UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549
FORM 20-F
☐ REGISTRATION STATEMENT PURSUANT TO SECTION 12(b) OR (g) OF THE SECURITIES EXCHANGE ACT OF 1934
OR
☒ ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
For the fiscal year ended December 31, 2021
OR
☐ TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
OR
☐ SHELL COMPANY REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
Commission file number 001-36625
CYBERARK SOFTWARE LTD.
(Exact name of Registrant as specified in its charter)
ISRAEL
(Jurisdiction of incorporation or organization)
9 Hapsagot St.
Park Ofer B, P.O. BOX 3143
Petach-Tikva 4951040, Israel
(Address of principal executive offices)
Donna Rahav
Chief Legal Officer
Telephone: +972 (3) 918-0000
CyberArk Software Ltd.
9 Hapsagot St.
Park Ofer B, P.O. BOX 3143
Petach-Tikva 4951040, Israel
(Name, telephone, e-mail and/or facsimile number and address of company contact person)
Securities registered or to be registered pursuant to Section 12(b) of the Act:
Title of each class | Trading Symbol(s) | Name of each exchange on which registered
Ordinary shares, par value NIS 0.01 per share | CYBR | The Nasdaq Stock Market LLC
Securities registered or to be registered pursuant to Section 12(g) of the Act: None.
Securities for which there is a reporting obligation pursuant to Section 15(d) of the Act: None.
Indicate the number of outstanding shares of each of the issuer’s classes of capital or common stock as of the close of the period covered by the annual report: As of December 31, 2021, the registrant had outstanding 40,041,870 ordinary shares, par value NIS 0.01 per share.
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act.
Yes ☒ No ☐
If this report is an annual or transition report, indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934.
Yes ☐ No ☒
Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.
Yes ☒ No ☐
Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files).
Yes ☒ No ☐
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” and “emerging growth company” in Rule 12b-2 of the Exchange Act.
Large accelerated filer ☒ | Accelerated filer ☐ | Non-accelerated filer ☐ | Emerging growth company ☐
If an emerging growth company that prepares its financial statements in accordance with U.S. GAAP, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐
Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report. ☒
Indicate by check mark which basis of accounting the registrant has used to prepare the financial statements included in this filing:
U.S. GAAP ☒ | International Financial Reporting Standards as issued by the International Accounting Standards Board ☐ | Other ☐
If “Other” has been checked in response to the previous question, indicate by check mark which financial statement item the registrant has elected to follow.
Item 17 ☐ Item 18 ☐
If this is an annual report, indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act).
Yes ☐ No ☒
CYBERARK SOFTWARE LTD.
FORM 20-F
ANNUAL REPORT FOR THE FISCAL YEAR ENDED DECEMBER 31, 2021
INTRODUCTION
In this annual report, the terms “CyberArk,” “we,” “us,” “our”
and “the Company” refer to CyberArk Software Ltd. and its subsidiaries.
This annual report includes statistical, market and industry data and forecasts that we obtained from
publicly available information and independent industry publications and reports that we believe to be reliable sources. These publicly
available industry publications and reports generally state that they obtain their information from sources that they believe to be reliable,
but they do not guarantee the accuracy or completeness of the information. Although we believe that these sources are reliable, we have
not independently verified the information contained in such publications. Certain estimates and forecasts involve uncertainties and risks
and are subject to change based on various factors, including those discussed under the headings “Special Note Regarding Forward-Looking
Statements” and “Item 3.D. Risk Factors” in this annual report.
Throughout this annual report, we refer to various trademarks, service marks and trade names that we use
in our business. The “CyberArk” design logo is the property of CyberArk Software Ltd. CyberArk® is our registered trademark
in the United States and many other countries. We have several other trademarks, service marks and pending applications relating to our
solutions. In particular, although we have omitted the “®” and “™” trademark designations in this annual
report from each reference to our Privileged Access Security (PAS) solutions, including Privileged Access Manager, Vendor Privileged Access
Manager, Privileged Session Manager (PSM), Enterprise Password Vault (EPV), Privilege Cloud, CyberArk DNA (Discovery and Audit), Privileged
Threat Analytics (PTA), Endpoint Privilege Manager (EPM), Sensitive Information Management (SIM) and Cloud Entitlements Manager; Dynamic
Privileged Access, Secrets Management Solutions, including Conjur Secrets Manager Enterprise, Conjur Secrets Manager Open Source, Credential
Providers, Secretless and Secretless Broker; Access Management Solutions, including CyberArk Workforce Identity, CyberArk Customer Identity
and Secure Web Sessions, and C3 Alliance, all rights to such names and trademarks are nevertheless reserved. Other trademarks and
service marks appearing in this annual report are the property
of their respective holders.
SPECIAL NOTE REGARDING FORWARD-LOOKING STATEMENTS
In addition to historical facts, this annual report contains forward-looking statements within the meaning
of Section 27A of the U.S. Securities Act of 1933, as amended, (the “Securities Act”), Section 21E of the U.S. Securities
Exchange Act of 1934, as amended, (the “Exchange Act”), and the safe harbor provisions of the U.S. Private Securities Litigation
Reform Act of 1995. These forward-looking statements are subject to risks and uncertainties, and include information about possible or
assumed future results of our business, financial condition, results of operations, liquidity, plans and objectives. In some cases, you
can identify forward-looking statements by terminology such as “believe,” “may,” “estimate,” “continue,”
“anticipate,” “intend,” “should,” “plan,” “expect,” “predict,”
“potential,” or the negative of these terms or other similar expressions. The forward-looking statements are based on our
beliefs, assumptions and expectations of future performance. There are important factors that could cause our actual results, levels of
activity, performance or achievements to differ materially from the results, levels of activity, performance or achievements expressed
or implied by the forward-looking statements, including, but not limited to:
• changes to the drivers of our growth and our ability to adapt our solutions to IT security market demands;
• the transition of our business to a subscription model that began in 2021 and our ability to complete our transition goals in the time frame expected;
• our sales cycles and multiple pricing and delivery models;
• unanticipated product vulnerabilities or cybersecurity breaches of our, or our customers’ or partners’ systems;
• an increase in competition within the Privileged Access Management and Identity Security markets;
• our ability to hire, train, retain and motivate qualified personnel;
• our ability to sell into existing and new customers and industry verticals;
• risks related to our compliance with privacy and data protection laws and regulations;
• our history of incurring net losses and our ability to achieve profitability in the future;
• the duration and scope of the COVID-19 pandemic and its impact on global and regional economies and the resulting effect on the demand for our solutions and on our expected revenue growth rates and costs;
• our ability to find, complete, fully integrate or achieve the expected benefits of additional strategic acquisitions;
• our reliance on third-party cloud providers for our operations and SaaS solutions;
• our ability to expand our sales and marketing efforts and expand our channel partnerships across existing and new geographies;
• risks related to sales made to government entities;
• regulatory and geopolitical risks associated with our global sales and operations (including the current conflict between Russia and Ukraine) and changes in regulatory requirements or fluctuations in currency exchange rates;
• the ability of our products to help customers achieve and maintain compliance with government regulations or industry standards;
• risks related to intellectual property claims or our ability to protect our proprietary technology and intellectual property rights;
• risks related to stock price volatility or activist shareholders;
• any failure to retain our “foreign private issuer” status or the risk that we may be classified, for U.S. federal income tax purposes, as a “passive foreign investment company”;
• risks related to our Convertible Notes, including the potential dilution to existing shareholders and our ability to raise the funds necessary to pay amounts due under our Convertible Notes;
• our expectation to not pay dividends on our ordinary shares for the foreseeable future; and
• risks related to our incorporation and location in Israel.
In addition, you should consider the risks provided under “Item 3.D. Risk Factors” in this
annual report.
You should not rely upon forward-looking statements as predictions of future events. Although we believe
that the expectations reflected in the forward-looking statements are reasonable, we cannot guarantee that future results, levels of activity,
performance and events and circumstances reflected in the forward-looking statements will be achieved or will occur. Except as required
by law, we undertake no obligation to update publicly any forward-looking statements for any reason after the date of this annual report,
to conform these statements to actual results or to changes in our expectations.
PART I
ITEM 1. IDENTITY OF DIRECTORS, SENIOR MANAGEMENT AND ADVISERS
Not applicable.
ITEM 2. OFFER STATISTICS AND EXPECTED TIMETABLE
Not applicable.
A. Selected Financial Data
Not applicable.
B. Capitalization and Indebtedness
Not applicable.
C. Reasons for the Offer and Use of Proceeds
Not applicable.
D. Risk Factors
Risks Related to Our Business and Our Industry
The IT security market is rapidly evolving within the increasingly
challenging cyber threat landscape. If our solutions fail to adapt to market changes and demands, sales may not continue to grow or may
decline.
We offer identity security solutions that safeguard privileged accounts’ credentials and secrets,
secure access across both human and non-human identities, and manage entitlements to cloud environments. If customers do not recognize
the benefit of our solutions as a critical layer of an effective security strategy, our revenues may decline,
which could cause our share price to decrease in value. Security solutions such as ours, which aim to disrupt cyberattacks by insiders
and external perpetrators that have penetrated an organization’s IT environment, represent a security layer designed to respond
to advanced threats and provide more rigorous compliance standards and audit requirements. However, advanced cyber attackers are skilled
at adapting to new technologies and developing new methods of gaining access to organizations’ sensitive data and technology assets,
including those of IT and cybersecurity providers, as demonstrated by the 2020 attack on SolarWinds and the 2021 Apache Log4J vulnerabilities.
We expect that our customers, and thereby our solutions, will face new and increasingly sophisticated methods of attack, particularly
given the increasing complexity of IT environments and the proliferation of privileged access across identities. We face significant challenges
in ensuring that our solutions effectively identify and respond to sophisticated attacks while avoiding disruption to our customers’
businesses. As a result, we must continually modify and improve our products and services in response to market and technology trends
and evolvement, including obtaining interoperability with existing or newly introduced technologies and systems, to ensure we are meeting
market needs and continuing to provide valuable solutions that can be deployed in a variety of IT environments, including cloud and hybrid.
We cannot guarantee that we will be able to anticipate future market needs and opportunities, or be able
to develop or acquire product enhancements or new products or services to meet such needs or opportunities in a timely manner or at all.
Additionally, we cannot guarantee that we will be able to comply with new regulatory requirements (see “—The dynamic regulatory
environment around privacy and data protection may limit our offering or require modification of our products and services, which could
limit our ability to attract new customers and support our current customers and increase our operational expenses. We could also be subject
to investigations, litigation, or enforcement actions alleging that we fail to comply with the regulatory requirements, which could harm
our operating results and adversely affect our business.”). Furthermore, new technologies and solutions that may make our solutions
obsolete may be introduced into the market, lowering the demand for our products and reducing our sales. Even if we are able to anticipate,
develop and commercially introduce new features and products and ongoing enhancements to our existing products, there can be no assurance
that such enhancements or new solutions will achieve widespread market acceptance. Delays in developing, completing or delivering new
or enhanced solutions could cause our offerings to be less competitive, impair customer acceptance of our solutions and result in delayed
or reduced revenue and share price decline.
We are transitioning our business to a subscription model.
If we fail to successfully manage our licensing and business model transition, including not expanding our existing customer base and
retaining sufficient subscription or maintenance and support service renewal rates, our revenues, operating results and share price may
be adversely affected.
We began transitioning our business to a subscription model in January 2021. Our transition goal is to
achieve at least 85% of our sales through subscriptions, for both SaaS and self-hosted offerings, and to change business processes, systems
and organizational structure to support and grow our subscription customers. Our strategy requires considerable investments across the
entire organization with significant changes to our go-to-market and research and development organizations and activities, as well as
adjustments in our operations, reporting and financial resources. We have no assurance that these investments and changes will result
in the desired growth in our subscription revenue, nor be favorably accepted by our existing customers. As we execute our strategy, we
expect our perpetual license revenue to continue to rapidly decline and our maintenance and support revenue to gradually decline over
the coming years. While we expect the majority of our existing customers to expand their deployment leveraging subscription offerings
(whether self-hosted or SaaS) and new customers to purchase subscriptions at an increased rate, certain customers may view these changes
unfavorably and terminate their engagement with us, or they may still desire perpetual licenses, which may cause fluctuations in our financial
performance and our sales transition timeline to be delayed.
