0001178913-20-000737.txt : 20200305 0001178913-20-000737.hdr.sgml : 20200305 20200305160754 ACCESSION NUMBER: 0001178913-20-000737 CONFORMED SUBMISSION TYPE: 20-F PUBLIC DOCUMENT COUNT: 108 CONFORMED PERIOD OF REPORT: 20191231 FILED AS OF DATE: 20200305 DATE AS OF CHANGE: 20200305 FILER: COMPANY DATA: COMPANY CONFORMED NAME: CyberArk Software Ltd. CENTRAL INDEX KEY: 0001598110 STANDARD INDUSTRIAL CLASSIFICATION: SERVICES-PREPACKAGED SOFTWARE [7372] IRS NUMBER: 000000000 FILING VALUES: FORM TYPE: 20-F SEC ACT: 1934 Act SEC FILE NUMBER: 001-36625 FILM NUMBER: 20690882 BUSINESS ADDRESS: STREET 1: 94 EM-HA'MOSHAVOT RD. STREET 2: PARK OFER, P.O. BOX 3143 CITY: PETACH-TIKVA STATE: L3 ZIP: 4970602 BUSINESS PHONE: 97239180000 MAIL ADDRESS: STREET 1: 94 EM-HA'MOSHAVOT RD. STREET 2: PARK OFER, P.O. BOX 3143 CITY: PETACH-TIKVA STATE: L3 ZIP: 4970602 FORMER COMPANY: FORMER CONFORMED NAME: Cyber-Ark Software Ltd. DATE OF NAME CHANGE: 20140123 20-F 1 cybr20f2019.htm 20-F CyberArk Software Ltd.


UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

WASHINGTON, D.C. 20549

FORM 20-F

REGISTRATION STATEMENT PURSUANT TO SECTION 12(b) OR (g) OF THE SECURITIES EXCHANGE ACT OF 1934

 

OR

 

ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934

 

For the fiscal year ended December 31, 2019

 

OR

 

TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934

 

OR

 

SHELL COMPANY REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934

 

Commission file number 001-36625


CYBERARK SOFTWARE LTD.

(Exact name of Registrant as specified in its charter)

Israel

(Jurisdiction of incorporation or organization)

9 Hapsagot St.

Park Ofer B, P.O. BOX 3143

Petach-Tikva 4951040, Israel

(Address of principal executive offices)


Donna Rahav

General Counsel and Compliance Officer

Telephone: +972 (3) 918-0000

CyberArk Software Ltd.

9 Hapsagot St.

Park Ofer B, P.O. BOX 3143

Petach-Tikva  4951040, Israel

(Name, telephone, e-mail and/or facsimile number and address of company contact person)

Securities registered or to be registered pursuant to Section 12(b) of the Act:

| Title of each class | Trading Symbol(s) | Name of each exchange on which registered |
|---|---|---|
| Ordinary shares, par value NIS 0.01 per share | CYBR | The Nasdaq Stock Market LLC |

Securities registered or to be registered pursuant to Section 12(g) of the Act: None.

Securities for which there is a reporting obligation pursuant to Section 15(d) of the Act: None.

Indicate the number of outstanding shares of each of the issuer’s classes of capital or common stock as of the close of the period covered by the annual report: As of December 31, 2019, the registrant had outstanding 38,043,516 ordinary shares, par value NIS 0.01 per share.

Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act.

Yes ☒  No ☐

If this report is an annual or transition report, indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934.

Yes ☐  No

Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.

Yes ☒  No ☐

Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files).

Yes ☒  No ☐

Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” and “emerging growth company” in Rule 12b-2 of the Exchange Act.

Large accelerated filer

Accelerated filer ☐

Non-accelerated filer ☐

Emerging growth company

If an emerging growth company that prepares its financial statements in accordance with U.S. GAAP, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards† provided pursuant to Section 13(a) of the Exchange Act. ☐

† The term “new or revised financial accounting standard” refers to any update issued by the Financial Accounting Standards Board to its Accounting Standards Codification after April 5, 2012.

Indicate by check mark which basis of accounting the registrant has used to prepare the financial statements included in this filing:

U.S. GAAP

International Financial Reporting Standards as issued by the International Accounting Standards Board ☐

Other ☐

If “Other” has been checked in response to the previous question, indicate by check mark which financial statement item the registrant has elected to follow.

Item 17 ☐ Item 18 ☐

If this is an annual report, indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act).

Yes   No ☒


CYBERARK SOFTWARE LTD.

FORM 20-F

ANNUAL REPORT FOR THE FISCAL YEAR ENDED DECEMBER 31, 2018

TABLE OF CONTENTS

Introduction
Special Note Regarding Forward-Looking Statements

PART I
Item 1. Identity of Directors, Senior Management and Advisers
Item 2. Offer Statistics and Expected Timetable
Item 3. Key Information
Item 4. Information on the Company
Item 4A. Unresolved Staff Comments
Item 5. Operating and Financial Review and Prospects
Item 6. Directors, Senior Management and Employees
Item 7. Major Shareholders and Related Party Transactions
Item 8. Financial Information
Item 9. The Offer and Listing
Item 10. Additional Information
Item 11. Quantitative and Qualitative Disclosures About Market Risk
Item 12. Description of Securities Other Than Equity Securities

PART II
Item 13. Defaults, Dividend Arrearages and Delinquencies
Item 14. Material Modifications to the Rights of Security Holders and Use of Proceeds
Item 15. Controls and Procedures
Item 16A. Audit Committee Financial Expert
Item 16B. Code of Ethics
Item 16C. Principal Accountant Fees and Services
Item 16D. Exemptions from the Listing Standards for Audit Committees
Item 16E. Purchases of Equity Securities by the Issuer and Affiliated Purchasers
Item 16F. Change in Registrant’s Certifying Accountant
Item 16G. Corporate Governance
Item 16H. Mine Safety Disclosure

PART III
Item 17. Financial Statements
Item 18. Financial Statements
Item 19. Exhibits


INTRODUCTION

In this annual report, the terms “CyberArk,” “we,” “us,” “our” and “the company” refer to CyberArk Software Ltd. and its subsidiaries.

This annual report includes statistical, market and industry data and forecasts, which we obtained from publicly available information and independent industry publications and reports that we believe to be reliable sources. These publicly available industry publications and reports generally state that they obtain their information from sources that they believe to be reliable, but they do not guarantee the accuracy or completeness of the information. Although we believe that these sources are reliable, we have not independently verified the information contained in such publications. Certain estimates and forecasts involve uncertainties and risks and are subject to change based on various factors, including those discussed under the headings “Special Note Regarding Forward-Looking Statements” and “Item 3.D Risk Factors” in this annual report.

Throughout this annual report, we refer to various trademarks, service marks and trade names that we use in our business. The “CyberArk” design logo is the property of CyberArk Software Ltd. CyberArk® is our registered trademark in the United States. We have several other trademarks, service marks and pending applications relating to our solutions. In particular, although we have omitted the “®” and “™” trademark designations in this annual report from each reference to our Privileged Access Security Solution, Enterprise Password Vault, Privileged Session Manager, Privileged Threat Analytics, CyberArk Privilege Cloud, Application Access Manager, Conjur, Endpoint Privilege Manager, On-Demand Privileges Manager, secure Digital Vault, Web Management Interface, Master Policy Engine and Discovery Engine, DNA, Alero and C3 Alliance, all rights to such names and trademarks are nevertheless reserved. Other trademarks and service marks appearing in this annual report are the property of their respective holders.

SPECIAL NOTE REGARDING FORWARD-LOOKING STATEMENTS

In addition to historical facts, this annual report contains forward-looking statements within the meaning of Section 27A of the U.S. Securities Act of 1933, as amended, or the Securities Act, Section 21E of the U.S. Securities Exchange Act of 1934, as amended, or the Exchange Act, and the safe harbor provisions of the U.S. Private Securities Litigation Reform Act of 1995. These forward-looking statements are subject to risks and uncertainties, and include information about possible or assumed future results of our business, financial condition, results of operations, liquidity, plans and objectives. In some cases, you can identify forward-looking statements by terminology such as “believe,” “may,” “estimate,” “continue,” “anticipate,” “intend,” “should,” “plan,” “expect,” “predict,” “potential,” or the negative of these terms or other similar expressions. The forward-looking statements are based on our beliefs, assumptions and expectations of future performance. There are important factors that could cause our actual results, levels of activity, performance or achievements to differ materially from the results, levels of activity, performance or achievements expressed or implied by the forward-looking statements, including, but not limited to:

the significant drivers of our future growth may be different from those we expect;

we may be unsuccessful in our plans to leverage our global footprint in existing and new industry verticals to further expand our market share;

our hybrid sales model may not generate the revenues we expect;

we may be unable to achieve incremental sales to existing customers;

our future operating and net profit margins may differ from our expectations;

we may fail to find, complete, or fully integrate additional strategic acquisitions;

we may experience unanticipated product vulnerabilities or cybersecurity breaches of our or our customers’ systems;

we may be unable to hire, retain and motivate qualified personnel;

we may experience greater than expected harm to our ability to generate future revenues from risks associated with our global sales and operations, such as changes in regulatory requirements, wide-spread viruses and epidemics like the recent novel coronavirus outbreak or fluctuations in currency exchange rates;

we may be unsuccessful in expanding our sales and marketing efforts and we may be unable to expand our channel partnerships across existing and new geographies;

we may be unsuccessful in our efforts to further diversify our product deployments and licensing options;

we may not realize our plans to continue to invest in research and development, and our research and development efforts may not successfully enhance and develop existing and new on-premises and cloud-based products and services;

we may be required to make more capital expenditures than we currently expect; and



we may be unable to retain our “foreign private issuer” status or may be classified, for U.S. federal income tax purposes, as a “passive foreign investment company”.

In addition, you should consider the risks provided under “Item 3. Key Information—D. Risk Factors” in this annual report.

You should not rely upon forward-looking statements as predictions of future events. Although we believe that the expectations reflected in the forward-looking statements are reasonable, we cannot guarantee that future results, levels of activity, performance and events and circumstances reflected in the forward-looking statements will be achieved or will occur. Except as required by law, we undertake no obligation to update publicly any forward-looking statements for any reason after the date of this annual report, to conform these statements to actual results or to changes in our expectations.

PART I

ITEM 1. IDENTITY OF DIRECTORS, SENIOR MANAGEMENT AND ADVISERS

Not applicable.

ITEM 2. OFFER STATISTICS AND EXPECTED TIMETABLE

Not applicable.

ITEM 3. KEY INFORMATION

A. Selected Financial Data

The following tables set forth our selected consolidated financial data. You should read the following selected consolidated financial data in conjunction with “Item 5. Operating and Financial Review and Prospects” and our consolidated financial statements and related notes included elsewhere in this annual report. Historical results are not necessarily indicative of the results that may be expected in the future. Our financial statements have been prepared in accordance with U.S. Generally Accepted Accounting Principles, or U.S. GAAP.

The selected consolidated statements of operations data for each of the years in the three-year period ended December 31, 2019 and the consolidated balance sheet data as of December 31, 2018 and 2019 are derived from our audited consolidated financial statements appearing elsewhere in this annual report. The consolidated statements of operations data for the years ended December 31, 2015 and 2016 and the consolidated balance sheet data as of December 31, 2015, 2016 and 2017 are derived from our audited consolidated financial statements that are not included in this annual report.

Year ended December 31, (in thousands except share and per share data)

| | 2015(1) | 2016(1) | 2017(1) | 2018 | 2019 |
|---|---|---|---|---|---|
| Consolidated Statements of Operations: | | | | | |
| Revenues: | | | | | |
| License | $100,113 | $131,530 | $147,640 | $192,514 | $237,879 |
| Maintenance and professional services | 60,699 | 85,083 | 114,061 | 150,685 | 196,016 |
| Total revenues | 160,812 | 216,613 | 261,701 | 343,199 | 433,895 |
| Cost of revenues: | | | | | |
| License | 5,088 | 4,726 | 7,911 | 10,526 | 10,569 |
| Maintenance and professional services | 17,572 | 25,425 | 33,937 | 37,935 | 52,046 |
| Total cost of revenues(2) | 22,660 | 30,151 | 41,848 | 48,461 | 62,615 |
| Gross profit | 138,152 | 186,462 | 219,853 | 294,738 | 371,280 |
| Operating expenses: | | | | | |
| Research and development(2) | 21,734 | 34,614 | 42,389 | 57,112 | 72,520 |
| Sales and marketing(2) | 66,206 | 93,775 | 126,739 | 148,290 | 184,168 |
| General and administrative(2) | 16,990 | 22,117 | 30,399 | 42,044 | 52,308 |
| Total operating expenses | 104,930 | 150,506 | 199,527 | 247,446 | 308,996 |
| Operating income | 33,222 | 35,956 | 20,326 | 47,292 | 62,284 |
| Financial income (expenses), net | (1,479) | 245 | 4,103 | 4,551 | 7,800 |
| Income before taxes on income | 31,743 | 36,201 | 24,429 | 51,843 | 70,084 |
| Taxes on income | (5,949) | (8,077) | (8,414) | (4,771) | (7,020) |
| Net income | $25,794 | $28,124 | $16,015 | $47,072 | $63,064 |
| Basic net income per ordinary share(3) | $0.80 | $0.83 | $0.46 | $1.30 | $1.68 |
| Diluted net income per ordinary share(3) | $0.73 | $0.78 | $0.44 | $1.27 | $1.62 |
| Weighted average number of ordinary shares used in computing basic net income per ordinary share(3) | 32,124,772 | 33,741,359 | 34,824,312 | 36,174,316 | 37,586,387 |
| Weighted average number of ordinary shares used in computing diluted net income per ordinary share(3) | 35,322,716 | 35,838,863 | 36,175,824 | 37,065,727 | 38,890,108 |



As of December 31, (in thousands)

| | 2015(1) | 2016(1) | 2017(1) | 2018 | 2019 |
|---|---|---|---|---|---|
| Consolidated Balance Sheet Data: | | | | | |
| Cash, cash equivalents, marketable securities and short-term bank deposits | $238,252 | $295,475 | $330,340 | $451,244 | $1,119,250 |
| Deferred revenue, current and long term | 54,389 | 73,506 | 105,235 | 149,534 | 190,355 |
| Working capital(4) | 197,095 | 235,010 | 251,247 | 338,340 | 953,530 |
| Total assets | 334,424 | 403,031 | 502,576 | 673,620 | 1,405,166 |
| Convertible senior notes, net | | | | | 485,119 |
| Total shareholders’ equity | 246,670 | 296,216 | 353,965 | 466,770 | 624,132 |

(1) On January 1, 2018, we adopted Accounting Standard Update (“ASU”) No. 2014-09, Revenue from Contracts with Customers Topic 606 (“ASC No. 606”) using the modified retrospective method. Results for reporting periods beginning after January 1, 2018 are presented under ASC No. 606, while prior period results are not adjusted and continue to be reported in accordance with historic accounting under Revenue Recognition Topic 605 (“ASC No. 605”).

(2) Includes share-based compensation expense as follows:

Year ended December 31, (in thousands)

| | 2015 | 2016 | 2017 | 2018 | 2019 |
|---|---|---|---|---|---|
| Cost of revenues | $499 | $1,386 | $2,289 | $3,350 | $5,690 |
| Research and development | 1,507 | 4,660 | 6,110 | 7,922 | 10,960 |
| Sales and marketing | 2,214 | 5,765 | 8,642 | 12,708 | 20,976 |
| General and administrative | 2,829 | 5,724 | 8,196 | 11,984 | 17,891 |
| Total share-based compensation expenses | $7,049 | $17,535 | $25,237 | $35,964 | $55,517 |

(3) Basic and diluted net income per ordinary share is computed based on the weighted average number of ordinary shares outstanding during each period. For additional information, see note 15 to our consolidated financial statements included elsewhere in this annual report.

(4) We define working capital as total current assets minus total current liabilities.


Non-GAAP gross profit, non-GAAP operating income and non-GAAP net income are non-GAAP financial measures. We define non-GAAP gross profit, non-GAAP operating income and non-GAAP net income as gross profit, operating income and net income, respectively, which each exclude (i) share-based compensation expense and (ii) amortization of intangible assets related to acquisitions. Non-GAAP operating income also excludes (i) expenses related to the March 2015 public offering of ordinary shares by certain of our shareholders and to the June 2015 public offering of ordinary shares by us and certain of our shareholders, (ii) expenses related to acquisitions and (iii) expenses related to facility exit and transition costs. Non-GAAP net income also excludes (i) tax effects related to the non-GAAP adjustments set forth above, (ii) tax effects related to the impact to our deferred tax assets as a result of the U.S. Tax Cuts and Jobs Act 2017 (the “Tax Act”), (iii) intra-entity intellectual property transfer tax effects and (iv) amortization of debt discount and issuance costs. The following tables reconcile operating income and net income, the most directly comparable U.S. GAAP measures, to non-GAAP operating income and non-GAAP net income for the periods presented:

Year ended December 31, (in thousands)

| | 2015 | 2016 | 2017 | 2018 | 2019 |
|---|---|---|---|---|---|
| Reconciliation of Gross Profit to Non-GAAP Gross Profit: | | | | | |
| Gross profit | $138,152 | $186,462 | $219,853 | $294,738 | $371,280 |
| Share-based compensation – Maintenance and professional services | 499 | 1,386 | 2,289 | 3,350 | 5,690 |
| Amortization of intangible assets – License | 359 | 1,420 | 4,213 | 5,563 | 5,029 |
| Non-GAAP Gross profit | $139,010 | $189,268 | $226,355 | $303,651 | $381,999 |

Year ended December 31, (in thousands)

| | 2015 | 2016 | 2017 | 2018 | 2019 |
|---|---|---|---|---|---|
| Reconciliation of Operating Income to Non-GAAP Operating Income: | | | | | |
| Operating income | $33,222 | $35,956 | $20,326 | $47,292 | $62,284 |
| Share-based compensation | 7,049 | 17,535 | 25,237 | 35,964 | 55,517 |
| Public offering related expenses | 1,568 | | | | |
| Acquisition related expenses | 677 | | 686 | 268 | |
| Amortization of intangible assets – Cost of revenues | 359 | 1,420 | 4,213 | 5,563 | 5,029 |
| Amortization of intangible assets – Research and development | 749 | 1,913 | | | |
| Amortization of intangible assets – Sales and marketing | 17 | 1,190 | 1,046 | 793 | 576 |
| Facility exit and transition costs | | | 342 | 580 | |
| Non-GAAP operating income | $43,641 | $58,014 | $51,850 | $90,460 | $123,406 |

Reconciliation of Net Income to Non-GAAP Net Income (in thousands):

| Year ended December 31, | 2015 | 2016 | 2017 | 2018 | 2019 |
| --- | --- | --- | --- | --- | --- |
| Net income | $25,794 | $28,124 | $16,015 | $47,072 | $63,064 |
| Share-based compensation | 7,049 | 17,535 | 25,237 | 35,964 | 55,517 |
| Public offering related expenses | 1,568 | - | - | - | - |
| Acquisition related expenses | 677 | - | 686 | 268 | - |
| Amortization of intangible assets – Cost of revenues | 359 | 1,420 | 4,213 | 5,563 | 5,029 |
| Amortization of intangible assets – Research and development | 749 | 1,913 | - | - | - |
| Amortization of intangible assets – Sales and marketing | 17 | 1,190 | 1,046 | 793 | 576 |
| Facility exit and transition costs | - | - | 342 | 580 | - |
| Amortization of debt discount and issuance costs | - | - | - | - | 1,966 |
| Taxes on income related to non-GAAP adjustments | (951) | (4,937) | (12,226) | (15,485) | (18,251) |
| Change in the U.S. federal tax rate | - | - | 6,582 | - | - |
| Intra-entity intellectual property transfer tax effect, net | - | - | - | 1,768 | - |
| Non-GAAP net income | $35,262 | $45,245 | $41,895 | $76,523 | $107,901 |

For a description of how we use non-GAAP gross profit, non-GAAP operating income and non-GAAP net income to evaluate our business, see “Item 5. Operating and Financial Review and Prospects—Key Financial Metrics.” We believe that these non-GAAP financial measures are useful in evaluating our business because of varying available valuation methodologies, subjective assumptions and the variety of equity instruments that can impact a company’s non-cash expenses and because they exclude one-time cash expenditures that do not reflect the performance of our core business. We believe that providing non-GAAP gross profit and non-GAAP operating income that exclude, as appropriate, share-based compensation expenses, expenses relating to public offerings of our ordinary shares, expenses related to facility exit and transition costs, expenses related to acquisitions and amortization of intangible assets related to acquisitions, allows for more meaningful comparisons between our operating results from period to period. Share-based compensation expense has been, and will continue to be for the foreseeable future, a significant recurring expense in our business and an important part of the compensation we provide to employees. We also believe that non-GAAP net income which additionally excludes intra-entity intellectual property transfer tax effects, tax effects related to the impact to our deferred tax assets as a result of the Tax Act, the tax effects related to these non-GAAP adjustments and financial expenses with respect to amortization of debt discount and issuance costs allows for more meaningful comparison between our net income from period to period. 
We also believe that expenses related to the public offerings of our ordinary shares in March 2015 and June 2015, expenses related to our acquisitions, expenses related to facility exit and transition costs, amortization of intangible assets related to acquisitions, tax effects related to the impact to our deferred tax assets as a result of the Tax Act, intra-entity intellectual property transfer tax effects, tax effects related to the non-GAAP adjustments set forth above and amortization of debt discount and issuance costs do not reflect the performance of our core business and would impact period-to-period comparability.

