublicensing or transferring the products. Despite our efforts to protect our proprietary rights, unauthorized parties may attempt to copy aspects of our products or to obtain and use information that we regard as proprietary. Policing unauthorized use of our products is difficult. While we cannot determine the extent to which piracy of our software products occurs, we expect software piracy to become a persistent problem. In addition, the laws of some foreign countries do not protect our proprietary rights to as great an extent as do the laws of the United States and many foreign countries do not enforce these laws as diligently as U.S. government agencies and private parties. 
Internet Security Systems, Internet Scanner, System Scanner, Database Scanner, Online Scanner, RealSecure, ADDME, X-Force, X-Press Updates, ActiveAlert, FlexCheck, SecureLogic, SecurePartner, and SecureU are trademarks and service marks, and SAFEsuite is a registered trademark, of Internet Security Systems, Inc. Other trademarks and trade names mentioned are marks and names of their owners as indicated.

EMPLOYEES

As of December 31, 2000, we had 1,183 employees, of whom 306 were engaged in product research and development, 328 were engaged in sales, 152 were engaged in customer service and support, 222 were engaged in professional services, 53 were engaged in marketing and business development and 122 were engaged in administrative functions. We believe that we have good relations with our employees.

ITEM 2. PROPERTIES

In November 1999 we signed an eleven and one-half year lease for a new Atlanta headquarters and research and development facility. This new facility consists of approximately 240,000 square feet that we began occupying in varying phases beginning in November 2000. Annual minimum payments under the lease increase as occupied space increases, with total minimum payments due under the lease of approximately $64 million over the lease term.

We lease additional office space in Chicago, Illinois; Sunnyvale, California; Southfield, Michigan; Denver, Colorado; New York City, New York; San Francisco, California; and Washington, D.C., as well as small executive suites in several United States cities. In addition, we lease office space in Brussels, Belgium; London and Reading, England; Paris, France; Stuttgart, Germany; Warsaw, Poland; Stockholm and Helsingborg, Sweden; Milan and Padova, Italy; Madrid, Spain; The Netherlands; Sydney, Australia; Manila, Philippines; and Tokyo, Japan.

We believe that our existing facilities and our upcoming new headquarters are adequate for our current needs and that additional space will be available as needed.

ITEM 3.
LEGAL PROCEEDINGS

From time to time we are involved in litigation relating to claims arising in the ordinary course of business. We are not presently involved in any material legal proceedings.

ITEM 4. SUBMISSION OF MATTERS TO A VOTE OF SECURITY HOLDERS

No matter was submitted to a vote of our shareholders during the fourth quarter of 2000.

PART II

ITEM 5. MARKET FOR REGISTRANT'S COMMON EQUITY AND RELATED STOCKHOLDER MATTERS

Our Common Stock is quoted on the Nasdaq National Market under the symbol "ISSX". The following table lists the high and low per share sales prices for the Common Stock as reported by the Nasdaq National Market for the periods indicated (prices have been adjusted for the 2-for-1 stock split in May 1999):
2000:                     HIGH       LOW
First Quarter          $141.00    $46.25
Second Quarter          116.00     58.00
Third Quarter           108.75     51.13
Fourth Quarter          102.94     58.81
1999:                     HIGH       LOW
First Quarter           $46.25    $22.19
Second Quarter           45.00     20.13
Third Quarter            40.63     20.00
Fourth Quarter           71.13     26.25
As of March 22, 2001, there were 42,924,774 shares of our Common Stock outstanding held by 302 stockholders of record.

We have not declared or paid cash dividends on our capital stock during the last two years. We currently intend to retain any earnings for use in our business and do not anticipate paying any cash dividends in the foreseeable future. Our Board of Directors will determine future dividends, if any.

During 1998, we issued 277,500 shares of our Common Stock to employees and a director pursuant to exercises of stock options, with exercise prices ranging from $0.075 to $3.50 per share, principally under the Company's Restated 1995 Stock Incentive Plan, which were deemed exempt from registration under Section 5 of the Securities Act of 1933 in reliance upon Rule 701 thereunder. The recipients of securities in each such transaction represented their intentions to acquire the securities for investment only and not with a view to, or for sale in connection with, any distribution thereof and appropriate legends were affixed to the share certificates issued in each such transaction.

We issued 2,444,174 shares of our Common Stock as consideration for all the issued and outstanding stock of Netrex, Inc. on August 31, 1999. We also issued 141,479 shares of our Common Stock in September 1999 as consideration for all the issued and outstanding stock of NJH Security Consulting, acquired by us in September 1999. As part of the terms of these acquisitions, we filed a shelf registration statement in October 1999 on Form S-3 covering 723,987 shares issued in connection with the acquisitions of Netrex and NJH.

In August 2000, we issued 29,100 shares of our Common Stock as consideration for all of the issued and outstanding stock of privately held ISYI of Padova, Italy. These shares were issued in a transaction exempt from registration under the Securities Act of 1933.

ITEM 6.
SELECTED CONSOLIDATED FINANCIAL DATA

The financial data set forth below for each of the three years in the period ended December 31, 2000, and as of December 31, 1999 and 2000 has been derived from the audited consolidated financial statements appearing elsewhere in this Annual Report on Form 10-K. The financial data for the years ended December 31, 1996 and 1997, and as of December 31, 1996, 1997 and 1998, has been derived from audited financial statements not included herein.
                                                                 YEAR ENDED DECEMBER 31,
                                                          1996      1997      1998      1999      2000
(AMOUNTS IN THOUSANDS, EXCEPT PER SHARE AMOUNTS)

CONSOLIDATED STATEMENT OF OPERATIONS DATA:
Revenues:
  Product licenses and sales                            $6,503   $16,074   $36,908   $74,050  $119,703
  Subscriptions                                          1,077     4,488    12,037    24,141    41,706
  Professional services                                  1,945     4,863     8,143    18,296    33,566
                                                       -------   -------   -------   -------   -------
                                                         9,525    25,425    57,088   116,487   194,975
Costs and expenses:
  Cost of revenues                                       2,948     7,275    19,951    37,700    59,424
  Research and development                               1,225     3,855     9,655    20,412    31,316
  Sales and marketing                                    4,549    14,096    25,998    43,124    68,032
  General and administrative                             1,704     3,668     6,557     9,230    14,481
  Amortization                                              --        --       230       992     1,153
  Charges for in-process research and development           --        --       802        --        --
  Merger costs                                              --        --        --     2,329        --
                                                       -------   -------   -------   -------   -------
                                                        10,426    28,894    63,193   113,787   174,406
                                                       -------   -------   -------   -------   -------
Operating income (loss)                                  (901)   (3,469)   (6,105)     2,700    20,569
Interest income, net                                        28       163     2,274     5,902     8,415
Foreign currency exchange loss                              --        --        --     (136)     (331)
                                                       -------   -------   -------   -------   -------
Income (loss) before income taxes                        (873)   (3,306)   (3,831)     8,466    28,653
Provision for income taxes                                  --        --        62       976    10,338
                                                       -------   -------   -------   -------   -------
Net income (loss)                                       $(873)  $(3,306)  $(3,893)    $7,490   $18,315
Basic net income (loss) per share(1)                   $(0.05)   $(0.18)   $(0.12)     $0.19     $0.44
Diluted net income (loss) per share(1)                 $(0.05)   $(0.18)   $(0.12)     $0.17     $0.41
Weighted average shares:(2)
  Basic                                                 18,276    18,399    32,351    39,996    41,892
  Diluted                                               18,276    18,399    32,351    43,691    45,099
Unaudited pro forma net loss per share(1)                        $(0.11)   $(0.11)
Unaudited weighted average shares used in
  unaudited pro forma net loss per share
  calculation(1)                                                  29,873    34,963
                                                                      DECEMBER 31,
                                                          1996      1997      1998      1999      2000
(IN THOUSANDS)

CONSOLIDATED BALANCE SHEET DATA:
Cash and cash equivalents                               $2,051    $4,174   $53,056   $70,090   $66,210
Working capital                                          2,403     1,523    53,157   127,135   145,133
Total assets                                             5,931    13,816    84,724   184,845   240,240
Redeemable, convertible preferred stock                  3,614     8,878        --        --        --
Stockholders' equity (deficit)                           (620)     4,468    66,505   155,153   188,389
---------------
(1) Computed on the basis described in Note 1 of Notes to Consolidated Financial Statements.
(2) See Note 10 of Notes to Consolidated Financial Statements for the determination of shares used in computing basic and diluted net income per share.

ITEM 7. MANAGEMENT'S DISCUSSION AND ANALYSIS OF FINANCIAL CONDITION AND RESULTS OF OPERATIONS

The following discussion should be read in conjunction with the Consolidated Financial Statements and related Notes thereto included elsewhere in this document. Except for the historical financial information, the matters discussed in this document may be considered "forward-looking" statements. Such statements include declarations regarding our intent, belief or current expectations. Such forward-looking statements are not guarantees of future performance and involve a number of risks and uncertainties. Actual results may differ materially from those indicated by such forward-looking statements as a result of certain factors, including, but not limited to, those set forth under the "Risk Factors" heading below.

OVERVIEW

We are a leading global provider of security management solutions for protecting digital business assets. Our continuous lifecycle approach to information security protects distributed computing environments, such as internal corporate networks, inter-company networks and electronic commerce environments, from attacks, misuse and security policy violations, while ensuring the confidentiality, privacy, integrity and availability of proprietary information. We deliver an end-to-end security management solution through our SAFEsuite security management platform coupled with around-the-clock remote security monitoring through our managed services offerings.
Our SAFEsuite family of products is a critical element of an active Internet and networking security program within today's world of global connectivity, enabling organizations to proactively monitor, detect and respond to risks to enterprise information. Our managed services offerings currently provide remote management of the industry's best-of-breed security technology including firewalls, VPNs, anti-virus and URL filtering software, security assessment and intrusion detection systems. We focus on serving as the trusted security provider to our customers by maintaining within our existing products the latest counter-measures to security risks, creating new innovative products based on our customers' needs and providing professional and managed services. We generate a majority of our revenues from our SAFEsuite family of products in the form of perpetual licenses and subscriptions, and sales of best-of-breed technology products developed by our partners. We recognize perpetual license revenues from ISS developed products upon delivery of software or, if the customer has evaluation software, delivery of the software key and issuance of the related license, assuming that no significant vendor obligations or customer acceptance rights exist. Where payment terms are extended over periods greater than 12 months, revenue is recognized as such amounts are billable. Product sales consist of (i) appliances sold in conjunction with ISS licensed software and (ii) software developed by third party-partners, combined in some instances with associated hardware appliances and partner maintenance services. These sales are recognized upon shipment to the customer. Annual renewable maintenance is a separate component of each perpetual license agreement for ISS products with revenue recognized ratably over the maintenance term. Subscription revenues include maintenance, term licenses, and managed service arrangements. 
Term licenses allow customers to use our products and receive maintenance coverage for a specified period, generally 12 months. We recognize revenues from these term agreements ratably over the subscription term. Security monitoring services of information assets and systems are part of managed services and are recognized as such services are provided.

Professional services revenues include consulting services and training. Consulting services, typically billed on a time-and-materials basis, assist in the successful deployment of our products within customer networks, the development of customers' security policies and the assessment of security policy decisions. We recognize such professional services revenues as the related services are rendered.

We believe that our total solutions approach will grow all of our revenue categories. This includes our products and managed services offerings, as well as maintenance and professional services and training. While we expect the expansion of these product and service offerings to originate primarily from internal development, our strategy includes acquiring products, technologies and service capabilities that fit within our strategy and that potentially accelerate the timing of the commercial introduction of such products and technologies. Over the last 24 months, we have made four different acquisitions, each of which included such products, technologies or service capabilities.

Two of these acquisitions, ISYI and Seguranca Ativa de Redes Internet e Sistemas Ltda ("SARIS") were completed in the third quarter of 2000. ISYI is a leader in advanced network security monitoring services in the Italian market and an early provider of remote security monitoring services.
The ISYI transaction has been accounted for using the pooling-of-interests method; however, this transaction was not material to ISS's consolidated operations and financial position and, therefore, our operating results have not been restated for this transaction. Our operating results include the results of operations of ISYI since the date of acquisition. SARIS was formed in 1999 in order to create and implement a security methodology for the Brazilian market. This transaction has been accounted for using the purchase method of accounting and accordingly our operating results include the results of operations of SARIS since the date of acquisition.