With our transition to a subscription model, we will become significantly more dependent on renewals to
meet our revenue, profitability and cash flow from operating activities targets. Customer subscription renewal rates may decline or fluctuate
due to a number of factors, including offering pricing, implementation and adoption rates of our solutions, reductions in customer spending
levels or customer activity due to economic downturns or other market uncertainty, competitive offerings and customer satisfaction with
our solutions and related services and support. In addition, we, along with our service providers and channel partners, may not be able
to provide adequate services that are responsive, satisfy our customers’ expectations and resolve issues that they encounter with
our solutions. Even with adequate support, our customers are ultimately responsible for effectively using our solutions and ensuring that
their users are properly trained in the use of our solutions and complementary security products, methodologies and processes. Customers
may become dissatisfied with our solutions and their implementation, and decide not to renew, which may have a material and adverse effect
on our business and results of operations.
We may face additional complications or risks in connection with our transition to a subscription model,
including the following:
o our revenues may fluctuate as a result of variations in our booking mix from the different licensing and delivery models and the corresponding timing of revenue recognition – ratably for SaaS subscriptions and the maintenance portion of self-hosted subscriptions, and upon delivery for perpetual licenses and the license portion of self-hosted subscriptions. For example, if our customers continue to prefer to buy our solutions as a subscription at a greater rate than we anticipate, our recognized revenues may lag our expectations and guidance;
o since fiscal year 2020, we have incurred net losses with declining operating margins, and we expect our operating and net income losses to continue to increase, and our cash flow from operations to decline (see “—We have incurred net losses, and may not be able to generate sufficient revenue to achieve and sustain profitability.”);
o the introduction of new product offerings and solutions may result in longer sales cycles, lost opportunities or less predictable revenues if our new or existing customers, prospects and partners are less receptive of such advancements (including a transition to SaaS in order to receive certain functionalities) or require a longer period to assess and select the solutions appropriate to them;
o the introduction of more SaaS offerings may lead to extended presale periods due to, among others, comprehensive product and security reviews and requirements by customers, extensive contract negotiations and more stringent compliance and operational obligations (such as those related to data protection);
o our sales force may struggle with selling multiple pricing, licensing and delivery models to customers, prospects and partners, which may extend sales cycles, reduce the likelihood of sales closing, or lead to increased turnover rates and lower headcount;
o our research and development teams may find it difficult to deliver functionality and drive innovation across multiple code bases on a timely basis; and
o customer demand for migration from self-hosted solutions to SaaS may happen faster than we anticipate, in which case we might not be able to meet this demand and associated scalability requirements.
Our quarterly results of operations may fluctuate for a variety
of reasons. We may, as a result, fail to meet publicly announced financial guidance or other expectations about our business, which could
cause our ordinary shares to decline in value.
We began transitioning our business to a subscription model in January 2021, offering our customers multiple
software and delivery models. It may be difficult to predict the mix of the subscription and perpetual bookings and the mix of self-hosted
and SaaS subscriptions in any given quarter, which could impact our financial results and cause us to fail to meet publicly announced
financial guidance or other expectations. We recognize revenue differently based on the composition of the selected offering. Specifically,
we recognize revenue from perpetual licenses upon their delivery and the license portion of self-hosted subscriptions upon the commencement
of the subscription period. By contrast, we recognize revenue from SaaS subscriptions and from maintenance services for perpetual licenses
or self-hosted subscription ratably, over the period of the subscription or maintenance contract. This may cause trends in revenue recognition
to lag those in sales, potentially causing us to fall short of investor expectations for revenue even while meeting or exceeding periodic
sales targets. Accordingly, our transition to a subscription model could continue to reduce our overall revenue growth rates, operating
margins and cash flow from operating activities in the near term.
A meaningful portion of our quarterly revenues is typically generated through transactions of significant
size, and purchases of our solutions and services often occur at the end of each quarter. We also experience quarterly and annual seasonality
in our sales, demonstrated by increased sales in the third month of each quarter relative to the first two months, and increased sales
in the fourth quarter of each year. The timing in which SaaS deals close may further exacerbate the seasonality impact on reported revenues
due to the ratable recognition. In addition, our sales cycle can be intensively competitive and last several quarters from proof of concept
to the actual sale and initial delivery of our solutions to our customers. The sales cycle can be even longer, less predictable and more
resource-intensive for larger sales, or with customers implementing complex digital transformation strategies or facing a complex set
of compliance and user requirements. Customers may require additional internal committee or executive approvals, extensive security reviews,
longer product trial periods and prolonged contract negotiation before making a final purchase, all of which has intensified with the
increased volume of SaaS transactions, which are subject to even greater scrutiny.
At times, sales have occurred in a quarter that was either earlier than, or subsequent to, the anticipated
quarter, and some sale opportunities that were expected to close did not close at all. A failure to close a large transaction in a particular
quarter may adversely impact our revenues in that quarter and, in case of a large subscription transaction pending, may adversely impact
our revenues and cash flow in the subsequent quarter and remainder of the year. Closing an exceptionally large transaction in a certain
quarter may disproportionately increase our revenues in that quarter, which may make it more difficult for us to meet growth rate expectations
in subsequent quarters. Furthermore, even if we close a sale during a given quarter, we may be unable to recognize the revenues derived
from such sale during the same period due to our revenue recognition policy. As a result of the foregoing factors, the timing of closing
sales cycles and the associated revenue from such sales can be difficult to predict and may cause us to miss our guidance or fall short
of market expectations. This may result in the decline of the price of our ordinary shares.
In addition, our results of operations may continue to vary as a result of a number of other factors, many
of which may be outside of our control or difficult to predict, including:
o our ability to attract new customers and to retain existing customers by and through renewals of maintenance services and subscriptions (see “—If we are unable to acquire new customers or sell additional products and services to our existing customers, our future revenues and operating results will be harmed.”);
o the amount and timing of our operating costs and cash collection, which may vary also as a result of fluctuations in foreign currency exchange rates or changes in taxes or other applicable regulations (see “—We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.”);
o the rate at which our customers fully deploy their purchased solutions, and our ability to sell additional solutions and services to current customers;
o effects from the COVID-19 pandemic or other public health crises, and the global economic changes caused by it (see “—The COVID-19 pandemic, measures taken in response to it and the resulting global economic environment have adversely affected, and may adversely affect in the future, our business, financial condition, and results of operations.”);
o the ability of our support and customer success operations to keep pace with sales to new and existing customers and the expansion of our solution portfolio and to satisfy customer demands for consultancy and professional services;
o our ability to successfully expand our business globally;
o the release timing and success of new product and service introductions by us or our competitors or any other change in the competitive landscape of the cybersecurity market, including consolidation among our competitors;
o the introduction of new accounting pronouncements or changes in our accounting policies or practices;
o changes in our pricing policies or those of our competitors; and
o the size and discretionary nature of our prospective and existing customers’ IT budgets.
Any of these factors, individually or in the aggregate, may result in significant fluctuations in our financial
and other operating results. These fluctuations could result in our failure to meet our operating plan or the expectations of investors
or analysts for any given period. Such failures may cause the market price of our ordinary shares to substantially decrease.
Our reputation and business could be harmed due to real or perceived
vulnerabilities in our solutions or services or the failure of our customers or third parties to correctly implement, manage and maintain
our solutions, resulting in loss of customers, enforcement actions, lawsuits or financial losses.
Security products, solutions and services such as ours are complex in development, design and deployment
and may contain errors, bugs, misconfigurations or vulnerabilities, that are potentially incapable of being remediated or detected until
after their deployment, if at all. Any real or perceived errors, bugs, design failures, defects, vulnerabilities, misconfigurations in
our solutions or their accompanying documentation, or untimely or insufficient remediation thereof, could cause our solutions not to meet
their specifications or security standards. The affected solutions may not fulfil their primary security functions, falsely identify threats
or create new security threats, and be vulnerable to security attacks.
There is no guarantee that our products would be free of flaws or vulnerabilities at all times and we may
not correct all known vulnerabilities or errors, promptly or at all.
Further, our solutions serve as mission-critical applications in our customers’ operational environments,
allowing them to manage access and privileges in their systems and networks. Any breach, interruption or shut down of our solutions could
significantly damage customers’ internal and external operations, and therefore we may suffer significant reputational, financial
and legal adverse impact. Potential vulnerabilities or deficiencies associated with a product developed or obtained through an acquisition
could also deteriorate our solutions’ security and expose our customers to additional risk (see “—We may fail to fully
execute, integrate, or realize the benefits expected from acquisitions, which may require significant management attention, disrupt our
business, dilute shareholder value and adversely affect our results of operations.”).
Several of our solutions are made available to our customers as SaaS. Delivering software as a service
involves storage and transmission of customers’ proprietary information, including personal data, related to their assets, employees
and users. Security breaches, bugs, vulnerabilities, defects or improper configuration of our solutions, cloud accounts or production
and development environments (including those embedded in third-party technology used in our products or by our customers) could result
in loss or alteration of, or unauthorized access to this data and compromise of our networks or our customers’ networks secured
by our SaaS solutions. Any such incident, whether or not caused by us, could result in significant liability for us and negative business
repercussions.
Our solutions not only reinforce but also rely on the common security concept of placing multiple layers
of security controls throughout an IT environment. The failure of our customers, channel partners, managed service providers, subcontractors
or similar entities to correctly implement or effectively manage and maintain our solutions and the environments in which they are utilized,
or to consistently implement and utilize generally accepted and comprehensive, multi-layered security measures and processes, may lessen
the efficacy of our solutions, in whole or in part. These entities may also independently develop or change existing application programming
interfaces (APIs) that we provide or other customizable components in an incorrect or insecure manner. Such failures or actions may lead
to security breaches and data loss, which could result in a perception that our solutions or services failed and associated negative business
implications. In addition, we are expected to provide a high level of transparency regarding vulnerabilities in our products, which, once
conveyed, may increase our customers’ exposure to a security breach until they properly implement the relevant fix. Further, our
failure to provide our customers and channel partners with adequate services or accurate product documentation and training related to
the use, implementation and maintenance of our solutions, could lead to claims against us.
Similarly, and as demonstrated by the 2020 attack on SolarWinds, a failure by a provider like us to effectively
secure and detect threats within our own resources and networks, such as development or customer-serving production environments, could
lead to threat actors compromising our customers’ environments through a breach or exploitation of our products or services (see
“—If our internal IT network systems, or those of our third-party providers, are compromised by cyberattacks or other security
incidents, or by a critical system disruption or failure, then our reputation, financial condition and operating results could be materially
adversely affected.”). As demonstrated by the 2021 Apache Log4j vulnerabilities, a similar effect could arise from the use of compromised
third-party open-source software in our products or by our vendors, which could expose our solutions, networks and environments –
and thereby our customers – to additional vulnerabilities.
As we increase our developers’ workforce globally to meet our business goals, including by engaging
external developers or through mergers and acquisitions, the risk of errors, misconfigurations, vulnerabilities or intentional misconduct
may be heightened due to governance difficulties and limited centralized oversight. In addition, difficulties or delays in hiring and
retaining personnel may impact the resources available to us for continuous improvement of our product security posture and therefore,
increase this risk (see “—The tight global labor market has created difficulty to attract and retain qualified personnel,
has increased wages and compensation, and has increased employee turnover across industries. If we are unable to hire, retain and
motivate qualified personnel, our business will suffer.”).
An actual or perceived error, bug, misconfiguration, vulnerability, cyberattack or other security breach,
regardless of whether the vulnerability or breach is actually attributable to the failure of our products, SaaS solutions or the related
services we provide, could adversely affect the market’s perception of the efficacy of our solutions and our industry standing.
Such circumstances could cause current or potential customers to look to our competitors for alternatives to our solutions and subject
us to negative media attention, reputational harm, lawsuits, regulatory investigations and other government inquiries, indemnity claims
and financial losses, as well as the expenditure of significant financial resources to, among other actions, analyze, correct or eliminate
any vulnerabilities. Provisions in our agreements that attempt to limit our liability towards our customers, channel partners and relevant
third parties may not withstand legal challenges, and certain liabilities may not be limited or capped. Additionally, any insurance coverage
we have may not adequately cover all claims asserted against us and may leave a significant portion of such claims to be directly covered
by us. In addition, such insurance may not be available to us in the future on economically reasonable terms, or at all.
We face intense competition from a wide variety of IT security vendors
operating in different market segments and across diverse IT environments, which may challenge our ability to maintain or improve our
competitive position or to meet our planned growth rates.