Other companies, including companies in our industry, may calculate non-GAAP operating income and non-GAAP net income differently or not at all, which reduces their usefulness as a comparative measure. You should consider non-GAAP operating income and non-GAAP net income along with other financial performance measures, including operating income and net income, and our financial results presented in accordance with U.S. GAAP.

B. Capitalization and Indebtedness

Not applicable.

C. Reasons for the Offer and Use of Proceeds

Not applicable.

D. Risk Factors

Risks Related to Our Business and Our Industry

The IT security market is rapidly evolving within the increasingly challenging cyber threat landscape and the continuing use of hybrid on-premise and cloud-based environments. As a result of unanticipated market, industry or company developments our sales may not continue to grow at current rates or may decline, and our share price could decrease.

We operate in a rapidly evolving industry focused on securing organizations’ IT systems and sensitive data. Our solutions focus on safeguarding privileged accounts, credentials, and secrets. Privileged accounts are those accounts within an organization that give users, applications, and machine identities the highest levels of access, or “privileged” access, to IT systems and infrastructure, industrial control systems, applications and data both on-premises and in cloud environments. While breaches of such privileged accounts have continued to gain media attention in recent years, IT security spending within enterprises is often concentrated on endpoint and network security products designed to stop threats from penetrating corporate networks. Organizations may allocate all or most of their IT security budgets to these products and may not adopt our solutions in addition to such products. Organizations are moving portions of their IT systems to be managed by third parties, primarily infrastructure, platform and application service providers, and may rely on such providers’ internal security measures.

Further, security solutions such as ours, which are focused on disrupting cyber attacks by insiders and external perpetrators that have penetrated an organization’s on-premise or cloud environment, represent a security layer designed to respond to advanced threats and more rigorous compliance standards and audit requirements. However, advanced cyber attackers are skilled at adapting to new technologies and developing new methods of gaining access to organizations’ sensitive data. As our customers’ technologies and business plans evolve and become more complex, we expect them to face new and increasingly sophisticated methods of attack. We face significant challenges in ensuring that our solutions effectively identify and respond to such attacks without disrupting the performance of our customers’ IT systems. As a result, we must continually modify and improve our products, services, and licensing models in response to market and technology trends to ensure we are meeting market needs and continue providing valuable solutions that can be deployed in a variety of environments, including cloud and hybrid.

We cannot guarantee that we will be able to anticipate future market needs and opportunities or be able to develop or acquire product enhancements or new products to meet such needs or opportunities in a timely manner or at all. Even if we are able to anticipate, develop and commercially introduce new products such as CyberArk Privilege Cloud and CyberArk Alero, and ongoing enhancements to our existing products, there can be no assurance that such enhancements or new products will achieve widespread market acceptance. Delays in developing, completing or delivering new or enhanced products could cause our offerings to be less competitive, impair customer acceptance of our solutions and result in delayed or reduced revenue for our solutions.

In addition, any changes in compliance standards or audit requirements that reduce the priority for the types of controls, security, monitoring and analysis that our solutions provide would adversely impact demand for our solutions. It is therefore difficult to predict how large the market will be for our solutions. If our solutions are not viewed by organizations as necessary, or if customers do not recognize the benefit of our solutions as a critical layer of an effective security strategy, then our revenues may not continue to grow at their current rate or may decline, which could cause our share price to decrease in value.

Our quarterly results of operations may fluctuate for a variety of reasons, including our failure to close significant sales before the end of a particular quarter or unexpected changes in the sales volumes we expect across certain quarters, geographies or license models. We may, as a result, fail to meet publicly announced financial guidance or other expectations about our business, which could cause our ordinary shares to decline in value.

A meaningful portion of our quarterly revenues is generated through transactions of significant size, and purchases of our products and services often occur at the end of each quarter. We also experience quarterly and annual seasonality in our sales, demonstrated by increased sales in the third month of each quarter relative to the first two months and by the fourth quarter of the year being the largest quarter for sales. In addition, our sales cycle can be intensively competitive and last several quarters from proof of concept to the actual sale and delivery of our solutions to our customers. This sales cycle can be even longer, less predictable and more resource-intensive for larger sales, or with customers implementing complex digital transformation strategies or facing a complex set of compliance and user requirements that need to be met and confirmed during the sales cycle. Customers may also require additional prolonged contract negotiations, internal committee or executive approvals or seek to test our products for a longer trial period before they purchase our solutions. A failure to close a large transaction in a particular quarter may adversely impact our revenues in that quarter. Additionally, closing of an exceptionally large transaction in a certain quarter may increase our revenues in that quarter which may make it more difficult for us to meet growth rate expectations of our investors in subsequent quarters. Furthermore, even if we close a sale during a given quarter, we may be unable to recognize the revenues derived from such sale during the same period due to our revenue recognition policy. See “Item 5.A. Operating and Financial Review and Prospects—Operating Results—Application of Critical Accounting Policies and Estimates—Revenue Recognition.” As a result, the timing of closing sales cycles and the resulting revenue from such sales can be difficult to predict. 
In some cases, sales have occurred in quarters which were either earlier than, or subsequent to the quarters we anticipated them to close in and in some cases sale opportunities expected to close did not close at all.

We also offer new and existing customers multiple software pricing and delivery models including perpetual and term-based licenses, and software as a service (SaaS) subscriptions. We recognize revenue differently based on the type of license sold. Specifically, we recognize revenue from perpetual licenses and term-based licenses upon delivery, while our revenue from SaaS sales is recognized ratably over the period of the SaaS contract. This may cause trends in revenue recognition to lag those in sales, potentially causing us to fall short of investor expectations for revenue even while meeting periodic sales targets. Conversely, the impact of a decline in periodic sales may not be fully reflected in terms of revenue until future periods. We anticipate in the medium term that the majority of our software will continue to be sold as perpetual licenses; however, our strategy is to infuse more recurring revenue license models mainly from SaaS subscriptions, which could reduce our overall revenue growth rates, operating margins and cash flow in the short term due to the ratable revenue recognition. Also, as we introduce more SaaS solutions, existing customers may wish to transition to our SaaS solutions, making it more difficult to predict revenues. If new or current customers prefer our SaaS solutions at a greater rate than we anticipate, our software revenues may lag our expectations in the short term.

All of these factors impact our quarterly results and our ability to accurately predict them and may result in missing market expectations regarding our actual results. If our financial results for a particular period do not meet our guidance or if we reduce our guidance for future periods, the market price of our ordinary shares may decline.

In addition to fluctuations related to sales cycles and multiple licensing models set forth above, our results of operations may continue to vary as a result of a number of factors, many of which may be outside of our control or difficult to predict, including:

our ability to attract new customers;

our ability to retain existing customers by and through renewals of maintenance and subscription license agreements;

the rate at which our customers fully deploy their purchased licenses, and our ability to sell additional licenses or new products to current customers;

the ability of our service operation, performed independently or through our service providers, to keep pace with license sales to new and existing customers and to satisfy customer demands for consultancy and professional services;

the amount and timing of our operating costs;

our ability to successfully expand our business globally;

the timing and success of new product and service introductions by us or our competitors or any other change in the competitive landscape of the information security market, including consolidation among our customers or competitors;

increases or decreases in our expenses caused by fluctuations in foreign currency exchange rates or changes in taxes or other applicable regulations (See “—We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations”);

introduction of new accounting pronouncements or changes in our accounting policies or practices;

changes in our pricing policies or those of our competitors;

changes in the growth rate of the information security market; and

the size and discretionary nature of our prospective and existing customers’ IT budgets.

Any of these factors, individually or in the aggregate, may result in significant fluctuations in our financial and other operating results from period to period. These fluctuations could result in our failure to meet our operating plan or the expectations of investors or analysts for any given period. If we fail to meet such expectations for these or other reasons, the market price of our ordinary shares could decrease substantially.

Our reputation and business could be harmed based on real or perceived shortcomings, defects or vulnerabilities in our solutions or the provision of our services, or due to the failure of our customers, channel partners, managed security service providers, or subcontractors to correctly implement, manage and maintain our solutions, resulting in loss of existing or new customers, lawsuits or financial losses.

Security products and solutions are complex in design and deployment and may contain errors that are not capable of being remediated or detected until after their deployment. Any errors, defects, or misconfigurations could cause our products or services to not meet specifications, be vulnerable to security attacks or fail to secure networks and could negatively impact customer operations and harm our business and reputation. In particular, we may suffer significant adverse publicity and reputational harm, including a downgrade in our industry leadership position by industry analysts, if our solutions (or the services we provide in relation to our solutions) are associated, or are believed to be associated with, or fail to reasonably protect against, a significant breach or a breach at a high profile customer, managed service provider network, or third party system utilized by us as part of our cloud-based security solution.

In addition, our Endpoint Privilege Manager, CyberArk Privilege Cloud, and CyberArk Alero solutions are made available to our customers as SaaS. Providing SaaS involves storage and transmission of customers’ proprietary information related to their assets and users. Security breaches or product defects in our SaaS solutions could result in loss or alteration of this data, unauthorized access to multiple customers’ data and compromise of our networks or our customer’s networks secured by our SaaS solutions, which could result in significant liability for us.

Further, the third party data hosting facilities used for the provision of our SaaS solutions may experience damages, interruptions or other unanticipated problems that could result in disruptions in the provision of these solutions. Any disruptions or other performance problems with our SaaS solutions could harm our reputation and business, damage our customers’ businesses, subject us to potential liability, cause customers to terminate or not renew their subscriptions to our SaaS solutions and make it more challenging for us to retain existing customers and acquire new customers.

False detection of threats (referred to as “false positives”), while typical in our industry, may reduce perception of the reliability of our products and may therefore adversely impact market acceptance of our products. If our solutions restrict legitimate privileged access by authorized personnel to IT systems and applications by falsely identifying those users as attackers or otherwise unauthorized, our customers’ businesses could be harmed.

Our solutions not only reinforce but also rely on the common security concept of placing multiple layers of security controls throughout an IT system. The failure of our customers, channel partners, managed service providers or subcontractors to correctly implement and effectively manage and maintain our solutions (and the environments in which they are utilized), or to consistently implement and utilize generally accepted and comprehensive, multi-layered security measures and processes in customer networks, may lessen the efficacy of our solutions. Additionally, our customers or our channel partners may independently develop plug-ins or change existing plug-ins or APIs that we provided to them for interfacing purposes in an incorrect or insecure manner. Such failures or actions may lead to security breaches and data loss, which could result in a perception that our solutions failed. Further, our failure to provide our customers and channel partners with adequate services or inaccurate product documentation related to the use, implementation and maintenance of our solutions, could lead to claims against us.

An actual or perceived cyber attack, other security breach or theft of our customers’ data, regardless of whether the breach or theft is attributable to the failure of our products, SaaS solutions or the services we provided in relation thereto, could adversely affect the market’s perception of the efficacy of our solutions and our industry standing, cause current or potential customers to look to our competitors for alternatives to our solutions and subject us to lawsuits, indemnity claims and financial losses, as well as the expenditure of significant financial resources to analyze, correct or eliminate any vulnerabilities. In addition, provisions in our license agreements that attempt to limit our liabilities towards our customers, channel partners and relevant third parties may not withstand legal challenges, and certain liabilities may not be limited or capped. Additionally, any insurance coverage we may have may not adequately cover all claims asserted against us or may cover only a portion of such claims. An actual or perceived cyber attack could also cause us to suffer reputational harm, lose existing customers and potential new customers, or deter new and existing customers from purchasing or implementing our products.

If we are unable to acquire new customers or sell additional products and services to our existing customers, our future revenues and operating results will be harmed.

Our success and continued growth depend, in part, on our ability to continue to acquire a sufficient number of new customers. The number of customers that we add in a given period impacts both our short and long-term revenues. Similarly, a majority of our license revenues is generated from sales to existing customers. If we are unable to attract a sufficient number of new customers or fail to continue to sell new licenses and incremental licenses to our existing customers, we will likely be unable to generate revenue growth at desired rates. In addition, competition in the marketplace may lead us to acquire fewer new customers or result in us providing discounts and other commercial incentives to new or existing customers.

Although we continue to introduce and acquire new products, we derive and expect to continue to derive a substantial majority of our revenue from customers using our Core Privileged Access Security offering. Our inability to increase sales of our Core Privileged Access Security offering, including additional software licenses, associated maintenance and support and professional services, or a decline in prices of our Core Privileged Access Security offering would harm our business and operating results more seriously than if we derived significant revenues from a variety of different products.

In addition, we have several other products, including Application Access Manager, Endpoint Privilege Manager, CyberArk Privilege Cloud and CyberArk Alero that make up a smaller portion of our revenue. It is uncertain whether these products will increase their share of revenue generation or gain market acceptance or will compensate for loss of revenues due to any inability to increase sales of our Core Privileged Access Security offering.

We devote significant efforts to developing, marketing and selling additional licenses and associated maintenance and support to existing customers and rely on these efforts for a portion of our revenues, and to a lesser extent, renewing term-based license and SaaS agreements. These efforts require a significant investment in building and supporting customer relationships.

With our incremental focus on SaaS products, our sales, research and development, and support teams may have difficulties selling, supporting and maintaining multiple license models, including perpetual and SaaS, which may lead to lower software sales, longer sales cycles, customer dissatisfaction, lower renewal rates and a reduction in our ability to sell add-on business to customers or gain new customers. Further, as part of the natural lifecycle of our products, we may determine that certain products will be reaching their end of development or end of life and will no longer be supported or receive updates and security patches. Failure to effectively manage our product lifecycles could lead to existing customer dissatisfaction and contractual liabilities.

As we expand our market reach to gain new business, including expanding sales of our products to medium-sized commercial organizations and securing DevOps environments, we may experience difficulties in gaining traction and raising awareness among potential customers regarding the critical role that our solutions play in securing their organizations, or may face more competitive pressure in such markets. As a result, it may be difficult for us to add new customers to our customer base and to retain our existing customers.

Additional factors that impact our ability to acquire new customers or sell additional products and services to our existing customers include the consumption of their past purchases, perceived need for IT security, the size of our prospective and existing customers’ IT budgets, the utility and efficacy of our existing and new offerings, whether proven or perceived, changes in our pricing or licensing model that may impact the size of new business transactions, a downgrade of our recognized industry leadership position by industry analysts and general economic conditions. These factors may have a material negative impact on future revenues and operating results.

We face intense competition from a wide variety of IT security vendors operating in different market segments and across diverse IT environments, which may challenge our ability to maintain or improve our competitive position or to meet our planned growth rates.

The IT security market in which we operate is characterized by intense competition, constant innovation, rapid adoption of different technological solutions and services, and evolving security threats. We compete with a multitude of companies that offer a broad array of IT security products that employ different approaches and delivery models to address these evolving threats.

Our current competitors include BeyondTrust Corporation, Broadcom Inc. (which acquired CA Technologies), One Identity LLC, and Thycotic Software Ltd., in the access and identity management market, some of which may offer solutions at lower price points. Further, we may face competition due to changes in the manner that organizations utilize IT assets and the security solutions applied to them, such as the provision of privileged account security functionalities as part of public cloud providers’ infrastructure offerings, or cloud-based identity management solutions. Limited IT budgets may also result in competition with providers of other advanced threat protection solutions such as McAfee, LLC, Palo Alto Networks, Splunk Inc., and NortonLifeLock, Inc. (formerly known as Symantec Corporation acquired by Broadcom Inc.). We also may compete, to a certain extent, with vendors that offer products or services in adjacent or complementary markets to privileged access management, including identity management vendors and cloud platform providers such as Amazon Web Services, Google Cloud Platform, and Microsoft Azure. As the privileged access management market has matured significantly over the recent years, the entry barrier is now lower and it is easier for competitors to compete in the market. Some of our competitors are large companies and have wider technical and financial resources and broader customer bases used to bring competitive solutions to the market. These companies may already have existing relationships as an established vendor for other product offerings, and certain customers may prefer one single IT vendor for product security procurement rather than purchasing solely based on product performance. 
Such companies may use these advantages to offer products and services that are perceived to be as effective as ours at a lower price or for free as part of a larger product package or solely in consideration for maintenance and services fees, which could result in increased market pressure to offer our solutions and services at lower prices. They may also develop different products to compete with our current solutions and respond more quickly and effectively than we do to new or changing opportunities, technologies, standards or client requirements or enjoy stronger sales and service capabilities in certain regions. Additionally, niche vendors are developing and marketing lower cost solutions with limited privileged access management functionality that may impact our ability to maintain premium market pricing.

Our competitors may enjoy potential competitive advantages over us, such as:

greater name recognition, a longer operating history and a larger customer base, notwithstanding the increased visibility of our brand in recent years since our initial public offering;

larger sales and marketing budgets and resources;

broader distribution and established relationships with channel partners, advisory firms and customers;

increased effectiveness in protecting, detecting and responding to cyber attacks;

greater or localized resources for customer support and provision of services;

greater speed at which a solution can be deployed and implemented;

greater resources to make acquisitions;

larger intellectual property portfolios; and

greater financial, technical and other resources.

Our current and potential competitors may also establish cooperative relationships among themselves or with third parties that may further enhance their resources and capabilities. Current or potential competitors have been acquired and consolidated or may be acquired by third parties with greater resources in the future. As a result of such acquisitions, our current or potential competitors may be able to adapt more quickly to new technologies and customer needs, devote greater resources to the promotion or sale of their products and services, initiate or withstand substantial price competition, take advantage of other opportunities more readily or develop and expand their product and service offerings more quickly than we do. Larger competitors with more diverse product offerings may reduce the price of products that compete with ours in order to promote the sale of other products or may bundle them with other products, which would lead to increased pricing pressure on our products and could cause the average sales prices for our products to decline. Similarly, we may also face increased competition following an acquisition of new lines of business that compete with providers of such technologies or from security vendors or other companies in adjacent markets extending their solutions into privilege access management. We may be at a competitive disadvantage to our privately-held competitors, as they may not face the same accounting, auditing and legal standards we do as a public company. Such privately-held competitors may face less public scrutiny than we do and may be less risk-averse than we are, and therefore may have greater operational flexibility.

Furthermore, an increasing number of independent industry analysts and researchers regularly evaluate, compare and publish reviews regarding the functionality of IT security products, including ours. These reviews may significantly influence the market perception of our products, and our reputation and brand could be harmed if they publish negative reviews of our products or increasingly positive reviews of our competitors’ products, or do not view us as a market leader.

In addition, other IT security technologies exist or could be developed in the future by current or future competitors, and our business could be materially and adversely affected if such technologies are widely adopted. We may not be able to successfully anticipate or adapt to changing technology or customer requirements on a timely basis, or at all. If we fail to keep up with technological changes or to convince our customers and potential customers of the value of our solutions even in light of new technologies, our business, results of operations and financial condition could be materially and adversely affected.

Our share price may be adversely affected if our investments in our business do not deliver anticipated growth and we are unable to increase our operating and net income margins or cash flow from operating activities.

As we invest in the growth of our business, we expect our operating and net income margins to decline compared to prior periods. During the year ended December 31, 2019, we did not experience a decline due to an increase in revenue at a rate that exceeded the increase in expenses; however, in future periods, we expect our operating and net income margins to decline, primarily because of investment in expanding our direct and indirect sales forces, marketing activities, professional services, support and research and development, and as a result our expenses are expected to grow faster than our revenue. Further, due to the increased number of customers and sales of our SaaS products, we anticipate an increase in costs of goods related to the hosting costs for our SaaS products which would cause our gross margins to decline. We expect that these invested costs will adversely impact our operating and net income margins as we may not be able to increase our revenue at a rate sufficient to offset the expected increase in our costs. From the year ended December 31, 2017 to the year ended December 31, 2019, our revenue grew from $261.7 million to $433.9 million, representing a compound annual growth rate of approximately 29%.

We expect the increased expenses will be generated mostly from expanding our sales and marketing personnel, where we will face a number of challenges in achieving our hiring goals. It takes time and resources to train and integrate new sales force members across our global operations. Costs associated with adding new personnel to our sales force are expensed before their positive impact on our sales is recognized, and even then, a significant portion of any revenues that they generate from maintenance and services are deferred over the delivery period of those services. In addition, our investments in the business, the mix of our revenues, contract payment terms, contract duration, and the seasonality of expenses, including cash taxes, may negatively impact our cash flow from operating activities. Our share price may be adversely affected even if we generate future growth in revenues, if we are unable to also increase each of the nominal amounts or margins for our operating, net income margin and/or cash flow from operations at the same time, or if the growth rate generated is less than anticipated causing the operating, net income or cash flow from operating margins or nominal amounts to decline.

We may fail to fully execute, integrate, or realize the benefits expected from acquisitions, which may require significant management attention, disrupt our business, dilute shareholder value and adversely affect our results of operations.

As part of our business strategy and in order to remain competitive, we continue to evaluate acquiring or making investments in complementary companies, products or technologies. We may not be able to find suitable acquisition candidates or complete such acquisitions on favorable terms. We may incur significant expenses, divert employee and management time and attention from other business-related tasks and our organic strategy and incur other unanticipated complications while engaging with potential target companies where no transaction is eventually completed. If we do complete acquisitions, we may not ultimately strengthen our competitive position or achieve our goals or expected growth, and any acquisitions we complete could be viewed negatively by our customers, analysts and investors. In addition, if we are unsuccessful at integrating our acquisitions or the technologies associated with such acquisitions or fail to fully attain the expected benefits of these acquisitions, our revenues and results of operations could be adversely affected. Any integration process may require significant time and resources, and we may not be able to manage the process successfully and may experience a decline in our profitability as we incur expenses prior to fully realizing the benefits of the acquisition. We could expend significant cash and incur acquisition related costs and other unanticipated liabilities associated with the acquisition. We may not successfully evaluate or utilize the acquired technology or personnel, or accurately forecast the financial impact of an acquisition transaction, including accounting charges and tax liabilities. Further, the issuance of equity or securities convertible to equity to finance any such acquisitions could result in dilution to our shareholders and the issuance of debt could subject us to covenants or other restrictions that would impede our ability to manage our operations. 
We could become subject to legal claims following an acquisition or fail to accurately forecast the potential impact of any claims. Any of these issues could have a material adverse impact on our business and results of operations.