The acquisitions of Netrex, Inc. and NJH Security Consulting were completed in the third quarter of 1999. Founded in 1992 with a current services customer base of more than 500 customers, Netrex was a leading provider of remote security monitoring services of digital assets. NJH Security Consulting includes a technology foundation to provide an outsourced solution for the automatic detection and management of customers' security risks using ISS software solutions. This technology is being incorporated into our managed security service offerings. These transactions were accounted for using the pooling-of-interests method of accounting. Our consolidated financial statements have been restated for all periods presented to include the results of Netrex.

Our business has been growing rapidly. Although we continue to experience significant revenue growth, we cannot assure our stockholders that such growth can be sustained and, therefore, investors should not rely on our past growth as a predictor of future performance.
We expect to continue to expand our domestic and international sales and marketing operations, increase our investment in product development including our proprietary threat and vulnerability database and managed services capabilities, seek acquisition candidates that will enhance our products and market share, and improve our internal operating and financial infrastructure in support of our strategic goals and objectives. All of these initiatives will increase operating expenses. Thus, our prospects must be considered in light of the risks and difficulties frequently encountered by companies in new and rapidly evolving markets. As a result, while we achieved profitability throughout 1999 and in 2000, we cannot be certain that we can sustain such profitability.

RESULTS OF OPERATIONS

The following table sets forth our consolidated historical operating information, as a percentage of total revenues, for the periods indicated:

                                                   YEAR ENDED DECEMBER 31,
                                                   -----------------------
                                                     1998    1999    2000
                                                    -----   -----   -----
Consolidated Statement of Operations Data:
  Product licenses and sales......................   64.6%   63.6%   61.4%
  Subscriptions...................................   21.1    20.7    21.4
  Professional services...........................   14.3    15.7    17.2
                                                    -----   -----   -----
      Total revenues..............................  100.0   100.0   100.0
                                                    -----   -----   -----
Cost of revenues..................................   34.9    32.4    30.5
Research and development..........................   16.9    17.5    16.1
Sales and marketing...............................   45.6    37.0    34.9
General and administrative........................   11.5     7.9     7.4
Amortization......................................    0.4     0.9     0.6
Charge for in-process research and development....    1.4      --      --
Merger costs......................................     --     2.0      --
                                                    -----   -----   -----
      Total costs and expenses....................  110.7    97.7    89.5
                                                    -----   -----   -----
Operating income (loss)...........................  (10.7)    2.3    10.5
                                                    =====   =====   =====

REVENUES

Our total revenues increased from $57.1 million in 1998 to $116.5 million in 1999 and to $195 million in 2000. Historically we have generated most of our revenues from product licenses and sales, which represented 65% in 1998, 64% in 1999 and 61% in 2000.

Revenues from product licenses and sales increased from $36.9 million in 1998 to $74.1 million in 1999 and to $119.7 million in 2000. Product sales are generated both through a direct sales force and through channel partners. When our partners generate sales, revenues are recognized when the end user sale has occurred, which is identified through electronic delivery of a software key that is necessary to operate the product. We continue to add functionality to our SAFEsuite product family, including our vulnerability assessment and intrusion detection products providing both network and host based solutions and our security management applications. In addition, in the second half of 2000, we introduced Nokia RealSecure, an integrated offering of ISS intrusion detection software on a Nokia hardware appliance. These improvements and new offerings provide our customers with more powerful and easier-to-use solutions for security management across the enterprise. In addition to sales of our proprietary software, product licenses and sales include the sales of partner products as a part of our total solution approach whereby we provision such products to provide a single solution source for our customers.

Subscriptions revenue grew from $12.0 million in 1998 to $24.1 million in 1999 and to $41.7 million in 2000, representing 21% of total revenues in these periods. Subscription revenues consist of maintenance, term licenses of product usage and security monitoring fees for managed services offerings.

Professional services revenue increased from $8.1 million in 1998 to $18.3 million in 1999 and to $33.6 million in 2000, increasing from 14% of total revenues in 1998 to 16% in 1999 and to 17% in 2000.
We continue to build our service capabilities to address the demand from our customers for security consulting and implementation services and for expanded training offerings. Geographically, we derived the majority of our revenues from sales to customers within the Americas region; however, international operations continued to be a significant contributor to revenues and a growing percentage of the business. In the aggregate, the Europe and Asia/Pacific Rim regions represented the following percentages of total revenues:

                                                      1998    1999    2000
                                                      ----    ----    ----
Europe............................................      9%     11%     13%
Asia/Pacific Rim..................................      3%      5%      8%

No customer represented more than 10% of our total revenues in any of these periods.

COSTS AND EXPENSES

Cost of revenues

Cost of revenues consists of several components. Substantially all of the cost of product licenses and sales represents payments to partners for their products that we integrate with our products or provision to our customers in providing a single solution source. Costs associated with licensing our products are minor. Costs of product revenues as a percentage of total revenues decreased from 16% in 1998 and 1999 to 12% in 2000, as sales of partner software and hardware appliances represented a lower percentage of total revenues. This was a conscientious effort to focus sales of partner products in 2000 to situations where the ISS solution methodology was being employed, involving professional services or monitoring services. In 1998 and 1999, results included sales by Netrex prior to being acquired in 1999 using the pooling-of-interests method of accounting; Netrex also emphasized sales without associated service offerings.

Cost of subscription and services includes the cost of our technical support personnel who provide assistance to customers under maintenance agreements, the operations center costs of providing managed security monitoring services and the costs related to professional services and training. These costs represented 19% in 1998, 16% in 1999 and 19% in 2000 of total revenues. The decline in the percentage from 1998 to 1999 was the result of an increase in the utilization of our professional services staff. In 2000, the percentage increased as we made a significant commitment to our managed security offerings in terms of automated systems, number of managed security operations centers and personnel resources. We also committed resources to continue to build professional services capabilities and more automated technical support programs.
Research and development

Research and development expenses consist of salary and related costs of research and development personnel, including costs for employee benefits, and depreciation on computer equipment. These costs include those associated with maintaining and expanding the "X-Force," our internal team of security experts dedicated to understanding, documenting and coding new vulnerability checks, real-time threats and attack signatures and developing solutions to address global security issues. We continue to increase these expenditures, as we perceive primary research and product development and managed service offerings as essential ingredients for retaining our leadership position in the market. We also increased the number of our development personnel focused on our best-of-breed products, enterprise applications, managed services offerings and research for future product offerings. Accordingly, research and development expenses increased in absolute dollars from $9.7 million in 1998 to $20.4 million in 1999, and to $31.3 million in 2000. These costs represented 17% of total revenues in 1998, 18% in 1999 and 16% in 2000. We will continue to seek more leverage in the research and development area while continuing to invest in the enhancement of current technologies and the development of new technologies.

We have reflected a charge of $802,000 in our 1998 statement of operations for identified in-process research and development in connection with our October 1998 acquisitions of two companies engaged in Windows NT, Unix and database security assessment technologies. The charge was based on a valuation of products under development using estimated future cash flows, reduced for the core technology component of such products and the percentage of product development remaining at the time of acquisition.
Sales and marketing

Sales and marketing expenses consist primarily of salaries, travel expenses, commissions, advertising, maintenance of our Website, trade show expenses, costs of recruiting sales and marketing personnel and costs of marketing materials. Sales and marketing expenses were $26.0 million in 1998, $43.1 million in 1999, and $68.0 million in 2000. Sales and marketing expenses increased in total dollars during these periods primarily from our larger workforce, which has increased each quarter, both domestically and internationally. Sales and marketing expenses have decreased as a percentage of total revenues from 46% in 1998 to 37% in 1999, and to 35% in 2000. The decrease in sales and marketing expenses as a percentage of total revenues is due to greater levels of productivity achieved by our sales force. We believe that sales force productivity has benefited from the experience gained by sales personnel in selling our broadening enterprise offering of products and services as well as the heightened interest of the marketplace in such offerings. We expect to continue to create leverage in our sales and marketing efforts through better market segmentation, by focusing our direct sales force, and by expanding the channel as a source of our product sales.

General and administrative

General and administrative expenses of $6.6 million in 1998, $9.2 million in 1999 and $14.5 million in 2000, represented approximately 12% in 1998, 8% in 1999, and 7% in 2000 of our total revenues. General and administrative expenses consist of personnel-related costs for executive, administrative, finance and human resources, information systems and other support services costs and legal, accounting and other professional service fees.
The increase in these expenses in absolute dollars is attributable to our efforts, through additional employees and systems, to enhance our management's ability to obtain and analyze information about our domestic and international operations, as well as the expansion of our facilities. In November 2000 we began occupying our new corporate headquarters in Atlanta, incurring expenses associated with the move. Additional costs will be incurred related to this move in 2001 as the construction process is completed and the balance of our Atlanta personnel is relocated to the new facility.

Merger costs of $2.3 million in 1999 represented the direct out-of-pocket costs incurred in connection with two acquisitions. These costs were principally investment advisor, legal and accounting fees. We also incurred amortization expense of $230,000 in 1998, $992,000 in 1999, and $1.2 million in 2000 related to goodwill and intangible assets resulting from acquisitions.

Interest income and foreign currency exchange loss

Net interest income increased from $2.3 million in 1998 to $5.9 million in 1999, and to $8.4 million in 2000 primarily due to increased amounts of cash invested in interest-bearing securities. This increase in cash primarily resulted from the sale of equity securities. The exchange loss of $136,000 in 1999 and $331,000 in 2000 is a result of fluctuations in currency exchange rates between the U.S. Dollar and other currencies, primarily the Euro and, to a lesser degree, the Japanese Yen.

Income taxes

We recorded a provision for income taxes of $62,000 in 1998, $976,000 in 1999, and $10.3 million in 2000. These provisions included taxes for Japanese and European operations and the results of Netrex following our August 1999 merger. Prior to the merger, Netrex profits were taxed at the shareholder level. In 1999, we utilized loss carryforwards to offset tax expense that would otherwise be recorded on profits from certain operations for 1999.
As of December 31, 1999 substantially all loss carryforwards that would reduce future income tax expense related to United States operations had been utilized. While income tax expense was recorded on domestic income in 2000, taxes payable were reduced by deductions related to the employee exercise of stock options. The tax benefit for the use of these stock option deductions was recorded as additional paid-in capital. As of December 31, 2000 we had a net operating loss carryforward of approximately $78 million related to stock option deductions. The tax benefit for this carryforward will be recorded as additional paid-in capital as realized. We also have approximately $2.4 million of research and development tax credit carryforwards which expire between 2011 and 2020.

Quarterly Results of Operations

The following table sets forth certain unaudited consolidated quarterly statement of operations data for the eight quarters ended December 31, 2000, as well as such data expressed as a percentage of our total revenues for the periods indicated. This data has been derived from unaudited consolidated financial statements that, in our opinion, include all adjustments (consisting only of normal recurring adjustments) necessary for a fair presentation of such information when read in conjunction with our consolidated financial statements and related notes appearing elsewhere in this document. As a result of our limited operating history and the risks associated with the new and rapidly evolving market that we serve, the operating results for any quarter below are not necessarily indicative of results for any future period.