The IT security market in which we operate is characterized by intense competition, constant innovation,
rapid adoption of different technological solutions and services, and evolving security threats. We compete with a multitude of companies
that offer a broad array of IT security products and that employ different approaches and delivery models to address these evolving threats.
Our primary competitors consist of companies that offer Privileged Access Management solutions, such as
BeyondTrust Corporation, Delinea Inc. (formerly ThycoticCentrify) and One Identity LLC, as well as companies that offer identity security
and DevOps solutions, such as Okta Inc., Microsoft Corporation and HashiCorp, Inc. In addition, due to changes in the manner that organizations
utilize IT assets and the security solutions applied to them, we may face competition from cloud providers such as Amazon Web Services,
Google Cloud Platform and Microsoft Azure, that offer embedded capabilities to manage identity security and privileged access.
IT security spending is spread across a wide variety of solutions and strategies, including, for example,
endpoint, network and cloud security, vulnerability management and identity and access management. Organizations continually evaluate
their security priorities and investments and may allocate their IT security budgets to other solutions and strategies and may not adopt
or expand use of our solutions. Accordingly, we may also compete for budgetary reasons, to a certain extent, with additional vendors that
offer threat protection solutions in adjacent or complementary markets to ours, such as Palo Alto Networks and CrowdStrike Holdings, Inc.
As the identity and access and Privileged Access Management markets have matured and continue to grow significantly
over recent years, it may become more attractive for new competitors, including both large security vendors and startups, or vendors in
adjacent markets to enter our market, further increasing direct technology and pricing competition which could negatively impact our sales
or market share.
Our competitors may enjoy potential competitive advantages over us, such as:
o greater name recognition, a longer operating history and a larger customer base;
o larger sales and marketing budgets and resources;
o broader distribution and established relationships with channel partners, advisory firms and customers;
o increased effectiveness in protecting, detecting and responding to cyberattacks;
o greater or localized resources for customer support and provision of services;
o greater speed at which a solution can be deployed and implemented;
o greater resources to make acquisitions;
o lower pricing and attractive packaging;
o greater operational flexibility and less stringent accounting, auditing and legal standards, applicable to privately held companies;
o larger intellectual property portfolios; and
o greater financial, technical and other resources.
Our current and potential competitors may also establish cooperative relationships or alliances among themselves
or with third parties that may further enhance their resources and capabilities. We may also face increased competition following an acquisition
by our competitors of new lines of business that compete with solutions that we offer or from security vendors or other companies in adjacent
markets extending their solutions into privilege access management or identity and access management (as relevant). Our collaborative
efforts with our technology partners could also change if they elect to develop and market solutions that compete with our solutions,
thus increasing the competitive landscape, while adversely affecting our partnership efforts and their resale and marketing of our products.
The tight global labor market has created difficulty to attract
and retain qualified personnel, has increased wages and compensation, and has increased employee turnover across industries. If
we are unable to hire, retain and motivate qualified personnel, our business will suffer.
Our future success, productivity, revenue growth, profitability and cash flow from operating activities
depend, in part, on our ability to continue to timely attract and retain highly skilled personnel. The tight global labor market has created
an incredibly intense hiring environment, resulting in us experiencing increased difficulty in attracting and retaining qualified personnel.
Since we require a highly skilled workforce in order to successfully compete in an increasingly competitive cybersecurity market, we have
experienced and may continue to experience difficulty in hiring, high employee turnover, and considerable costs and productivity as well
as time to market losses. Global compensation inflation in the market may impact our ability to retain our existing personnel or attract
new personnel which, over time, may impact our productivity, ability to meet customers’ expectation and overall profitability levels.
Many corporations and startup companies have greater resources and compensation tools at their disposal for talent acquisition, which
may not be available at our Company. Our compensation relies partially on different equity vehicles (such as RSUs or ESPP). Volatility
within the stock market or inability of our stock to perform may affect our employee attrition and ability to attract new talent. Our
inability to attract or retain qualified personnel or delays in hiring such personnel may seriously harm our performance, business and
financial condition and results of operations. Furthermore, if we hire employees who previously worked for our competitors, we may be
subject to allegations that such employees have been improperly solicited or divulged proprietary or other confidential information, which
could subject us to potential liability and litigation.
In order to meet our business goals and address the challenges of the labor market, we are expanding our
workforce to additional regions globally, including by engaging external service providers. If we fail to manage this expansion in a manner
that preserves the key aspects of our corporate culture, the quality of our solutions may suffer, which could negatively affect our brand
and reputation and harm our ability to retain and attract customers and employees.
If we are unable to acquire new customers or sell additional products
and services to our existing customers, our future revenues and operating results will be harmed.
Our success and continued growth will depend, in part, on our ability to acquire a sufficient number of
new customers while maintaining and expanding our revenues from existing customers, by renewing contracts for our solutions and selling
incremental or new solutions to existing customers. If we are unable to succeed in such efforts, we will likely be unable to generate
revenue growth at desired or projected rates. In addition, competition in the industry may lead us to acquire fewer new customers or result
in us providing more favorable commercial terms to new or existing customers. Macro-economic effects may also affect our ability to maintain
our customer base and expand it, and the COVID-19 pandemic and its associated global response may also make establishing relationships
and new supplier expertise among potential customers more challenging (see “—The COVID-19 pandemic, measures globally taken
in response to it and the resulting economic environment have adversely affected, and may adversely affect in the future, our business,
financial condition, and results of operations.”).
As we expand our market reach to gain new business, including entering the Access Management market and
securing DevOps environments, we may experience difficulties in gaining traction and raising awareness among potential customers regarding
the critical role that our solutions play in securing their organizations or in establishing a market leadership position and obtaining
industry analyst recognition, or may face more competitive pressure in such markets. As a result, it may be difficult for us to add new
customers to our customer base, retain our existing customers and generate increased growth from sales of these solutions.
With our ongoing introduction of new solutions to meet market demands, our sales, research and development,
support and customer success and IT teams may have difficulties selling, supporting and maintaining multiple license models and code bases.
These may lead to lower rates of software sales, longer sales cycles, customer dissatisfaction, lower renewal rates and a reduction in
our ability to sell add-on business to customers or gain new customers. Further, as part of the natural lifecycle of our solutions, we
may determine that certain products will be reaching their end of development or end of life and will no longer be supported or receive
updates and security patches. Failure to effectively introduce new solutions or manage our product lifecycles could lead to increased
expenses, existing customer dissatisfaction and contractual liabilities.
Further, any changes in compliance standards or audit requirements that reduce the priority for the types
of controls, security, monitoring and analysis that our solutions provide would adversely impact demand for our solutions. Additional
factors that impact our ability to acquire new customers or sell additional products and services to our existing customers include the
consumption of their past purchases, a reduction in the perceived need for IT security, the size of our prospective and existing customers’
IT budgets, the utility and efficacy of our existing and new offerings, whether proven or perceived, changes in our pricing or licensing
models that may impact the size of new business transactions, a downgrade of our recognized industry leadership position by industry analysts
and general economic conditions. These factors may have a material negative impact on future revenues and operating results.
If our internal IT network systems, or those of our third-party
providers, are compromised by cyberattacks or other security incidents, or by a critical system disruption or failure, then our reputation,
financial condition and operating results could be materially adversely affected.
The security and integrity of our IT network systems and the product security of our third-party providers
is critical to our ability to deliver products and services to customers as well as to run internal operations. While we operate certain
of these network systems, we also rely on third party providers across an array of technologies and services that enable us to conduct,
monitor and/or protect our business operations. For example, we rely on third parties to host our SaaS products (see “—We
increasingly rely on third-party providers of cloud infrastructure services to deliver our SaaS solutions to customers, and any disruption
of or interference with our use of these services could adversely affect our business.”) and support our customer relationship management
and financial operation services (provided by our Enterprise Resource Planning system). In addition, in the ordinary course of business,
we and our third-party providers collect, process and store sensitive data, including proprietary and personal data belonging to us and
others.
We acknowledge that the threat landscape is broad and that threats are persistent. Being a prominent Israeli
security company that provides solutions centered on privileged access security and identity management, we are and will remain an attractive
target for cyber attackers and malicious actors, including insiders, as well as cyber terrorists, sophisticated criminal groups or nation-state
affiliated actors. We experience cyberattacks, security incidents and attempts to gain access to our internal IT network systems, physical
facilities, our data or our customers’ networks or data. Attackers are increasingly sophisticated and utilize tools and techniques
that are designed to circumvent controls, avoid detection, and remove or obfuscate forensic evidence. Malicious third parties or insiders
may also attempt to fraudulently induce employees or customers into disclosing sensitive information such as user names, passwords or
other information or otherwise compromise the security of our or our customers’ networks or data. Our solutions’ operation
relies at times on third party, open-source software in our products, networks and environments, which could also serve as an attack vector.
The shift to a remote working environment due to the COVID-19 pandemic expanded the attack surface for cyberattacks. Cyberattacks against
our Company may also be caused by breaches by our contractors, channel partners, supply chain network, vendors and other third parties
associated with us, among others, due to their inability to prioritize or properly implement cybersecurity and compliance programs and
products or to properly train and staff personnel, or due to human error. In addition, the risk for a cyberattack on our networks and
environments may be heightened if we fail to identify or remediate any deficiencies in the products, procedures, and policies of companies
that we acquire (see “—We may fail to fully execute, integrate, or realize the benefits expected from acquisitions, which
may require significant management attention, disrupt our business, dilute shareholder value and adversely affect our results of operations.”).
We and our third-party providers may also be subject to information technology system failures or network
disruptions caused by a variety of factors, including pandemics, natural disasters, climate change (such as increased frequency and storm
severity or drought), accidents, power disruptions, telecommunications failures, acts of terrorism, wars (including an escalation of the
conflict between Russia and Ukraine), computer viruses and malware (such as ransomware), or other events or disruptions. System redundancy
and other continuity measures may be ineffective or inadequate, and our business continuity and disaster recovery planning may not be
sufficient for all eventualities. Cyberattacks, security breaches and other incidents could result in significant damage to our market
position and lead to costly remediation requirements, indemnity claims, legal claims (including class action litigation), regulatory investigations
and fines or penalties, as well as the loss of proprietary and confidential data, trade secrets and customers (see “—The dynamic
regulatory environment around privacy and data protection may limit our offering or require modification of our products and services,
which could limit our ability to attract new customers and support our current customers and increase our operational expenses. We could
also be subject to investigations, litigation, or enforcement actions alleging that we fail to comply with the regulatory requirements,
which could harm our operating results and adversely affect our business.”). An actual or perceived failure, disruption, or breach
of our network or privileged account security in our systems could adversely affect the market perception of our products and services,
or of our expertise in this field. Moreover, if critical business functions or services from third party providers are breached and become
unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms, our ability
to manage our operations could be interrupted, our contractual service level commitments could be breached, and our ability to provide
timely and adequate maintenance and support services to our customers could be impacted. Any of the foregoing events could have a material
and adverse effect on our operations, reputation, financial condition and operating results and expenses.
With the increase in the likelihood and severity of potential security breaches and the increase in cybersecurity
insurance premiums for our customers, negotiations may require us to assume higher liabilities with regards to security and data breaches.
In addition, we are unable to ensure that any limitations of liability provisions in our contracts with respect to our information security
operations or our product liability would be enforceable or adequate or would otherwise protect us from any liabilities or damages with
respect to any particular claim (including in cases where existing customers purchase new solutions based on previously agreed contractual
terms), or that we would be able to adequately recover damages from third parties associated with us, who were involved in a security
incident. Additionally, any insurance coverage we may have may not adequately cover any of these claims asserted against us or any related
damage and may leave a significant portion of such claims to be directly covered by us. If any of the foregoing were to occur, our business
may suffer extensive costs, our sales may be reduced and our share price may be negatively impacted.
The dynamic regulatory environment around privacy and data protection
may limit our offering or require modification of our products and services, which could limit our ability to attract new customers and
support our current customers and increase our operational expenses. We could also be subject to investigations, litigation, or enforcement
actions alleging that we fail to comply with the regulatory requirements, which could harm our operating results and adversely affect
our business.
Federal, state and international bodies continue to adopt, enact, and enforce new laws and regulations,
as well as industry standards and guidelines, addressing cybersecurity, privacy, data protection and the collection, processing, storage,
cross-border transfer and use of personal information.