If our internal IT network system, or those of third parties associated with us, is compromised by cyber attackers or other data thieves, or by a critical system failure, our reputation, financial condition and operating results could be materially adversely affected.

Our solution and product offerings will not gain market share unless the marketplace is confident that we provide effective IT security protection. As we provide privileged account security products, we may be an attractive target for cyber attackers or other data thieves since a breach of our system could provide information regarding not only us, but potentially regarding the customers that our solutions protect. Further, we may be targeted by cyber terrorists because we are an Israeli company.

From time to time we encounter intrusion incidents and attempts, none of which to date has resulted in any material adverse impact to our business or operations. Any such future attacks could materially adversely affect our business or results of operations. In addition, as our market position continues to grow, specifically in the security industry, an increasing number of cyber attackers may focus on finding ways to penetrate our network systems, which might eventually affect our products and services. For example, third parties may attempt to fraudulently induce employees or customers into disclosing sensitive information such as user names, passwords or other information or otherwise compromise the security of our internal networks, electronic systems and/or physical facilities in order to gain access to our data or our customers’ data.

Separately, we may be subject to information technology system failures or network disruptions caused by natural disasters, accidents, power disruptions, telecommunications failures, acts of terrorism, security breaches, wars, computer viruses, or other events or disruptions. System redundancy and other continuity measures may be ineffective or inadequate, and our business continuity and disaster recovery planning may not be sufficient for all eventualities. These events could adversely affect our operation, reputation, financial condition and operating results.

Additionally, cyber attacks against our company may also be caused by breaches by our contractors, business partners, vendors and other third parties associated with us, or due to human error by those acting on our behalf. We rely on third parties to operate critical functions of our business, including hosting our SaaS products and supporting our customer relationship management and financial operation services (provided by our Enterprise Resource Planning system). If these services are breached or become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms, our expenses could increase, our ability to manage our operations could be interrupted and our processes for managing sales of our products and services and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and integrated; all of which could materially harm our business.

If we experience a significant technology incident, such as a serious product vulnerability, security breach or a failure of a system that is critical for the operation of our business, it could impair our ability to operate our business, including our ability to provide maintenance and support services to our customers. If this happens, our revenues could decline and our business could suffer, and we may need to make significant further investments to protect data and infrastructure. Because we are in the computer security industry, an actual or perceived vulnerability, failure, disruption, or breach of our network or privileged account security in our systems also could adversely affect the market perception of our products and services, or of our expertise in this field, as well as perception of us among new and existing customers. Additionally, a significant security breach could subject us to potential liability, litigation and regulatory or other government action (See “—Regulatory data privacy concerns, evolving regulations of cloud computing, cross-border data transfer restrictions and other domestic or foreign regulations may limit the use and adoption of, or require modification of, our products and services, which could limit our ability to attract new customers or support our current customers, thus reducing our revenues, harming our operating results and adversely affecting our business”). We are unable to ensure that any limitations of liability provisions in our contracts with respect to our information security operations would be enforceable or adequate or would otherwise protect us from any liabilities or damages with respect to any particular claim, or that we would be able to adequately recover damages from third parties associated with us which were involved in a security incident. 
Additionally, any insurance coverage we may have may not adequately cover any of these claims asserted against us or any related damage, or may cover only a portion of such damages. If any of the foregoing were to occur, our business may suffer and our share price may be negatively impacted.

If we do not effectively expand, train and retain our sales and marketing personnel, we may be unable to acquire new customers or sell additional products and services to existing customers, and our business will suffer.

We depend significantly on our sales force to attract new customers and expand sales to existing customers. We generate approximately 35% of our revenues from direct sales and the remaining balance from indirect sales. As a result, our ability to grow our revenues depends in part on our success in recruiting, training and retaining sufficient numbers of sales personnel to support our growth. The number of our sales and marketing personnel increased from 541 as of December 31, 2018 to 656 as of December 31, 2019. We expect to continue to expand our sales and marketing personnel significantly and face a number of challenges in achieving our hiring and integration goals. There is intense competition for individuals with sales training and experience. In addition, the training and integration of a large number of sales and marketing personnel in a short time requires the allocation of significant internal resources. We invest significant time and resources in training new sales force personnel to understand our solutions and growth strategy. Based on our past experience, it takes an average of approximately six to nine months before a new sales force member operates at target performance levels. However, we may not be able to recruit at our anticipated rate or be unable to achieve or maintain our target performance levels with large numbers of new sales personnel as quickly as we have done in the past. Our failure to timely hire the sufficient number of qualified sales force members and train them to operate at target performance levels may materially and adversely impact our projected growth rate.

We are subject to a number of risks, including regulatory and public health risks, associated with global sales and operations, which could materially affect our business.

We are a global company subject to varied and complex laws, regulations and customs. The application of these laws and regulations to our business is often unclear and may at times conflict. Compliance with these laws and regulations may involve significant costs or require changes in our business practices that result in reduced revenue and profitability. Furthermore, business practices in the global markets that we serve may differ from those in the United States and may require us to include non-standard terms in customer contracts, such as extended payment or warranty terms. To the extent that we enter into customer contracts that include non-standard terms related to payment, warranties, or performance obligations, our results of operations may be adversely impacted. Further, there may be higher costs of doing business globally including costs incurred in maintaining office space, securing adequate staffing and localizing our contracts.

Additionally, our global sales and operations are subject to a number of risks, including the following:

failure to fully comply with various global data privacy laws (See “—Regulatory data privacy concerns, evolving regulations of cloud computing, cross-border data transfer restrictions and other domestic or foreign regulations may limit the use and adoption of, or require modification of, our products and services, which could limit our ability to attract new customers or support our current customers, thus reducing our revenues, harming our operating results and adversely affecting our business”);

uncertainty of the economic, financial, regulatory, trade, tax and legal implications of the withdrawal of the U.K. from the European Union, or Brexit, and how this could affect our business, both globally and specifically in Europe. Our U.K. subsidiary is the main entity for sales into Europe. In 2019, the revenues generated by our U.K. subsidiary from the European Union countries (excluding the U.K.) accounted for 18% of our total global revenue. Our London office is also our European headquarters and third largest office globally. In particular, the withdrawal from the European Union by the U.K. could, among other potential outcomes, disrupt the free movement of goods, services and people between the U.K. and the European Union, create recruiting and retention risks for us, and significantly disrupt trade between the U.K. and the European Union and other countries, including by imposing greater taxes, restrictions and regulatory complexities on imports and exports between the U.K. and the European Union. These developments may also require us to modify our corporate structure for sales into the European Union which may result in increased operational and legal costs;

fluctuations in exchange rates between the U.S. dollar and foreign currencies in markets where we do business (See “—We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations”);

social, economic and political instability, terrorist attacks and security concerns in general, and any wide-spread viruses or epidemics, such as the recent novel coronavirus outbreak;

greater difficulty in enforcing contracts and managing collections, as well as longer collection periods;

compliance with anti-bribery laws, including, without limitation, compliance with the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act 2010;

heightened risk of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements by us or by our channel partners or service providers that may impact financial results and result in restatements of, or irregularities in, financial statements;

risks associated with trade restrictions and foreign legal requirements, including any importation, certification, and localization of our platform that may be required in foreign countries;

greater risk of unexpected changes in regulatory practices, tariffs, and tax laws and treaties (See “—Our business may be materially affected by changes to fiscal and tax policies. Potentially negative or unexpected tax consequences of these policies, or the uncertainty surrounding their potential effects, could adversely affect our results of operations and share price”);

compliance with, and the uncertainty of, laws and regulations that apply to our areas of business, including corporate governance, anti-trust and competition, trade, import and export control, employee and third-party complaints, limitation of liability, conflicts of interest, securities regulations and other regulatory requirements affecting trade and investment;

reduced or uncertain protection of intellectual property rights in some countries; and

management communication and integration problems resulting from cultural and geographic dispersion.

These and other factors could harm our ability to generate future global revenues and, consequently, materially impact our business, results of operations and financial condition. Non-compliance could also result in fines, damages, or criminal sanctions against us, our officers or our employees, prohibitions on the conduct of our business, and damage to our reputation.

We rely on channel partners to generate a significant portion of our revenue, market our solutions and provide necessary services to our customers. If we fail to maintain successful relationships with our channel partners, or if our channel partners fail to perform, our ability to market, sell and distribute our solutions will be limited, and our business, financial position and results of operations will be harmed.

In addition to our direct sales force, we rely on our channel partners to market, sell, support and implement our solutions, particularly in Europe and the Asia Pacific and Japan regions. We expect that sales through our channel partners will continue to account for a significant percentage of our revenue. In the year ended December 31, 2019, we generated approximately 65% of our revenues from sales to channel partners such as distributors, systems integrators, value-added resellers and managed security service providers, and we expect that channel partners will represent a substantial portion of our revenues for the foreseeable future. Further, we cooperate with advisory firms in marketing our solutions and providing implementation services to our customers, in both direct and indirect sales. Our agreements with channel partners are non-exclusive, meaning our partners may offer customers IT security products from other companies, including products that compete with our solutions. If our channel partners do not effectively market and sell our solutions or choose to use greater efforts to market and sell their own products and services or the products and services of our competitors, our ability to grow our business will be adversely affected. Our channel partners may cease or de-emphasize the marketing of our solutions with limited or no notice and with little or no penalty. Further, new channel partners require training and may take several months or more to achieve productivity. The loss of key channel partners, the inability to replace them or the failure to recruit additional channel partners could materially and adversely affect our results of operations. 
Our reliance on channel partners could also subject us to lawsuits or reputational harm if, for example, a channel partner misrepresents the functionality of our solutions to customers, fails to appropriately implement our solutions or violates applicable laws, and may further result in termination of such partner’s agreement and potentially curb future revenues associated with this channel partner. Our ability to grow revenues in the future will depend in part on our success in maintaining successful relationships with our channel partners and training our channel partners to independently sell and install our solutions. If we are unable to maintain our relationships with channel partners or otherwise develop and expand our indirect sales channel, or if our channel partners fail to perform, our business, financial position and results of operations could be adversely affected.

Failure by us, our service providers or our channel partners to maintain sufficient levels of customer support could have a material adverse effect on our business, financial condition and results of operations.

Our customers depend, in large part, on customer support and professional services delivered by us, our service providers or our channel partners to implement and roll out our solutions, and resolve issues relating to their use. Our customers typically purchase one or three years of software maintenance and support contracts as part of their initial purchase of a perpetual software license. In addition, subscription contracts for SaaS and term-based license are typically one or three years in duration. In order for us to maintain and improve our results of operations, it is important that our existing customers renew their maintenance and support agreements and subscription licenses, if applicable, when the contract term expires. Our maintenance renewal rate for each of the years ended December 31, 2018 and 2019 was approximately 90%. With the introduction of our newer SaaS based solutions, CyberArk Privilege Cloud and Alero, and in sales from Endpoint Privilege Manager delivered as SaaS, customer satisfaction will continue to be important. If we, our service providers or channel partners fail to provide adequate services that are responsive, satisfy our customers’ expectations and resolve issues that they encounter with our solutions, including if we have difficulties supporting and maintaining multiple license models, then our customers may elect not to purchase or renew maintenance and support or subscription contracts and they may choose not to purchase additional products and services from us. Accordingly, our failure to provide satisfactory support or professional services or other customer dissatisfaction related to our products and services could lead our customers not to renew their agreements with us or renew on terms less favorable to us, and therefore have a material and adverse effect on our business and results of operations.

Even with our support and that of our service providers and channel partners, our customers are ultimately responsible for effectively using our solutions and ensuring that their IT staff and other relevant users are properly trained in the use of our products and complementary security products, methodologies and processes. Our failure or the failure of our service providers or channel partners to support and train our customers in the correct use of our solutions, or failure to effectively assist customers in installing our solutions and providing effective ongoing support, may result in an increase in the vulnerability of our customers’ IT systems and sensitive data. Additionally, if our service providers or channel partners do not effectively provide support and professional services to the satisfaction of our customers, we may be required to provide support to such customers, which would require us to invest in additional personnel and expend significant time and resources. We may not be able to keep up with demand for our services and support, particularly if the sales of our solutions exceed our internal forecasts. To the extent that we, our service providers or our channel partners are unsuccessful in hiring, training and retaining adequate support resources, our ability and the ability of our service providers and channel partners to provide adequate and timely support and other services to our customers will be negatively impacted, and our customers’ satisfaction with us and our products may be adversely affected. Accordingly, our failure to provide satisfactory maintenance and technical support services, whether directly or through our service providers and channel partners, could have a material and adverse effect on our business and results of operations.

Regulatory data privacy concerns, evolving regulations of cloud computing, cross-border data transfer restrictions and other domestic or foreign regulations may limit the use and adoption of, or require modification of, our products and services, which could limit our ability to attract new customers or support our current customers, thus reducing our revenues, harming our operating results and adversely affecting our business.

Regulation related to the provision of services on the internet is increasing, as federal, state and foreign governments continue to adopt new laws and regulations addressing cybersecurity, privacy, data protection and the collection, processing, storage and use of personal information.

We are subject to diverse laws and regulations relating to data privacy, including the California Consumer Privacy Act, or CCPA and, as a result of our presence in the European Union (EU), General Data Protection Regulations 2016/679, or GDPR which took effect on May 25, 2018. We and many of our customers are subject to GDPR, and related privacy legislation including the UK Data Protection Act 2018, and we are required to expend significant capital and other resources to ensure we are compliant with privacy legislation. Compliance with global data privacy laws including GDPR and certain associated contractual obligations may require changes in services, business practices, or internal systems resulting in increased costs, lower revenue, reduced efficiency, or greater difficulty in competing with firms which are not subject to GDPR or other data regulations. For example, GDPR imposes several stringent requirements for controllers and processors of personal data and increases our obligations including, for example, by requiring more robust disclosures to individuals, strengthening the individual data rights regime, shortening timelines for data breach notifications, requiring detailed internal policies and procedures and limiting retention periods. Ongoing compliance may require changes in services and business practices which may lead to the diversion of engineering resources from other projects. As a company that focuses on privilege access security, if we are unable to engineer products that meet our legal duties or help our customers meet their obligations under GDPR or other data regulations, we might experience reduced demand for our products or services. Claims that we have breached our contractual obligations, even if we are not found liable, could be expensive and time-consuming to defend and could result in adverse publicity that could harm our business.

GDPR also increases the scrutiny applied to transfers of personal data from within the EU to countries that are considered to lack an adequate level of data protection, such as the United States. There are currently a number of legal challenges to the validity of EU mechanisms for adequate data transfers (such as the Privacy Shield Framework and the standard contractual clauses). Our work could be impacted by changes in law as a result of a future review of these transfer mechanisms by European regulators and the European courts under GDPR. In addition, following Brexit, the U.K. will cease to be in the EU, and data flows from the EU to the U.K. may need additional safeguards, which could affect our operations in the U.K. and in the EU countries. These and other regulatory requirements around the privacy or cross-border transfer of personal data could restrict our ability to store and process data as part of our solutions, or, in some cases, impact our ability to offer our solutions or services in certain jurisdictions. After Brexit, the U.K. regulator is also empowered to impose fines of up to four percent of global turnover for the preceding financial year or £17.5 million, whichever is higher, for certain breaches of the UK Data Protection Act 2018.

In the EU, Directive 2002/58 on Privacy and Electronic Communications or the ePrivacy Directive, is also under reform and will be replaced by a new E-privacy Regulation once agreed. This is likely to impose stricter rules on business to business marketing throughout the EU, requiring fully informed and freely given consent before businesses can market to leads. Existing privacy-related laws and regulations in the United States and other countries are evolving and are subject to potentially differing interpretations, and various U.S. federal and state or other international legislative and regulatory bodies may expand or enact laws regarding privacy and data security-related matters.

In the U.S., the State of California enacted the CCPA, which became effective January 1, 2020, which imposes heightened transparency obligations and requirements to make available data collected about certain California residents and to provide them the ability to object to the sale of their personal data in certain instances. While many of the CCPA’s requirements do not apply to some of the data we process, certain additional provisions may begin to apply from January 1, 2021, which may require additional steps to ensure compliance. Additionally, our customers may require us to undertake further steps to comply with the CCPA, or to assist with their compliance with it, further necessitating changes in services, business practices, or internal systems resulting in increased costs, lower revenue, reduced efficiency, or greater difficulty in competing with firms which are not subject to CCPA. If other states in the U.S. adopt similar laws or if a comprehensive federal data privacy law is enacted, we may expend considerable resources to meet these requirements.

If we or our service providers fail to comply with applicable data protection laws, we may be subject to litigation (including the new private right of action brought in by the CCPA), regulatory investigations, negative publicity, potential loss of business, enforcement notices and/or fines (which under GDPR can be up to four percent of global turnover for the preceding financial year or 20 million euros, whichever is higher, as well as fines under the UK Data Protection Act 2018 and new fines introduced by the CCPA).

We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.

Our functional and reporting currency is the U.S. dollar. In 2019, the majority of our revenues were denominated in U.S. dollars and the remainder primarily in euros and British pounds sterling. In 2019, the substantial majority of our cost of revenues and operating expenses were denominated in U.S. dollars and New Israeli Shekels (NIS) and the remainder primarily in euros and British pounds sterling. Our foreign currency-denominated expenses consist primarily of personnel, marketing programs, rent and other overhead costs. Since a significant portion of our expenses is incurred in NIS and is substantially greater than our revenues in NIS, any appreciation of the NIS relative to the U.S. dollar could materially adversely impact our operating income. In addition, since the portion of our revenues generated in euros and British pounds sterling is greater than our expenses incurred in euros and British pounds sterling, respectively, any depreciation of the euro or the British pounds sterling relative to the U.S. dollar would adversely impact our operating income. We estimate that a 10% strengthening or weakening in the value of the NIS against the U.S. dollar would have decreased or increased, respectively, our operating income by approximately $7.8 million in 2019. We estimate that a 10% strengthening or weakening in the value of the euro against the U.S. dollar would have increased or decreased, respectively, our operating income by approximately $2.7 million in 2019. We estimate that a 10% strengthening or weakening in the value of the British pounds sterling against the U.S. dollar would have increased or decreased, respectively, our operating income by approximately $0.3 million in 2019. 
These estimates of the impact of fluctuations in currency exchange rates on our historic results of operations may be different from the impact of fluctuations in exchange rates on our future results of operations since the mix of currencies comprising our revenues and expenses may change. We evaluate periodically the various currencies to which we are exposed and take hedging measures to reduce the potential adverse impact from the appreciation or the depreciation of our non U.S. dollar-denominated operations, as appropriate. We expect that the majority of our revenues will continue to be generated in U.S. dollars with the balance primarily in euros and British pounds sterling for the foreseeable future and that a significant portion of our expenses will continue to be denominated in NIS, U.S. dollars, British pounds sterling and in euros. We cannot provide any assurances that our hedging activities will be successful in protecting us from adverse impacts from currency exchange rate fluctuations. In addition, we have monetary assets and liabilities that are denominated in non-U.S. dollar currencies. For example, starting January 1, 2019, in accordance with a new lease accounting standard, we are required to present a significant NIS linked liability related to our operational leases in Israel. As a result, significant exchange rate fluctuations could have a negative effect on our net income. See “Item 11—Quantitative and Qualitative Disclosures About Market Risk—Foreign Currency Risk.”

If we are unable to hire, retain and motivate qualified personnel, our business will suffer.

Our future success depends, in part, on our ability to continue to attract and retain highly skilled personnel. Our inability to attract or retain qualified personnel or delays in hiring required personnel may seriously harm our business, financial condition and results of operations. Any of our employees may terminate their employment at any time. Competition for highly skilled personnel, specifically engineers for research and development positions, is often intense and results in increasing wages, especially in Israel, where we are headquartered and most of our research and development positions are located, and where several large multinational corporations have entered the market. We may struggle to retain employees, and due to our profile and market position, competitors actively seek to hire skilled personnel away from us. Furthermore, from time to time, we have been subject to allegations that employees we have hired from competitors may have been improperly solicited or divulged proprietary or other confidential information which could subject us to potential liability and litigation.

Our research and development efforts may not produce successful products or enhancements to our solutions that result in significant revenue or other benefits in the near future, if at all.

We expect to continue to dedicate significant financial and other resources to our research and development efforts in order to maintain our competitive position. For example, in 2019, we increased our dedicated research and development personnel by 22% compared to 2018. However, investing in research and development personnel, developing new products and enhancing existing products is expensive and time consuming. There is no assurance that such activities will successfully anticipate market needs and result in significant new marketable products or enhancements to our products, including SaaS solutions, design improvements, cost savings, revenues or other expected benefits. If we spend significant time and effort on research and development and are unable to generate an adequate return on our investment, we may not be able to compete effectively, and our business and results of operations may be materially and adversely affected.

Our investment in product enhancements or new products could fail to attain sufficient market acceptance for many reasons, including:

delays in releasing product enhancements or new products;

failure to accurately predict market demand and to supply products that meet this demand in a timely fashion;

inability to interoperate effectively with the existing or newly introduced technologies, systems or applications of our existing and prospective customers;

defects in our products, errors or failures of our solutions to secure and protect privileged accounts against existing and new types of attacks;

negative publicity about the performance or effectiveness of our products;

introduction or anticipated introduction of competing products by our competitors;

installation, configuration or usage errors by our customers; and

easing or changing of regulatory requirements related to security.