                                                   1999                                2000
                                    ----------------------------------  ----------------------------------
                                    MAR. 31  JUN. 30 SEPT. 30  DEC. 31  MAR. 31  JUN. 30 SEPT. 30  DEC. 31
                                    -------  -------  -------  -------  -------  -------  -------  -------
                                                           (AMOUNTS IN THOUSANDS)
CONSOLIDATED STATEMENT OF OPERATIONS DATA:
Revenues:
  Product and license sales.......  $14,458  $17,606  $19,200  $22,786  $24,778  $26,331  $31,770  $36,824
  Subscriptions...................    4,883    5,497    6,202    7,559    8,089    9,537   10,938   13,142
  Professional services...........    3,634    4,176    4,599    5,887    6,424    8,349    9,079    9,714
                                    -------  -------  -------  -------  -------  -------  -------  -------
                                     22,975   27,279   30,001   36,232   39,291   44,217   51,787   59,680
Costs and expenses:
  Cost of revenues................    6,518    9,206    9,856   12,120   11,988   13,039   16,409   17,988
  Research and development........    4,062    4,785    5,315    6,250    6,802    7,566    8,449    8,499
  Sales and marketing.............    9,437   10,161   10,991   12,535   14,284   15,658   17,406   20,684
  General and administrative......    2,311    2,140    2,105    2,674    2,884    3,491    3,429    4,677
  Amortization....................      251      248      247      246      248      248      289      368
  Merger costs....................       --       --    2,329       --       --       --       --       --
                                    -------  -------  -------  -------  -------  -------  -------  -------
    Total costs and expenses......   22,579   26,540   30,843   33,825   36,206   40,002   45,982   52,216
Operating income (loss)...........      396      739    (842)    2,407    3,085    4,215    5,805    7,464
Interest income, net..............      861    1,513    1,640    1,888    1,868    2,070    2,253    2,224
Foreign currency exchange gain
  (loss)..........................       --       --       --    (136)    (126)       95    (463)      163
                                    -------  -------  -------  -------  -------  -------  -------  -------
Income (loss) before taxes........    1,257    2,252      798    4,159    4,827    6,380    7,595    9,851
Provision for income taxes........       81      125      105      665    1,757    2,299    2,740    3,542
                                    -------  -------  -------  -------  -------  -------  -------  -------
Net income........................  $ 1,176  $ 2,127  $   693  $ 3,494  $ 3,070  $ 4,081  $ 4,855  $ 6,309
                                    =======  =======  =======  =======  =======  =======  =======  =======

AS A PERCENTAGE OF TOTAL REVENUES:
Revenues:
  Product and license sales.......    62.9%    64.5%    64.0%    62.9%    63.1%    59.5%    61.4%    61.7%
  Subscriptions...................    21.3%    20.2%    20.7%    20.9%    20.6%    21.6%    21.1%    22.0%
  Professional services...........    15.8%    15.3%    15.3%    16.2%    16.3%    18.9%    17.5%    16.3%
                                    -------  -------  -------  -------  -------  -------  -------  -------
                                       100%     100%     100%     100%     100%     100%     100%     100%
Costs and expenses:
  Cost of revenues................    28.4%    33.8%    32.9%    33.5%    30.5%    29.5%    31.7%    30.1%
  Research and development........    17.7%    17.6%    17.7%    17.2%    17.3%    17.1%    16.3%    14.2%
  Sales and marketing.............    41.1%    37.2%    36.6%    34.6%    36.4%    35.4%    33.6%    34.8%
  General and administrative......    10.0%     7.8%     7.0%     7.4%     7.3%     7.9%     6.6%     7.8%
  Amortization....................     1.1%     0.9%     0.8%     0.7%     0.6%     0.6%     0.6%     0.6%
  Merger costs....................      --%      --%     7.8%      --%      --%      --%      --%      --%
                                    -------  -------  -------  -------  -------  -------  -------  -------
    Total costs and expenses......    98.3%    97.3%   102.8%    93.4%    92.1%    90.5%    88.8%    87.5%
Operating income (loss)...........     1.7%     2.7%   (2.8)%     6.6%     7.9%     9.5%    11.2%    12.5%
                                    =======  =======  =======  =======  =======  =======  =======  =======

LIQUIDITY AND CAPITAL RESOURCES

In 2000 we met our working capital needs and capital equipment needs with cash provided by operations. Cash provided by operations in 2000 totaled $20.5 million, resulting primarily from net income of $18.3 million, non-cash depreciation and amortization expense of $7.5 million, income tax benefit from employee exercises of stock options of $8.4 million, and the growth of deferred revenues of $14.5 million. The increase in accounts receivable of $28.7 million, associated with our growth, accounted for the primary use of our cash.

Our investing activities of $29.7 million in 2000 included the purchase of $141.1 million of marketable securities, primarily interest-bearing government obligations and commercial paper, offset by net proceeds from the maturity of marketable securities of $132.9 million in 2000. We also invested in equipment totaling $20.3 million as we provided existing and new personnel with the computer hardware and software environment necessary to perform their job functions and incurred leasehold improvement costs for our new headquarters. We expect a similar level of equipment investment in 2001, assuming continued growth in our number of employees, which includes additional leasehold improvements for the new headquarters that are being completed and occupied in phases over the course of 2001.

Our financing activities provided $6.1 million of cash in 2000, which consisted primarily of proceeds of $5.5 million from the exercise of stock options by our employees and $1.6 million of proceeds from the issuance of common stock through our Employee Stock Purchase Plan.

At December 31, 2000, we had $132.1 million of cash and cash equivalents and marketable securities, consisting primarily of money market accounts and commercial paper carrying the highest investment grade rating.
We believe that such cash and cash equivalents and marketable securities will be sufficient to meet our working capital needs and capital expenditures for the foreseeable future. From time to time we evaluate possible acquisition and investment opportunities in businesses, products or technologies that are complementary to ours. In the event we determine to pursue such opportunities, we may use our available cash and cash equivalents. Pending such uses, we will continue to invest our available cash in investment grade, interest-bearing investments. Additionally, we have restricted marketable securities of $12.5 million securing a $10 million letter of credit issued in connection with our commitment to a long-term lease of our future Atlanta corporate operations.

RISK FACTORS

Forward-looking statements are inherently uncertain as they are based on various expectations and assumptions concerning future events and are subject to known and unknown risks and uncertainties. Our forward-looking statements should be considered in light of the following important risk factors. Variations from our stated intentions or failure to achieve objectives could cause actual results to differ from those projected in our forward-looking statements. We undertake no obligation to update publicly any forward-looking statements for any reason, even if new information becomes available or other events occur in the future.

We Have Only Recently Achieved Profitability

We began operations in 1994 and achieved profitability in 1999. We operate in a new and rapidly evolving market and must, among other things:

  - respond to competitive developments;
  - continue to upgrade and expand our product and services offerings; and
  - continue to attract, retain and motivate our employees.

We cannot be certain that we will successfully address these risks. As a result, we cannot assure our investors that we will be able to continue to operate profitably in the future.
Our Future Operating Results Will Likely Fluctuate Significantly

As a result of our limited operating history, we cannot predict our future revenues and operating results. However, we do expect our future revenues and operating results to fluctuate due to a combination of factors, including:

  - the growth in the acceptance of, and activity on, the Internet and the World Wide Web, particularly by corporate, institutional and government users;
  - the extent to which the public perceives that unauthorized access to and use of online information are threats to network security;
  - the volume and timing of orders, including seasonal trends in customer purchasing;
  - our ability to develop new and enhanced product and managed service offerings and expand our professional services capabilities;
  - our ability to provide scalable managed services offerings through our partners in a cost effective manner;
  - foreign currency exchange rates that affect our international operations;
  - product and price competition in our markets; and
  - general economic conditions, both domestically and in our foreign markets.

We increasingly focus our efforts on sales of enterprise-wide security solutions, which consist of our entire product suite and related professional services, and managed security services, rather than on the sale of component products. As a result, each sale may require additional time and effort from our sales and support staff. In addition, the revenues associated with particular sales vary significantly depending on the number of products licensed by a customer, the number of devices used by the customer and the customer's relative need for our professional services. Large individual sales, or even small delays in customer orders, can cause significant variation in our license revenues and results of operations for a particular period.
The timing of large orders is usually difficult to predict and, like many software and services companies, many of our customers typically complete transactions in the last month of a quarter.

We cannot predict our operating expenses based on our past results. Instead, we establish our spending levels based in large part on our expected future revenues. As a result, if our actual revenues in any future period fall below our expectations, our operating results likely will be adversely affected because very few of our expenses vary with our revenues. Because of the factors listed above, we believe that our quarterly and annual revenues, expenses and operating results likely will vary significantly in the future.

Our ability to provide timely guidance and meet the expectations of investors, industry analysts and brokerage firms with respect to our operating and financial results is impacted by the tendency of a majority of our sales to be completed in the last month of a quarter. We may not be able to determine whether we will experience material deviations from guidance or expectations until the end of a quarter.

We Must Attract and Retain Personnel While Competition for Personnel in Our Industry is Intense

Competition in recruiting personnel in the software, network consulting and managed services industries is intense. We believe our future success will depend in part on our ability to recruit and retain highly skilled engineering, technical, consulting, marketing, sales and management personnel. To accomplish this, we believe we must provide competitive compensation, including stock options that may require additional stockholder approval for increased availability. Without sufficient available stock options, our ability to attract and retain personnel may be impaired.
We Face Intense Competition in Our Market

The market for network security monitoring, detection and response solutions is intensely competitive, and we expect competition to increase in the future. We cannot guarantee that we will compete successfully against our current or potential competitors, especially those with significantly greater financial resources or brand name recognition. Our chief competitors generally fall within one of five categories:

  - internal information technology departments of our customers and the consulting firms that assist them in formulating security systems;
  - relatively smaller software companies offering relatively limited applications for network and Internet security;
  - large companies, including Symantec Corp., Cisco Systems, Inc., Network Associates, Inc. and Bindview Development Corp., that sell competitive products and offerings, as well as other large software companies that have the technical capability and resources to develop competitive products;
  - software or hardware companies like Cisco Systems, Inc. that could integrate features that are similar to our products into their own products; and
  - small and large companies with competitive offerings to components of our managed services offerings.

Mergers or consolidations among these competitors, or acquisitions of small competitors by larger companies, would make such combined entities more formidable competitors to us. Large companies may have advantages over us because of their longer operating histories, greater name recognition, larger customer bases or greater financial, technical and marketing resources. As a result, they may be able to adapt more quickly to new or emerging technologies and changes in customer requirements. They can also devote greater resources to the promotion and sale of their products than we can.
In addition, these companies have reduced, and could continue to reduce, the price of their security monitoring, detection and response products and managed security services, which increases pricing pressures within our market.

Several companies currently sell software products (such as encryption, firewall, operating system security and virus detection software) that our customers and potential customers have broadly adopted. Some of these companies sell products that perform the same functions as some of our products. In addition, the vendors of operating system software or networking hardware may enhance their products to include the same kinds of functions that our products currently provide. The widespread inclusion of comparable features to our software in operating system software or networking hardware could render our products obsolete, particularly if such features are of a high quality. Even if security functions integrated into operating system software or networking hardware are more limited than those of our software, a significant number of customers may accept more limited functionality to avoid purchasing additional software.

For the above reasons, we may not be able to compete successfully against our current and future competitors. Increased competition may result in price reductions, reduced gross margins and loss of market share.

We Face Rapid Technological Change in Our Industry and Frequent Introductions of New Products

Rapid changes in technology pose significant risks to us. We do not control nor can we influence the forces behind these changes, which include:

  - the extent to which businesses and others seek to establish more secure networks;
  - the extent to which hackers and others seek to compromise secure systems;
  - evolving computer hardware and software standards;
  - changing customer requirements; and
  - frequent introductions of new products and product enhancements.

To remain successful, we must continue to change, adapt and improve our products in response to these and other changes in technology. Our future success hinges on our ability to both continue to enhance our current line of products and professional services and to introduce new products and services that address and respond to innovations in computer hacking, computer technology and customer requirements. We cannot be sure that we will successfully develop and market new products that do this. Any failure by us to timely develop and introduce new products, to enhance our current products or to expand our professional services capabilities in response to these changes could adversely affect our business, operating results and financial condition.

Our products involve very complex technology, and as a consequence, major new products and product enhancements require a long time to develop and test before going to market. Because this amount of time is difficult to estimate, we have had to delay the scheduled introduction of new and enhanced products in the past and may have to delay the introduction of new products and product enhancements in the future.