We are subject to diverse laws and regulations relating to data privacy, including but not limited to the
EU General Data Protection Regulation 2016/679 (GDPR), the California Consumer Privacy Act (CCPA), the Health Insurance Portability and
Accountability Act as amended by the Health Information Technology for Economic and Clinical Health Act (HIPAA), the U.K. Data Protection
Act 2018, national privacy laws of EU Member States and other laws relating to privacy, data protection, and cloud computing. These laws
are evolving rapidly, as exemplified by the recent adoption by the European Commission of a new set of Standard Contractual Clauses, the
prospect of a new European “ePrivacy Regulation” (to replace the existing “ePrivacy Directive,” Directive 2002/58
on Privacy and Electronic Communications) and the forthcoming California Privacy Rights Act. Compliance with these laws, as well as efforts
required to understand and interpret new legal requirements, require us to expend significant capital and other resources. We could be
found to not be in compliance with obligations, or suffer from adverse interpretations of such legal requirements either as directly relating
to our business or in the context of legal developments impacting our customers or other businesses, which could impact our ability to
offer our products or services, impact operating results, or reduce demand for our products or services.
Compliance with privacy and data protection laws and contractual obligations may require changes in services,
business practices, or internal systems resulting in increased costs, lower revenue, reduced efficiency, or greater difficulty in competing
with firms that are not subject to these laws and regulations. For example, GDPR and the UK compliance regime impose several stringent
requirements for controllers and processors of personal data and increase our obligations such as, requiring robust disclosures to individuals,
establishing an individual data rights regime, setting timelines for data breach notifications, imposing conditions for international
data transfers, requiring detailed internal policies and procedures and limiting retention periods. Ongoing compliance with these and
other legal and contractual requirements may necessitate changes in services and business practices, which may lead to the diversion of
engineering resources from other projects.
As a company that focuses on identity security with a foundation in privilege access management, our customers
may rely on our products and services as part of their own efforts to comply with security control obligations under GDPR and other laws
and contractual commitments. If our products or services are found insufficient to meet these standards in the context of an investigation
into us or our customers, or we are unable to engineer products that meet these standards, we could experience reduced demand for our
products or services. There is also increased international scrutiny of cross-border transfers of data, including by the EU for personal
data transfers to countries such as the United States, following recent case law and regulatory guidance. This increased scrutiny, as
well as evolving legal and other regulatory requirements around the privacy or cross-border transfer of personal data could increase our
costs, restrict our ability to store and process data as part of our solutions, or, in some cases, impact our ability to offer our solutions
or services in certain jurisdictions.
Enactment of further privacy laws in the United States, at the state or federal level, or introduction
of new services or products that are subject to additional regulations, as well as ensuring compliance of solutions that we obtained through
acquisitions, may require us to expend considerable resources to fulfill regulatory obligations, and could carry the potential for significant
financial or reputational exposure to our business, delay introduction to the market and affect adoption rates.
Claims that we or our service providers have breached our contractual obligations or failed to comply with
applicable privacy and data protection laws, even if we are not found liable, could be expensive and time-consuming to defend and could
result in adverse publicity that could harm our business. In addition to litigation, we could face regulatory investigations, negative
market perception, potential loss of business, enforcement notices and/or fines (which, for example, under GDPR / UK regime can be up
to 4% of global turnover for the preceding financial year or €20 / £17.5 million, whichever is higher).
We have incurred net losses and may not be able to generate sufficient
revenue to achieve and sustain profitability.
We have incurred net losses of US $5.8 million and US $83.9 million in each of the years ended December
31, 2020 and 2021, respectively, and anticipate our cash flow from operating activities will continue to decline as we continue our transition
to a subscription model. Our ability to generate cash flow from operating activities as a subscription company will depend on the combination
of our success in retaining high renewal rates with our customers, expanding sales with our existing customers, generating sales from
new customers and executing and collecting annual or multi-year contracts which are paid for up front. We cannot be certain we will achieve
the required renewal rates, increased sales from existing and new customers nor generate or collect from the contract terms for the sales
which will improve our cash flow from operating activities. In addition, due to our continued investment in the growth of our business,
we expect our operating expenses to increase over the next several years as we hire additional personnel, retain existing personnel in
a competitive market and continue to develop features and applications for our solutions. Any failure to increase our revenue could prevent
us from achieving profitability or maintaining or increasing cash flow from operating activities on a consistent basis. In addition, we
may have difficulty achieving profitability under U.S. GAAP due to share-based compensation expense and other non-cash charges. If we
are unable to navigate these challenges as we encounter them, our business, financial condition, and operating results may suffer.
The COVID-19 pandemic, measures taken in response to it and the
resulting global economic environment have adversely affected, and may adversely affect in the future, our business, financial condition,
and results of operations.
The COVID-19 pandemic, its continuing effects, and the diverse measures taken in response by governments
and businesses worldwide to contain its spread, have placed constraints on the operations of businesses, decreased consumer mobility and
activity, and caused significant global economic volatility. In light of the uncertain and evolving nature of the pandemic and the economic
environment, we have taken precautionary measures intended to reduce the risk of virus infection to our employees and our customers and
to address our ability to execute on our operating plans. Such circumstances and uncertainties have adversely affected our business,
workforce and results of operations - primarily in 2020 - as well as that of our customers, suppliers and partners globally, and
may have a negative impact over the foregoing in the future. Our business has been affected in various ways, including our ability
to closely and effectively engage with customers, changes to customer purchase patterns and to our sales and marketing operations, and
our ability to timely hire new employees or successfully retain certain existing employees.
There is considerable uncertainty regarding the duration, scope and severity of the pandemic or its effects
on us and our customers, channel partners, managed service providers or subcontractors, which can result in extended customer sales cycles,
reduced demand for our solutions, lower renewal rates, delayed spending on our solutions, smaller deal sizes, lower revenue from
new customers, impairment of our ability to collect accounts receivable, reduced payment frequencies, and attrition and availability of
employees. Any of the foregoing may have a material adverse impact on our business and results of operations.
Prolonged economic uncertainties or downturns in certain regions
or industries could materially adversely affect our business.
Our business depends on our current and prospective customers’ ability and willingness to invest
money in IT security, which in turn is dependent upon their overall economic health. Negative economic conditions in the global economy
or certain regions, including conditions resulting from financial and credit market fluctuations, exchange rate fluctuations, or inflation,
could cause a decrease in corporate spending on cybersecurity software. Other matters that influence consumer confidence and spending,
including COVID-19 and its reverberating economic consequences, political unrest, public health crises, terrorist attacks, armed conflicts
(such as the conflict between Russia and Ukraine) and natural disasters could also negatively affect our customers’ spending on
our products and services. Our international operations involve risks that could increase our expenses, adversely affect our operating
results, and require increased time and attention of our management. A significant portion of our business operations are concentrated
in core geographic areas and if they were to experience economic downturns, this could severely affect our business operations. In addition,
some of our business operations depend on emerging markets that are less resilient to fluctuations in the global economy. In 2021, we
generated 50.5% of our revenues from the United States, 32.5% of our revenues from Europe, the Middle East and Africa and 17.0% from the
rest of the world, which includes countries from the Asia Pacific and Japan region, the Latin America region and Canada.
In addition, a significant portion of our revenue is generated from customers in the financial services
industry, including banking and insurance. Negative economic conditions may cause customers generally, and in that industry in particular,
to reduce their IT spending. Customers may delay or cancel IT projects perceived to be discretionary, choose to focus on in-house development
efforts or seek to lower their costs by renegotiating subscription renewals or maintenance and support agreements. Further, customers
or channel partners may be more likely to make late payments in worsening economic conditions, which could lead to increased collection
efforts and require us to incur additional associated costs to collect expected revenues. If the economic conditions of the general economy
or industries in which we operate worsen from present levels, our results of operations could be adversely affected.
We may fail to fully execute, integrate, or realize the benefits
expected from acquisitions, which may require significant management attention, disrupt our business, dilute shareholder value and adversely
affect our results of operations.
As part of our business strategy and in order to remain competitive, we continue to evaluate acquiring
or making investments in complementary companies, products or technologies. We may not be able to find suitable acquisition candidates
or complete such acquisitions on favorable terms. We may incur significant expenses, divert employee and management time and attention
from other business-related tasks and our organic strategy and incur other unanticipated complications while engaging with potential target
companies where no transaction is eventually completed. If we do complete acquisitions, we may not ultimately strengthen our competitive
position or achieve our goals or expected growth, and any acquisitions we complete could be viewed negatively by our customers, analysts
and investors, or experience unexpected competition from market participants. Any integration process may require significant time and
resources. We may not be able to manage the process successfully and may experience a decline in our profitability as we incur expenses
prior to fully realizing the benefits of the acquisition. We could expend significant cash and incur acquisition related costs and other
unanticipated liabilities associated with the acquisition, the product or the technology, such as contractual obligations, potential security
vulnerabilities of the acquired company and its products and services and potential intellectual property infringement. In addition, any
acquired technology or product may not comply with legal or regulatory requirements and may expose us to regulatory risk and require us
to make additional investments to make them compliant. Further, we may not be able to provide the same support service levels to the acquired
technology or product that we generally offer with our other products.
We may not successfully evaluate or utilize the acquired technology or personnel, or accurately forecast
the financial impact of an acquisition transaction, including accounting charges and tax liabilities. Further, the issuance of equity
or securities convertible to equity to finance any such acquisitions could result in dilution to our shareholders and the issuance of
debt could subject us to covenants or other restrictions that would impede our ability to manage our operations. We could become subject
to legal claims following an acquisition or fail to accurately forecast the potential impact of any claims. Any of these issues could
have a material adverse impact on our business and results of operations.
We increasingly rely on third-party providers of cloud infrastructure
services to deliver our SaaS solutions to customers, and any disruption of or interference with our use of these services could adversely
affect our business.
Our SaaS solutions are hosted by third-party providers of cloud infrastructure services (“Cloud Service
Providers”), primarily Amazon Web Services (AWS). We do not have control over the operations or the facilities of Cloud Service
Providers that we use and Cloud Service Providers have also in the past experienced and may in the future experience cyberattacks. If
any of the services provided by the Cloud Service Providers fail or become unavailable due to extended outages, cyberattacks, interruptions
or because they are no longer available on commercially reasonable terms or prices, we may be unable to deliver our committed uptime under
our service level agreements, our revenues could be reduced, our reputation could be damaged, we could be exposed to legal liability and
incur additional expenses, and our ability to manage our finances and our processes for managing sales of our offerings could be interrupted.
If we are unable to renew our agreements with our Cloud Service Providers on commercially reasonable terms, or an agreement is prematurely
terminated, or we need to add new Cloud Service Providers to increase capacity and uptime, we could experience interruptions, downtime,
delays, and additional expenses related to transferring to and providing support for these new platforms. Any of the above circumstances
or events may harm our reputation and brand, reduce the availability or usage of our platform and impair our ability to attract new users,
any of which could adversely affect our business, financial condition and results of operations.
If we fail to maintain successful relationships with our channel
partners, or if our channel partners fail to perform, our ability to market, sell and distribute our solutions will be limited, and our
business, financial condition and results of operations will be harmed.
We rely on our channel partners to market, sell, support and implement our solutions. We expect that indirect
sales through our channel partners will continue to account for a significant percentage of our revenue. In the year ended December 31,
2021, we generated approximately 74% of our revenues from sales to channel partners, such as distributors, systems integrators, value-added
resellers, managed security service providers and marketplaces, and we expect that channel partners will represent a substantial portion
of our revenues for the foreseeable future. Further, we cooperate with advisory firms in marketing our solutions and providing implementation
services to our customers, in both direct and indirect sales. Our agreements with channel partners are non-exclusive, meaning our partners
may offer customers IT security products from other companies, including products that compete with our solutions.
If our channel partners do not effectively market and sell our solutions or choose to use greater efforts
to market and sell their own products and services or the products and services of our competitors or adjacent security solutions, our
ability to grow our business will be adversely affected. Further, new channel partners require training and may take several months or
more to achieve productivity. The loss of key channel partners, the inability to replace them or the failure to recruit additional channel
partners, due to a variety of factors, including introduction of new partner program terms, could materially and adversely affect our
results of operations. Our reliance on channel partners could also subject us to lawsuits or reputational harm if, for example, a channel
partner misrepresents the functionality of our solutions to customers, fails to appropriately implement our solutions or violates applicable
laws, and may further result in termination of such partner’s agreement and potentially curb future revenues associated with this
channel partner. If we are unable to maintain our relationships with channel partners or otherwise develop and expand our indirect sales
channel, or if we are unable to train our channel partners to independently sell, install and support our solutions, or if our channel
partners fail to perform, our business, financial condition and results of operations could be adversely affected.