If we fail to anticipate market requirements or fail to develop and introduce product enhancements or new products to meet those needs in a timely manner, it could cause us to lose existing customers and prevent us from gaining new customers, which would significantly harm our business, financial condition and results of operations.

We currently offer customers multiple pricing and delivery models to buy our software, including perpetual licenses, term-based licenses and SaaS. Part of our strategy is to infuse our business with more SaaS solutions to create more recurring revenue. This may entail several risks which may adversely affect our operating results.

We sell our software predominantly as perpetual licenses and have begun to infuse our business with more SaaS solutions. We may face additional complications or risks with the delivery of SaaS solutions and associated subscription revenues, including the following:

our revenues, operating profitability, net income and cash flow from operating activities may fluctuate as a result of the revenue mix from the different licensing and delivery models;

if new or current customers prefer our SaaS solutions at a greater rate than we anticipate, our recognized software revenues may lag our expectations as a result of the ratable revenue recognition for SaaS revenue;

the introduction of new SaaS solutions may result in (i) confusion among new or existing customers, prospects and partners; (ii) longer sales cycles or lost opportunities; and (iii) less predictable revenue;

as we introduce more SaaS solutions, existing customers may wish to transition to our SaaS solutions, which may make it difficult to predict revenues and earnings;

we rely on third parties to host our SaaS solutions. These services may be breached or become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms. As a result, we may suffer reputational harm, our expenses could increase, our ability to manage our operations could be interrupted and our processes for managing sales of our products and services and supporting our customers could be impaired;

we may face operational challenges supporting multiple pricing and delivery models;

our research and development teams may find it difficult to deliver functionality across multiple code bases;

our services and support teams may find it difficult to support multiple delivery models, which may lead to customer dissatisfaction, lower renewal rates and a reduction in our ability to sell add-on business to customers; and

our sales force may struggle with selling multiple pricing, licensing and delivery models to customers, which may lead to increased turnover rates and lower headcount or impact sales cycles.

Prolonged economic uncertainties or downturns in certain regions or industries could materially adversely affect our business.

Our business depends on our current and prospective customers’ ability and willingness to invest money in IT security, which in turn is dependent upon their overall economic health. Negative economic conditions in the global economy or certain regions such as the U.S. or Europe, including conditions resulting from financial and credit market fluctuations, could cause a decrease in corporate spending on information security software. Other matters that influence consumer confidence and spending, including wide-spread viruses and epidemics like the recent novel coronavirus outbreak, could also negatively affect our customers’ spending on our products and services. In 2019, we generated 54% of our revenues from the United States, 30% of our revenues from Europe, the Middle East and Africa and 16% from the rest of the world, which includes countries from the Asia Pacific and Japan region, the Latin America region and Canada.

In addition, a significant portion of our revenue is generated from customers in the financial services industry, including banking and insurance. Negative economic conditions may cause customers generally, and in that industry in particular, to reduce their IT spending. Customers may delay or cancel IT projects, choose to focus on in-house development efforts or seek to lower their costs by renegotiating maintenance and support agreements. Additionally, customers or channel partners may be more likely to make late payments in worsening economic conditions which could lead to increased collection efforts and require us to incur additional associated costs to collect expected revenues. To the extent purchases of licenses for our software are perceived by customers and potential customers to be discretionary, our revenues may be disproportionately affected by delays or reductions in general IT spending. If the economic conditions of the general economy or industries in which we operate worsen from present levels, our results of operation could be adversely affected.

A portion of our revenues is generated by sales to government entities, which are subject to a number of challenges and risks, such as increased competitive pressures, administrative delays and additional approval requirements.

A portion of our revenues is generated by sales to U.S. and foreign federal, state and local governmental agency customers, and we may in the future increase sales to government entities. Selling to government entities can be highly competitive, expensive and time consuming, often requiring significant upfront time and expense without any assurance that we will complete a sale or imposing terms of sale which are less favorable than the prevailing market terms. Government demand and payment for our products and services may be impacted by public sector budgetary cycles and funding authorizations, with funding reductions, government shutdowns or delays adversely affecting public sector demand for our products. Additionally, for purchases by the U.S. government, the government may require certain products to be manufactured in the United States and other high cost manufacturing locations, and we may not manufacture all products in locations that meet the requirements of the U.S. government. Finally, some government entities require our products to be certified by industry-approved security agencies as a pre-condition of purchasing our products, such as the international Common Criteria certification by the National Information Association Partnership (NIAP), which we achieved in 2019. We have also initiated the process, and have begun incurring costs, to obtain authorization from the Federal Risk and Authorization Management Program, or FedRAMP, for certain SaaS products. The grant of such certifications depends on the then-current requirements of the certifying agency. We cannot be certain that any certificate will be granted or renewed or that we will be able to satisfy the technological and other requirements to maintain certifications. 
The loss of any of our product certificates, or the failure to obtain new ones, could cause us to suffer reputational harm, lose existing customers, or deter new and existing customers from purchasing our solutions, additional products or our services.

Our business and operations will be negatively affected if we fail to effectively manage our growth.

We have experienced significant growth in a relatively short period of time and intend to continue to grow our business. Our revenues grew from $261.7 million in 2017 to $433.9 million in 2019. In addition, the number of customers that we serve has grown significantly over the same period.

Our rapid growth has placed significant demands on our management, sales, operational and financial infrastructure, and our growth will continue to place significant demands on these resources. Our headcount has increased from 1,015 as of December 31, 2017 to 1,380 as of December 31, 2019. We plan to hire additional employees in 2020 across all areas of the organization. Additionally, we believe our corporate culture is a critical component of our growth and success. As we continue to add new employees, we may find it challenging to maintain our corporate culture and that may affect our ability to recruit and retain personnel.

Further, in order to manage our current and future growth effectively, we must continue to improve and expand our IT and financial infrastructure, operating and administrative systems and controls, as well as efficiently manage headcount, capital and processes. If we are not able to successfully scale or implement these improvements in a manner that keeps pace with our growth, or is timely and efficient, then our failure to do so may materially impact our projected growth rate.

Intellectual property claims may increase our costs or require us to cease selling certain products, which could adversely affect our financial condition and results of operations.

The IT security industry is characterized by the existence of a large number of relevant patents and frequent claims and litigations regarding patent and other intellectual property rights. Leading companies in the IT security industry have extensive patent portfolios. From time to time, third parties have asserted, and in the future may assert, their patent, copyright, trademark and other intellectual property rights against us, our channel partners or our customers. Furthermore, we may be subject to indemnification obligations with respect to third-party intellectual property rights pursuant to our agreements with our customers and channel partners. Such indemnification provisions are customary for our industry. Any claims of intellectual property infringement or misappropriation brought against us, our channel partners or our customers, even those without merit, could be expensive and time-consuming to defend, and divert management’s attention. We cannot ensure that we will have the resources to defend against all such claims. Successful claims of infringement or misappropriation by a third-party against us or a third-party that we indemnify could prevent us from distributing certain products or performing certain services or could require us to pay substantial damages (including, for example, treble damages if we are found to have willfully infringed patents and increased statutory damages if we are found to have willfully infringed copyrights), royalties or other fees. 
Such claims also could require us to cease making, licensing or using solutions that are alleged to infringe or misappropriate the intellectual property of others, to expend additional development resources to attempt to redesign our products or services or otherwise to develop non-infringing technology, to enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual property rights, and to indemnify our customers and channel partners (and parties associated with them). Even if third parties may offer a license to their technology, the terms of any offered license may not be acceptable, and the failure to obtain a license or the costs associated with any license could cause our business, results of operations or financial condition to be materially and adversely affected. Defending against claims of infringement or being deemed to be infringing the intellectual property rights of others could impair our ability to innovate, develop, distribute and sell our current and planned products and services. If we were to violate the intellectual property rights of others, our financial position may be adversely affected.

If our products fail to help our customers achieve and maintain compliance with certain government regulations and industry standards, our business and results of operations could be materially and adversely affected.

We generate a substantial portion of our revenues from our products and services which enable our customers to achieve and maintain compliance with certain government regulations and industry standards, and we expect that to continue for the foreseeable future. Governments and other customers may require our products to comply with certain privacy, security or other certifications and standards with respect to those solutions utilized by them as a control demonstrating compliance with government regulations and industry standards. We achieved the international Common Criteria certification by the National Information Association Partnership (NIAP) in 2019, and a new SOC 2 certification. Additionally, we have maintained the ISO 27001 annual certification since April 2017. We have also initiated the process, and have begun incurring costs, to obtain authorization from the Federal Risk and Authorization Management Program (FedRAMP), for certain SaaS products. However, we are unable to guarantee that we will achieve FedRAMP authorization in a timely manner, or at all, for any of our SaaS products. In the future, if our products are late in achieving or fail to achieve or maintain compliance with these certifications and standards, or our competitors achieve compliance with these certifications and standards, we may be disqualified from selling our products to such customers, or may otherwise be at a competitive disadvantage, either of which would harm our business, results of operations, and financial condition.

Additionally, these industry standards may change with little or no notice, including changes that could make them more or less onerous for businesses, including, without limitation, updates to the Common Criteria for Information Technology Security Evaluation (CC). In addition, governments may also adopt new laws or regulations, or make changes to existing laws or regulations, some of which may conflict with each other, that could impact whether our solutions enable our customers to maintain compliance with such laws or regulations. If we are unable to adapt our solutions to changing government regulations and industry standards in a timely manner, or if our solutions fail to expedite our customers’ compliance initiatives, our customers may lose confidence in our products and could switch to products offered by our competitors. In addition, if government regulations and industry standards related to IT security are changed in a manner that makes them less onerous, our customers may view compliance as less critical to their businesses, and our customers may be less willing to purchase our products and services. In either case, our sales and financial results would suffer.

If our products do not effectively interoperate with our customers’ existing or future IT infrastructures, installations could be delayed or cancelled, which could harm our business.

Our products must effectively interoperate with our customers’ existing or future IT infrastructures, which often have different specifications, utilize multiple protocol standards, deploy products from multiple vendors and contain multiple generations of products that have been added over time. If we find errors in the existing software or defects in the hardware used in our customers’ infrastructure or problematic network configurations or settings, we may have to modify our software so that our products will interoperate with our customers’ infrastructure and business processes. In addition, to stay competitive within certain markets, we may be required to make software modifications in future releases to comply with new statutory or regulatory requirements. These issues could result in longer sales cycles for our products and order cancellations, either of which could adversely affect our business, results of operations and financial condition.

If we are unable to adequately protect our proprietary technology and intellectual property rights, our business could suffer substantial harm.

The success of our business depends on our ability to protect our proprietary technology, brands and other intellectual property and to enforce our rights in that intellectual property. We attempt to protect our intellectual property under patent, copyright, trademark and trade secret laws, and through a combination of confidentiality procedures, contractual provisions and other methods, all of which offer only limited protection.

As of December 31, 2019, we had 33 issued patents in the United States, and 72 pending U.S. patent applications. We also had 7 issued patents and 23 applications pending for examination in non-U.S. jurisdictions, all of which are counterparts of our U.S. patent applications. We expect to file additional patent applications in the future.

The process of obtaining patent protection is expensive and time-consuming, and we may not be able to complete all necessary or desirable patent applications at a reasonable cost or in a timely manner all the way to the successful issuance of a patent. We may choose not to seek patent protection for certain innovations and may choose not to pursue patent protection in certain jurisdictions. Furthermore, it is possible that our patent applications may not be approved, that the scope of our issued patents will be insufficient or not have the coverage originally sought, that our issued patents will not provide us with any competitive advantages, and that our patents and other intellectual property rights may be challenged by others or invalidated through administrative processes or litigation. Finally, issuance of a patent does not guarantee that we have an absolute right to practice the patented invention. Our policy is to require our employees (and our consultants and service providers that develop intellectual property included in our products) to execute written agreements in which they assign to us their rights in potential inventions and other intellectual property created within the scope of their employment (or, with respect to consultants and service providers, their engagement to develop such intellectual property), but we cannot be certain that we have adequately protected our rights in every such agreement or that we have executed an agreement with every such party. Finally, in order to benefit from the protection of patents and other intellectual property rights, we must monitor and detect infringement and pursue infringement claims in certain circumstances in relevant jurisdictions. Litigating claims related to the enforcement of intellectual property rights is very expensive and can be burdensome in terms of management time and resources. 
Any litigation related to intellectual rights or claims against us could result in loss or compromise of our intellectual property rights or could subject us to significant liabilities. As a result, we may not be able to obtain adequate protection or to effectively enforce our issued patents or other intellectual property rights.

In addition to patents, we rely on trade secret rights, copyrights and other rights to protect our unpatented proprietary intellectual property and technology. Unauthorized parties, including our employees, consultants, service providers or customers, may attempt to copy aspects of our products or obtain and use our trade secrets or other confidential information. We generally enter into confidentiality agreements with our employees, consultants, service providers, vendors, channel partners, subcontractors and customers, and generally limit access to and distribution of our proprietary information and proprietary technology through certain procedural safeguards. These agreements may not effectively prevent unauthorized use or disclosure of our intellectual property or technology and may not provide an adequate remedy in the event of unauthorized use or disclosure of our intellectual property or technology. We cannot be certain that the steps taken by us will prevent misappropriation of our intellectual property or technology or infringement of our intellectual property rights. In addition, the laws of some foreign countries where we sell our products do not protect intellectual property rights and technology to the same extent as the laws of the United States, and these countries may not enforce these laws as diligently as government agencies and private parties in the United States. If we are unable to protect our intellectual property, we may find ourselves at a competitive disadvantage to others who do not incur the additional expense, time and effort to create the innovative products nevertheless benefiting from such innovation due to misappropriation.

Our use of open source software, third-party software and other intellectual property may expose us to risks.

We license and integrate certain open source software components from third parties into our software, and we expect to continue to use open source software in the future. Some open source software licenses require users, who distribute or make available as a service open source software with their own software products, to add appropriate copyright notices, to publicly disclose all or part of the source code of the users’ developed software or to make available any derivative works of the open source code on unfavorable terms or at no cost. Our efforts to use the open source software in a manner consistent with the relevant license terms that would not require us to disclose our proprietary code or license our proprietary software at no cost may not be successful. We may face claims by third parties seeking to enforce the license terms applicable to such open source software, including by demanding the release of the open source software, derivative works or our proprietary source code that was developed using such software, or we may face termination of such licenses if the author of the open source software asserts we are in breach of its license terms. In addition, if the license terms for the open source code change or the license is terminated, we may be forced to re-engineer our software or incur additional costs.

Further, some of our products and services include other software or intellectual property licensed from third parties, and we also use software and other intellectual property licensed from third parties for our own business operations. This exposes us to risks over which we may have little or no control. For example, a licensor may have difficulties keeping up with technological changes or may stop supporting the software or other intellectual property that it licenses to us. There can be no assurance that the licenses we use will be available on acceptable terms, if at all. In addition, a third party may assert that we or our customers are in breach of the terms of a license, which could, among other things, give such third party the right to terminate a license or seek damages from us, or both. Our inability to obtain or maintain certain licenses or other rights or to obtain or maintain such licenses or rights on favorable terms, or the need to engage in litigation regarding these matters, could result in delays in releases of new products, and could otherwise disrupt our business, until equivalent technology can be identified, licensed or developed.

Our business may be materially affected by changes to fiscal and tax policies. Potentially negative or unexpected tax consequences of these policies, or the uncertainty surrounding their potential effects, could adversely affect our results of operations and share price.

As a multinational corporation, we are subject to income taxes, withholding taxes and indirect taxes in numerous jurisdictions worldwide. Significant judgment and management attention and resources are required in evaluating our tax positions and our worldwide provision for taxes. In the ordinary course of business, there are many activities and transactions for which the ultimate tax determination is uncertain. In addition, our tax obligations and effective tax rates could be adversely affected by changes in the relevant tax, accounting, and other laws, regulations, principles and interpretations. This may include recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher than anticipated earnings in jurisdictions where we have higher statutory rates, changes in foreign currency exchange rates, or changes in the valuation of our deferred tax assets and liabilities.

We may be audited in various jurisdictions, and such jurisdictions may assess additional taxes against us. If we experience unfavorable results from one or more such tax audits, there could be an adverse effect on our tax rate and therefore on our net income. The final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our operating results or cash flows in the period or periods for which a determination is made. Additionally, we are subject to transfer pricing rules and regulations in various jurisdictions, including those relating to the flow of funds between us and our affiliates, which are designed to ensure that appropriate levels of income are reported in each jurisdiction in which we operate.

We rely significantly on revenues from maintenance and support contracts, which we recognize ratably over the terms of the associated contracts and, to a lesser extent, from professional services contracts, which we recognize as services are performed, and any downturns in sales of these contracts would not be immediately reflected in full in our quarterly operating results.

Maintenance and support and professional services revenues accounted for 45% of our total revenues in 2019. Sales of maintenance and support and professional services may decline or fluctuate as a result of a number of factors, including the number of product licenses we sell, the timing within the reported period those licenses are sold, our customers’ level of satisfaction with our products and services, the prices of our products and services, the prices of products and services offered by our competitors or reductions in our customers’ spending levels. If our sales of maintenance and support and professional services contracts decline, our revenues or revenue growth may decline, and our business will suffer. We recognize revenues from maintenance and support contracts ratably on a straight-line basis over the term of the related contracts which is typically one year and, to a lesser extent, three years, and from professional services as services are performed. As a result, a meaningful portion of the revenues we report each quarter results from the recognition of deferred revenues from maintenance and support and professional services contracts entered into during previous quarters. Consequently, a decline in the number or size of such contracts in any one quarter will not be fully reflected in revenues in that quarter but will negatively affect our revenues in future quarters. Accordingly, the effect of significant downturns in maintenance and support and professional services contracts would not be reflected in full in our results of operations until future periods.

We are subject to governmental trade, export and import controls that could subject us to liability in the event of non-compliance or impair our ability to compete in international markets.

Certain of our activities are subject to U.S., Israeli, and possibly other export control and economic sanctions laws and regulations, which may prohibit or restrict our ability to engage in business with certain countries and customers. For example, our products that incorporate encryption capabilities may be subject to certain licensing, reporting, or other requirements under U.S. and Israeli export controls. If the applicable U.S. or Israeli requirements regarding the export of encryption technology were to change or if we change the encryption functionality in our products, we may need to satisfy additional requirements or obtain specific permissions (licenses) in the United States or Israel in order to continue to export our products to the same range of customers and countries as we presently do. There can be no assurance that we will be able to satisfy such additional requirements or obtain specific licenses under these circumstances in either the United States or Israel. Furthermore, various other countries regulate the import of certain encryption products and technology, including import permitting and licensing requirements, and have enacted laws that could limit our ability to distribute our products or could limit our customers’ ability to implement our products in those countries.

In addition, applicable export control and sanctions laws and regulations may impact our ability to sell our products, directly or indirectly through our channel partners, to countries or territories that are the target of comprehensive sanctions, or to prohibited parties. Despite our due diligence and, in the case of sanctionable activities by our channel partners, the contractual undertakings they have given us, any such export could result in legal exposure, including penalties and/or government investigations, as well as reputational harm. Any change in export or import regulations, economic sanctions or related legislation, shift in the enforcement or scope of existing regulations, or change in the countries, governments, persons or technologies targeted by such regulations, could result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential customers with international operations. Any decreased use of our products or limitation on our ability to export or sell our products and services would likely adversely affect our business, financial condition and results of operations.

In addition, in the future we may be subject to defense-related export controls. For example, currently our solutions are not subject to supervision under the Israeli Defense Export Control Law, 5767-2007, but if they were used for purposes that are classified as defense-related or if they fall under “dual-use goods and technology” as referred to below, we could become subject to such regulation. In particular, under the Israeli Defense Export Control Law, 5767-2007, an Israeli company may not conduct “defense marketing activity” without a defense marketing license from the Israeli Ministry of Defense (MOD) and may be required to obtain a specific license from the MOD for any export of defense related products and/or knowhow. The definition of defense marketing activity is broad and includes any marketing of “defense equipment,” “defense knowhow” or “defense services” outside of Israel, which includes “dual-use goods and technology” (material and equipment intended in principle for civilian use and that can also be used for defensive purposes, such as our cybersecurity solutions) that is specified in the list of Goods and Dual-Use Technology annexed to the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, if intended for defense use only, or is specified under Israeli legislation. “Dual-use goods and technology” will be subject to control by the Ministry of Economy if intended for civilian use only. In December 2013, regulations under the Wassenaar Arrangement included for the first time a chapter on cyber-related matters, which chapter was last amended in December 2018. We believe that our products do not fall under this chapter; however, in the future we may become subject to this regulation or similar regulations, which would limit our sales and marketing activities and could therefore have an adverse effect on our results of operations. Similar issues could arise under the U.S. defense/military export controls under the Arms Export Control Act and the International Traffic in Arms Regulations. Accordingly, there can be no assurance whether our solutions would be impacted by any potential new regulations pertaining to cybersecurity products and services similar to those provided by us, and what impact potential new regulations would have on our sales or our costs relating to compliance.


Risks Related to Our Ordinary Shares

Our share price may be volatile, and our shareholders may lose all or part of their investment.