The techniques computer hackers use to gain unauthorized access to, or to sabotage, networks and intranets are constantly evolving and increasingly sophisticated. Furthermore, because new hacking techniques are usually not recognized until used against one or more targets, we are unable to anticipate most new hacking techniques. To the extent that new hacking techniques harm our customers' computer systems or businesses, affected customers may believe that our products are ineffective, which may cause them or prospective customers to reduce or avoid purchases of our products.

Risks Associated with Our Global Operations

The expansion of our international operations includes our presence in dispersed locations throughout the world, including throughout Europe and the Asia/Pacific and Latin America regions.
Our international presence and expansion exposes us to risks not present in our U.S. operations, such as:

- the difficulty in managing an organization spread over various countries located across the world;
- unexpected changes in regulatory requirements in countries where we do business;
- excess taxation due to overlapping tax structures;
- fluctuations in foreign currency exchange rates; and
- export license requirements and restrictions on the export of certain technology, especially encryption technology and trade restrictions.

Despite these risks, we believe that we must continue to expand our operations in international markets to support our growth. To this end, we intend to establish additional foreign sales operations, expand our existing offices, hire additional personnel, expand our international sales channels and customize our products for local markets. If we fail to execute this strategy, our international sales growth will be limited.

Our Networks, Products and Services May be Targeted by Hackers

Like other companies, our websites, networks, information systems, products and services may be targets for sabotage, disruption or misappropriation by hackers. As a leading network security solutions company, we are a high profile target. Although we believe we have sufficient controls in place to prevent disruption and misappropriation, and to respond to situations, we expect these efforts by hackers to continue. If these efforts are successful, our operations, reputation and sales could be adversely affected.

We Must Successfully Integrate Acquisitions

As part of our growth strategy, we have and may continue to acquire or make investments in companies with products, technologies or professional services capabilities complementary to our solutions. When engaging in acquisitions, we could encounter difficulties in assimilating new personnel and operations into our company.
These difficulties may disrupt our ongoing business, distract our management and employees, increase our expenses and adversely affect our results of operations. These difficulties could also include accounting requirements, such as amortization of goodwill or in-process research and development expense. We cannot be certain that we will successfully overcome these risks with respect to any of our recent or future acquisitions or that we will not encounter other problems in connection with our recent or any future acquisitions. In addition, any future acquisitions may require us to incur debt or issue equity securities. The issuance of equity securities could dilute the investment of our existing stockholders.

We Depend on Our Intellectual Property Rights and Use Licensed Technology

We rely primarily on copyright and trademark laws, trade secrets, confidentiality procedures and contractual provisions to protect our proprietary rights. We have obtained one United States patent and have nine patent applications under review. We also believe that the technological and creative skills of our personnel, new product developments, frequent product enhancements, our name recognition, our professional services capabilities and delivery of reliable product maintenance are essential to establishing and maintaining our technology leadership position. We cannot assure you that our competitors will not independently develop technologies that are similar to ours.

Despite our efforts to protect our proprietary rights, unauthorized parties may attempt to copy aspects of our products or to obtain and use information that we regard as proprietary. Policing unauthorized use of our products is difficult. While we cannot determine the extent to which piracy of our software products occurs, we expect software piracy to be a persistent problem.
In addition, the laws of some foreign countries do not protect our proprietary rights to as great an extent as do the laws of the United States and many foreign countries do not enforce these laws as diligently as U.S. government agencies and private parties.

ITEM 7A. QUANTITATIVE AND QUALITATIVE DISCLOSURES ABOUT MARKET RISK

Interest Rate Sensitivity

The primary objective of our investment activities is to preserve principal while at the same time maximizing the income we receive from our investments without significantly increasing risk. Some of the securities that we have invested in may be subject to market risk. This means that a change in prevailing interest rates may cause the principal amount of the investment to fluctuate. For example, if we hold a security that was issued with a fixed interest rate at the then-prevailing rate and the prevailing interest rate later rises, the principal amount of our investment will probably decline. To minimize this risk, we maintain our portfolio of cash equivalents and marketable securities in a variety of relatively short-term investments, including commercial paper and overnight repurchase agreements. As of December 31, 2000, only $14,800,000 of our securities had maturities beyond 90 days.

ITEM 8. CONSOLIDATED FINANCIAL STATEMENTS AND SUPPLEMENTARY DATA

See the index to Consolidated Financial Statements at Item 14.

ITEM 9. CHANGES IN AND DISAGREEMENTS WITH ACCOUNTANTS ON ACCOUNTING AND FINANCIAL DISCLOSURE

None.

PART III

Certain information required by Part III is omitted from this Form 10-K because the Company will file a definitive Proxy Statement pursuant to Regulation 14A not later than 120 days after the end of the fiscal year covered by this Form 10-K, and certain information to be included therein is incorporated herein by reference.

ITEM 10. DIRECTORS AND EXECUTIVE OFFICERS OF THE REGISTRANT

The information required by this Item is incorporated by reference to the Proxy Statement under the sections captioned "Proposal 1 -- Election of Directors," "Executive Compensation -- Directors and Executive Officers" and "Compliance with Section 16(a) of the Securities Exchange Act of 1934."

ITEM 11. EXECUTIVE COMPENSATION

The information required by this Item is incorporated by reference to the Proxy Statement under the section captioned "Executive Compensation."

ITEM 12. SECURITY OWNERSHIP OF CERTAIN BENEFICIAL OWNERS AND MANAGEMENT

The information required by this Item is incorporated by reference to the Proxy Statement under the section captioned "Principal Stockholders."

ITEM 13. CERTAIN RELATIONSHIPS AND RELATED TRANSACTIONS

The information required by this Item is incorporated by reference to the Proxy Statement under the section captioned "Executive Compensation -- Certain Transactions with Management."

PART IV

ITEM 14. EXHIBITS, FINANCIAL STATEMENT SCHEDULES AND REPORTS ON FORM 8-K

(a) The following documents are filed as part of this Form 10-K:

1. Consolidated Financial Statements. The following consolidated financial statements of Internet Security Systems, Inc. are filed as part of this Form 10-K on the pages indicated:

                                                                PAGE
                                                                ----
INTERNET SECURITY SYSTEMS, INC.
Report of Independent Auditors                                    32
Consolidated Balance Sheets as of December 31, 1999 and 2000      33
Consolidated Statements of Operations for the Years Ended
  December 31, 1998, 1999 and 2000                                34
Consolidated Statements of Stockholders' Equity (Deficit)
  for the Years Ended December 31, 1998, 1999 and 2000            35
Consolidated Statements of Cash Flows for the Years Ended
  December 31, 1998, 1999 and 2000                                36
Notes to Consolidated Financial Statements                        37

2. Consolidated Financial Statement Schedules:

Schedule II -- Valuation and Qualifying Accounts                  49

Schedules other than the one listed above are omitted as the required information is inapplicable or the information is presented in the consolidated financial statements or related notes.

3. Exhibits. The exhibits to this Annual Report on Form 10-K have been included only with the copy of this Annual Report on Form 10-K filed with the Securities and Exchange Commission. Copies of individual exhibits will be furnished to stockholders upon written request to the Company and payment of a reasonable fee.

EXHIBIT
NUMBER      DESCRIPTION OF EXHIBIT
-------     ----------------------
3.1*     -- Restated Certificate of Incorporation (filed as Exhibit 3.1 to the
            Company's Quarterly Report on Form 10-Q, dated November 14, 2000).
3.2*     -- Bylaws (filed as Exhibit 3.2 to the Company's Registration
            Statement on Form S-1, Registration No. 333-44529 (the "Form
            S-1")).
4.1*     -- Specimen Common Stock certificate (filed as Exhibit 4.1 to the
            Form S-1).
4.2      -- See Exhibits 3.1 and 3.2 for provisions of the Certificate of
            Incorporation and Bylaws of the Company defining the rights of
            holders of the Company's Common Stock.
10.1*    -- Restated 1995 Stock Incentive Plan (Amended and Restated as of
            May 24, 2000) filed as Exhibit 99.1 to the Company's Registration
            Statement on Form S-8, Registration No. 333-54670 dated
            January 31, 2001.
10.3*    -- Stock Exchange Agreement dated December 9, 1997 (filed as
            Exhibit 10.4 to the Form S-1).
10.5*    -- Forms of Non-Employee Director Compensation Agreement, Notice of
            Stock Option Grants and Stock Option Agreement (filed as
            Exhibit 10.6 to the Form S-1).
10.7*    -- Form of Indemnification Agreement for directors and certain
            officers (filed as Exhibit 10.8 to the Form S-1).
10.9*    -- Sublease for additional Atlanta facilities (filed as Exhibit 10.9
            to the Company's Registration Statement on Form S-1, Registration
            No. 333-71471).
10.10*   -- Lease for Atlanta headquarters and research and development
            facility (filed as Exhibit 10.10 to the Company's Annual Report
            on Form 10-K, dated March 30, 2000)
10.12    -- Letter Agreement dated December 14, 1999 with Mark Hangen
10.13    -- Letter Agreement dated June 27, 2000 with Kenneth Walters
10.14    -- Letter Agreement dated August 18, 2000 with Lawrence Costanza
21.1*    -- Subsidiaries of the Company.
23.1     -- Consent of Ernst & Young LLP.
23.2     -- Consent of PricewaterhouseCoopers LLP
23.3     -- Report of PricewaterhouseCoopers LLP
24.1     -- Power of Attorney, pursuant to which amendments to this Annual
            Report on Form 10-K may be filed, is included on the signature
            page contained in Part IV of the Form 10-K.
---------------
* Incorporated herein by reference to the indicated filing.

(b) Reports on Form 8-K

The Company filed a report on Form 8-K on October 20, 2000 containing the Company's press release announcement of its results for the period ended September 30, 2000.

REPORT OF INDEPENDENT AUDITORS

Board of Directors
Internet Security Systems, Inc.

We have audited the accompanying consolidated balance sheets of Internet Security Systems, Inc. (formerly ISS Group, Inc.) as of December 31, 2000 and 1999, and the related consolidated statements of operations, stockholders' equity (deficit), and cash flows for each of the three years in the period ended December 31, 2000. Our audit also included the financial statement schedule listed in the Index at Item 14(a). These financial statements and schedule are the responsibility of the Company's management. Our responsibility is to express an opinion on these financial statements and schedule based on our audits. We did not audit the 1998 financial statements or schedule of Netrex, Inc., a wholly owned subsidiary, which statements reflect total assets constituting 8% and total revenues constituting 37% of the related consolidated totals. Those statements and schedule were audited by other auditors whose report has been furnished to us, and our opinion, insofar as it relates to the 1998 data included for Netrex, Inc., is based solely on the report of the other auditors.

We conducted our audits in accordance with auditing standards generally accepted in the United States. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements.
An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audits and the report of other auditors provide a reasonable basis for our opinion.

In our opinion, based on our audits and, for 1998, the report of other auditors, the financial statements referred to above present fairly, in all material respects, the consolidated financial position of Internet Security Systems, Inc. (formerly ISS Group, Inc.) at December 31, 2000 and 1999, and the consolidated results of its operations and its cash flows for each of the three years in the period ended December 31, 2000, in conformity with accounting principles generally accepted in the United States. Also, in our opinion, based on our audits and the report of the other auditors, the related financial statement schedule, when considered in relation to the basic financial statements taken as a whole, presents fairly in all material respects the information set forth therein.