A portion of our revenues is generated by sales to government entities,
which are subject to a number of challenges and risks, such as increased competitive pressures, administrative delays and additional approval
requirements.
A portion of our revenues is generated by sales to U.S. and foreign federal, state and local governmental
agency customers, and we may in the future increase sales to government entities. Selling to government entities can be highly competitive,
expensive and time consuming, often requiring significant upfront time and expense without any assurance that we will complete a sale,
or imposing terms of sale which are less favorable than the prevailing market terms. Government demand and payment for our products and
services may be impacted by public sector budgetary cycles and funding authorizations, funding reductions, government shutdowns or delays,
adversely affecting public sector demand for our products. The foregoing may be intensified due to the effects of COVID-19. Additionally,
for purchases by the U.S. government, the government may require certain products to be manufactured, maintained or developed in the United
States and other high-cost locations, and we may not manufacture, maintain or develop all products in locations that meet the requirements
of the U.S. government. Finally, some government entities require products such as ours to be certified by industry-approved security
agencies as a pre-condition of purchasing them. We have initiated the process, and have begun incurring costs, to obtain authorization
from the Federal Risk and Authorization Management Program (“FedRAMP”), for certain SaaS products. The grant of such certifications
depends on the then-current requirements of the certifying agency and our ability to meet them. We cannot be certain that any certificate
will be granted, remain in effect or be renewed, or that we would be able to satisfy the technological and other requirements to maintain
certifications. The loss of any of our current product certificates, or the failure to obtain new ones, could result in the imposition
of various penalties, reputational harm, loss of existing customers, or could deter new and existing customers from purchasing our solutions,
additional products or our services, any of which could adversely affect our business, operating results or financial condition.
We are exposed to fluctuations in currency exchange rates, which
could negatively affect our financial condition and results of operations.
Our functional and reporting currency is the U.S. dollar. In 2021, the majority of our revenues were denominated
in U.S. dollars and the remainder primarily in euros and British pounds sterling. In 2021, the majority of our cost of revenues and operating
expenses were denominated in U.S. dollars and New Israeli Shekels (NIS) and the remainder primarily in euros and British pounds sterling.
Our foreign currency-denominated expenses consist primarily of personnel, marketing programs, rent and other overhead costs. Since the
portion of our expenses generated in NIS and British pounds sterling is greater than our revenues in NIS and British pounds sterling,
respectively, any appreciation of the NIS or the British pounds sterling relative to the U.S. dollar could adversely impact our operating
income. In addition, since the portion of our revenues generated in euros is greater than our expenses incurred in euros, any depreciation
of the euro relative to the U.S. dollar would adversely impact our operating income. We estimate that a 10% strengthening or weakening
in the value of the NIS against the U.S. dollar would have decreased or increased, respectively, our operating income by approximately
$11.6 million in 2021. We estimate that a 10% strengthening or weakening in the value of the euro against the U.S. dollar would have increased
or decreased, respectively, our operating income by approximately $2.3 million in 2021. We estimate that a 10% strengthening or weakening
in the value of the British pounds sterling against the U.S. dollar would have decreased or increased, respectively, our operating income
by approximately $0.9 million in 2021. These estimates of the impact of fluctuations in currency exchange rates on our historic results
of operations may be different from the impact of fluctuations in exchange rates on our future results of operations since the mix of
currencies comprising our revenues and expenses may change. We evaluate periodically the various currencies to which we are exposed and
take hedging measures to reduce the potential adverse impact from the appreciation or the depreciation of our non-U.S. dollar-denominated
operations, as appropriate. We expect that the majority of our revenues will continue to be generated in U.S. dollars with the balance
primarily in euros and British pounds sterling for the foreseeable future, and that a significant portion of our expenses will continue
to be denominated in NIS, U.S. dollars, British pounds sterling and in euros. We cannot provide any assurances that our hedging activities
will be successful in protecting us from adverse impacts from currency exchange rate fluctuations. In addition, we have monetary assets
and liabilities that are denominated in non-U.S. dollar currencies. For example, starting January 1, 2019, in accordance with a then newly
introduced lease accounting standard, we were required to present a significant NIS linked liability related to our operational leases
in Israel. As a result, significant exchange rate fluctuations could have a negative effect on our net income. See “Item 11—Quantitative
and Qualitative Disclosures About Market Risk—Foreign Currency Risk.”
If we do not effectively expand, train and retain our sales, customer
success and marketing personnel, we may be unable to fully transition to a subscription model, acquire new customers or sell additional
products and services to existing customers, and our business will suffer.
We depend significantly on our sales force and go-to-market organization to attract new customers and expand
sales to existing customers. Our ability to grow our revenues depends in part on our success in recruiting, training and retaining sufficient
numbers of sales, customer success and marketing personnel to support our growth. The number of our sales, customer success and marketing
personnel increased from 772 as of December 31, 2020 to 941 as of December 31, 2021. We expect to continue to expand our sales,
customer success and marketing personnel significantly and face a number of challenges in achieving our hiring, retention and integration
goals (see “—The tight global labor market has created difficulty to attract and retain qualified personnel, has increased
wages and compensation, and has increased employee turnover across industries. If we are unable to hire, retain and motivate qualified
personnel, our business will suffer.”). The training and integration of a large number of sales, customer success and marketing
personnel in a short time requires the allocation of significant internal resources. Based on our past experience, it takes an average
of approximately six to nine months before a new sales force member operates at target performance levels. We may not be able to recruit
at our anticipated rate or achieve or maintain our target performance levels with large numbers of new sales personnel as quickly as we
have done in the past, which may materially and adversely impact our projected growth rate. In addition, significant turnover in our sales,
customer success or marketing organizations may impact our ability to retain and expand our customers, obtain new customers or deliver
on our revenue, profitability or cash flow generation goals.
If our products fail to help our customers achieve and maintain
compliance with certain government regulations and industry standards, our business and results of operations could be materially and
adversely affected.
We generate a substantial portion of our revenues from our products and services that enable our customers
to achieve and maintain compliance with certain government regulations and industry standards, and we expect that to continue for the
foreseeable future. Governments and other customers may require our products to comply with certain privacy, security or other certifications
and standards with respect to those solutions utilized by them as a control demonstrating compliance with government regulations and industry
standards. We have maintained a SOC 2 certification for multiple products since 2019. Additionally, we have maintained the ISO 27001 annual
certification since April 2017. We are in the process of having several of our Privileged Access Management solutions evaluated for the
international Common Criteria certification by the Netherlands Scheme for Certification in the Area of IT Security (NSCIB). We have also
initiated the process, and have begun incurring costs, to obtain authorization from the Federal Risk and Authorization Management Program
(FedRAMP), for certain SaaS products. However, we are unable to guarantee that we will achieve FedRAMP authorization in a timely manner,
or at all. If our products are late in achieving or fail to achieve or maintain compliance with these certifications and standards, or
our competitors achieve compliance with these certifications and standards, we may be disqualified from selling our products to such customers,
or may otherwise be at a competitive disadvantage, either of which would harm our business, results of operations, and financial condition.
Additionally, industry standards may change with little or no notice, including changes that could make
them more or less onerous for businesses. If we are unable to adapt our solutions to changing government regulations and industry standards
in a timely manner, or if our solutions fail to expedite our customers’ compliance initiatives, our customers may lose confidence
in our products and could switch to products offered by our competitors. In addition, if government regulations and industry standards
related to IT security are changed in a manner that makes them less onerous, our customers may view compliance as less critical to their
businesses and may be less willing to purchase our products and services. In either case, our sales and financial results would suffer
(see also “—The dynamic regulatory environment around privacy and data protection may limit our offering or require modification
of our products and services, which could limit our ability to attract new customers and support our current customers and increase our
operational expenses. We could also be subject to investigations, litigation, or enforcement actions alleging that we fail to comply with
the regulatory requirements, which could harm our operating results and adversely affect our business.”).
We are subject to a number of regulatory and geopolitical risks
associated with global sales and operations, which could materially affect our business.
We are a global company subject to varied and complex laws, regulations and customs. The application of
these laws and regulations to our business is often unclear, subject to interpretation and may at times conflict. Compliance with these
laws and regulations may involve significant costs or require changes in our business practices that result in reduced revenue and profitability.
Furthermore, business practices in the global markets that we serve may differ from those in the United States and may require us to include
non-standard terms in customer contracts, such as extended payment or warranty terms. Further, there may be higher costs of doing business
globally, including costs incurred in maintaining office space, securing adequate staffing and localizing our contracts.
Additionally, our global sales and operations are subject to a number of risks, including the following:
o failure to fully comply with various global data privacy and data protection laws (see “—The dynamic regulatory environment
around privacy and data protection may limit our offering or require modification of our products and services, which could limit our
ability to attract new customers and support our current customers and increase our operational expenses. We could also be subject to
investigations, litigation, or enforcement actions alleging that we fail to comply with the regulatory requirements, which could harm
our operating results and adversely affect our business.”);
o continuing uncertainty of the long term economic, financial, regulatory, trade, tax and legal implications of the withdrawal of the
U.K. from the European Union (“Brexit”). Our U.K. subsidiary is the main entity for sales into Europe. In 2021, the revenues
generated by our U.K. subsidiary from the European Union countries (excluding the U.K.) accounted for 23% of our total global revenue.
Our London office is also our European headquarters and third largest office globally;
o fluctuations in exchange rates between the U.S. dollar and foreign currencies in markets where we do business (see “—We
are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.”);
o social, economic and political instability, war, civil disturbance or acts of terrorism, conflicts (including the current conflict
between Russia and Ukraine) and security concerns in general, and any wide-spread viruses or epidemics, such as COVID-19;
o greater difficulty in enforcing contracts and managing collections, as well as longer collection periods;
o noncompliance with specific anti-bribery laws, including, without limitation, the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act
of 2010 and the heightened risk of unfair or corrupt business practices in certain geographies, which may include the improper or fraudulent
sales arrangements by us or by our channel partners or service providers that may impact financial results and result in restatements
of, or irregularities in, financial statements;
o Certain of our activities and products are subject to U.S., Israeli, and possibly other export and trade control and economic sanctions
laws and regulations, which have and may additionally prohibit or restrict our ability to engage in business with certain countries and
customers. If the applicable requirements related to export and trade controls change or expand (such as in response to the Russia and
Ukraine conflict), if we change the encryption functionality in our products, or if we develop other products or export products from
additional jurisdictions, we may need to satisfy additional requirements or obtain specific licenses in order to continue to export our
products in the same global scope. Various countries also regulate the import or export of certain encryption products and other technologies
and services and have enacted laws that could limit our ability to distribute or implement our products in those countries. In addition,
applicable export control and sanctions laws and regulations may impact our ability to sell our products, directly or indirectly, to countries
or territories that are the target of comprehensive sanctions, or to prohibited parties;
o unexpected changes in regulatory practices and foreign legal requirements, including uncertain tax obligations and effective tax
rates, which may result in recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates
and higher than anticipated earnings in jurisdictions where we have higher statutory rates, or changes in the valuation of our deferred
tax assets and liabilities;
o compliance with, and the uncertainty of, laws and regulations that apply to our areas of business, including corporate governance,
anti-trust and competition, local and regional employment (including cross-border travel), employee and third-party complaints, limitation
of liability, conflicts of interest, securities regulations and other regulatory requirements affecting trade, local tariffs, product
localization and investment;
o reduced or uncertain protection of intellectual property rights in some countries; and
o management communication and integration problems resulting from cultural and geographic dispersion.
These and other factors could harm our ability to generate future global revenues and, consequently, materially
impact our business, results of operations and financial condition. Non-compliance could also result in government investigations, fines,
damages, or criminal sanctions against us, our officers or our employees, prohibitions on the conduct of our business, and damage to our
reputation.
Intellectual property claims may increase our costs or require us
to cease selling certain products, which could adversely affect our financial condition and results of operations.