From January 2017 through January 2020, our ordinary shares have traded on the Nasdaq Global Select Market, or the Nasdaq, at a price per share in a range between $39.34 and $148.74. In addition, the market price of our ordinary shares could be highly volatile and may fluctuate substantially as a result of many factors, some of which are beyond our control, including, but not limited to:

actual or anticipated fluctuations in our results of operations and the results of other similar companies;

variance in our financial performance from the expectations of market analysts;

announcements by us or our competitors of significant business developments, changes in service provider relationships, acquisitions or expansion plans;

changes in the prices of our products and services or in our pricing models;

our involvement in litigation;

our sale of ordinary shares or other securities in the future;

market conditions in our industry;

changes in key personnel;

speculation in the press or the investment community;

the trading volume of our ordinary shares;

changes in the estimation of the future size and growth rate of our markets;

any merger and acquisition activities; and

general economic and market conditions.

The price of our ordinary shares could also be affected by possible sales of our ordinary shares by investors who view our Convertible Notes as a more attractive means of equity participation in our company, and by hedging and arbitrage trading activity that such investors may engage in.

In addition, the stock markets have experienced price and volume fluctuations. Broad market and industry factors may materially harm the market price of our ordinary shares, regardless of our operating performance. In the past, following periods of volatility in the market price of a company’s securities, securities class action litigation has often been instituted against that company. If we were involved in any similar litigation, we could incur substantial costs and our management’s attention and resources could be diverted, which could materially adversely affect our business.

If securities or industry analysts cease to publish research or publish inaccurate or unfavorable research reports about our business, our share price and trading volume could decline.

The trading price for our ordinary shares is affected by any research or reports that securities or industry analysts publish about us, our business or our industry. If one or more of the analysts who cover us or our business publish inaccurate or unfavorable research reports about us or our business, and in particular, if they downgrade their evaluations of our ordinary shares, the price of our ordinary shares would likely decline. If one or more of these analysts cease coverage of our company, we could lose visibility in the market for our ordinary shares, which in turn could cause our share price to decline. In addition, industry analysts often provide reviews of our offerings, as well as those of our competitors, and perception of our offerings in the marketplace may be significantly influenced by these reviews. If these reviews are negative, or less positive as compared to those of our competitors’ products and professional services or compared to prior reviews of our offerings, our brand may be adversely affected.


Our business could be negatively affected as a result of the actions of activist shareholders, and such activism could impact the trading value of our securities.

In recent years, U.S. and non-U.S. companies listed on securities exchanges in the United States have been faced with governance-related demands from activist shareholders, unsolicited tender offers and proxy contests. Although as a foreign private issuer we are not subject to U.S. proxy rules, responding to any action of this type by activist shareholders could be costly and time-consuming, disrupting our operations and diverting the attention of management and our employees. Such activities could interfere with our ability to execute our strategic plans. In addition, a proxy contest for the election of directors at our annual meeting would require us to incur significant legal fees and proxy solicitation expenses and require significant time and attention by management and our board of directors. The perceived uncertainties due to such actions of activist shareholders also could affect the market price of our securities.

As a foreign private issuer whose ordinary shares are listed on Nasdaq, we may follow certain home country corporate governance practices instead of otherwise applicable SEC and Nasdaq requirements such as Regulation FD or U.S. proxy rules and exemption from filing certain Exchange Act reports. This may result in less protection than is accorded to investors under rules applicable to domestic U.S. issuers or limit the information available to our shareholders.

As a foreign private issuer whose ordinary shares are listed on Nasdaq, we are permitted to follow certain home country corporate governance practices instead of certain rules of Nasdaq. We currently follow Israeli home country practices with regard to the quorum requirement for shareholder meetings and the requirements relating to distribution of our annual report to shareholders. As permitted under the Israeli Companies Law, 5759-1999, or the Companies Law, our articles of association provide that the quorum for any meeting of shareholders shall be at least two shareholders present in person or by proxy who hold at least 25% of the voting power of our shares instead of 33 1/3% of our issued share capital (as prescribed by Nasdaq’s rules). Further, as permitted by the Companies Law and in accordance with the generally accepted business practice in Israel, we do not distribute our annual report to shareholders but make it available through our public website. We may in the future elect to follow Israeli home country practices with regard to other matters such as director nomination procedures, separate executive sessions of independent directors and the requirement to obtain shareholder approval for certain dilutive events (such as for the establishment or amendment of certain equity-based compensation plans, issuances that will result in a change of control of the company, certain transactions other than a public offering involving issuances of a 20% or more interest in the company and certain acquisitions of the stock or assets of another company). Accordingly, our shareholders may not be afforded the same protection as provided under Nasdaq corporate governance rules. Following our home country governance practices as opposed to the requirements that would otherwise apply to a U.S. company listed on Nasdaq may provide less protection than is accorded to shareholders of domestic issuers. See “Item 16.G. Corporate Governance.”

As a foreign private issuer, we are exempt from a number of requirements under U.S. securities laws that apply to public companies that are not foreign private issuers. In particular, we are exempt from the rules and regulations under the Exchange Act related to the furnishing and content of proxy statements, and our officers, directors and principal shareholders are exempt from the reporting and short-swing profit recovery provisions contained in Section 16 of the Exchange Act. In addition, we are not required under the Exchange Act to file annual, quarterly and current reports and financial statements with the SEC, as frequently or as promptly as domestic companies whose securities are registered under the Exchange Act. We are also exempt from the provisions of Regulation FD, which prohibits issuers from making selective disclosure of material nonpublic information. Even though we intend to comply voluntarily with Regulation FD, these exemptions and leniencies will reduce the frequency and scope of information and protections to which our shareholders are entitled as investors. For so long as we qualify as a foreign private issuer, we are not required to comply with the proxy rules applicable to U.S. domestic companies, although pursuant to the Companies Law, we disclose the annual compensation of our five most highly compensated office holders (as defined under the Companies Law) on an individual basis, including in this annual report. Because of these exemptions for foreign private issuers, our shareholders do not have the same information generally available to investors holding shares in public companies that are not foreign private issuers.


Our Convertible Notes may impact our financial results, result in the dilution of existing shareholders, create downward pressure on the price of our ordinary shares, and restrict our ability to take advantage of future opportunities.

In November 2019, we issued $575.0 million aggregate principal amount of 0.00% Convertible Senior Notes due 2024, or the Convertible Notes. The sale of the Convertible Notes may affect our earnings per share figures, as accounting procedures may require that we include in our calculation of earnings per share the number of ordinary shares into which the Convertible Notes are convertible. The Convertible Notes may be converted, under the conditions and at the premium specified in the Convertible Notes, into cash and our ordinary shares, if any (subject to our right to pay cash in lieu of all or a portion of such shares). If our ordinary shares are issued to the holders of the Convertible Notes upon conversion, there will be dilution to our shareholders’ equity and the market price of our ordinary shares may decrease due to the additional selling pressure in the market. Any downward pressure on the price of our ordinary shares caused by the sale or potential sale of ordinary shares issuable upon conversion of the Convertible Notes could also encourage short sales by third parties, creating additional downward pressure on our share price.

In addition, in connection with the pricing of the Convertible Notes, we entered into privately negotiated capped call transactions, or the Capped Call Transactions, with certain of the purchasers of the Convertible Notes. The Capped Call Transactions cover, collectively, the number of our ordinary shares underlying the Convertible Notes, subject to anti-dilution adjustments substantially similar to those applicable to the Convertible Notes. The cost of the Capped Call Transactions was approximately $53.6 million. The Capped Call Transactions are expected generally to reduce the potential dilution to the ordinary shares upon any conversion of the Convertible Notes and/or offset any cash payments we are required to make in excess of the principal amount upon conversion of the Convertible Notes under certain events described in the Capped Call Transactions. We are subject to the risk that one or more of the counterparties to the Capped Call Transactions may default, or otherwise fail to perform, or may exercise certain rights to terminate, their obligations under the Capped Call Transactions. Our exposure will depend on many factors but, generally, our exposure will increase if the market price or the volatility of our common stock increases. Upon a default, a failure to perform or a termination of obligations by a counterparty to the Capped Call Transactions, we may suffer adverse tax consequences or experience more dilution than we currently anticipate with respect to our ordinary shares.

Furthermore, the indenture for the Convertible Notes will prohibit us from engaging in certain mergers or acquisitions unless, among other things, the surviving entity assumes our obligations under the Convertible Notes. These and other provisions in the indenture could deter or prevent a third party from acquiring us even when the acquisition may be favorable.

We currently anticipate that we will be able to rely on and to implement certain clarifications from the applicable Tax Authorities, with respect to the administration of our Israeli withholding tax obligations in relation to considerations to be paid to the holders of the Convertible Notes upon their future conversion and settlement. Unexpected failure to ultimately obtain such anticipated clarifications from the Israeli Tax Authorities could potentially result in increased Israeli withholding tax gross-up costs.

We may not have the ability to raise the funds necessary to settle conversions of the Convertible Notes, repurchase the Convertible Notes upon a fundamental change or repay the Convertible Notes in cash at their maturity, and our future debt may contain limitations on our ability to pay cash upon conversion or repurchase of the Convertible Notes.

Holders of the Convertible Notes will have the right under the indenture governing the Convertible Notes to require us to repurchase all or a portion of their Convertible Notes upon the occurrence of a fundamental change before the applicable maturity date, at a repurchase price equal to 100% of the principal amount of such Convertible Notes to be repurchased, plus accrued and unpaid interest, excluding the applicable fundamental change repurchase date, if any. Moreover, we will be required to repay the Convertible Notes in cash at their maturity, unless earlier converted, repurchased or redeemed. We may not have enough available cash or be able to obtain financing at the time we are required to make such repurchases of the Convertible Notes and/or repay the Convertible Notes upon maturity.

In addition, we have the right to elect to settle conversions of the Convertible Notes in cash. Although we entered into the Capped Call Transactions which are expected generally to offset any cash payments we are required to make in excess of the principal amount upon conversion of the Convertible Notes (subject to a cap), we may not ultimately receive such cash payments from the counterparties to the Capped Call Transactions in case of a default, a failure to perform or a termination of obligations by a relevant counterparty.


Our ability to repurchase or to pay cash upon conversion of Convertible Notes may be limited by law, regulatory authority or agreements governing our future indebtedness. Our failure to repurchase the Convertible Notes at a time when the repurchase is required by the indenture or to pay cash upon conversion of the Convertible Notes or at maturity as required by the indenture would constitute a default under the indenture. A default under the indenture or the fundamental change itself could also lead to a default under agreements governing our future indebtedness. If the payment of the related indebtedness were to be accelerated after any applicable notice or grace periods, we may not have sufficient funds to repay the indebtedness and repurchase the Convertible Notes or to pay cash upon conversion of the Convertible Notes or at maturity.

We may lose our foreign private issuer status, which would then require us to comply with the rules and regulations applicable to U.S. domestic issuers and cause us to incur significant legal, accounting and other expenses.

Since a majority of our voting securities are either directly or indirectly owned of record by residents of the United States, we would lose our foreign private issuer status if any of the following were to occur: (i) the majority of our executive officers or directors were U.S. citizens or residents, (ii) more than 50 percent of our assets were located in the United States, or (iii) our business was administered principally in the United States.

As part of our business strategy, we continue to organically globalize our business operations and evaluate acquiring or making investments in complementary companies, including companies predominately located in the United States. If we were to acquire a U.S. company in the future, it could put us at heightened risk of losing our foreign private issuer status. Although we have elected to comply with certain U.S. regulatory provisions, our loss of foreign private issuer status would make such provisions mandatory. The regulatory and compliance costs to us under U.S. securities laws as a U.S. domestic issuer may be significantly higher. We may also be required to modify certain of our policies to comply with good governance practices associated with U.S. domestic issuers. Such conversion and modifications will involve additional costs. In addition, we would lose our ability to rely on Nasdaq exemptions from certain corporate governance requirements that are available to foreign private issuers. As a result, we expect that a loss of foreign private issuer status would increase our legal and financial compliance costs. We also expect that if we were required to comply with the rules and regulations applicable to U.S. domestic issuers, it would make it more difficult and expensive for us to obtain director and officer liability insurance, and we could be required to accept reduced coverage or incur substantially higher costs to obtain coverage.

If we sell our ordinary shares in future financings, ordinary shareholders could experience immediate dilution and, as a result, the market price of our ordinary shares may decline.

We may from time to time issue additional ordinary shares at a discount from the current trading price of our ordinary shares. As a result, our ordinary shareholders would experience immediate dilution upon our issuance of any ordinary shares at such discount. In addition, as opportunities present themselves, we may enter into equity or debt financings or similar arrangements in the future, including the issuance of additional convertible debt securities, preferred shares or ordinary shares. If we issue ordinary shares or securities convertible into ordinary shares, holders of our ordinary shares could experience dilution.

If we are unable to satisfy the requirements of Sections 404(a) and 404(b) of the Sarbanes-Oxley Act of 2002 or if our internal control over financial reporting is not effective, investors may lose confidence in the accuracy and the completeness of our financial reports and the trading price of our ordinary shares may be negatively affected.

Pursuant to Section 404(a) of the Sarbanes-Oxley Act of 2002, or Sarbanes-Oxley Act, we are required to furnish a report by management on the effectiveness of our internal control over financial reporting. Additionally, pursuant to Section 404(b) of the Sarbanes-Oxley Act, we must include an auditor attestation on our internal control over financial reporting.


To maintain the effectiveness of our disclosure controls and procedures and our internal control over financial reporting, we expect that we will need to continue to enhance existing, and implement new, financial reporting and management systems, procedures and controls to manage our business effectively and support our growth in the future. The process of evaluating our internal control over financial reporting requires an investment of substantial time and resources, including by our Chief Financial Officer and other members of our senior management. As a result, this process may divert internal resources and take a significant amount of time and effort to complete. Additionally, as part of management assessments of the effectiveness of our internal control over financial reporting required by Section 404(a), our management may conclude that our internal control over financial reporting is not effective due to our failure to cure any identified material weakness or otherwise, which would require us to employ remedial actions to implement effective controls. If we identify material weaknesses in our internal control over financial reporting, if we are unable to comply with the requirements of Section 404(a) or 404(b) in a timely manner or to assert that our internal control over financial reporting is effective, or if our independent registered public accounting firm is unable to express an opinion or issues an adverse opinion in its attestation as to the effectiveness of our internal control over financial reporting required by Section 404(b), investors may lose confidence in the accuracy and completeness of our financial reports and the trading price of our ordinary shares could be negatively affected. We could also become subject to investigations by Nasdaq, the SEC or other regulatory authorities, which could require additional financial and management resources.

Irrespective of compliance with Sections 404(a) and 404(b), any failure of our internal control over financial reporting could have a material adverse effect on our stated results of operations and harm our reputation. In order to implement changes to our internal control over financial reporting triggered by a failure of those controls, we could experience higher than anticipated operating expenses, including higher independent auditor fees during and after the implementation of these changes.

As a public company we may become subject to further compliance obligations, which may strain our resources and divert management’s attention.

Changing laws, regulations and standards in the United States relating to corporate governance and public disclosure and other matters may be implemented in the future, which may increase our legal and financial compliance costs, make some activities more time consuming and divert management’s time and attention from revenue-generating activities to compliance activities. If our efforts to comply with new laws, regulations and standards differ from the activities intended by regulatory or governing bodies due to ambiguities related to practice, regulatory authorities may initiate legal proceedings against us and our business may be harmed. Being a publicly traded company in the United States and being subject to U.S. rules and regulations may make it more expensive for us to obtain directors and officers liability insurance, and we may be required to accept reduced coverage or incur substantially higher costs to obtain coverage. For example, during our last renewal, the cost of our directors and officers insurance policy premiums substantially increased in light of certain changes in the market for such policies. These factors could also make it more difficult for us to attract and retain qualified members of our board of directors, particularly to serve on our audit committee, and qualified executive officers. In accordance with the provisions of the Companies Law, approval of our directors and officers insurance is limited to the terms of our duly approved compensation policy, unless otherwise approved by our shareholders.

Our U.S. shareholders may suffer adverse tax consequences if we are classified as a “passive foreign investment company.”

Generally, if for any taxable year, after the application of certain look-through rules, 75% or more of our gross income is passive income, or at least 50% of the average quarterly value of our assets (which may be measured in part by the market value of our ordinary shares, which is subject to change) are held for the production of, or produce, passive income (as defined in the relevant provisions of the Internal Revenue Code of 1986, as amended (the Code)), we would be characterized as a “passive foreign investment company,” or PFIC, for U.S. federal income tax purposes under the Code. Based on our market capitalization and the nature of our income, assets, and business, we believe that we will not be classified as a PFIC for the taxable year that ended December 31, 2019. However, PFIC status is determined annually and requires a factual determination that depends on, among other things, the composition of our income, assets and activities in each taxable year, and can only be made annually after the close of each taxable year. Furthermore, because the value of our gross assets is likely to be determined in part by reference to our market capitalization, a decline in the value of our ordinary shares may result in our becoming a PFIC. Accordingly, there can be no assurance that we will not be considered a PFIC for any taxable year. If we are a PFIC for any taxable year during which a U.S. Holder (as defined in “Item 10.E. Taxation—Certain United States Federal Income Tax Consequences”) holds our ordinary shares, certain adverse U.S. federal income tax consequences could apply to such U.S. Holder. Prospective U.S. Holders should consult their tax advisors regarding the potential application of the PFIC rules to them. See “Item 10.E. Taxation—Certain United States Federal Income Tax Consequences—Passive Foreign Investment Company Considerations.”


If a United States person is treated as owning at least 10% of our ordinary shares, such holder may be subject to adverse U.S. federal income tax consequences.

If a U.S. person is treated as owning (directly, indirectly or constructively) at least 10% of the value or voting power of our ordinary shares, such person may be treated as a “U.S. shareholder” with respect to each controlled foreign corporation (CFC) in our group (if any). Under current law, if our group includes one or more U.S. subsidiaries (as has been the case for 2019), certain of our non-U.S. subsidiaries could be treated as CFCs regardless of whether or not we are treated as a CFC. A U.S. shareholder of a CFC may be required to report annually and include in its U.S. taxable income its pro rata share of such CFC’s “Subpart F income,” “global intangible low taxed income” and investments in U.S. property by CFCs, regardless of whether we make any distributions. An individual who is a U.S. shareholder with respect to a CFC generally would not be allowed certain tax deductions or foreign tax credits that would be allowed to a U.S. shareholder that is a U.S. corporation. Failure to comply with these reporting obligations may subject a U.S. shareholder to significant monetary penalties and may prevent the statute of limitations with respect to such U.S. shareholder’s U.S. federal income tax return for the year for which reporting was due from starting. We cannot provide any assurances that we will be able to assist holders of ordinary shares in determining whether any of our non-U.S. subsidiaries is treated as a CFC or whether any holder of ordinary shares should be treated as a U.S. shareholder with respect to any such CFC or furnish to any U.S. shareholders information that may be necessary to comply with the aforementioned reporting and tax paying obligations. The United States Internal Revenue Service provided very limited guidance on situations in which investors may rely on publicly available alternative information to comply with their reporting and tax paying obligations with respect to foreign controlled CFCs. U.S. investors are strongly advised to consult their own tax advisors regarding the potential application of these rules to their investment in our ordinary shares.

We do not intend to pay dividends on our ordinary shares for the foreseeable future so any returns will be limited to changes in the value of our ordinary shares.

We have never declared or paid any cash dividends on our ordinary shares. We currently anticipate that we will retain future earnings for the development, operation, and expansion of our business and do not anticipate declaring or paying any cash dividends for the foreseeable future. Any return to shareholders will therefore be limited to the increase, if any, of our share price, which may or may not occur.

Risks Relating to Our Incorporation and Location in Israel

Our headquarters, substantially all of our research and development activities and other significant operations are located in Israel and, therefore, our results may be adversely affected by political, economic and military instability in Israel.

Our headquarters and principal research and development facilities are located in Israel. In addition, a large number of our key employees and certain directors are residents of Israel. Accordingly, political, economic and military conditions in Israel may directly affect our business. Since the establishment of the State of Israel in 1948, a number of armed conflicts have taken place between Israel and its neighboring countries. In recent years, these have included hostilities between Israel and Hezbollah in Lebanon and Hamas in the Gaza strip, both of which resulted in rockets being fired into Israel causing casualties and disruption of economic activities. In addition, Israel faces threats from more distant neighbors, including, in particular, Iran. Our commercial insurance does not cover losses that may occur as a result of an event associated with the security situation in the Middle East. In addition, the Israeli government’s commitment to covering the reinstatement value of direct damages caused by terrorist attacks or acts of war, could be eliminated or may not be sufficient to compensate us fully for damages incurred. Any losses or damages incurred by us could have a material adverse effect on our business. Any armed conflict involving Israel could adversely affect our operations and results of operations.


Further, our operations could be disrupted by the obligations of personnel to perform military service. As of December 31, 2019, we had 499 employees based in Israel, certain of which may be called upon to perform up to 54 days in each three-year period (and in the case of non-officer commanders or officers, up to 70 or 84 days, respectively, in each three-year period) of military reserve duty until they reach the age of 40 (and in some cases, depending on their specific military profession up to 45 or even 49 years of age) and, in certain emergency circumstances, may be called to immediate and unlimited active duty. Our operations could be disrupted by the absence of a significant number of employees related to military service, which could materially adversely affect our business and results of operations.

Several countries, principally in the Middle East, restrict doing business with Israel and Israeli companies, and additional countries may impose restrictions on doing business with Israel and Israeli companies whether as a result of hostilities in the region or otherwise. In addition, there have been increased efforts by activists to cause companies and consumers to boycott Israeli goods based on Israeli government policies. Such actions, particularly if they become more widespread, may adversely impact our ability to sell our products. Any hostilities involving Israel or any interruption or curtailment of trade between Israel and its present trading partners, or a significant downturn in the economic or financial condition of Israel, could adversely affect our business, financial condition and results of operations. We may also be targeted by cyber terrorists specifically because we are an Israeli company.