/s/ Ernst & Young LLP

Atlanta, Georgia
January 22, 2001

INTERNET SECURITY SYSTEMS, INC.
CONSOLIDATED BALANCE SHEETS

                                                                  DECEMBER 31,
                                                            --------------------------
                                                                    1999          2000
                                                            ------------  ------------
ASSETS
Current assets:
  Cash and cash equivalents                                 $ 70,090,000  $ 66,210,000
  Marketable securities                                       56,693,000    65,938,000
  Accounts receivable, less allowance for doubtful
    accounts of $848,000 and $1,188,000, respectively         26,934,000    56,358,000
  Inventory                                                      473,000     2,275,000
  Prepaid expenses and other current assets                    2,122,000     5,717,000
                                                            ------------  ------------
      Total current assets                                   156,312,000   196,498,000
Property and equipment:
  Computer equipment                                          10,108,000    20,199,000
  Office furniture and equipment                               5,232,000     9,958,000
  Leasehold improvements                                         870,000     6,609,000
                                                            ------------  ------------
                                                              16,210,000    36,766,000
  Less accumulated depreciation                                7,277,000    13,673,000
                                                            ------------  ------------
                                                               8,933,000    23,093,000
Restricted marketable securities                              12,500,000    12,500,000
Goodwill, less accumulated amortization of $396,000
  and $876,000, respectively                                   2,775,000     3,167,000
Other intangible assets, less accumulated amortization
  of $827,000 and $1,500,000, respectively                     4,019,000     3,346,000
Other assets                                                     306,000     1,636,000
                                                            ------------  ------------
      Total assets                                          $184,845,000  $240,240,000
                                                            ============  ============

LIABILITIES AND STOCKHOLDERS' EQUITY
Current liabilities:
  Accounts payable                                          $  5,144,000  $  4,200,000
  Accrued expenses                                             6,878,000    15,490,000
  Deferred revenues                                           17,155,000    31,675,000
                                                            ------------  ------------
      Total current liabilities                               29,177,000    51,365,000
Other non-current liabilities                                    515,000       486,000
Commitments and contingencies
Stockholders' equity:
  Preferred stock; $.001 par value; 20,000,000 shares
    authorized, none issued or outstanding                            --            --
  Common stock; $.001 par value; 120,000,000 shares
    authorized, 40,980,000 and 42,415,000 shares issued
    and outstanding, respectively                                 41,000        42,000
  Additional paid-in capital                                 157,467,000   172,985,000
  Deferred compensation                                         (288,000)      (86,000)
  Accumulated other comprehensive income (loss)                  100,000      (745,000)
  Retained earnings (accumulated deficit)                     (2,167,000)   16,193,000
                                                            ------------  ------------
      Total stockholders' equity                             155,153,000   188,389,000
                                                            ------------  ------------
      Total liabilities and stockholders' equity            $184,845,000  $240,240,000
                                                            ============  ============

See accompanying notes.

INTERNET SECURITY SYSTEMS, INC.
CONSOLIDATED STATEMENTS OF OPERATIONS

                                                              YEAR ENDED DECEMBER 31,
                                                       ---------------------------------------
                                                              1998          1999          2000
                                                       -----------   -----------  ------------
Revenues:
  Product licenses and sales                           $36,908,000   $74,050,000  $119,703,000
  Subscriptions                                         12,037,000    24,141,000    41,706,000
  Professional services                                  8,143,000    18,296,000    33,566,000
                                                       -----------   -----------  ------------
                                                        57,088,000   116,487,000   194,975,000
Costs and expenses:
  Cost of revenues:
    Product licenses and sales                           8,875,000    18,842,000    22,653,000
    Subscriptions and professional services             11,076,000    18,858,000    36,771,000
                                                       -----------   -----------  ------------
      Total cost of revenues                            19,951,000    37,700,000    59,424,000
  Research and development                               9,655,000    20,412,000    31,316,000
  Sales and marketing                                   25,998,000    43,124,000    68,032,000
  General and administrative                             6,557,000     9,230,000    14,481,000
  Amortization                                             230,000       992,000     1,153,000
  Charge for in-process research and development           802,000            --            --
  Merger costs                                                  --     2,329,000            --
                                                       -----------   -----------  ------------
                                                        63,193,000   113,787,000   174,406,000
Operating income (loss)                                 (6,105,000)    2,700,000    20,569,000
Interest income, net                                     2,274,000     5,902,000     8,415,000
Foreign currency exchange loss                                  --      (136,000)     (331,000)
                                                       -----------   -----------  ------------
Income (loss) before income taxes                       (3,831,000)    8,466,000    28,653,000
Provision for income taxes                                  62,000       976,000    10,338,000
                                                       -----------   -----------  ------------
Net income (loss)                                     $(3,893,000)   $ 7,490,000  $ 18,315,000
                                                       ===========   ===========  ============
Basic net income (loss) per share of Common Stock          $(0.12)         $0.19         $0.44
                                                       ===========   ===========  ============
Diluted net income (loss) per share of Common Stock        $(0.12)         $0.17         $0.41
                                                       ===========   ===========  ============
Weighted average shares:
  Basic                                                 32,351,000    39,996,000    41,892,000
                                                       ===========   ===========  ============
  Diluted                                               32,351,000    43,691,000    45,099,000
                                                       ===========   ===========  ============
Unaudited pro forma net loss per share of Common
  Stock                                                    $(0.11)
                                                       ===========
Unaudited weighted average number of shares used in
  calculating unaudited pro forma net loss per share
  of Common Stock                                       34,963,000
                                                       ===========

See accompanying notes.

INTERNET SECURITY SYSTEMS, INC.
CONSOLIDATED STATEMENTS OF STOCKHOLDERS' EQUITY (DEFICIT)

                                                                                            ACCUMULATED      RETAINED
                                            COMMON STOCK         ADDITIONAL                       OTHER      EARNINGS
                                              SHARES   AMOUNT       PAID-IN     DEFERRED  COMPREHENSIVE  (ACCUMULATED
                                                                    CAPITAL COMPENSATION  INCOME (LOSS)      DEFICIT)
                                          ----------  -------  ------------   ----------     ----------  ------------
Balance at December 31, 1997              18,286,000  $18,000      $760,000   $(571,000)                 $(4,617,000)
Comprehensive income (loss):
  Net loss                                                                                                (3,893,000)
  Translation adjustment                                                                        142,000
Issuance of Common Stock:
  Initial public offering                  6,140,000    6,000    61,525,000
  Conversion of Redeemable, Convertible
    Preferred Stock in connection with
    the initial public offering           11,474,000   12,000     8,866,000
  Exercise of stock options                  810,000    1,000       292,000
  Acquisitions                               316,000              3,901,000
  Issuance to consultant                       2,000                 11,000
Subchapter S distributions of a pooled
  entity                                                                                                    (216,000)
Buyout of former Subchapter S
  stockholder                                                      (14,000)                                 (438,000)
Deferred compensation related to stock
  options                                                           811,000    (811,000)
Amortization of deferred compensation                                            720,000
                                          ----------  -------  ------------   ----------     ----------  ------------
Balance at December 31, 1998              37,028,000   37,000    76,152,000    (662,000)        142,000   (9,164,000)
Comprehensive income (loss):
  Net income                                                                                                7,490,000
  Translation adjustment                                                                       (42,000)
Issuance of Common Stock:
  Secondary public offering                2,778,000    3,000    77,361,000
  Exercise of stock options                1,033,000    1,000     3,948,000
  Pooling-of-interests                       141,000       --         6,000                                   164,000
Subchapter S distributions of a pooled
  entity                                                                                                    (657,000)
Amortization of deferred compensation                                            374,000
                                          ----------  -------  ------------   ----------     ----------  ------------
Balance at December 31, 1999              40,980,000   41,000   157,467,000    (288,000)        100,000   (2,167,000)
Comprehensive income (loss):
  Net income                                                                                               18,315,000
  Translation adjustment                                                                      (845,000)
Issuance of Common Stock:
  Exercise of stock options                1,367,000    1,000     5,507,000
  Employee stock purchase plan                39,000              1,634,000
  Pooling-of-interests                        29,000                                                           45,000
Amortization of deferred compensation                                            202,000
Tax benefit related to employee options                           8,377,000
                                          ----------  -------  ------------   ----------     ----------  ------------
Balance at December 31, 2000              42,415,000  $42,000  $172,985,000    $(86,000)     $(745,000)   $16,193,000
                                          ==========  =======  ============   ==========     ==========  ============

                                           COMPREHENSIVE             TOTAL
                                                  INCOME     STOCKHOLDERS'
                                                  (LOSS)  EQUITY (DEFICIT)
                                            ------------  ----------------
Balance at December 31, 1997                                  $(4,410,000)
Comprehensive income (loss):
  Net loss                                  $(3,893,000)       (3,893,000)
  Translation adjustment                         142,000           142,000
                                            ------------
                                            $(3,751,000)
                                            ============
Issuance of Common Stock:
  Initial public offering                                       61,531,000
  Conversion of Redeemable, Convertible
    Preferred Stock in connection with
    the initial public offering                                  8,878,000
  Exercise of stock options                                        293,000
  Acquisitions                                                   3,901,000
  Issuance to consultant                                            11,000
Subchapter S distributions of a pooled
  entity                                                         (216,000)
Buyout of former Subchapter S
  stockholder                                                    (452,000)
Deferred compensation related to stock
  options                                                               --
Amortization of deferred compensation                              720,000
                                                          ----------------
Balance at December 31, 1998                                    66,505,000
Comprehensive income (loss):
  Net income                                  $7,490,000         7,490,000
  Translation adjustment                        (42,000)          (42,000)
                                            ------------
                                              $7,448,000
                                            ============
Issuance of Common Stock:
  Secondary public offering                                     77,364,000
  Exercise of stock options                                      3,949,000
  Pooling-of-interests                                             170,000
Subchapter S distributions of a pooled
  entity                                                         (657,000)
Amortization of deferred compensation                              374,000
                                                          ----------------
Balance at December 31, 1999                                   155,153,000
Comprehensive income (loss):
  Net income                                 $18,315,000        18,315,000
  Translation adjustment                       (845,000)         (845,000)
                                            ------------
                                             $17,470,000
                                            ============
Issuance of Common Stock:
  Exercise of stock options                                      5,508,000
  Employee stock purchase plan                                   1,634,000
  Pooling-of-interests                                              45,000
Amortization of deferred compensation                              202,000
Tax benefit related to employee options                          8,377,000
                                                          ----------------
Balance at December 31, 2000                                  $188,389,000
                                                          ================

See accompanying notes.

INTERNET SECURITY SYSTEMS, INC.
CONSOLIDATED STATEMENTS OF CASH FLOWS

                                                                 YEAR ENDED DECEMBER 31,
                                                         ------------------------------------------
                                                                 1998           1999           2000
                                                         ------------   ------------  -------------
OPERATING ACTIVITIES
Net income (loss)                                       $ (3,893,000)   $  7,490,000   $ 18,315,000
Adjustments to reconcile net income (loss) to net cash
  (used in) provided by operating activities:
  Depreciation                                              2,162,000      3,989,000      6,329,000
  Amortization of goodwill and intangibles                    230,000        992,000      1,153,000
  Accretion of discount on marketable securities                   --    (1,176,000)    (1,088,000)
  Charge for in-process research and development              802,000             --             --
  Other non-cash expense                                      838,000        327,000        166,000
  Income tax benefit from exercise of stock options                --             --      8,377,000
  Changes in assets and liabilities, excluding the
    effects of acquisitions:
    Accounts receivable                                  (10,590,000)   (10,241,000)   (28,679,000)
    Inventory                                                 106,000      (425,000)    (1,802,000)
    Prepaid expenses and other assets                       (541,000)    (1,312,000)    (4,664,000)
    Accounts payable and accrued expenses                   2,679,000      3,303,000      7,900,000
    Deferred revenues                                       5,299,000      8,822,000     14,520,000
                                                         ------------   ------------  -------------
      Net cash (used in) provided by operating
        activities                                        (2,908,000)     11,769,000     20,527,000
                                                         ------------   ------------  -------------
INVESTING ACTIVITIES
Acquisitions, net of cash received                        (5,206,000)                   (1,262,000)
Purchases of marketable securities                                      (55,517,000)  (141,097,000)
Net proceeds from maturity of marketable securities                                     132,940,000
Purchase of restricted marketable securities                            (12,500,000)             --
Purchases of property and equipment                       (4,166,000)    (6,356,000)   (20,291,000)
                                                         ------------   ------------  -------------
      Net cash used in investing activities               (9,372,000)   (74,373,000)   (29,710,000)
                                                         ------------   ------------  -------------
FINANCING ACTIVITIES
Net proceeds from (payments on) long-term debt and
  capital leases                                            (165,000)      (526,000)      (993,000)
Net payments under line of credit                           (320,000)             --             --
Capital transactions of merged entity                       (318,000)    (1,107,000)             --
Proceeds from exercise of stock options                       292,000      3,949,000      5,507,000
Proceeds from employee stock purchase plan                         --             --      1,634,000
Net proceeds from public offerings                         61,531,000     77,364,000             --
                                                         ------------   ------------  -------------
      Net cash provided by financing activities            61,020,000     79,680,000      6,148,000
                                                         ------------   ------------  -------------
Foreign currency impact on cash                               142,000       (42,000)      (845,000)
                                                         ------------   ------------  -------------
Net increase (decrease) in cash and cash equivalents       48,882,000     17,034,000    (3,880,000)
Cash and cash equivalents at beginning of year              4,174,000     53,056,000     70,090,000
                                                         ------------   ------------  -------------
Cash and cash equivalents at end of year                 $ 53,056,000   $ 70,090,000   $ 66,210,000
                                                         ============   ============  =============
SUPPLEMENTAL CASH FLOW DISCLOSURE
Interest paid                                                $134,000        $33,000        $50,000
                                                         ============   ============  =============
Capital lease obligations incurred                           $468,000       $329,000            $--
                                                         ============   ============  =============
Income taxes paid                                                 $--        $47,000       $446,000
                                                         ============   ============  =============

INTERNET SECURITY SYSTEMS, INC.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
DECEMBER 31, 2000

1. SIGNIFICANT ACCOUNTING POLICIES

DESCRIPTION OF BUSINESS

The business of Internet Security Systems and its subsidiaries ("ISS") is focused on maintaining the latest security threat and vulnerability checks within existing products and creating new products and services that are consistent with ISS's goal of providing security management solutions. This approach entails continuous security risk monitoring and response to develop an active and informed network security policy.