The IT security industry is characterized by the existence of a large number of relevant patents and frequent
claims and litigations regarding patent and other intellectual property rights. Leading companies in the IT security industry have extensive
patent portfolios. From time to time, third parties have asserted, and in the future may assert, their patent, copyright, trademark and
other intellectual property rights against us, our channel partners or our customers. Furthermore, we may be subject to indemnification
obligations with respect to third-party intellectual property rights pursuant to our agreements with our customers and channel partners.
Such indemnification provisions are customary for our industry. We cannot ensure that we will have the resources to defend against all
such claims. Successful claims of infringement or misappropriation by a third party against us or a third party that we indemnify, could
prevent us from distributing certain products or performing certain services or could require us to pay substantial damages (including,
for example, treble damages if we are found to have willfully infringed patents and increased statutory damages if we are found to have
willfully infringed copyrights), royalties or other fees. Such claims also could require us to cease making, licensing or using solutions
that are alleged to infringe or misappropriate the intellectual property of others, to expend additional development resources to attempt
to redesign our products or services or otherwise to develop non-infringing technology, to enter into potentially unfavorable royalty
or license agreements in order to obtain the right to use necessary technologies or intellectual property rights, and to indemnify our
customers and channel partners (and parties associated with them). The failure to obtain a license or the costs associated with any license
could cause our business, results of operations or financial condition to be materially and adversely affected. Defending against claims
of infringement, regardless of their validity, or being deemed to be infringing the intellectual property rights of others could be very
expensive and time consuming to defend, harm our reputation and impair our ability to innovate, develop, distribute and sell our current
and planned products and services.
If we are unable to adequately protect our proprietary technology
and intellectual property rights, our business could suffer substantial harm.
The success of our business depends on our ability to protect our proprietary technology, brands and other
intellectual property and to enforce our rights in that intellectual property. We attempt to protect our intellectual property under patent,
copyright, trademark and trade secret laws, and through a combination of confidentiality procedures, contractual provisions and other
methods, all of which offer only limited protection.
As of December 31, 2021, we had 113 issued patents in the United States and 50 pending U.S. patent
applications. We also had 47 issued patents and 25 applications pending for examination in non-U.S. jurisdictions, all of which are
counterparts of our U.S. patent applications. We expect to file additional patent applications in the future.
The process of obtaining patent protection is expensive and time-consuming, and we may not be able to complete
all necessary or desirable patent applications at a reasonable cost or in a timely manner all the way to the successful issuance of a
patent. We may choose not to seek patent protection for certain innovations and may choose not to pursue patent protection in certain
jurisdictions. Furthermore, it is possible that our patent applications may not be approved, that the scope of our issued patents will
be insufficient or not have the coverage originally sought, that our issued patents will not provide us with any competitive advantages,
and that our patents and other intellectual property rights may be challenged by others or invalidated through administrative processes
or litigation. Finally, issuance of a patent does not guarantee that we have an absolute right to practice the patented invention. Our
policy is to require our employees (and our consultants and service providers that develop intellectual property included in our products)
to execute written agreements in which they assign to us their rights, if such exist, in potential inventions and other intellectual property
created within the scope of their employment (or, with respect to consultants and service providers, their engagement to develop such
intellectual property). We cannot be certain that we have adequately protected our rights in every such agreement or that we have executed
an agreement with every such party. Finally, in order to benefit from the protection of patents and other intellectual property rights,
we must monitor and detect infringement and pursue infringement claims under certain circumstances in relevant jurisdictions. Litigating
claims related to the enforcement of intellectual property rights is very expensive and can be burdensome in terms of management time
and resources. Any litigation related to intellectual rights or claims against us could result in loss or compromise of our intellectual
property rights or could subject us to significant liabilities. As a result, we may not be able to obtain adequate protection or to effectively
enforce our issued patents or other intellectual property rights.
In addition to patents, we rely on trade secret rights, copyrights and other rights to protect our unpatented
proprietary intellectual property and technology. Unauthorized parties, including our employees, consultants, service providers or customers,
may attempt to copy aspects of our products or obtain and use our trade secrets or other confidential information. We generally enter
into confidentiality agreements with our employees, consultants, service providers, vendors, channel partners, subcontractors and customers,
and generally limit access to and distribution of our proprietary information and proprietary technology through certain procedural safeguards.
These agreements may not effectively prevent unauthorized use or disclosure of our intellectual property or technology and may not provide
an adequate remedy in the event of unauthorized use or disclosure of our intellectual property or technology. We cannot be certain that
the steps taken by us will prevent misappropriation of our intellectual property or technology or infringement of our intellectual property
rights. In addition, the laws of some foreign countries where we sell our products do not protect intellectual property rights and technology
to the same extent as the laws of the United States, and these countries may not enforce these laws as diligently as government agencies
and private parties in the United States. If we are unable to protect our intellectual property, we may find ourselves at a competitive
disadvantage to others who do not incur the additional expense, time and effort to create the innovative products, yet nevertheless benefit
from such innovation due to misappropriation.
Our use of open-source software, third-party software and other
intellectual property may negatively affect our ability to offer our solutions and expose us to litigation or other risks.
We integrate certain open-source software components from third parties into our software, and we expect
to continue to use open-source software in the future. Some open-source software licenses require, among other things, that users who
distribute or make available as a service, open-source software with their own software products, add appropriate copyright notices and
disclaimers, publicly disclose all or part of the source code of the users’ developed software or make available any derivative
works of the open-source code under open-source license terms or at no cost. Our efforts to use the open-source software in a manner consistent
with the relevant license terms that would not require us to disclose our proprietary code or license our proprietary software at no cost
may not be successful. We may face claims by third parties seeking to enforce the license terms applicable to such open-source software,
including by demanding the release of our proprietary source code, or we may face termination of such licenses if the owner of the open-source
software asserts we are in breach of its license terms. In addition, if the license terms for the open-source code change or the license
is terminated, we may be forced to re-engineer our software or incur additional costs. In addition, open-source software typically comes
without warranties or indemnities from the owner, whereas we are expected to offer our customers both. Accordingly, if there were technical
problems with open-source software that we used in our products, or if such open-source software infringed third-party intellectual property
rights, we could have a warranty obligation or infringement indemnity obligation to our customer without a corresponding warranty or indemnification
obligation from the owner of the open-source software.
While we scan the open-source software that we use in our products and patch discovered vulnerabilities,
we have no assurance that they will be free from vulnerabilities or malicious code, as demonstrated in the 2021 Apache Log4J vulnerabilities.
The use of open-source software in our solutions may expose us, and our customers using our solutions, to additional vulnerabilities and
security breaches, which may result in significant adverse impacts to us and our customers (see “—Our reputation and business
could be harmed due to real or perceived vulnerabilities in our solutions or services or the failure of our customers or third parties
to correctly implement, manage and maintain our solutions, resulting in loss of customers, enforcement actions, lawsuits or financial
losses.”).
Further, some of our products and services include other software or intellectual property licensed from
third parties, and we also use software and other intellectual property licensed from third parties for our own business operations. This
exposes us to risks over which we may have little or no control. For example, a licensor may have difficulties keeping up with technological
changes or may stop supporting the software or other intellectual property that it licenses to us. There can be no assurance that the
licenses we use will be available on acceptable terms, if at all. In addition, a third party may assert that we or our customers are in
breach of the terms of a license, which could, among other things, give such third party the right to terminate a license or seek damages
from us, or both. Our inability to obtain or maintain certain licenses or other rights or to obtain or maintain such licenses or rights
on favorable terms, or the need to engage in litigation regarding these matters, could result in delays in releases of new products, and
could otherwise disrupt our business, until equivalent technology can be identified, licensed or developed.
Risks Related to Our Ordinary Shares
Our share price may be volatile, and our shareholders may lose all
or part of their investment.
From January 2019 through January 2022, our ordinary shares have traded on the Nasdaq Global Select Market
(“Nasdaq”) at a price per share between a range of $69.15 and $201.68. In addition, the market price of our ordinary shares
could be highly volatile and may fluctuate substantially as a result of many factors, some of which are beyond our control, including,
but not limited to:
o actual or anticipated fluctuations in our results of operations and the results of other similar companies;
o variance in our financial performance from the expectations of market analysts;
o announcements by us or our competitors of significant business developments, changes in service provider relationships, acquisitions or expansion plans;
o changes in the prices of our products and services or in our pricing models;
o our involvement in litigation;
o our sale of ordinary shares or other securities in the future;
o market conditions in our industry;
o changes in key personnel;
o speculation in the press or the investment community;
o the trading volume of our ordinary shares;
o changes in the estimation of the future size and growth rate of our markets;
o any merger and acquisition activities; and
o general economic and market conditions.
The price of our ordinary shares could also be affected by possible sales of our ordinary shares by investors
who view our Convertible Notes as a more attractive means of equity participation in our Company, and by hedging and arbitrage trading
activity that such investors may engage in.
In addition, the stock markets have experienced price and volume fluctuations. Broad market and industry
factors may materially harm the market price of our ordinary shares, regardless of our operating performance. In the past, following periods
of volatility in the market price of a company’s securities, securities class action litigation has often been instituted against
that company. If we were involved in any similar litigation, we could incur substantial costs and our management’s attention and
resources could be diverted, which could materially adversely affect our business.
Our business could be negatively affected as a result of the actions
of activist shareholders, and such activism could impact the trading value of our securities.
In recent years, U.S. and non-U.S. companies listed on securities exchanges in the United States have been
faced with governance-related demands from activist shareholders, unsolicited tender offers and proxy contests. Although as a foreign
private issuer we are not subject to U.S. proxy rules, responding to any action of this type by activist shareholders could be costly
and time-consuming, disrupting our operations and diverting the attention of management and our employees. Such activities could interfere
with our ability to execute our strategic plans. In addition, a proxy contest for the election of directors at our annual meeting would
require us to incur significant legal fees and proxy solicitation expenses and require significant time and attention by management and
our board of directors. The perceived uncertainties due to such actions of activist shareholders also could affect the market price of
our securities.
As a foreign private issuer whose ordinary shares are listed on
Nasdaq, we may follow certain home country corporate governance practices instead of otherwise applicable SEC and Nasdaq requirements
and are exempt from a number of requirements under U.S. securities laws. This may result in less protection for, or limit the information
available to, our shareholders.
As a foreign private issuer whose ordinary shares are listed on Nasdaq, we are permitted to follow certain
home country corporate governance practices instead of certain rules of Nasdaq. We currently follow Israeli home country practices with
regard to the quorum requirement for shareholder meetings and the requirements relating to distribution of our annual report to shareholders.
As permitted under the Israeli Companies Law, 5759-1999 (the “Companies Law”), our articles of association provide that the
quorum for any meeting of shareholders shall be at least two shareholders present in person or by proxy who hold at least 25% of the voting
power of our shares instead of 33 1/3% of our issued share capital (as prescribed by Nasdaq’s rules). Further, as permitted by the
Companies Law and in accordance with the generally accepted business practice in Israel, we do not distribute our annual report to shareholders
but make it available through our public website. We may in the future elect to follow Israeli home country practices with regard to other
matters such as director nomination procedures, separate executive sessions of independent directors and the requirement to obtain shareholder
approval for certain dilutive events (such as for the establishment or amendment of certain equity-based compensation plans, issuances
that will result in a change of control of the Company, certain transactions other than a public offering involving issuances of a 20%
or more interest in the Company and certain acquisitions of the stock or assets of another company). Accordingly, our shareholders may
not be afforded the same protection as provided under Nasdaq corporate governance rules. Following our home country governance practices
as opposed to the requirements that would otherwise apply to a U.S. company listed on Nasdaq may provide less protection than is accorded
to shareholders of domestic issuers. See “Item 16.G. Corporate Governance.”
As a foreign private issuer, we are exempt from a number of requirements under U.S. securities laws that
apply to public companies that are not foreign private issuers. In particular, we are exempt from the rules and regulations under the
Exchange Act related to the furnishing and content of proxy statements, and our officers, directors and principal shareholders are exempt
from the reporting and short-swing profit recovery provisions contained in Section 16 of the Exchange Act. In addition, we are not
required under the Exchange Act to file annual, quarterly and current reports and financial statements with the SEC, as frequently or
as promptly as domestic companies whose securities are registered under the Exchange Act. We are also exempt from the provisions of Regulation
FD, which prohibits issuers from making selective disclosure of material nonpublic information. Even though we intend to comply voluntarily
with Regulation FD, these exemptions and leniencies will reduce the frequency and scope of information and protections to which our shareholders
are entitled as investors. For so long as we qualify as a foreign private issuer, we are not required to comply with the proxy rules applicable
to U.S. domestic companies, although pursuant to the Companies Law, we disclose the annual compensation of our five most highly compensated
office holders (as defined under the Companies Law) on an individual basis, including in this annual report. Because of these exemptions
for foreign private issuers, our shareholders do not have the same information generally available to investors holding shares in public
companies that are not foreign private issuers.