Israel is experiencing an unprecedented level of political instability. The Israeli government has been in a transitionary phase since December 2018, when the Israeli Parliament, or the Knesset, first resolved to dissolve itself and call for new general elections. During the last twelve months, Israel held general elections three times – in April and September of 2019 and in March of 2020. The Knesset has not passed a budget for the year 2020, and certain government ministries, which may be critical to the operation of our business, are without necessary resources and may not receive sufficient funding moving forward. In the event that the current political stalemate is not resolved during 2020, our ability to conduct our business effectively may be adversely affected.

The tax benefits that are available to us require us to continue to meet various conditions and may be terminated or reduced in the future, which could increase our costs and taxes.

We were granted Approved Enterprise status under the Israeli Law for the Encouragement of Capital Investments, 5719-1959, or the Investment Law. We elected the alternative benefits program, pursuant to which income derived from the Approved Enterprise program is tax-exempt for two years and enjoys a reduced tax rate of 10.0% to 25.0% for up to a total of eight years, subject to an adjustment based on the percentage of foreign investors’ ownership. We were also eligible for certain tax benefits provided to Benefited Enterprises under the Investment Law. In March 2013, we notified the Israel Tax Authority that we apply the new tax Preferred Enterprise regime under the Investment Law instead of our Approved Enterprise and Benefited Enterprise. Accordingly, we are eligible for certain tax benefits provided to Preferred Enterprises under the Investment Law. If we do not meet the conditions stipulated in the Investment Law and the regulations promulgated thereunder, as amended, for the Preferred Enterprise, any of the associated tax benefits may be canceled, and we would be required to repay the amount of such benefits, in whole or in part, including interest and CPI linkage (or other monetary penalties). Starting from 2017, we are eligible for the Technological Preferred Enterprise regime, a sub-category of the Preferred Enterprise regime, which grants enhanced tax benefits to enterprises with significant research and development activities. Further, in the future these tax benefits may be reduced or discontinued. If these tax benefits are reduced, cancelled or discontinued, our Israeli taxable income would be subject to regular Israeli corporate tax rates which would harm our financial condition and results of operation. Additionally, if we increase our activities outside of Israel through acquisitions, for example, our expanded activities might not be eligible for inclusion under future Israeli tax benefit regimes. See “Item 5. Operating and Financial Review and Prospects—Operating Results—Israeli Tax Considerations and Government Programs—Law for the Encouragement of Capital Investments, 5719-1959.”



We may become subject to claims for remuneration or royalties for assigned service invention rights by our employees.

We enter into assignment-of-invention agreements with our employees pursuant to which such individuals agree to assign to us all rights to any inventions created in the scope of their employment or engagement with us. A significant portion of our intellectual property has been developed by our employees during the course of their employment by us. Under the Israeli Patent Law, 5727-1967, inventions conceived by an employee during the scope of his or her employment with a company are regarded as “service inventions” which belong to the employer, absent a specific agreement between the employee and employer giving the employee service invention rights. Although our employees have agreed to assign to us service invention rights, as a result of uncertainty under Israeli law with respect to service invention rights and the efficacy of related waivers, including with respect to remuneration and its extent, we may face claims demanding remuneration in consideration for assigned inventions. As a consequence of such claims, we could be required to pay additional remuneration or royalties to our current and/or former employees, or be forced to litigate such claims, which could negatively affect our business.

Provisions of Israeli law and our articles of association may delay, prevent or otherwise impede a merger with or an acquisition of us, even when the terms of such a transaction are favorable to us and our shareholders.

Our articles of association contain certain provisions that may delay or prevent a change of control. These provisions include that our directors (other than external directors, if applicable) are elected on a staggered basis, and therefore a potential acquirer cannot readily replace our entire board of directors at a single annual general shareholder meeting. In addition, Israeli corporate law regulates acquisitions of shares through tender offers and mergers, requires special approvals for transactions involving directors, officers or significant shareholders and regulates other matters that may be relevant to such types of transactions. See “Item 10.B. Articles of Association—Acquisitions under Israeli Law” for additional information.

Furthermore, Israeli tax considerations may make potential transactions unappealing to us or to our shareholders whose country of residence does not have a tax treaty with Israel exempting such shareholders from Israeli tax. For example, Israeli tax law does not recognize tax-free share exchanges to the same extent as U.S. tax law. With respect to mergers involving an exchange of shares, Israeli tax law allows for tax deferral in certain circumstances but makes the deferral contingent on the fulfillment of a number of conditions, including, in some cases, a holding period of two years from the date of the transaction during which sales and dispositions of shares of the participating companies are subject to certain restrictions. Moreover, with respect to certain share swap transactions, the tax deferral is limited in time, and when such time expires, the tax becomes payable even if no disposition of the shares has occurred. These provisions of Israeli law and our articles of association could have the effect of delaying or preventing a change in control in us and may make it more difficult for a third-party to acquire us, even if doing so would be beneficial to our shareholders, and may limit the price that investors may be willing to pay in the future for our ordinary shares.

It may be difficult to enforce a judgment of a U.S. court against us, our officers and directors or the Israeli auditors named in this annual report in Israel or the United States, to assert U.S. securities laws claims in Israel or to serve process on our officers and directors and these auditors.

We are incorporated in Israel. The majority of our directors and executive officers, and the Israeli auditors listed in this annual report reside outside of the United States, and most of our assets and most of the assets of these persons are located outside of the United States. Therefore, a judgment obtained against us, or any of these persons, including a judgment based on the civil liability provisions of the U.S. federal securities laws, may not be collectible in the United States and may not be enforced by an Israeli court. It also may be difficult for our shareholders to effect service of process on these persons in the United States or to assert U.S. securities law claims in original actions instituted in Israel. Israeli courts may refuse to hear a claim based on an alleged violation of U.S. securities laws reasoning that Israel is not the most appropriate forum in which to bring such a claim. In addition, even if an Israeli court agrees to hear a claim, it may determine that Israeli law and not U.S. law is applicable to the claim. If U.S. law is found to be applicable, the content of applicable U.S. law must be proven as a fact by expert witnesses, which can be a time consuming and costly process. Certain matters of the procedure will also be governed by Israeli law. There is little binding case law in Israel that addresses the matters described above. As a result of the difficulty associated with enforcing a judgment against us in Israel, our shareholders may not be able to collect any damages awarded by either a U.S. or foreign court.



The rights and responsibilities of our shareholders are, and will continue to be, governed by Israeli law which differs in some material respects from the rights and responsibilities of shareholders of U.S. corporations.

The rights and responsibilities of the holders of our ordinary shares are governed by our articles of association and by Israeli law. These rights and responsibilities differ in some material respects from the rights and responsibilities of shareholders in U.S. corporations. In particular, a shareholder of an Israeli company has a duty to act in good faith and in a customary manner in exercising its rights and performing its obligations towards the company and other shareholders, and to refrain from abusing its power in the company, including, among other things, in voting at a general meeting of shareholders on matters such as amendments to a company’s articles of association, increases in a company’s authorized share capital, mergers and acquisitions and related party transactions requiring shareholder approval. In addition, shareholders have a general duty to refrain from discriminating against other shareholders and a shareholder who is aware that it possesses the power to determine the outcome of a shareholder vote or to appoint or prevent the appointment of a director or chief executive officer in the company has a duty of fairness toward the company with regard to such vote or appointment. There is limited case law available to assist us in understanding the nature of this duty or the implications of these provisions. These provisions may be interpreted to impose additional obligations and liabilities on holders of our ordinary shares that are not typically imposed on shareholders of U.S. corporations. See “Item 6.C. Board Practices — Approval of Related Party Transactions under Israeli Law—Fiduciary Duties of Directors and Executive Officers.”

ITEM 4. INFORMATION ON THE COMPANY

A. History and Development of the Company

Our History

CyberArk Software Ltd. was founded in 1999 with the vision of protecting high-value business data and pioneered our Digital Vault technology, which is the foundation of our primary platform. That same year, we began offering our first product, the Sensitive Information Management Solution (previously called the Sensitive Document Vault), which provided a secure platform for our customers’ employees to share sensitive files. We believe our early innovation in vaulting technology enabled us to evolve into a company that provides a comprehensive security solution built for privileged access management. In 2005, we introduced our Privileged Access Security Solution, which has become our leading offering and reflects our emphasis on protecting privileged access across an organization. In September 2014, we listed our ordinary shares on Nasdaq. In 2015, we acquired Viewfinity, Inc., a provider of Windows least privilege management and application control software, as well as Cybertinel Ltd., a cybersecurity company specializing in cyber threat detection technology. In May 2017, we acquired Conjur Inc., a provider of DevOps security software, and in March 2018, we acquired Vaultive, Ltd., a cloud security provider. Based on our continued innovation, today we are the leader in privileged access management, a critical layer of IT security to protect data, infrastructure and assets across the enterprise, in the cloud and throughout the DevOps pipeline.

We are a company limited by shares organized under the laws of the State of Israel. We are registered with the Israeli Registrar of Companies. Our registration number is 51-229164-2. Our principal executive offices are located at 9 Hapsagot St., Park Ofer B, POB 3143, Petach-Tikva, 4951040, Israel, and our telephone number is +972 (3) 918-0000. Our website address is www.cyberark.com. Information contained on, or that can be accessed through, our website is not part of this annual report and is not incorporated by reference herein. We have included our website address in this annual report solely for informational purposes. Our SEC filings are available to you on the SEC’s website at http://www.sec.gov. This site contains reports, proxy and information statements, and other information regarding issuers that file electronically with the SEC. The information on that website is not part of this annual report and is not incorporated by reference herein. Our agent for service of process in the United States is CyberArk Software, Inc., located at 60 Wells Avenue, Newton, MA 02459, and our telephone number is (617) 965-1544.

Principal Capital Expenditures

Our cash capital expenditures for fiscal years 2017, 2018 and 2019 amounted to $6.8 million, $8.6 million and $7.0 million, respectively. Capital expenditures consist primarily of investments in leasehold improvements for our office space and the purchase of furniture, computers and related equipment. We anticipate our capital expenditures in fiscal year 2020 to not exceed 2% of revenue. We anticipate our capital expenditures in 2020 will be financed with cash on hand and cash provided by operating activities.



B. Business Overview

We are the global leader in privileged access management, a critical layer of IT security to protect data, infrastructure and assets across the enterprise, in the cloud and throughout the DevOps pipeline. Our software solutions are focused on protecting privileged accounts, credentials and secrets used by human and machine identities, which are consistently sought-after by cyber attackers to accomplish their goals. Privileged accounts and secrets are pervasive and act as the “keys to the IT kingdom,” providing complete access to, and control of, IT infrastructure, applications, DevOps tools, and critical business data, whether located on-premises or in the cloud. In the hands of an external attacker or malicious insider, privileged credentials allow attackers to take control of and disrupt an organization’s infrastructure and applications, steal confidential information and commit financial fraud. Our comprehensive solutions proactively protect credentials, isolate and monitor sessions, detect and respond to privileged threats, provide secrets management for commercial off the shelf applications and applications built using DevOps methodologies, and secure privileged access on the endpoint. Our customers use our innovative solutions to introduce a critical security layer to protect against, detect and respond to cyber attacks before they strike vital systems, compromise sensitive data and disrupt business operations.

Organizations worldwide are experiencing an unprecedented increase in the sophistication, scale and frequency of cyber attacks. The challenge this presents is intensified by digital transformation initiatives and cloud migration strategies, which companies are implementing to differentiate themselves from the competition and drive down costs. This in turn is driving the growing adoption of modern technologies such as cloud computing, container and micro-service-based cloud native application architectures leveraging DevOps methodologies, and Robotic Process Automation. Although these technologies deliver tremendous business benefits, they have resulted in increasingly complex and distributed IT environments with a significantly larger attack surface. Organizations have historically relied upon perimeter-based threat protection solutions such as network and web security tools as the predominant defense against cyber attacks, yet these traditional solutions have a limited ability to stop today’s advanced threats. Many organizations are still in the early stages of adapting their security strategies to address this new threat environment and are evolving their approaches based on the assumption that their network perimeter has been or will be breached. They are therefore increasingly implementing privileged access management for human and machine identities as a critical layer of protection to disrupt attacks against their on-premises and cloud-based assets before they result in the loss of confidential information or other serious damage. Regulators are also mandating rigorous compliance with new laws that call for heavy fines for not protecting the security and privacy of customers’ personally identifiable information.

We believe that the implementation of a privileged access management solution is the most critical component of an effective security strategy. Privileged accounts, credentials and secrets represent some of the most vulnerable aspects of an organization’s IT infrastructure and application stack since they are used by human and non-human users to access an organization’s most sensitive systems and data. Privileged accounts are used by system administrators, third-party remote vendors, Software as a Service (SaaS) administrators, DevOps teams and business users, and they exist in nearly every connected device, server, hypervisor, container, operating system, database, application and endpoint. Credentials and secrets are also used by machine identities for application to application interactions such as IT management, security, DevOps, and Robotic Process Automation software. Due to the broad access and control they provide, privileged access exploitation is a critical stage of the cyber attack lifecycle. The typical cyber attack involves an attacker effecting an initial breach to steal credentials, moving laterally through the IT infrastructure to identify valuable targets, escalating privileges to access target systems, and exfiltrating, or stealing, the desired information.

Our solutions can be deployed in traditional on-premises data centers, public, private or hybrid cloud environments. Our innovative software solutions are the result of 20 years of research and expertise, combined with valuable knowledge we have gained from working with our diverse population of customers and from our acquisitions of Viewfinity, Cybertinel, Conjur, and Vaultive.

The CyberArk Privileged Access Security solution provides the most comprehensive approach to securing privileged credentials on-premises and in the cloud, from every endpoint and application, and throughout the DevOps pipeline. The Core Privileged Access Security offering provides risk-based credential protection, session isolation and monitoring to detect and prevent attacks involving privileged access. This solution can be extended with least privilege control for Linux, Unix, and Windows servers as well as domain control protection. CyberArk also provides application credential and DevOps secrets management with Application Access Manager and protection of privilege on endpoints with Endpoint Privilege Manager. CyberArk supports standard deployment methodologies (on-premises, hybrid, and in the cloud) with perpetual, term-based and subscription licensing options.



CyberArk also has the industry’s most complete SaaS portfolio for privileged access management with CyberArk Privilege Cloud, Endpoint Privilege Manager, and Alero. CyberArk Privilege Cloud securely stores, rotates, and isolates credentials used by human and machine identities and offers comprehensive session management. Endpoint Privilege Manager is available for on-premises and SaaS deployments. Alero is a new SaaS based solution that CyberArk introduced in 2019 to secure privileged remote vendor access.

Our solution complements cloud, Robotic Process Automation, IT management, and security solutions provided by other vendors in two significant ways: first, by securing privileged access used by these solutions and second, through the sharing of valuable information between the solutions, for improved detection, protection and response in the event of a cyber attack.

In April 2016, we announced the launch of the C3 Alliance, CyberArk’s global technology partner program, which brings together enterprise software, IT, Security and cloud providers to build on the power of privileged access security to better protect customers from cyber threats. The program establishes a product integration foundation with our C3 Alliance technology partners for the benefit of our mutual customers. We launched the CyberArk Marketplace in April 2018 to provide a trusted platform for customers to easily find and deploy integrations from the C3 Alliance, partners, and community members.

As of December 31, 2019, we had more than 5,300 customers, including more than 50% of the Fortune 500 companies and more than 35% of the Global 2000 companies. We define a customer to include a distinct entity, division or business unit of a company. Our customers include leading organizations in a diverse set of industries, including financial services, manufacturing, insurance, healthcare, energy and utilities, transportation, retail, technology and telecommunications, as well as government agencies. We sell our solutions through a high touch hybrid model that includes direct sales, channel sales, managed security service providers, as well as advisory firm partners. This provides us with significant opportunities to grow our current customer base. Further, the relationships developed with our channel and advisory firms allow us to benefit from their global reach and maintain close relationships with our customers. Additionally, we continue to enhance our product offerings and go-to-market strategy by establishing technology alliances within the IT infrastructure and security vendor ecosystem.

Industry Background

The growth of the privileged access management market is driven by three primary drivers. The first is the need for organizations to defend themselves against sophisticated attacks. Organized crime, malicious insiders and nation states exploit unsecured privileged access to carry out their attacks. The 2019 Verizon Data Breach Report found that privilege misuse was a top three pattern in breaches in financial services and insurance, healthcare, manufacturing, public administration, and retail. The second driver relates to digital transformation. The digitization of business creates a larger digital landscape full of opportunities for engagement, but also greater exposure to threats. New digital technologies require expanding privileged access for both humans and machines that needs to be secured. Hybrid and multi-cloud adoption drive the need for centralized solutions that help secure privileged access enterprise-wide. The third driver is compliance. Industry regulations such as Sarbanes Oxley (SOX), Payment Card Industry Data Security Standard (PCI), SWIFT Customer Security Controls Framework, Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and security frameworks such as National Institute of Standards (NIST) and the Center for Internet Security (CIS) all have stringent requirements to uphold strong privileged access management security controls to maintain data privacy and sovereignty.



Our Solutions

Our solutions secure organizations’ high-value data and critical IT assets by providing proactive protection against external and internal cyber threats and enabling real-time detection and neutralization of attacks involving privileged access.


Our solutions consist of Core Privileged Access Security for risk-based credential security and session management with advanced add-on options for least privilege server and domain controller protection. Customers can also purchase Application Access Manager for secrets management for commercial off-the-shelf and custom applications, including cloud-native applications built using DevOps tools. Application Access Manager is a new offering introduced in early 2019 that combines the former Application Identity Manager and Conjur Enterprise. Conjur continues to be available to developers as open source software. CyberArk offers least privilege and credential theft protection for Windows and Mac workstations with Endpoint Privilege Manager. CyberArk Alero provides Zero Trust access, biometric multi-factor authentication and just-in-time provisioning and is delivered as a SaaS solution. We also offer over 200 certified joint solutions with leading cloud, security, and IT management providers via our C3 Alliance program.

Core Privileged Access Security

CyberArk’s Core Privileged Access Security offering includes risk-based credential security and session management to protect against attacks involving privileged access. This offering includes CyberArk’s industry leading vault for credential protection; session management; and analytics to detect and proactively respond to privileged access threats. We began selling these three products together as Core Privileged Access Security starting in January 2018. CyberArk’s Core Privileged Access Security solution can be deployed in an on-premises data center, in a hybrid cloud or a public cloud environment either as a perpetual or as a subscription term based license. In addition, Core Privileged Access Security is available as a SaaS solution with the CyberArk Privilege Cloud. CyberArk Privilege Cloud is ideal for commercial and smaller enterprise customers who are implementing privileged access management projects and includes credential protection and session management.

The Core Privileged Access Security solution secures and rotates passwords, credentials, and SSH keys to prevent the malicious use of privileged access by external attackers and malicious insiders. The solution manages, secures, and automatically rotates privileged credentials based on an organization’s security policies; and enforces granular access controls and workflows to protect who can access which credentials and when. Automated processes reduce the time it takes to manually track and update privileged credentials to meet audit and compliance standards.

The solution also secures, isolates, controls and monitors privileged user sessions to critical Unix, Linux, and Windows-based systems, databases, virtual machines, network devices, mainframes, websites, SaaS applications, cloud platforms, DevOps tools and more. It provides a single-access control point, helps prevent malware from jumping to a target system through the isolation of end users, and records every keystroke and mouse click for continuous monitoring. Detailed session recordings and the ability to search, locate, and alert on sensitive events without having to filter through logs simplifies compliance audits and accelerates forensic investigations. Real-time monitoring helps provide continuous protection for privileged access as well as automatic suspension and termination of privileged sessions if any activity presents a high-level of risk to the organization.



Native access to supported targets simplifies adoption by end users while enabling organizations to maintain a strong security posture. With the acquisition of Vaultive in March 2018 and the launch of Privileged Session Manager for Cloud in October 2018, CyberArk now offers native access for web-based applications, including support for leading cloud platforms, PaaS providers, SaaS, and social media applications. Along with Privileged Session Manager for Cloud, the solution also supports native access for Windows users via any RDP client application and Linux users through an SSH client such as PuTTY.

Lastly, the Core Privileged Access Security offering enables organizations to detect, alert and respond to anomalous privileged activity indicating an in-progress attack. The solution collects a targeted set of data from multiple sources, including the CyberArk Digital Vault, SIEM and the network. A combination of machine learning, behavioral analysis, and statistical and deterministic algorithms enables organizations to detect indications of compromise early in the attack lifecycle by identifying malicious privileged access activity across on-premises and cloud environments.

The Core Privileged Access Security offering can be extended to secure least privilege on Linux, Unix, and Windows servers, protect domain controllers, and secure remote privileged access.

Least Privilege Server Protection. The CyberArk Core Privileged Access Security offering allows privileged users to use administrative commands from their native Linux/Unix and Windows sessions while eliminating unneeded root access or admin rights. This solution provides unified and correlated logging of all super user activity linking it to a personal username while providing the freedom needed to perform job functions. Granular access control is enforced while continuously monitoring all administrative commands executed by super users based on their role and task.

Domain Controller Protection. CyberArk offers an ultra-lightweight Windows agent that performs network behavior analytics to detect a range of potential threats including suspected credential theft, lateral movement and privilege escalation on domain controllers. It provides the ability to enforce granular controls for least privilege and application control on domain controllers and to detect a variety of in-progress Kerberos attacks including Golden Ticket, Overpass-the-Hash and Privilege Attribute Certificate (PAC) manipulation.