Internet Security Systems, Inc. (formerly ISS Group, Inc.) was incorporated in the State of Delaware on December 8, 1997 to be a holding company for Internet Security Systems, Inc., a Georgia company incorporated in 1994 to design, market, and sell computer network security assessment software. In addition, ISS has various other subsidiaries in the United States, Europe and the Asia/Pacific regions with primary marketing and sales responsibilities for ISS's products and services in their respective markets. ISS is organized as, and operates in, a single business segment that provides products, technical support, managed security services and consulting and training services as components of providing security management solutions.

On March 27, 1998 ISS completed an initial public offering ("IPO") of its Common Stock. A total of 6,900,000 shares were sold at $11 per share. On March 2, 1999 ISS completed a second public offering of its Common Stock. A total of 5,178,000 shares were sold at $29.50 per share. ISS's shares are traded on the NASDAQ National Market under the ticker symbol "ISSX".

Certain prior year amounts have been reclassified to conform to current year presentation.

BASIS OF CONSOLIDATION AND FOREIGN CURRENCY TRANSLATIONS

The consolidated financial statements include the accounts of Internet Security Systems, Inc. and its subsidiaries.
All significant intercompany investment accounts and transactions have been eliminated in consolidation.

Assets and liabilities of international operations are translated from the local currency into U.S. dollars at the approximate rate of currency exchange at the end of the fiscal period. Translation gains and losses of foreign operations that use local currencies as the functional currency are included in accumulated other comprehensive income (loss) as a component of stockholders' equity. Revenues and expenses are translated at average exchange rates for the period. Transaction gains and losses arising from exchange rate fluctuations on transactions denominated in currency other than the local functional currency are included in results of operations.

USE OF ESTIMATES

The preparation of financial statements in conformity with accounting principles generally accepted in the United States requires management to make estimates and assumptions that affect the amounts reported in the financial statements and accompanying notes. Actual results may differ from those estimates, and such differences may be material to the consolidated financial statements.

REVENUE RECOGNITION

ISS recognizes its perpetual license revenue upon (i) delivery of software or, if the customer has evaluation software, delivery of the software key, and (ii) issuance of the related license, assuming no significant vendor obligations or customer acceptance rights exist. For perpetual license agreements, when payment terms extend over periods greater than twelve months, revenue is recognized as such amounts are billable. Product sales consist of (i) appliances sold in conjunction with ISS licensed software and (ii) software developed by third-party partners, combined in some instances with associated hardware appliances and partner maintenance services.
These sales are recognized upon shipment to the customer.

Subscriptions revenues include maintenance, term licenses and security monitoring services. Annual renewable maintenance is a separate component of perpetual license agreements for which the revenue is recognized ratably over the maintenance contract term. Term licenses allow customer use of the product and maintenance for a specified period, generally twelve months, for which revenues are also recognized ratably over the contract term. Security monitoring services of information assets and systems are a part of managed services and are recognized as such services are provided.

Professional services revenues, including consulting and training, are recognized as such services are performed.

COSTS OF REVENUES

Costs of revenues include the costs of products and services. Cost of products represents the cost of product sales which are incurred upon recognition of the associated product revenues. Cost of services includes the cost of ISS's technical support group who provide assistance to customers with maintenance agreements, the operations center costs of providing managed services and the costs related to ISS's professional services and training.

CASH AND CASH EQUIVALENTS

Cash equivalents include all highly liquid investments with maturities of three months or less when purchased. Such amounts are stated at cost, which approximates market value.

MARKETABLE SECURITIES

ISS's investment in marketable securities consists of debt instruments of the U.S. Treasury, U.S. government agencies and corporate commercial paper. All such marketable securities have a maturity of less than one year. These investments are classified as available-for-sale and reported at fair market value.

The amortized cost of securities classified as available-for-sale is adjusted for amortization of premiums and accretion of discounts to maturity. Such amortization is included in interest income.
Unrealized gains and losses on available-for-sale securities were immaterial for 1999 and 2000. Realized gains and losses, and declines in value judged to be other-than-temporary are included in net securities gains (losses) and are included in ISS's results of operations. Interest and dividends on securities classified as available-for-sale are included in interest income.

CONCENTRATIONS OF CREDIT RISK

Financial instruments that potentially subject ISS to significant concentrations of credit risk consist principally of cash and cash equivalents, marketable securities and accounts receivable. ISS maintains cash and cash equivalents in short-term money market accounts with three financial institutions and in short-term, investment grade commercial paper. Marketable securities consist of United States government agency securities and investment grade commercial paper. ISS's sales are global, primarily to companies located in the United States, Europe, Latin America and the Asia/Pacific regions. ISS performs periodic credit evaluations of its customers' financial condition and does not require collateral. Accounts receivable are due principally from large U.S. companies under stated contract terms. ISS provides for estimated credit losses as such losses become probable.

FAIR VALUE OF FINANCIAL INSTRUMENTS

The carrying amounts reported in the balance sheets for cash and cash equivalents, marketable securities, accounts receivable and accounts payable approximate their fair values.

PROPERTY AND EQUIPMENT

Property and equipment are stated at cost less accumulated depreciation. Depreciation is computed using the straight-line method for financial reporting purposes over the estimated useful lives of the assets (primarily three years).
INVENTORY

Inventory consists of finished goods purchased for resale and is recorded at the lower of cost or market.

GOODWILL AND INTANGIBLES

The major classes of intangible assets, including goodwill (excess of cost over acquired net assets), at December 31, 1999 and 2000 are as follows:
                                           LIFE      1999          2000
                                           ----   ----------    ----------
Goodwill.................................   10    $3,171,000    $4,043,000
Less accumulated amortization............           (396,000)     (876,000)
                                                  ----------    ----------
                                                  $2,775,000    $3,167,000
                                                  ==========    ==========
Core technology..........................    8    $3,853,000    $3,853,000
Developed technology.....................    5       778,000       778,000
Work force...............................    6       215,000       215,000
                                                  ----------    ----------
                                                   4,846,000     4,846,000
Less accumulated amortization............           (827,000)   (1,500,000)
                                                  ----------    ----------
                                                  $4,019,000    $3,346,000
                                                  ==========    ==========
Goodwill and other intangible assets are amortized using the straight-line method for the period indicated. They are reviewed for impairment whenever events indicate that their carrying amount may not be recoverable. In such reviews, undiscounted cash flows associated with their carrying value are compared with their carrying values to determine if a write-down to fair value is required.

RESEARCH AND DEVELOPMENT COSTS

Research and development costs are charged to expense as incurred. ISS has not capitalized any such development costs under Statement of Financial Accounting Standards ("SFAS") No. 86, Accounting for the Costs of Computer Software to Be Sold, Leased, or Otherwise Marketed, because the costs incurred between the attainment of technological feasibility for the related software product through the date when the product is available for general release to customers have been insignificant.

ADVERTISING COSTS

ISS incurred advertising costs of $517,000 in 1998, $1,312,000 in 1999 and $2,175,000 in 2000, which are expensed as incurred and are included in sales and marketing expense in the statements of operations.

STOCK BASED COMPENSATION

Accounting for Stock-Based Compensation ("SFAS 123"), establishes accounting and reporting standards for stock based employee compensation plans. As permitted by SFAS 123, ISS continues to account for stock-based compensation in accordance with APB Opinion No. 25, Accounting for Stock Issued to Employees, and has elected the pro forma disclosure alternative of SFAS 123.

INCOME (LOSS) PER SHARE

Basic net income (loss) per share (see Note 10) was computed by dividing net income (loss) by the weighted average number of shares outstanding of Common Stock.
Diluted net income (loss) per share was computed by dividing net income (loss) by the weighted average shares outstanding, including common equivalents (when dilutive).

Unaudited pro forma net loss per share was computed by dividing net loss by the unaudited weighted average number of shares of Common Stock outstanding plus the assumed conversion of the Redeemable, Convertible Preferred Stock into 11,474,000 shares of Common Stock as of the later of (i) January 1, 1997 or (ii) the date of issuance of such preferred stock, instead of March 27, 1998 when such shares of preferred stock automatically converted into Common Stock.

RECENTLY ISSUED ACCOUNTING STANDARDS

In December 1999, the Securities and Exchange Commission Staff released Staff Accounting Bulletin ("SAB") No. 101, "Revenue Recognition in Financial Statements". SAB No. 101 provides guidance on the recognition, presentation and disclosure of revenue in financial statements and is effective immediately. Adoption of SAB No. 101 as of October 1, 2000 did not have a material impact on results of operations or financial position.

2. BUSINESS COMBINATION AND ASSET ACQUISITION

In August 2000, ISS acquired privately-held ISYI of Padova, Italy. ISYI is a leader in advanced network security services in the Italian market place and an early provider of remote security monitoring services. In exchange for all the outstanding stock of ISYI, approximately 29,100 shares of ISS common stock were issued in a transaction exempt from registration under the Securities Act of 1933. The transaction was accounted for using the pooling-of-interests method of accounting; however, this transaction was not material to ISS's consolidated operations and financial position and, therefore, the operating results of ISS have not been restated for this transaction. The operating results of ISS include the results of operations of ISYI since the date of acquisition.
In August 2000, ISS formed a Brazilian subsidiary, Internet Security Systems Ltda, to effect the acquisition of Seguranca Ativa de Redes Internet e Sistemas Ltda ("SARIS") for cash of $5,000. SARIS was formed in 1999 in order to create and implement a security methodology for the Brazilian market. The transaction was accounted for using the purchase method of accounting. Goodwill of $977,000 related to the purchase was recorded and is being amortized using the straight-line method over 24 months. The operating results of ISS include the results of operations of SARIS since the date of acquisition.

In August 1999, ISS acquired Netrex, Inc., a leading provider of remote, security monitoring services of digital assets, in a transaction that was accounted for as a pooling-of-interests. To effect the business combination, ISS issued approximately 2,450,000 shares of ISS stock in exchange for all of the outstanding stock of Netrex. Additionally, options outstanding under the Netrex Stock Plan were assumed by ISS resulting in approximately 510,000 additional ISS shares being reserved for outstanding grants under the Netrex Stock Plan. The consolidated financial statements of ISS, including share and per share data, have been restated for all periods presented to include the results of Netrex with all intercompany transactions with ISS eliminated in such restatement.