Our Convertible Notes may impact our financial results, result in
the dilution of existing shareholders, create downward pressure on the price of our ordinary shares, and restrict our ability to take
advantage of future opportunities.
In November 2019, we issued $575.0 million aggregate principal amount of 0.00% Convertible Senior Notes
due 2024 (the “Convertible Notes”). The sale of the Convertible Notes may affect our earnings per share figures, as accounting
procedures may require that we include in our calculation of earnings per share the number of ordinary shares into which the Convertible
Notes are convertible. The Convertible Notes may be converted, under the conditions and at the premium specified in the Convertible Notes,
into cash and our ordinary shares, if any (subject to our right to pay cash in lieu of all or a portion of such shares). If our ordinary
shares are issued to the holders of the Convertible Notes upon conversion, there will be dilution to our shareholders’ equity and
the market price of our ordinary shares may decrease due to the additional selling pressure in the market. Any downward pressure on the
price of our ordinary shares caused by the sale or potential sale of ordinary shares issuable upon conversion of the Convertible Notes
could also encourage short sales by third parties, creating additional downward pressure on our share price.
In addition, in connection with the pricing of the Convertible Notes, we entered into privately negotiated
capped call transactions (the “Capped Call Transactions”), with certain of the purchasers of the Convertible Notes. The Capped
Call Transactions cover, collectively, the number of our ordinary shares underlying the Convertible Notes, subject to anti-dilution adjustments
substantially similar to those applicable to the Convertible Notes. The cost of the Capped Call Transactions was approximately $53.6 million.
The Capped Call Transactions are expected generally to reduce the potential dilution to the ordinary shares upon any conversion of the
Convertible Notes and/or offset any cash payments we are required to make in excess of the principal amount upon conversion of the Convertible
Notes under certain events described in the Capped Call Transactions. We are subject to the risk that one or more of the counterparties
to the Capped Call Transactions may default, or otherwise fail to perform, or may exercise certain rights to terminate, their obligations
under the Capped Call Transactions. Our exposure will depend on many factors but, generally, our exposure will increase if the market
price or the volatility of our common stock increases. Upon a default, a failure to perform or a termination of obligations by a counterparty
to the Capped Call Transactions, we may suffer adverse tax consequences or experience more dilution than we currently anticipate with
respect to our ordinary shares.
Furthermore, the indenture for the Convertible Notes will prohibit us from engaging in certain mergers
or acquisitions unless, among other things, the surviving entity assumes our obligations under the Convertible Notes. These and other
provisions in the indenture could deter or prevent a third party from acquiring us even when the acquisition may be favorable.
We currently anticipate that we will be able to rely on and to implement certain clarifications from the
Israeli Tax Authorities, with respect to the administration of our Israeli withholding tax obligations in relation to considerations to
be paid to the holders of the Convertible Notes upon their future conversion and settlement. Unexpected failure to ultimately obtain such
anticipated clarifications from the Israeli Tax Authorities could under certain conditions potentially result in increased Israeli withholding
tax gross-up costs and implications.
We may not have the ability to raise the funds necessary to settle
conversions of the Convertible Notes, repurchase the Convertible Notes upon a fundamental change or repay the Convertible Notes in cash
at their maturity, and our future debt may contain limitations on our ability to pay cash upon conversion or repurchase of the Convertible
Notes.
Holders of the Convertible Notes will have the right under the indenture governing the Convertible Notes
to require us to repurchase all or a portion of their Convertible Notes upon the occurrence of a fundamental change before the applicable
maturity date, at a repurchase price equal to 100% of the principal amount of such Convertible Notes to be repurchased, plus accrued and
unpaid interest, excluding the applicable fundamental change repurchase date, if any. Moreover, we will be required to repay the Convertible
Notes in cash at their maturity, unless earlier converted, repurchased or redeemed. We may not have enough available cash or be able to
obtain financing at the time we are required to make such repurchases of the Convertible Notes and/or repay the Convertible Notes upon
maturity.
In addition, we have the right to elect to settle conversions of the Convertible Notes in cash. Although
we entered into the Capped Call Transactions which are expected generally to offset any cash payments we are required to make in excess
of the principal amount upon conversion of the Convertible Notes (subject to a cap), we may not ultimately receive such cash payments
from the counterparties to the Capped Call Transactions in case of a default, a failure to perform or a termination of obligations by
a relevant counterparty.
Our ability to repurchase or to pay cash upon conversion of Convertible Notes may be limited by law, regulatory
authority or agreements governing our future indebtedness. Our failure to repurchase the Convertible Notes at a time when the repurchase
is required by the indenture or to pay cash upon conversion of the Convertible Notes or at maturity as required by the indenture would
constitute a default under the indenture. A default under the indenture or the fundamental change itself could also lead to a default
under agreements governing our future indebtedness. If the payment of the related indebtedness were to be accelerated after any applicable
notice or grace periods, we may not have sufficient funds to repay the indebtedness and repurchase the Convertible Notes or to pay cash
upon conversion of the Convertible Notes or at maturity.
We may lose our foreign private issuer status, which would then
require us to comply with the rules and regulations applicable to U.S. domestic issuers and cause us to incur significant legal, accounting
and other expenses.
Since a majority of our voting securities are either directly or indirectly owned of record by residents
of the United States, we would lose our foreign private issuer status if any of the following were to occur: (i) the majority of our executive
officers or directors were U.S. citizens or residents, (ii) more than 50 percent of our assets were located in the United States, or (iii)
our business was administered principally in the United States. Similarly, if we were to acquire a U.S. company in the future, it could
put us at heightened risk of losing our foreign private issuer status. Although we have elected to comply with certain U.S. regulatory provisions,
our loss of foreign private issuer status would make such provisions mandatory. In addition, we would lose our ability to rely on Nasdaq
exemptions from certain corporate governance requirements that are available to foreign private issuers. If we were to lose our foreign
private issuer status, the regulatory and compliance costs to us under U.S. securities laws as a U.S. domestic issuer may be significantly
higher.
If we are unable to satisfy the requirements of Sections 404(a)
and 404(b) of the Sarbanes-Oxley Act of 2002 or if our internal control over financial reporting is not effective, investors may lose
confidence in the accuracy and the completeness of our financial reports and
the trading price of our ordinary shares may be negatively affected.
Pursuant to Section 404(a) of the Sarbanes-Oxley Act of 2002 (“the Sarbanes-Oxley Act”),
we are required to furnish a report by management on the effectiveness of our internal control over financial reporting. Additionally,
pursuant to Section 404(b) of the Sarbanes-Oxley Act, we must include an auditor attestation on our internal control over financial reporting.
Our business transition into a subscription model affected our internal control over financial reporting,
and requires us to enhance existing, and implement new, financial reporting and management systems, procedures and controls in order to
address new risks raised from our business transition to a subscription model and to manage our business effectively and support our growth
in the future. If we identify material weaknesses in our internal control over financial reporting, if we are unable to comply with the
requirements of Section 404(a) or 404(b) in a timely manner or to assert that our internal control over financial reporting is effective,
or if our independent registered public accounting firm is unable to express an opinion or issues an adverse opinion in its attestation
as to the effectiveness of our internal control over financial reporting required by Section 404(b), investors may lose confidence in
the accuracy and completeness of our financial reports and the trading price of our ordinary shares could be negatively affected. We could
also become subject to investigations by Nasdaq, the SEC or other regulatory authorities, which could require additional financial and
management resources.
Our U.S. shareholders may suffer adverse tax consequences if we
are classified as a “passive foreign investment company.”
Generally, if for any taxable year, after the application of certain look-through rules, 75% or more of
our gross income is passive income, or at least 50% of the average quarterly value of our assets (which may be measured in part by the
market value of our ordinary shares, which is subject to change) are held for the production of, or produce, passive income (as defined
in the relevant provisions of the Internal Revenue Code of 1986, as amended (the “Code”)), we would be characterized as a
“passive foreign investment company” (“PFIC”), for U.S. federal income tax purposes under the Code. Based on our
market capitalization and the nature of our income, assets and business, we believe that we should not be classified as a PFIC for the
taxable year that ended December 31, 2021. However, PFIC status is determined annually and requires a factual determination that
depends on, among other things, the composition of our income, assets and activities in each taxable year, and can only be made after
the close of each taxable year. Furthermore, because the value of our gross assets is likely to be determined in part by reference to
our market capitalization, a decline in the value of our ordinary shares may result in our becoming a PFIC. Accordingly, there can be
no assurance that we will not be considered a PFIC for any taxable year. If we are a PFIC for any taxable year during which a U.S. Holder
(as defined in “Item 10.E. Taxation—Certain United States Federal Income Tax Consequences”) holds our ordinary shares,
certain adverse U.S. federal income tax consequences could apply to such U.S. Holder. Prospective U.S. Holders should consult their
tax advisors regarding the potential application of the PFIC rules to them. See “Item 10.E. Taxation—Certain United States
Federal Income Tax Consequences—Passive Foreign Investment Company Considerations.”
If a U.S. person is treated as owning at least 10% of our ordinary
shares, such holder may be subject to adverse U.S. federal income tax consequences.
If a U.S. person is treated as owning (directly, indirectly or constructively) at least 10% of the value
or voting power of our ordinary shares, such person may be treated as a “U.S. shareholder” with respect to each controlled
foreign corporation (“CFC”), in our group (if any). If our group includes one or more U.S. subsidiaries (as has been the case
for 2021), certain of our non-U.S. subsidiaries will be treated as CFCs regardless of whether or not we are treated as a CFC. A U.S. shareholder
of a CFC may be required to report annually and include in its U.S. taxable income its pro rata share of such CFC’s “Subpart
F income,” “global intangible low taxed income” and investments in U.S. property by CFCs, regardless of whether we make
any distributions. An individual who is a U.S. shareholder with respect to a CFC generally would not be allowed certain tax deductions
or foreign tax credits that would be allowed to a U.S. shareholder that is a U.S. corporation. Failure to comply with these reporting
obligations may subject a U.S. shareholder to significant monetary penalties and may prevent the statute of limitations with respect to
such U.S. shareholder’s U.S. federal income tax return for the year for which reporting was due from starting. We cannot provide
any assurances that we will be able to assist holders of ordinary shares in determining whether any of our non-U.S. subsidiaries is treated
as a CFC or whether any holder of ordinary shares should be treated as a U.S. shareholder with respect to any such CFC or furnish to any
U.S. shareholders information that may be necessary to comply with the aforementioned reporting and tax paying obligations. The United
States Internal Revenue Service provided limited guidance on situations in which investors may rely on publicly available alternative
information to comply with their reporting and tax paying obligations with respect to foreign controlled CFCs. U.S. investors are strongly
advised to consult their own tax advisors regarding the potential application of these rules to their investment in our ordinary shares.
Changes in tax law relating to multinational corporations could
adversely affect our tax position.
There can be no assurance that our effective tax rate will not increase over time as a result of changes
in corporate income tax rates or other changes in the tax laws in the jurisdictions in which we operate. Any changes in tax laws could
have an adverse impact on our financial results. Corporate tax reform, base-erosion efforts and tax transparency continue to be high priorities
in many tax jurisdictions where we have business operations. As a result, policies regarding corporate income and other taxes in numerous
jurisdictions are under heightened scrutiny, and tax reform legislation is being proposed or enacted in a number of jurisdictions.
For example, there is growing pressure in many jurisdictions and from multinational organizations such
as the Organization for Economic Cooperation and Development (“OECD”) and the EU to amend existing international taxation
rules in order to align the tax regimes with current global business practices. Specifically, in October 2015, the OECD published its
final package of measures for reform of the international tax rules as a product of its Base Erosion and Profit Shifting (“BEPS”)
initiative, which was endorsed by the G20 finance ministers. Many of the initiatives in the BEPS package required and resulted in specific
amendments to the domestic tax legislation of various jurisdictions and to existing tax treaties. We continuously monitor these developments.