Secure Remote Vendor Access to CyberArk Core Privileged Access Security with CyberArk Alero. CyberArk Alero combines Zero Trust access, biometric multi-factor authentication and just-in-time provisioning into one SaaS-based solution. Alero ensures that remote vendors only access what they need by fully integrating with CyberArk Core Privileged Access Security for full audit, recording and remediation capabilities. Alero is designed to provide fast, easy and secure privileged access to remote vendors who need access to critical internal systems. By not requiring VPNs, agents or passwords, Alero removes operational overhead for administrators and makes organizations more secure.

Application Access Manager

CyberArk Application Access Manager is designed to provide comprehensive privileged access, credential, and secrets management for widely used application types and non-human identities. Application Access Manager enables organizations to avoid the need to store privileged credentials, passwords, keys, etc., within applications and instead easily and securely access the required credentials from the CyberArk Vault. To simplify the usage of Application Access Manager, CyberArk offers the widest eco-system of validated application integrations for securing privileged access.

For securing commercial off-the-shelf solutions, Application Access Manager can be used to provide and manage the credentials that third-party tools and solutions such as security tools, RPA, automation tools, IT management, etc. need to complete their jobs. Securing application credentials for popular commercial off-the-shelf applications is available via CyberArk Privilege Cloud.

For cloud-native applications built using DevOps methodologies, Application Access Manager provides a secrets management solution tailored specifically to the unique requirements of cloud-native and DevOps environments. The solution integrates with a wide range of DevOps tools such as Ansible, Jenkins, Puppet; PaaS/Container orchestration platforms such as Red Hat OpenShift, Pivotal Cloud Foundry, and Kubernetes, whether running on-premises, hybrid or on multiple cloud platforms. To better meet the needs of the developer community securing credentials used by applications in cloud-native and DevOps environments, an open source version of Application Access Manager is available as Conjur Open Source at www.conjur.org.



Additionally, for internally developed traditional applications, Application Access Manager can be used to protect business-system data and simplify operations by eliminating hardcoded credentials from internally developed applications and scripts. The solution supports a broad range of application environments and platforms, including application servers, Java, .Net, scripting running on a variety of platforms and operating systems including Unix/Linux, Windows and OS.

Endpoint Protection

Endpoint Privilege Manager. CyberArk Endpoint Privilege Manager secures privileges on the endpoint (Windows servers, Windows desktops and Mac desktops) and helps contain attacks early in their lifecycle. It enables revocation of local administrator rights, while minimizing impact on user productivity, by seamlessly elevating privileges for authorized applications or tasks. Application control, with automatic policy creation, allows organizations to prevent malicious applications from executing, and runs unknown applications in a restricted mode. This, combined with credential theft protection, helps prevent malware such as ransomware from gaining a foothold and contains attacks on the endpoint. CyberArk Endpoint Privilege Manager is available through on-premises and SaaS deployments.

Our Services

Maintenance and Support

Our customers typically purchase one year or, to a lesser extent, three years, of software maintenance and support, in conjunction with their initial purchase of perpetual licenses for our products. Thereafter, they can renew such maintenance and support for additional one or three-year periods. These two alternative maintenance and support periods are common in the software industry. Customers pay for each alternative in full at the beginning of their terms. The substantial majority of our contracts sold are for a one-year term. For example, for the years 2017 through 2019 approximately 80% of the renewal contracts were for a one-year term.

Our global customer support organization has expertise in our software and how it interacts with complex IT environments. When sales are made to customers directly, we typically also provide any necessary maintenance and support pursuant to a maintenance and support contract directly with the customer. We typically provide all levels of support directly to our customers. However, when sales are made through channels, the channel partner may provide the first and second level support, and we typically provide third level support if the issue cannot be resolved by the channel partner.

Our maintenance and support program provides customers the right to software bug repairs, the latest system enhancements and updates on an if-and-when available basis during the maintenance period, and access to our technical support services. Our technical support services are provided via our online support center, which enables customers to submit new support queries and monitor the status of open and past queries. Our online support system also provides customers with access to our CyberArk Knowledge Base, an online user-driven information repository that provides customers the ability to address their own queries. Additionally, we offer email and telephone support during business hours to customers that purchase a standard support package and 24/7 availability to customers that purchase our 24/7 support package.

Professional Services

Our products are designed to allow customers to download, install and deploy them on their own or with training and professional assistance. CyberArk solutions are highly configurable and many customers will select either one of our many trained channel partners or our CyberArk Security Services team to provide expert professional services. Our Security Services team can be contracted to assist customers in planning, installing and configuring our solution to meet the needs of their security and IT environment, and provide technical account management services. Our Security Services team provides ongoing consulting services regarding best practices in privileged access management, and recommended ways to implement our solutions to meet specific customer requirements. Additionally, they share best practices associated with privileged access security to educate customers and partners on such best practices through virtual classroom, live face-to-face, or self-paced classes.

Our Technology

Our comprehensive solutions rely on a set of proprietary technologies that provide a high level of security, scalability and reliability. The core technologies included in our solutions are as follows.

Shared Technology Platform. Our shared technology platform is the foundation of the CyberArk Privileged Access Security Solution and includes our secure Digital Vault, Web Management Interface, Master Policy Engine and Discovery Engine. Our Digital Vault is an encrypted server that only responds to preset vault protocols to promote security throughout an organization’s network. CyberArk solutions use the Digital Vault to safely store, audit and manage passwords, privileged credentials and secrets, policy information and privileged account session data. Our proprietary vault protocol technology enables distributed deployments across global networks for central management and auditing while providing enterprise-wide global coverage. Our Web Management Interface provides a single, user-friendly interface for customers to set, manage and monitor privileged access security policies across an entire organization in a matter of minutes while allowing for granular level exceptions to meet the organization’s specific operational needs. Organizations can also leverage REST APIs to automate privileged access security tasks and quickly integrate CyberArk solutions with existing security, operations and DevOps tools. Our Master Policy Engine and Discovery Engine enable organizations to understand the scope of privileged access risk and help ensure that all privileged activity is accounted for by automatically discovering new privileged accounts or changes to existing accounts.

Secure Digital Vault Technology. Our proprietary Digital Vault technology provides a highly secure, isolated environment, independent of other software, and is engineered with multiple layers of security. Our Digital Vault provides a data encryption mechanism that eliminates the need for encryption key management by the end user, while each object in our Digital Vault is encrypted with its own unique encryption key. To ensure security throughout the network, our Digital Vault communicates within an organization’s network and over the internet through a proprietary and highly protected Vault Protocol, enabling an organization to implement the centrally managed Privileged Access Security Solution with products located in multiple datacenters and geographic locations. Our Digital Vault provides an additional level of protection by preventing the vault administrator from accessing or discovering protected data stored within it. In addition, our Digital Vault database is embedded, isolated and self-managed as part of our Digital Vault software, thereby blocking database administrator access to our Digital Vault database to further eliminate threats. Our Privileged Access Security Solution’s additional products use the highly secured Digital Vault to safely store, audit and manage passwords, privileged credentials, policy information and privileged access session data.

Sophisticated Threat Analytics Algorithms. Our team of cyber experts and development engineers has developed proprietary algorithms that are at the core of our privileged analytics and threat detection solution. These algorithms were developed using our deep understanding of cybersecurity and cyber attack techniques, together with over a decade of rich experience in analyzing privileged access activities. Our solution uses these proprietary algorithms to construct a behavioral profile for privileged users within an organization and continuously updates the profile based on normal changes in behavior. Once a behavioral profile is established, the threat analytics algorithms provide the ability to look for deviations from that profile in order to identify anomalies in user behavior. It then scores each individual anomaly and determines the level of threat based on the correlation of such anomalous events. Additionally, agents can be deployed to analyze and to detect Kerberos-based attacks against domain controllers in real-time. These attacks are particularly dangerous since they enable attackers to gain unrestricted access and control to the entire IT infrastructure. Alerts with full details of the incident, including the probability of malicious intent, can be raised immediately, allowing an organization’s incident response team to review the potential threat and take action when necessary.

Strong Application Authentication and Credential Management. The Application Access Manager architecture allows an organization to eliminate hard-coded application credentials, such as passwords and encryption keys, from applications and scripts. Our secure, proprietary technology permits authentication of an application during run-time, based on any combination of the application’s signature, executable path or IP address, and operating system user. Following application authentication, the authenticated application uses a secure application programming interface, or API, to request privileged account credentials during run-time and, based on the application permissions in our Privileged Access Security Solution, up-to-date credentials are provided to the application. To ensure business continuity, and high availability and performance even within complex and distributed network environments, our advanced product architecture provides a secure local credentials cache on the application server, eliminating the dependency on network availability and traffic during a run-time application credential request. Our proprietary architecture provides even higher value in application server environments, allowing an organization to eliminate application credentials without the need to perform any code changes or impacting application availability.

Privileged Session Recording and Controls. Our innovative privileged session recording and control mechanisms provide the ability to isolate an organization’s IT systems from end-user desktops, while monitoring and recording the privileged session activities. Our proprietary architecture provides a highly secure, proxy-based solution that does not require agent installation on the target systems and provides a single-access control point to the target systems. The architecture blocks direct communication between an end-user’s desktop and a target system, thus preventing potential malware on the desktop from infiltrating the target system. This architecture further ensures that privileged credentials will remain protected and will not be exposed to the end-user or reach the desktop. CyberArk session monitoring solutions support native connectivity to Windows and other graphical platforms via native RDP tools, and Linux/Unix using native SSH tools. Additionally, following the acquisition of Vaultive the solution provides native access to SaaS applications, cloud consoles, DevOps tools, social media platforms and more. Native access not only streamlines the connection process and workflow, but more importantly it unifies and enforces organizational security policy across disparate targets. Comprehensive recording capabilities provide the ability to record every keystroke and mouse click on the privileged session, and also provide DVR-like recordings with search, locate and alert capabilities. Risk scoring can be applied to each recorded session, automating the review of all privileged sessions and enabling auditors to prioritize and deprioritize workloads based on risk.

Strong Endpoint Security. Following the acquisition of Viewfinity, Inc. in 2015, we began offering endpoint agent technology, which provides policy-based privilege management, application control and credential theft protection capabilities. The agent is able to detect privileged commands, and application installation or invocation on the endpoint, and to validate whether it is permissible by the organization’s security policy, otherwise blocking the operation or allowing it to run in a restricted mode (via application whitelisting, blacklisting and greylisting). Having users operate in a least privilege mode together with our agent-based technology effectively reduces the attack surface that attackers or malware can exploit. The solution leverages third party threat and reputation information to enrich the policy and black-list definitions to further strengthen controls and block bad or malicious applications based on such security intelligence.

Secure Remote Vendor Access. The cloud-based multi-factor authentication provided with Alero leverages the biometric capabilities of smartphones, which in turn gives authorized remote vendors simple, secure, just-in-time privileged access. Once a vendor is authenticated, all privileged sessions are automatically recorded for full audit and monitored in real time. Alero integrates Zero Trust access, biometric multi-factor authentication, just-in-time provisioning and full integration with CyberArk Core Privileged Access Security for full visibility and audit for administrators, into one single SaaS solution.

Our Customers

As of December 31, 2019, we had more than 5,300 customers, including more than 50% of the Fortune 500 companies and more than 35% of the Global 2000 companies. Our customers include leading organizations in a diverse set of industries, including financial services, manufacturing, insurance, healthcare, energy and utilities, transportation, retail, technology and telecommunications, as well as government agencies.

Our business is not dependent on any particular customer. No customer or channel partner accounted for more than 10% of our revenues in the last three years. Our diverse global footprint is evidenced by the fact that in 2019, we generated 53.9% of our revenues from customers in the United States, 29.9% from the EMEA region and 16.2% from the rest of the world, including countries in North and South America other than the United States and countries in the Asia Pacific region.

Sales and Marketing

Sales

We believe that our hybrid sales model, which combines the leverage of high touch, channel sales with the account control of direct sales, has played an important role in the growth of our customer base to date. We maintain a highly trained sales force that is responsible for developing and closing new business, the management of relationships with our channel partners and the support and expansion of relationships with existing customers. Our sales organization is organized by geographic regions, consisting of the Americas, EMEA and Asia Pacific and Japan regions. As of December 31, 2019, our global network of channel partners consisted of more than 400 resellers, distributors and managed service providers. Our channel partners generally complement our sales efforts by helping identify potential sales targets, maintaining relationships with certain customers and introducing new products to existing customers and offering post-sale professional services and technical support. In 2019, we generated approximately 35% of our revenues from direct sales from our field offices located throughout the world. Approximately 45% of our sales in the United States are direct while the substantial majority of our sales in the EMEA and APJ regions and the rest of the world are through channel partners. We work with many global systems integration partners and several leading regional security value added resellers, such as Optiv Security Inc., Computacenter PLC, Orange S.A. Business Services (Orange Cyberdefense), Atos, M.Tech, Netpoleon Solutions, and Edvance. These companies were each among our top 15 channel partners in 2018 and 2019 by revenues and we have derived a meaningful amount of revenues from sales to each of them during the last two years. Further, we work with advisory firms such as Deloitte, KPMG and Accenture in marketing our solutions and providing implementation services to our customers.
We also have a joint business relationship contract with PricewaterhouseCoopers LLP in which we may engage in co-marketing and associated co-delivery of solutions and implementation services.

Our sales cycle varies by size of the customer, the number of products purchased and the complexity of the customer’s IT infrastructure, ranging from several weeks for incremental sales to existing customers to many months for sales to new customers or large deployments. We also typically experience seasonality in our sales, particularly demonstrated by increased sales in the last month of a quarter and the last quarter of the year. To support our broadly dispersed global channel and customer base, as of December 31, 2019, we had sales personnel in 37 countries. We plan to continue investing in our sales organization to support both the growth of our channel partners and our direct sales organization.

Marketing

Our marketing strategy is focused on building our brand strength, communicating the benefits of our solutions, developing leads and increasing sales to existing customers. We market ourselves as the global leader in privileged access management, a critical layer of IT security to protect data, infrastructure and assets across the enterprise, in the cloud and throughout the DevOps pipeline. We execute our strategy by leveraging a combination of internal marketing professionals and a network of channel partners to communicate the value proposition and differentiation for our products, generating qualified leads for our sales force and channel partners. Our marketing efforts also include public relations in multiple regions and extensive content development available through our website. We are focused on ongoing thought-leadership campaigns to reinforce our positioning as the privileged access management leader. Our marketing team is expanding its efforts by investing in analytics-driven lead development, stronger global coordination, quick response to current events and proactive and consistent communication with market analysts.

Research and Development

Continued investment in research and development is critical to our business. Our research and development efforts are focused primarily on improving and continuing to enhance existing products and services, as well as developing new products, features and functionality to meet market needs. We believe the timely development of new products and capabilities is essential to maintaining our competitive position. We regularly release new versions of our software which incorporate new features and enhancements to existing ones. We also maintain a dedicated CyberArk Labs team that researches reported advanced cyber attacks, the attackers’ techniques and post-exploit methods that lead to new security development initiatives for our products, and provides thought-leadership on new product capabilities and targeted attack mitigation.

As of December 31, 2019, we had 349 employees focused on research and development. We conduct our research and development activities primarily in Israel. We believe this provides us with access to world class engineering talent. Our research and development expenses were $42.4 million, $57.1 million, and $72.5 million in 2017, 2018 and 2019, respectively.

Intellectual Property

We rely on a combination of patent, trademark, copyright and trade secret laws, confidentiality procedures and contractual provisions to protect our technology and the related intellectual property.

As of December 31, 2019, we had 33 issued patents in the United States, and 72 pending U.S. patent applications. We also had 7 issued patents and 23 applications pending for examination in non-U.S. jurisdictions, all of which are counterparts of our U.S. patent applications.

The inventions for which we have sought patent protection relate to current and future elements of our products and technology. The following list of products identifies some of those with patent-protected features but other products may also be protected by one or more patents: Digital Vault, Discovery & Audit tool, Privileged Threat Analytics, Privileged Session Manager, Endpoint Privilege Manager and Application Access Manager.

We generally enter into confidentiality agreements with our employees, consultants, service providers, resellers and customers and generally limit internal and external access to, and distribution of, our proprietary information and proprietary technology through certain procedural safeguards. These agreements and measures may not effectively prevent unauthorized use or disclosure of our intellectual property or technology and may not provide an adequate remedy in the event of unauthorized use or disclosure of our intellectual property or technology.

Our industry is characterized by the existence of a large number of relevant patents and frequent claims and related litigation regarding patent and other intellectual property rights. In particular, leading companies in the security industry have extensive patent portfolios. As our market position continues to grow, we believe that competitors will be more likely to try to develop products that are similar to ours and that may infringe our proprietary rights. It may also be more likely that competitors or third parties will claim that our products infringe their proprietary rights. From time to time, third parties have asserted and may assert their patent, copyright, trademark and other intellectual property rights against us, our channel partners, users or customers, whom our standard license and other agreements may obligate us to indemnify against such claims under certain circumstances. Successful claims of infringement or misappropriation by a third party could prevent us from developing, distributing, licensing, using certain products, performing certain services or could require us to pay substantial damages (including, for example, treble damages if we are found to have willfully infringed patents and increased statutory damages if we are found to have willfully infringed copyrights), royalties or other fees. Such claims also could require us to expend additional development resources to attempt to redesign our products or services or otherwise to develop non-infringing technology; enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual property rights; and to indemnify our customers and partners (and parties associated with them). 
Even if third parties may offer a license to their technology, the terms of any offered license may not be acceptable, and the failure to obtain a license or the costs associated with any license could cause our business, results of operations or financial condition to be materially and adversely affected.

Competition

The IT security market in which we operate is characterized by intense competition, constant innovation, rapid adoption of different technological solutions and services, and evolving security threats. We compete with a multitude of companies that offer a broad array of IT security products that employ different approaches and delivery models to address these evolving threats.

Our current competitors include BeyondTrust Corporation, Broadcom Inc. (which acquired CA Technologies), One Identity LLC, and Thycotic Software Ltd., in the access and identity management market, some of which may offer solutions at lower price points. Further, we may face competition due to changes in the manner that organizations utilize IT assets and the security solutions applied to them, such as the provision of privileged account security functionalities as part of public cloud providers’ infrastructure offerings, or cloud-based identity management solutions. Limited IT budgets may also result in competition with providers of other advanced threat protection solutions such as McAfee, LLC, Palo Alto Networks, Splunk Inc., and NortonLifeLock, Inc. (formerly known as Symantec Corporation acquired by Broadcom Inc.). We also may compete, to a certain extent, with vendors that offer products or services in adjacent or complementary markets to privileged access management, including identity management vendors and cloud platform providers such as Amazon Web Services, Google Cloud Platform, and Microsoft Azure.

The principal competitive factors in our market include:

the breadth and completeness of a security solution;

reliability and effectiveness in protecting, detecting and responding to cyber attacks;

analytics and accountability at an individual user level;

ability of customers to achieve and maintain compliance with compliance standards and audit requirements;

strength of sales and marketing efforts, including advisory firms and channel partner relationships;

global reach and customer base;

scalability and ease of integration with an organization’s existing IT infrastructure and security investments;

brand awareness and reputation;

innovation and thought leadership;

quality of customer support and professional services;

speed at which a solution can be deployed and implemented; and

price of a solution and cost of maintenance and professional services.

We believe we compete favorably with our competitors on the basis of these factors. However, some of our current competitors may enjoy potential competitive advantages, such as greater name recognition, longer operating history, larger market share, larger existing user base and greater financial, technical and other resources.

Properties

Our corporate headquarters are located in Petach Tikva, Israel in an office consisting of approximately 139,100 square feet to which we moved in September 2017. The current lease expires in June 2022 with an extension option for two successive one year periods. Our U.S. headquarters are located in Newton, Massachusetts in an office consisting of approximately 32,463 square feet. The lease expires in June 2026 with an extension options for the entire premises through 2034. We maintain additional offices in the U.K. and Singapore along with certain regional sales offices in France, Germany, Australia, Japan, Italy, Netherlands, Spain, Denmark, Poland, India, Kiev and Turkey. We believe that our facilities are sufficient to meet our current needs and that if we require additional space to accommodate our growth, we will be able to obtain additional facilities on commercially reasonable terms.

Internal Cybersecurity

As we offer privileged access management solutions and services, we are sensitive to potential cyber attacks that may result in unauthorized access to our information and potentially that of our customers. We are also aware that, being an Israeli company, we may be targeted by cyber terrorists and state actors. Any actual or perceived breach of our networks, systems or data may have an adverse impact on the market perception of our solutions and services and may expose us to potential liability.

For more information regarding the risks involved with cybersecurity, see “Item 1A. Risk Factors—Our reputation and business could be harmed based on real or perceived shortcomings, defects or vulnerabilities in our solutions or the provision of our services, or due to the failure of our customers, channel partners, managed security service providers, or subcontractors to correctly implement, manage and maintain our solutions, resulting in loss of existing or new customers, lawsuits or financial losses” and “—If our internal IT network system, or those of third parties, is compromised by cyber attackers or other data thieves, or by a critical system failure, our reputation, financial condition and operating results could be materially adversely affected.”

We are focused on continuously implementing and maintaining technologies and solutions to assist in the prevention of potential cyber attacks, as well as protective measures and contingency plans in the event of an actual attack. We maintain cybersecurity risk management policies and procedures, including internal controls, audits and disclosure protocols for handling and responding to cybersecurity events. These policies and procedures include internal notifications and engagements and, as necessary, cooperation with law enforcement. Our controls are designed to limit and monitor access to our systems, networks and data, prevent inappropriate or unauthorized access or modification, and monitor for threats or vulnerability. We conduct periodic trainings for our employees, including on phishing, malware and other cybersecurity risks and we have mechanisms in place designed to promote rapid internal reporting of potential or actual cybersecurity breaches.