Revenues and net income (loss) of the separate companies that include periods preceding the Netrex merger were as follows:
                                                    1998            1999
                                                -----------     ------------
Total revenues
  ISS.......................................... $35,929,000     $ 74,204,000
  Netrex.......................................  21,159,000       42,283,000
                                                -----------     ------------
  Total revenues, as reported.................. $57,088,000     $116,487,000
                                                ===========     ============
Net income (loss)
  ISS.......................................... $(4,102,000)    $  7,326,000
  Netrex.......................................     209,000          164,000
                                                -----------     ------------
  Combined..................................... $(3,893,000)    $  7,490,000
Business combination expenses..................          --        2,329,000
Pro forma income tax expense...................          --         (368,000)
                                                -----------     ------------
Pro forma net income (loss).................... $(3,893,000)    $  9,451,000
                                                ===========     ============
Pro forma net income (loss) reflects adjustments to net income (loss) to record an estimated provision for income taxes for each period presented assuming Netrex was a taxpaying entity and excludes merger costs.

In September 1999, ISS acquired privately held NJH Security Consulting ("NJH"), which was based in Atlanta, Georgia. NJH is a consulting firm focused on providing information security services to organizations worldwide. Approximately 142,000 shares of ISS common stock were issued in exchange for all of the outstanding stock of NJH. The transaction was accounted for using the pooling-of-interests method of accounting; however, this transaction was not material to ISS's consolidated operations and financial position and, therefore, the operating results of ISS were not restated for this transaction. The operating results of ISS include the results of operations of NJH since the date of acquisition.

The consolidated statements of operations include merger costs of $2,329,000 in 1999 that represent the direct out-of-pocket costs associated with the Netrex and NJH business combinations. These costs were principally investment advisor, legal and accounting fees.

In October 1998, ISS acquired March Information Systems Limited ("March"), a United Kingdom-based developer of Windows NT and Unix-based security assessment technologies. Also in October 1998, ISS acquired the technology of DbSecure, Inc., a developer of database security risk assessment solutions. ISS issued 316,000 shares of ISS Common Stock and paid $5,206,000 in cash consideration and direct transaction costs for these acquisitions. The 1998 acquisitions were accounted for as purchases and their results have been included in the results of ISS's operations from the effective dates of acquisition.
Substantially all of the aggregate consideration of $9,144,000 was allocated to identified intangibles, including core and developed technologies, in-process research and development, work force and goodwill (see Note 1).

The valuations of core and developed technologies and in-process research and development were based on the present value of estimated future cash flows over the lesser of: (i) five years or (ii) the period in which the product is expected to be integrated into an existing ISS product. The resulting values were reviewed for reasonableness based on the time and cost spent on the effort, the complexity of the development effort and, in the case of in-process development projects, the stage to which it had progressed. For in-process research and development, the valuation was reduced for the core technology component of such product and the percentage of product development remaining at the acquisition date. The resulting in-process research and development amount of $802,000 was reflected as a charge in the 1998 statement of operations.

The following table summarizes pro forma results of operations as if the acquisition of March was concluded on January 1, 1998 (the effect of the SARIS acquisition in 2000 and the DbSecure acquisition in 1998 are not included as their impact was immaterial). This pro forma information is not necessarily indicative of what the combined operations would have been if ISS had control of such combined businesses for the period presented. The adjustments to the historical data reflect the following (i) reduction of interest income in connection with the cash payments and (ii) amortization of goodwill and intangibles.
                                                    1998
                                                 -----------
                                                 (UNAUDITED)
Revenues........................................ $58,894,000
Operating loss..................................  (6,537,000)
Net loss........................................  (4,619,000)
Per share:
  Basic and diluted net loss.................... $     (0.14)
  Pro forma net loss............................ $     (0.13)
3. MARKETABLE SECURITIES

The following is a summary of available-for-sale marketable securities as of December 31:
                                                     1999           2000
                                                 -----------    -----------
Unrestricted:
  U.S. Treasury securities and obligations of
    U.S. government agencies.................... $18,907,000    $        --
  U.S. corporate commercial paper...............  37,786,000     65,938,000
Restricted:
  U.S. corporate commercial paper...............  12,500,000     12,500,000
                                                 -----------    -----------
                                                 $69,193,000    $78,438,000
                                                 ===========    ===========
As of December 31, 1999 and 2000 the cost of marketable securities approximated fair value. The contractual maturities of all of these investments were less than one year as of December 31, 2000. Marketable securities of $12,500,000 are restricted as of December 31, 2000 as collateral for a letter of credit issued by a financial institution related to the lease on the new ISS headquarters.

4. REDEEMABLE, CONVERTIBLE PREFERRED STOCK

All of the outstanding shares of Redeemable, Convertible Preferred Stock were automatically converted into an aggregate of 11,474,000 shares of Common Stock on March 27, 1998 in connection with ISS's IPO.

5. STOCK OPTION PLANS

ISS's Incentive Stock Plan (the "Plan") provides for the granting of qualified or nonqualified options to purchase shares of ISS's Common Stock. Under the Plan, at December 31, 2000 there are 8,266,929 shares reserved for future issuance which increases automatically on the first trading day of each year by an amount equal to 3% of the number of shares of Common Stock outstanding on the last trading day of the preceding year. An additional 160,000 shares have been reserved for non-statutory options issued in 1997 to non-employee directors.

Certain options granted under the Plan prior to the IPO are immediately exercisable, subject to a right of repurchase by ISS at the original exercise price for all unvested shares. Options granted after the IPO are generally exercisable as vesting occurs. Vesting is generally in equal annual installments over four years, measured from the date of the grant.
Deferred compensation, which appears in the equity section of the balance sheet, originated in 1998 by computing the difference between the exercise price of stock options issued in December 1997 to the estimated price range for the IPO as set forth in the initial filing on January 20, 1998 of ISS's Registration Statement on Form S-1 and the exercise price of stock options issued in January and February 1998 to the final estimated price range contained in ISS's pre-effective amendment to its Registration Statement for the IPO filed in March 1998. The amounts are being charged to operations proportionately over the four-year vesting period of the related stock options. Amortization of deferred compensation was $720,000 in 1998, $374,000 in 1999 and $202,000 in 2000. All other options are issued at fair market value on the date of grant. A summary of ISS's stock option activity is as follows:
                                        1998                    1999                    2000
                                ---------------------   ---------------------   ---------------------
                                             WEIGHTED                WEIGHTED                WEIGHTED
                                             AVERAGE                 AVERAGE                 AVERAGE
                                  NUMBER     EXERCISE     NUMBER     EXERCISE     NUMBER     EXERCISE
                                 OF SHARES    PRICE      OF SHARES    PRICE      OF SHARES    PRICE
                                ----------   --------   ----------   --------   ----------   --------
Outstanding at beginning of
  year.........................  3,776,000    $ 1.36     5,205,000    $ 5.35     5,067,000    $13.58
Granted........................  1,921,000     11.37     1,719,000     33.94     2,253,000     67.88
Exercised......................   (809,000)     0.36    (1,033,000)     3.81    (1,366,000)     4.63
Canceled.......................   (129,000)     4.66      (884,000)    15.45      (702,000)    33.61
Assumed........................    446,000      4.00        60,000      3.51            --        --
                                ----------              ----------              ----------
Outstanding at end of year.....  5,205,000      5.35     5,067,000     13.58     5,252,000     36.54
                                ==========              ==========              ==========
Exercisable at end of year.....  3,219,000      1.95     2,693,000      3.00     1,430,000     13.24
                                ==========              ==========              ==========
Weighted average fair value of
  options granted during the
  year......................... $    13.68              $    29.01              $    59.25
                                ==========              ==========              ==========
The following table summarizes information about stock options outstanding at December 31, 2000:
                                                              OPTIONS FULLY
                               OPTIONS OUTSTANDING        VESTED AND EXERCISABLE
                           ----------------------------   -----------------------
                             NUMBER OF       WEIGHTED        NUMBER
                              OPTIONS        AVERAGE       EXERCISABLE   WEIGHTED
                           OUTSTANDING AT   REMAINING          AT        AVERAGE
                            DECEMBER 31,   CONTRACTUAL    DECEMBER 31,   EXERCISE
RANGE OF EXERCISE PRICES        2000           LIFE           2000        PRICE
------------------------   --------------  -----------    ------------   --------
$.08-.49................        338,000        5.79          244,000      $ 0.17
$.50-3.99...............        794,000        7.04          470,000      $ 3.32
$4.00-11.99.............        642,000        7.21          296,000      $ 8.94
$12.00-24.99............        297,000        7.80          122,000      $17.06
$25.00-54.99............      1,181,000        8.71          224,000      $36.62
$55.00-69.99............      1,156,000        9.32           75,000      $58.94
$70.00-85.63............        844,000        9.57               --          --
Pro forma information regarding net income and net income per share is required by SFAS 123, which also requires that the information be determined as if ISS had accounted for its employee stock options granted subsequent to December 31, 1994 under the fair value method prescribed by that Statement. The fair value for options granted was estimated at the date of grant using the Black-Scholes option-pricing model. The following weighted average assumptions were used for 1998, 1999 and 2000, respectively: risk-free interest rates of 5.27%, 6.19% and 6.27%, respectively; no dividend yield; volatility factors of .60, 1.25 and 1.29 respectively; and an expected life of the options of 5 years.

The Black-Scholes option valuation model was developed for use in estimating the fair value of traded options that have no vesting restrictions and are fully transferable. In addition, option valuation models require the input of highly subjective assumptions including the expected stock price volatility. Because employee stock options have characteristics different from those of traded options, and because the changes in the subjective input assumptions can materially affect the fair value estimate, in management's opinion, the existing models do not necessarily provide a reliable single measure of the fair value of its employee stock options.

For purposes of pro forma disclosures, the estimated fair value of the option is amortized to expense over the options' vesting period. The following pro forma information adjusts the net income (loss) and net income (loss) per share of Common Stock for the impact of SFAS 123:
                                            YEAR ENDED DECEMBER 31,
                                      ------------------------------------
                                         1998         1999        2000
                                      -----------   --------   -----------
Pro forma net income (loss).......... $(6,551,000)  $743,000   $(8,003,000)
                                      ===========   ========   ===========
Pro forma net income (loss) per
  share.............................. $     (0.20)  $   0.02   $     (0.19)
                                      ===========   ========   ===========
6. LONG-TERM DEBT AND CAPITAL LEASE OBLIGATIONS

ISS has an agreement with a bank providing for a revolving working capital line of credit and a term loan facility. Under the terms of the agreement, ISS may borrow up to $3,000,000 (subject to a borrowing formula) and $500,000, respectively, with interest payable monthly at prime plus .5 percent. The line of credit and the term loan facility are collateralized by certain assets of the Company. There are no amounts outstanding under this arrangement at December 31, 1999 and 2000.

ISS leases certain property and equipment under capital leases. Obligations under such lease agreements amounted to $688,000 and $212,000 at December 31, 1999 and 2000, respectively. Future minimum lease payments under these leases are: $124,000 in 2001, $35,000 in 2002, $39,000 in 2003 and $14,000 in 2004, respectively.

7. COMMITMENTS AND CONTINGENT LIABILITIES

ISS has non-cancelable operating leases for facilities that expire at various dates through October 2011. In 1999, ISS entered into an 11 1/2-year lease for a new corporate headquarters, which it began to occupy in various stages in November 2000.

Future minimum payments under non-cancelable operating leases with initial terms of one year or more consisted of the following at December 31, 2000:
                                                      OPERATING
                                                        LEASES
                                                     ------------
2001................................................   11,094,000
2002................................................   13,216,000
2003................................................   11,675,000
2004................................................   12,744,000
2005................................................   12,900,000
Thereafter..........................................   84,687,000
                                                     ------------
  Total minimum lease payments...................... $146,317,000
                                                     ============
Rent expense was approximately $2,098,000, $2,831,000 and $4,939,000 for the years ended December 31, 1998, 1999, and 2000, respectively.