We have also made significant investments in technical and organizational measures to establish and manage compliance with laws and regulations governing our data protection activities (such as GDPR), which enhance our data protection and cybersecurity. Furthermore, we monitor cybersecurity risks, certifications or assessments at our third-party cloud infrastructure providers and other IT service providers and reevaluate those contractual relationships as appropriate.

The audit committee of our board periodically reviews our cybersecurity risks and controls with senior management, keeping our board informed of key issues. We periodically review and modify our cybersecurity risk management policies and procedures to reflect changes in technology, the regulatory environment, industry and security practices and other business needs.

Government Regulations

For information regarding the material effects of government regulations, see “—Industry Background” above, “Item 3. Key Information—D. Risk Factors—Regulatory data privacy concerns, evolving regulations of cloud computing, cross-border data transfer restrictions and other domestic or foreign regulations may limit the use and adoption of, or require modification of, our products and services, which could limit our ability to attract new customers or support our current customers, thus reducing our revenues, harming our operating results and adversely affecting our business,” “—Our business may be materially affected by changes to fiscal and tax policies. Potentially negative or unexpected tax consequences of these policies, or the uncertainty surrounding their potential effects, could adversely affect our results of operations and share price,” “—We are subject to governmental trade, export and import controls that could subject us to liability in the event of non-compliance or impair our ability to compete in international markets,” and “The tax benefits that are available to us require us to continue to meet various conditions and may be terminated or reduced in the future, which could increase our costs and taxes,” and “Item 5. Operating and Financial Review and Prospects—Operating Results—Israeli Tax Considerations and Government Programs.”

Legal Proceedings

See “Item 8.A. Financial Information—Consolidated Financial Statements and Other Financial Information—Legal Proceedings.”

C. Organizational Structure

The legal name of our company is CyberArk Software Ltd. and we are organized under the laws of the State of Israel.

The following table sets forth our key subsidiaries all of which are 100% owned directly or indirectly by CyberArk Software Ltd.:

| Name of Subsidiary | Place of Incorporation |
| --- | --- |
| CyberArk Software, Inc. | Delaware, United States |
| Cyber-Ark Software (UK) Limited | United Kingdom |
| CyberArk Software (Singapore) PTE. LTD. | Singapore |
| CyberArk Software (DACH) GmbH | Germany |
| CyberArk Software Italy S.r.l. | Italy |
| CyberArk Software (France) SARL | France |
| CyberArk Software (Netherlands) B.V. | Netherlands |
| CyberArk Software (Australia) Pty Ltd. | Australia |
| CyberArk Software (Japan) K.K. | Japan |
| CyberArk Software Canada Inc. | Canada |
| CyberArk USA Engineering, LP | Delaware, United States |
| CyberArk Software (Spain), S.L. | Spain |

D. Property, Plant and Equipment

See “Item 4.B.—Business Overview—Property” for a discussion of property, plant and equipment.

ITEM 4A. UNRESOLVED STAFF COMMENTS

Not applicable.

ITEM 5. OPERATING AND FINANCIAL REVIEW AND PROSPECTS

For discussion related to our financial condition, changes in financial condition, and the results of operations for the year ended December 31, 2017 and comparison of the years ended December 31, 2017 and 2018, see “Item 5. Operating and Financial Review and Prospects” in our annual report on Form 20-F for the fiscal year ended December 31, 2018 filed with the SEC on March 14, 2019.

Company Overview

We are a global leader in privileged access management, a critical layer of IT security to protect data, infrastructure and assets across the enterprise, in the cloud and throughout the DevOps pipeline. Our software solutions are focused on protecting privileged accounts, credentials and secrets, which are consistently sought-after by cyber attackers to accomplish their goals. Privileged accounts are pervasive and act as the “keys to the IT kingdom” providing complete access to, and control of, IT infrastructure (whether located on-premises or in the cloud), applications, DevOps tools, and critical business data. In the hands of an external attacker or malicious insider, privileged credentials allow attackers to take control of and disrupt an organization’s IT environment and industrial control systems, steal confidential information and commit financial fraud. Our comprehensive solutions provide risk-based credential and session management to detect and protect against attacks involving privileged access, secure secrets used by applications, and enforce privileged access security on the endpoint. Our customers use our innovative solutions to introduce a critical security layer to protect against, detect and respond to cyber attacks before they strike vital systems, compromise sensitive data and disrupt business operations.

We derive our revenues from licensing our cybersecurity software, selling maintenance and support contracts, and providing professional services to the extent requested by customers. Our license revenues consist primarily of revenues from sales of our Core Privileged Access Security Solution, Endpoint Privilege Manager and Application Access Manager. Our customers typically purchase one year and, to a lesser extent, three years, of maintenance and support in conjunction with their initial purchase of perpetual licenses for our products. Thereafter, they can renew such maintenance and support for additional one or three-year periods. Selling our SaaS solutions is also a growing part of our business.

We have experienced significant growth over the last several years, as evidenced by a compound annual growth rate in revenues of 28.8% from 2017 to 2019. We have also increased our number of employees and subcontractors from 1,015 as of December 31, 2017 to 1,380 as of December 31, 2019. We intend to continue to execute on our strategy of growing our business to meet the needs of our customers and to pursue opportunities in new and existing verticals, geographies and products. We intend to continue to invest in the development of our sales and marketing teams, with a particular focus on expanding our channel partnerships, targeting new customers, creating technology partnerships and solidifying relationships with existing customers.

We also plan to continue to invest in research and development in order to continue to develop technology to protect modern enterprises from privileged access security risk from hybrid to cloud-native environments.

During the years ended December 31, 2017, 2018 and 2019, our revenues were $261.7 million, $343.2 million and $433.9 million, respectively, representing year-over-year growth of 31.1% and 26.4% in 2018 and 2019, respectively, and with maintenance and professional services comprising 43.9% and 45.2% of our revenues in 2018 and 2019, respectively. Our net income for the years ended December 31, 2017, 2018 and 2019 was $16.0 million, $47.1 million and $63.1 million, respectively.

Key Financial Metrics

We monitor several key financial metrics to help us evaluate growth trends, establish budgets, measure the effectiveness of our sales and marketing efforts and assess operational efficiencies. The key financial metrics that we monitor are as follows:

Year ended December 31, (in thousands)

| | 2017 | 2018 | 2019 |
|---|---|---|---|
| Revenues | $261,701 | $343,199 | $433,895 |
| Gross profit | 219,853 | 294,738 | 371,280 |
| Non-GAAP gross profit(1) | 226,355 | 303,651 | 381,999 |
| Operating income | 20,326 | 47,292 | 62,284 |
| Non-GAAP operating income(1) | 51,850 | 90,460 | 123,406 |
| Net income | 16,015 | 47,072 | 63,064 |
| Non-GAAP net income(1) | 41,895 | 76,523 | 107,901 |
| Net cash provided by operating activities | 80,737 | 130,125 | 141,710 |
| Total deferred revenues (as of period-end) | 105,235 | 149,534 | 190,355 |


(1) For a reconciliation of non-GAAP gross profit, non-GAAP operating income to operating income and of non-GAAP net income to net income, the most directly comparable GAAP measures, see “Item 3.A. Selected Financial Data.”

Revenues. We derive our revenues primarily from licensing our cybersecurity software, selling maintenance and support contracts, and providing professional services to the extent requested by customers. We review our revenues generally to assess the overall health of our business and our license revenues in particular to assess the adoption of our software and our growth in the markets we serve.

We consider our license revenues to be particularly important in assessing our results of operations because license fees impact both our short-term and long-term revenues. License purchases, whether by new customers or due to expansion by existing customers, impact our revenues favorably in the short-term because we recognize a large portion of license fees immediately upon delivery. License purchases further contribute significantly to our revenues in the long term because the size of our maintenance and support contracts is directly related to our license revenues, but revenues from maintenance and support contracts are recognized on a straight-line basis over the term of the related contract. This fact, coupled with the high renewal rate for our maintenance and support contracts, means that a meaningful portion of the revenues we report each period are recognized from deferred revenues generated by maintenance and support contracts entered into during previous quarters.

The amount that a customer pays for a license can vary from a few thousand dollars to many millions of dollars depending on its scope. We generally license our products on a price per user or price per server basis; however, our license agreements with a small number of our largest customers do not contain any limit on the number of users or servers in recognition of the size of the overall agreement. We also license certain of our products based on the number of concurrent sessions monitored or endpoints secured. As a result, we do not track, and are unable to track, the amount of license revenues we generate on a per user or per server basis. We do, however, maintain internal price guidelines for different size transactions and, since our cost of license revenues is negligible, we generate incremental profit from every license. Although we are focused on growing our customer base, our revenues are a function of both the size of initial sales to new customers and the size of upsells or cross sells to existing customers. We seek to increase the number of large transactions that we enter into because they better leverage our operating expense base, and particularly our sales and marketing expenses, and also generate larger maintenance and support contracts to drive future revenues and margins.

Because the size of our maintenance and support contracts is directly related to our license revenues and because the rates that we charge for professional services fluctuate very little, the drivers of changes in these sources of revenues have to date been volume-based. Historically, there has been little fluctuation in price when we renew a contract for maintenance and support or for professional services. While the demand for professional services is expected to increase as our customers and license base grow, we expect that our channel partners will increase the amount of such services that they provide. Therefore, while we expect an increase in the dollar amount of our professional services revenue, we do not expect our professional services revenues to increase materially as a percentage of total revenues.

See “—Components of Statements of Operations—Revenues” for more information.

Non-GAAP Gross Profit, non-GAAP Operating Income and Non-GAAP Net Income. Non-GAAP gross profit, Non-GAAP operating income and non-GAAP net income are non-GAAP financial measures. We define non-GAAP gross profit, non-GAAP operating income and non-GAAP net income as gross profit, operating income and net income, respectively, which each exclude (i) share-based compensation expense and (ii) amortization of intangible assets related to acquisitions. Non-GAAP operating income also excludes (i) expenses related to acquisitions, and (ii) expenses related to facility exit and transitions costs. Non-GAAP net income also excludes (i) tax effects related to the non-GAAP adjustments set forth above, (ii) tax effects related to the impact to our deferred tax assets as a result of the Tax Act, (iii) intra-entity intellectual property transfer tax effects and (iv) amortization of debt discount and issuance costs.

We believe that providing non-GAAP gross profit, non-GAAP operating income and non-GAAP net income that exclude, as appropriate, share-based compensation expense, expenses related to acquisitions, amortization of intangible assets related to acquisitions, facility exit and transition costs, the tax effects related to these non-GAAP adjustments, intra-entity intellectual property transfer tax effects, non-cash interest expense related to the amortization of debt discount and issuance costs and the tax effects related to the impact to our deferred tax assets as a result of the Tax Act allows for more meaningful comparisons between our financial results from period to period. Share-based compensation expense has been, and will continue to be a significant recurring expense in our business and an important part of the compensation we provide to employees for the foreseeable future. Share-based compensation expense has varying available valuation methodologies, subjective assumptions and a variety of equity instruments that can impact a company’s non-cash expense. We also believe that expenses related to our acquisitions, amortization of intangible assets related to acquisitions, facility exit and transitions costs, intra-entity intellectual property transfer tax effects, non-cash interest expense related to the amortization of debt discount and issuance costs, tax effects related to the impact to our deferred tax assets as a result of the Tax Act and the tax effects related to the non-GAAP adjustments set forth above do not reflect the performance of our core business and would impact period-to-period comparability. Each of our non-GAAP financial measures is an important tool for financial and operational decision making and for evaluating our own financial results over different periods of time. In particular, these financial measures reflect our operating expenses, the largest of which is currently sales and marketing. 
Accordingly, we assess the effectiveness of our sales and marketing efforts in part by considering whether increases in such expenditures are reflected in increased revenues and increased non-GAAP operating income and non-GAAP net income. The material factors driving changes in these financial measures are discussed under the subheading “—Comparison of Period to Period Results of Operations” as well as under “Item 3.A. Selected Financial Data.”

Net Cash Provided by Operating Activities. We monitor net cash provided by operating activities as a measure of our overall business performance. Our net cash provided by operating activities is driven in large part by net income and from up-front payments for maintenance and support contracts and, to a lesser extent, professional services. Monitoring net cash provided by operating activities enables us to analyze our financial performance as it includes our deferred revenues and removes the non-cash effects of certain items such as depreciation, amortization and share-based compensation expense as well as deferred commission expenses, thereby allowing us to better understand and manage the cash needs of our business. The material factors driving changes in our net cash provided by operating activities are discussed under “—Liquidity and Capital Resources.”

Total Deferred Revenues. Our total deferred revenues consist of amounts that have been collected but that have not yet been recognized as revenues because they do not meet the applicable criteria. The substantial portion of our deferred revenues consists of the unrecognized portion of upfront payments associated with maintenance and support contracts. We monitor our total deferred revenues because they represent a significant portion of revenues to be recognized in future periods. Substantially all of the increase in our total deferred revenues has been from growth in our maintenance and support contracts which, in turn, is driven by growth of our license revenues. The material factors driving changes in our license revenues are discussed under “—Comparison of Period to Period Results of Operations.”

A. Operating Results

The following discussion and analysis should be read in conjunction with the section titled “Item 3.A. Selected Financial Data” of this annual report and our consolidated financial statements and the related notes contained elsewhere in this annual report. This discussion and analysis may contain forward-looking statements based upon current expectations that involve risks and uncertainties. Our actual results may differ materially from those anticipated in these forward-looking statements as a result of various factors, including those set forth in “Item 3.D. Risk Factors” of this annual report. Our financial statements have been prepared in accordance with U.S. GAAP.

Components of Statements of Operations

Revenues

Our revenues consist of the following:

License Revenues. License revenues include perpetual and term-based licenses as well as the ratable portion from SaaS during the reported period. License revenues are generated primarily from sales of our Privileged Access Security, Application Access Manager and Endpoint Privilege Manager solutions. The substantial majority of our license revenues has been from sales of our Privileged Access Security solution. Customers can purchase our standard Core Privileged Access Security solution which provides risk-based credential security and session management with advanced add-on options for least privilege server protection and domain controller protection. Customers can also purchase Application Access Manager for secrets management for all application types, including DevOps, and Endpoint Privilege Manager for least privilege and credential theft protection for workstations. The standard Core Privileged Access Security solution is licensed per privileged user; the add-on advanced options for least privilege server protection and domain controller protection are licensed by target system. Endpoint Privilege Manager is also licensed by system. Application Access Manager has two different licensing approaches based on deployment model. The first model is licensed by agent for mission-critical applications like application servers that require the highest levels of performance and availability. The second model is agentless for more dynamic cloud native applications; for this model, Application Access Manager is licensed by calling system for smaller configurations and is licensed by site/region for larger installations.

Maintenance and Professional Services Revenues. Maintenance revenues are generated from maintenance and support contracts purchased by our customers in order to gain access to the latest software enhancements and updates on an ‘if and when available’ basis and to telephone and email technical support. We also offer professional services focused on both deployment and training of our customers to fully leverage the use of our products.

Geographic Breakdown of Revenues

The United States is our biggest market, with the balance of our revenues generated from the EMEA region and the rest of the world, which includes Canada, Central and South America, and the Asia Pacific and Japan region. The following table sets forth the geographic breakdown of our revenues by region for the periods indicated:

Year ended December 31, (in thousands)

| | 2017 Amount | 2017 % of Revenues | 2018 Amount | 2018 % of Revenues | 2019 Amount | 2019 % of Revenues |
|---|---|---|---|---|---|---|
| United States | $145,453 | 55.6% | $187,704 | 54.7% | $233,945 | 53.9% |
| EMEA | 81,778 | 31.2% | 112,086 | 32.7% | 129,730 | 29.9% |
| Rest of World | 34,470 | 13.2% | 43,409 | 12.6% | 70,220 | 16.2% |
| Total revenues | $261,701 | 100.0% | $343,199 | 100.0% | $433,895 | 100.0% |

Cost of Revenues

Our total cost of revenues consists of the following:

Cost of License Revenues. Cost of license revenues consists primarily of amortization of intangible assets, costs incurred by third-party software vendors, hosting costs and shipping costs associated with delivery of our software. We expect the absolute cost of license revenues to increase as our license revenues increase.

Cost of Maintenance and Professional Services Revenues. Cost of maintenance and professional services revenues primarily consists of personnel costs for our global customer support and professional services organization. Such costs consist of salaries, benefits, bonuses, share-based compensation and subcontractors’ fees. We expect the absolute cost of maintenance and professional services revenues to increase as our customer base grows and as we hire additional professional services and technical support personnel.

Gross Profit and Gross Margin

Gross profit is total revenues less total cost of revenues. Gross margin is gross profit expressed as a percentage of total revenues. Our gross margin has historically fluctuated slightly from period to period as a result of changes in the mix of license revenues and maintenance and professional services revenues and we expect this pattern to continue.

Operating Expenses

Our operating expenses are classified into three categories: research and development, sales and marketing and general and administrative. For each category, the largest component is personnel costs, which consist of salaries, employee benefits (including commissions and bonuses) and share-based compensation expense. Operating expenses also include allocated overhead costs for facilities as well as depreciation and amortization. Allocated costs for facilities primarily consist of rent and office maintenance and utilities. We expect personnel and all allocated costs to continue to increase in absolute dollars as we hire new employees and add facilities to continue to grow our business.

Research and Development. Research and development expenses consist primarily of personnel costs attributable to our research and development personnel and consultants as well as allocated overhead costs and software and related expenses. We continue to expect that our research and development expenses will continue to increase in absolute dollars and at least in line with our revenue growth rate as we continue to grow our research and development headcount to further strengthen our technology platform and invest in the development of both existing and new products.

Sales and Marketing. Sales and marketing expenses are the largest component of our operating expenses and consist primarily of personnel costs, including variable compensation, as well as marketing and business development costs, travel expenses, allocated overhead costs and depreciation and amortization of intangible assets. We expect that sales and marketing expenses will continue to increase in absolute dollars and at least in line with our revenue growth rate as we plan to expand our sales and marketing efforts globally. We continue to expect sales and marketing expenses will remain our largest category of operating expenses.

General and Administrative. General and administrative expenses consist primarily of personnel costs for our executive, finance, human resources, legal and administrative personnel. General and administrative expenses also include external legal, accounting and other professional service fees. We continue to expect that general and administrative expense will increase in dollars and at least in line with our revenue growth rate as we grow and expand our operations and operate as a public company, including higher corporate insurance, investor relations and accounting expenses, and the additional costs relating to our ongoing regulatory compliance efforts.

Financial Income (Expenses), Net

Financial income (expenses), net consists mainly of interest income, foreign currency exchange gains or losses, amortization of debt discount and issuance costs and foreign exchange forward transactions expenses. Interest income consists of interest earned on our cash, cash equivalents, short and long-term bank deposits and marketable securities. We expect interest income to vary depending on our average investment balances and market interest rates during each reporting period. Foreign currency exchange changes reflect gains or losses related to transactions denominated in currencies other than the U.S. dollar.

Taxes on Income

The ordinary corporate tax rate in Israel was 24.0% for 2017 and 23.0% for 2018 and 2019.

As discussed in greater detail below under “Israeli Tax Considerations and Government Programs”, we have been entitled to various tax benefits under the Investment Law. Under the Investment Law, our tax rate to be paid with respect to our eligible Israeli taxable income under these benefits programs is 12.0%.

Under the Investment Law and other Israeli legislation, we are entitled to certain additional tax benefits, including accelerated deduction of research and development expenses, accelerated depreciation and amortization rates for tax purposes on certain intangible assets and deduction of public offering expenses in three equal annual installments.

Our non-Israeli subsidiaries are taxed according to the tax laws in their respective jurisdictions of residency. Due to our multi-jurisdictional operations, we apply significant judgment to determine our consolidated income tax position.

Comparison of Period to Period Results of Operations

The following table sets forth our results of operations in dollars and as a percentage of revenues for the periods indicated:

Year ended December 31, ($ in thousands)

| | 2017(1) Amount | 2017(1) % of Revenues | 2018 Amount | 2018 % of Revenues | 2019 Amount | 2019 % of Revenues |
|---|---|---|---|---|---|---|
| Revenues: | | | | | | |
| License | $147,640 | 56.4% | $192,514 | 56.1% | $237,879 | 54.8% |
| Maintenance and professional services | 114,061 | 43.6 | 150,685 | 43.9 | 196,016 | 45.2 |
| Total revenues | 261,701 | 100.0 | 343,199 | 100.0 | 433,895 | 100.0% |
| Cost of revenues: | | | | | | |
| License | 7,911 | 3.0 | 10,526 | 3.1 | 10,569 | 2.4 |
| Maintenance and professional services | 33,937 | 13.0 | 37,935 | 11.0 | 52,046 | 12.0 |
| Total cost of revenues | 41,848 | 16.0 | 48,461 | 14.1 | 62,615 | 14.4 |
| Gross profit | 219,853 | 84.0 | 294,738 | 85.9 | 371,280 | 85.6 |
| Operating expenses: | | | | | | |
| Research and development | 42,389 | 16.2 | 57,112 | 16.6 | 72,520 | 16.7 |
| Sales and marketing | 126,739 | 48.4 | 148,290 | 43.2 | 184,168 | 42.4 |
| General and administrative | 30,399 | 11.6 | 42,044 | 12.3 | 52,308 | 12.1 |
| Total operating expenses | 199,527 | 76.2 | 247,446 | 72.1 | 308,996 | 71.2 |
| Operating income | 20,326 | 7.8 | 47,292 | 13.8 | 62,284 | 14.4 |
| Financial income, net | 4,103 | 1.5 | 4,551 | 1.3 | 7,800 | 1.8 |