8. INCOME TAXES

For financial reporting purposes, the provision for income taxes includes the following components, all of which are current:
                                              YEAR ENDED DECEMBER 31,
                                          --------------------------------
                                           1998       1999        2000
                                          -------   --------   -----------
Federal income taxes..................... $    --   $730,000   $ 8,421,000
State income taxes.......................      --    149,000       691,000
Foreign income taxes.....................  62,000     97,000     1,226,000
                                          -------   --------   -----------
  Total provision for income taxes....... $62,000   $976,000   $10,338,000
                                          =======   ========   ===========
Pre-tax income attributable to foreign and domestic operations is summarized below:
                                           YEAR ENDED DECEMBER 31,
                                    --------------------------------------
                                       1998          1999         2000
                                    -----------   ----------   -----------
U.S. operations.................... $(3,297,000)  $8,065,000   $26,226,000
Japan operations...................    (642,000)     213,000     3,156,000
U.K. operations....................      90,000      132,000      (437,000)
Other..............................      18,000       57,000      (292,000)
                                    -----------   ----------   -----------
                                    $(3,831,000)  $8,467,000   $28,653,000
                                    ===========   ==========   ===========
A reconciliation of the provision for income taxes to the statutory federal income tax rate is as follows:
                                              YEAR ENDED DECEMBER 31,
                                      ---------------------------------------
                                         1998          1999          2000
                                      -----------   -----------   -----------
Federal income taxes applied to
  pretax income (loss)............... $(1,440,000)  $ 2,878,000   $10,029,000
State income taxes, net of federal
  income tax benefit.................    (160,000)      149,000       691,000
Alternative Minimum Tax..............          --       230,000            --
Intangibles..........................     345,000       209,000        57,000
Research and development tax
  credits............................    (384,000)     (717,000)   (1,104,000)
Merger expenses not deductible for
  tax purposes.......................          --       792,000            --
S Corp earnings......................          --      (255,000)           --
Foreign operations...................      62,000        97,000       223,000
Other................................      42,000            --       672,000
Change in valuation allowance........   1,597,000    (2,407,000)     (230,000)
                                      -----------   -----------   -----------
                                      $    62,000   $   976,000   $10,338,000
                                      ===========   ===========   ===========
Deferred income taxes reflect the net income tax effects of temporary differences between the carrying amounts of assets and liabilities for financial reporting purposes and the amounts used for income tax purposes. The net income tax effect has been computed using a combined statutory rate of 38% for federal and state taxes. Significant components of ISS's net deferred income taxes are as follows:
                                                       DECEMBER 31,
                                               ---------------------------
                                                   1999           2000
                                               ------------   ------------
Deferred income tax assets:
  Depreciation and amortization...............      267,000        446,000
  Accrued liabilities.........................      121,000        206,000
  Allowance for doubtful accounts.............      165,000        329,000
  Deferred compensation.......................      142,000             --
  Net operating loss carryforwards............    9,986,000     29,602,000
  AMT credit carryforwards....................      230,000             --
  Research and development tax credit
    carryforwards.............................    1,336,000      2,440,000
                                               ------------   ------------
    Total deferred income tax assets..........   12,247,000     33,023,000
                                               ------------   ------------
Less valuation allowance......................  (12,247,000)   (33,023,000)
                                               ------------   ------------
    Net deferred income tax assets............ $         --   $         --
                                               ============   ============
For financial reporting purposes, a valuation allowance has been recognized to reduce the net deferred income tax assets to zero. ISS has not recognized any benefit from the future use of the deferred tax assets because management's evaluation of all the available evidence in assessing the realizability of the tax benefits of such loss carryforwards indicates that the underlying assumptions of future profitable operations contain risks that do not provide sufficient assurance to recognize such tax benefits currently.

The deferred income tax assets include approximately $12,247,000 and $33,023,000 at December 31, 1999 and 2000, respectively, of assets that were created by or are subject to valuation allowance as a result of stock option deductions. While income tax expense will be recorded on any future pre-tax profits from United States operations, these deferred tax assets would reduce the related income taxes payable. This reduction in income taxes payable in future periods would be recorded as additional paid-in capital.

ISS has approximately $77,900,000 of net operating loss carryforwards for federal income tax purposes that expire in varying amounts between 2011 and 2020. The net operating loss carryforwards may be subject to certain limitations in the event of a change in ownership. ISS also has approximately $2,440,000 of research and development tax credit carryforwards that expire between 2011 and 2020.

9. EMPLOYEE STOCK AND BENEFIT PLANS

ISS sponsors a 401(k) plan that covers substantially all employees over 18 years of age. Participating employees may contribute up to 15% of their pre-tax salary, but not more than statutory limits. Beginning in 2000 ISS matches 25% of a participant's contributions with a maximum contribution of 3% of a participant's contributions. Matching contributions in 2000 were $196,000.
Prior to 2000 ISS made no contributions to the plan.

Effective July 1, 1999 ISS implemented an employee stock purchase plan (the "Plan") for all eligible employees. Under the Plan, shares of ISS's Common Stock may be purchased at six-month intervals at 85% of the lower of the fair market value on the first or the last day of each six-month period. Employees may purchase shares with aggregate fair value up to 10% of their gross compensation during a six-month period. During 2000 employees purchased 39,000 shares at an average price of $41.44 per share. At December 31, 2000, 411,000 shares of ISS Common Stock were reserved for future issuance.

10. INCOME (LOSS) PER SHARE

The following table sets forth the computation of basic and diluted net income (loss) per share:
                                                  YEAR ENDED DECEMBER 31,
                                          ---------------------------------------
                                             1998          1999          2000
                                          -----------   -----------   -----------
Numerator:
  Net income (loss)...................... $(3,893,000)  $ 7,490,000   $18,315,000
                                          -----------   -----------   -----------
Denominator:
  Denominator for basic net (income)
    loss per share -- weighted average
    shares...............................  32,351,000    39,996,000    41,892,000
  Effect of dilutive stock options.......          --     3,695,000     3,207,000
                                          -----------   -----------   -----------
  Denominator for diluted net income
    (loss) per share -- weighted
    average shares.......................  32,351,000    43,691,000    45,099,000
                                                        -----------   -----------
  Redeemable, Convertible Preferred
    Stock................................   2,612,000
                                          -----------
  Weighted average shares for pro forma
    net loss per share...................  34,963,000
                                          ===========
Basic net income (loss) per share........ $     (0.12)  $      0.19   $      0.44
                                          ===========   ===========   ===========
Diluted net income (loss) per share...... $     (0.12)  $      0.17   $      0.41
                                          ===========   ===========   ===========
Pro forma net income (loss) per share.... $     (0.11)
                                          ===========
Options aggregating 5,205,000 at December 31, 1998 were not included in the above calculations as they were anti-dilutive.

11. EXPORT SALES

ISS generates export sales from the United States to the Europe, Asia/Pacific Rim and Latin America regions. Also, revenues are generated from ISS's foreign operations in these regions. In the aggregate, the Europe, Asia/Pacific Rim and Latin America regions represented the following percentages of total revenues:
                      1998   1999   2000
                      ----   ----   ----
Europe                  9%    11%    13%
Asia/Pacific Rim        3%     5%     8%
Latin America           --     1%     3%
12. QUARTERLY FINANCIAL RESULTS (UNAUDITED)

Summarized quarterly results for the two years ended December 31, 1999 and 2000 are as follows (in thousands, except per share data):
                                  FIRST    SECOND     THIRD    FOURTH
                                 -------   -------   -------   -------
1999 by quarter:
  Revenues                       $22,975   $27,279   $30,001   $36,232
  Operating income (loss)            396       739      (842)    2,407
  Net income                       1,176     2,127       693     3,494
  Income per share:
    Basic                        $  0.03   $  0.05   $  0.02   $  0.09
    Diluted                      $  0.03   $  0.05   $  0.02   $  0.08
2000 by quarter:
  Revenues                       $39,291   $44,217   $51,787   $59,680
  Operating income                 3,085     4,215     5,805     7,464
  Net income                       3,070     4,081     4,855     6,309
  Income per share:
    Basic                        $  0.07   $  0.10   $  0.12   $  0.15
    Diluted                      $  0.07   $  0.09   $  0.11   $  0.14
Because of the method used in calculating per share data, the quarterly per share data will not necessarily total the per share data as computed for the year.

SCHEDULE II

VALUATION AND QUALIFYING ACCOUNTS
                                          BALANCE AT
                                         BEGINNING OF                             BALANCE AT
                                             YEAR       PROVISION   WRITE-OFFS    END OF YEAR
                                         ------------   ---------   ----------    -----------
1998 Allowance for Doubtful Accounts       $286,000     $229,000    $(103,000)    $  412,000
                                           ========     ========    =========     ==========
1999 Allowance for Doubtful Accounts       $412,000     $554,000    $(118,000)    $  848,000
                                           ========     ========    =========     ==========
2000 Allowance for Doubtful Accounts       $848,000     $556,000    $(216,000)    $1,188,000
                                           ========     ========    =========     ==========
SIGNATURES

Pursuant to the requirements of the Section 13 or 15(d) of the Securities Exchange Act of 1934, the Registrant has duly caused this Report to be signed on its behalf by the undersigned, thereunto duly authorized.

INTERNET SECURITY SYSTEMS, INC.

By: /s/ Richard Macchia
    ------------------------------------
    Richard Macchia
    Vice President and Chief Financial Officer

By: /s/ Maureen Richards
    ------------------------------------
    Maureen Richards
    Corporate Controller

Dated: March 30, 2001

POWER OF ATTORNEY

KNOW ALL PERSONS BY THESE PRESENTS, that each person whose signature appears below hereby severally constitutes and appoints, Thomas E. Noonan, Richard Macchia and Maureen Richards, and each or any of them, his true and lawful attorney-in-fact and agent, each with the power of substitution and resubstitution, for him in any and all capacities, to sign any and all amendments to this Annual Report (Form 10-K) and to file the same, with exhibits thereto and other documents in connection therewith, with the Securities and Exchange Commission, hereby ratifying and confirming all that each said attorney-in-fact and agent, or his substitute or substitutes, may lawfully do or cause to be done by virtue hereof.

Pursuant to the requirements of the Securities Exchange Act of 1934, this Report has been signed below by the following persons on behalf of the Registrant and in the capacities and on the dates indicated.
NAME                        TITLE                                          DATE
----                        -----                                          ----
/s/ Thomas E. Noonan        Chairman, President and Chief Executive        March 30, 2001
Thomas E. Noonan            (Principal Executive Officer)

/s/ Christopher W. Klaus    Chief Technology Officer, Secretary and        March 30, 2001
Christopher W. Klaus        Director

/s/ Richard Macchia         Vice President and Chief Financial Officer     March 30, 2001
Richard Macchia

/s/ Richard S. Bodman       Director                                       March 30, 2001
Richard S. Bodman

/s/ Robert E. Davoli        Director                                       March 30, 2001
Robert E. Davoli

/s/ Sam Nunn                Director                                       March 30, 2001
Sam Nunn

/s/ Kevin J. O'Connor       Director                                       March 30, 2001
Kevin J. O'Connor

/s/ David N. Strohm         Director                                       March 30, 2001
David N. Strohm
CONSENT OF INDEPENDENT AUDITORS

We consent to the reference to our firm under the caption "Experts" in the Registration Statement (Form S-3 No. 333-87557) and related prospectus of Internet Security Systems, Inc. for the registration of 723,987 shares of Common Stock and to the incorporation by reference therein of our report dated January 21, 2000, with respect to the consolidated financial statements and schedule of Internet Security Systems, Inc. included in this Annual Report (Form 10-K) for the year ended December 31, 1999, filed with the Securities and Exchange Commission.

We also consent to the incorporation by reference in the Registration Statements and in the related prospectuses of Internet Security Systems, Inc. listed below of our report dated January 21, 2000, with respect to the consolidated financial statements and schedule of Internet Security Systems, Inc. included in this Annual Report (Form 10-K) for the year ended December 31, 1999:

Registration Statement No. 333-53279 on Form S-8 (Restated 1995 Stock Incentive Plan)

Registration Statement No. 333-89563 on Form S-8 (Internet Security Systems Inc. 1995 Stock Incentive Plan, 1999 Employee Stock Purchase Plan, 1999 International Employee Stock Purchase Plan, Netrex, Inc. 1998 Stock Plan)

/s/ ERNST & YOUNG LLP

Atlanta, Georgia
March 23, 2001