Although many of the BEPS measures have already been implemented or are currently being implemented globally (including, in certain cases,
through adoption of the OECD’s “multilateral convention” (to which Israel is also a party) to effect changes to tax
treaties which entered into force on July 1, 2018 and through the European Union’s “Anti Tax Avoidance” Directives),
it is still difficult in some cases to assess to what extent these changes will affect our tax liabilities in the jurisdictions in which
we conduct our business or to what extent they may impact the way in which we conduct our business or our effective tax rate due to the
unpredictability and interdependency of these potential changes. In January 2019, the OECD announced further work in continuation of the
BEPS project, focusing on two “pillars.” On October 8, 2021, 136 countries approved a statement known as the OECD BEPS Inclusive
Framework, which builds upon the OECD’s continuation of the BEPS project. The first pillar is focused on the allocation of taxing
rights between countries for in-scope large multinational enterprises (with revenue in excess of €20 billion and profitability of
at least 10%) that sell goods and services into countries with little or no local physical presence. We do not expect to be within the
scope of the first Pillar. The second pillar is focused on developing a global minimum tax rate of at least 15% applicable to in-scope
multinational enterprises (with revenue in excess of €750 million). Israel is one of the 136 jurisdictions that has agreed in principle
to the adoption of the global minimum tax rate, and it is unclear what would be the impact on Preferred Technological Enterprises currently
eligible for a reduced corporate tax rate of 12%. Given these developments, it is generally expected that tax authorities in various jurisdictions
in which we operate may increase their audit activity and may seek to challenge some of the tax positions we have adopted. It is difficult
to assess if and to what extent such challenges, if raised, might impact and potentially increase our future effective tax rate.
We do not intend to pay dividends on our ordinary shares for the
foreseeable future so any returns will be limited to changes in the value of our ordinary shares.
We have never declared or paid any cash dividends on our ordinary shares. We currently anticipate that
we will retain future earnings for the development, operation, and expansion of our business and do not anticipate declaring or paying
any cash dividends for the foreseeable future. Any return to shareholders will therefore be limited to the increase, if any, of our share
price, which may or may not occur.
Risks Relating to Our Incorporation and Location in Israel
Our principal executive offices, most of our research and development
activities and other significant operations are located in Israel, and therefore, our results may be adversely affected by political,
economic and military instability in Israel.
Our principal executive offices and research and development facilities are located in Israel and therefore
may be influenced by regional instability and extreme security tension. Accordingly, political, economic and security conditions in Israel
and the surrounding region could directly affect our business. Any political instability, terrorism, armed conflicts, cyberattacks or
any other hostilities involving Israel or the interruption or curtailment of trade between Israel and its present trading partners could
adversely affect our operations. Additionally, we may also be targeted by cyber terrorists specifically because we are an Israeli company.
Ongoing and revived hostilities or other Israeli political or economic factors, could harm our operations and cause any future sales to
decrease.
Our commercial insurance does not cover losses that may occur as a result of events associated with war
and terrorism. Although the Israeli government currently covers the reinstatement value of direct damages that are caused by terrorist
attacks or acts of war, we cannot guarantee that this government coverage will be maintained or that it will sufficiently cover our potential
damages. Any losses or damages incurred by us could have a material adverse effect on our business.
Further, our operations could be disrupted by the obligations of personnel to perform military reserves
service. As of December 31, 2021, approximately 32% of our personnel are based in Israel, certain of whom may be called upon to perform
military reserve duty, which could materially adversely affect our business and results of operations.
Several countries restrict doing business with Israel and Israeli companies, and additional countries may
impose restrictions on doing business with Israel and Israeli companies whether as a result of hostilities in the region or otherwise.
In addition, there have been increased efforts by activists to cause companies and consumers to boycott Israeli goods based on Israeli
government policies. Such actions, if accelerated, could adversely affect our business, financial condition and results of operations.
The tax benefits that are available to us require us to continue
to meet various conditions and may be terminated or reduced in the future, which could increase our costs and taxes.
We were granted Approved Enterprise status under the Israeli Law for the Encouragement of Capital Investments,
5719-1959 (the “Investment Law”). We elected the alternative benefits program, pursuant to which income derived from the Approved
Enterprise program is tax-exempt for two years and enjoys a reduced tax rate of 10.0% to 25.0% for up to a total of eight years, subject
to an adjustment based on the percentage of foreign investors’ ownership. We were also eligible for certain tax benefits provided
to Benefited Enterprises under the Investment Law. In March 2013, we notified the Israel Tax Authority that we apply the new tax Preferred
Enterprise regime under the Investment Law instead of our Approved Enterprise and Benefited Enterprise. Accordingly, we are eligible for
certain tax benefits provided to Preferred Enterprises under the Investment Law. If we do not meet the conditions stipulated in the Investment
Law and the regulations promulgated thereunder, as amended, for the Preferred Enterprise, any of the associated tax benefits may be canceled,
and we would be required to repay the amount of such benefits, in whole or in part, including interest and CPI linkage (or other monetary
penalties). Starting from 2017, we were recognized as eligible for the Technological Preferred Enterprise regime, a sub-category of the
Preferred Enterprise regime, which grants enhanced tax benefits to enterprises with significant research and development activities. In
the future these tax benefits may be reduced or discontinued. If these tax benefits are reduced, cancelled or discontinued, our Israeli
taxable income would be subject to regular Israeli corporate tax rates, which would harm our financial condition and results of operations.
Additionally, if we increase our activities outside of Israel through acquisitions, for example, our expanded activities might not be
eligible for inclusion under future Israeli tax benefit regimes. See “Item 5. Operating and Financial Review and Prospects—Critical
Accounting Estimates—Law for the Encouragement of Capital Investments, 5719-1959.”
We may become subject to claims for remuneration or royalties for
assigned service invention rights by our employees.
We enter into assignment-of-invention agreements with our employees pursuant to which such individuals
agree to assign to us all rights to any inventions created in the scope of their employment or engagement with us. A significant portion
of our intellectual property has been developed by our employees during the course of their employment by us. Under the Israeli Patent
Law, 5727-1967, inventions conceived by an employee during the scope of his or her employment with a company are regarded as “service
inventions” which belong to the employer, absent a specific agreement between the employee and employer giving the employee service
invention rights. Although our employees have agreed to assign to us service invention rights, as a result of uncertainty under Israeli
law with respect to service invention rights and the efficacy of related waivers, including with respect to remuneration and its extent,
we may face claims demanding remuneration in consideration for assigned inventions. As a consequence of such claims, we could be required
to pay additional remuneration or royalties to our current and/or former employees, or be forced to litigate such claims, which could
negatively affect our business.
As a public company incorporated in Israel we may become subject
to further compliance obligations and market trends or restrictions, which may strain our resources and divert management’s attention.
Being an Israeli publicly traded company in the United States and being subject to both U.S. and Israeli
rules and regulations may make it more expensive for us to obtain directors and officers liability insurance, and we may be required to
continue incurring substantially higher costs for reduced coverage. These factors could also make it more difficult for us to attract
and retain qualified members of our board of directors, particularly to serve on our audit committee, and qualified executive officers.
In accordance with the provisions of the Companies Law, approval of our directors and officers insurance is limited to the terms of our
duly approved compensation policy, unless otherwise approved by our shareholders.
Provisions of Israeli law and our articles of association may delay,
prevent or otherwise impede a merger with or an acquisition of us, even when the terms of such a transaction are favorable to us and our
shareholders.
Our articles of association contain certain provisions that may delay or prevent a change of control. These
provisions include that our directors (other than external directors, if applicable) are elected on a staggered basis, and therefore a
potential acquirer cannot readily replace our entire board of directors at a single annual general shareholder meeting. In addition, Israeli
corporate law regulates acquisitions of shares through tender offers and mergers, requires special approvals for transactions involving
directors, officers or significant shareholders and regulates other matters that may be relevant to such types of transactions.
Furthermore, Israeli tax considerations may make potential transactions unappealing to us or to our shareholders
whose country of residence does not have a tax treaty with Israel exempting such shareholders from Israeli tax. For example, Israeli tax
law does not recognize tax-free share exchanges to the same extent as U.S. tax law. With respect to mergers involving an exchange
of shares, Israeli tax law allows for tax deferral in certain circumstances but makes the deferral contingent on the fulfillment of a
number of conditions, including, in some cases, a holding period of two years from the date of the transaction during which sales and
dispositions of shares of the participating companies are subject to certain restrictions. Moreover, with respect to certain share swap
transactions, the tax deferral is limited in time, and when such time expires, the tax becomes payable even if no disposition of the shares
has occurred. These provisions of Israeli law and our articles of association could have the effect of delaying or preventing a change
in control in us and may make it more difficult for a third party to acquire us, even if doing so would be beneficial to our shareholders,
and may limit the price that investors may be willing to pay in the future for our ordinary shares.
It may be difficult to enforce a judgment of a U.S. court against
us, our officers and directors or the Israeli auditors named in this annual report in Israel or the United States, to assert U.S. securities
laws claims in Israel or to serve process on our officers and directors and these auditors.
We are incorporated in Israel. The majority of our directors and executive officers, and the Israeli auditors
listed in this annual report, reside outside of the United States, and most of our assets and most of the assets of these persons are located
outside of the United States. Therefore, a judgment obtained against us, or any of these persons, including a judgment based on the civil
liability provisions of the U.S. federal securities laws, may not be collectible in the United States and may not be enforced by an Israeli
court. It also may be difficult for our shareholders to effect service of process on these persons in the United States or to assert U.S.
securities law claims in original actions instituted in Israel. Israeli courts may refuse to hear a claim based on an alleged violation
of U.S. securities laws reasoning that Israel is not the most appropriate forum in which to bring such a claim. In addition, even if an
Israeli court agrees to hear a claim, it may determine that Israeli law and not U.S. law is applicable to the claim. If U.S. law is found
to be applicable, the content of applicable U.S. law must be proven as a fact by expert witnesses, which can be a time-consuming and costly
process. Certain matters of the procedure will also be governed by Israeli law. There is little binding case law in Israel that addresses
the matters described above. As a result of the difficulty associated with enforcing a judgment against us in Israel, our shareholders
may not be able to collect any damages awarded by either a U.S. or foreign court.
The rights and responsibilities of our shareholders are, and will
continue to be, governed by Israeli law which differs in some material respects from the rights and responsibilities of shareholders of
U.S. corporations.
The rights and responsibilities of the holders of our ordinary shares are governed by our articles of association
and by Israeli law. These rights and responsibilities differ in some material respects from the rights and responsibilities of shareholders
in U.S. corporations. In particular, a shareholder of an Israeli company has a duty to act in good faith and in a customary manner in
exercising its rights and performing its obligations towards the company and other shareholders, and to refrain from abusing its power
in the company, including, among other things, in voting at a general meeting of shareholders on matters such as amendments to a company’s
articles of association, increases in a company’s authorized share capital, mergers and acquisitions and related party transactions
requiring shareholder approval. In addition, shareholders have a general duty to refrain from discriminating against other shareholders
and a shareholder who is aware that it possesses the power to determine the outcome of a shareholder vote or to appoint or prevent the
appointment of a director or chief executive officer in the company has a duty of fairness toward the company with regard to such vote
or appointment. There is limited case law available to assist us in understanding the nature of this duty or the implications of these
provisions. These provisions may be interpreted to impose additional obligations and liabilities on holders of our ordinary shares that
are not typically imposed on shareholders of U.S. corporations. See “Item 6.C. Board Practices — Approval of
Related Party Transactions under Israeli Law—Fiduciary Duties of Directors and Executive Officers.”
ITEM 4. INFORMATION ON THE COMPANY
A. History and Development of the Company
Our History
CyberArk Software Ltd. was founded in 1999 with the vision of protecting high-value business data and pioneering
our Digital Vault technology. That same year, we began offering our first product, the Sensitive Information Management Solution (previously
called the Sensitive Document Vault), which provided a secure platform for our customers’ employees to share sensitive files. We
began with our early vaulting technology, which has enabled us to evolve into a company that provides a comprehensive solution to secure
identities anchored on Privileged Access Management. In 2005, we introduced our Privileged Access Management Solution, upon which we built
our leadership position in the Privileged Access Management market, providing a layer of security that protects high level and high value
access across an organization. In September 2014, we listed our ordinary shares on the Nasdaq Stock Market LLC (Nasdaq). In addition to
investing in organic research and development, in 2015 we began to execute a merger and acquisition strategy and acquired Viewfinity,
Inc., a provider of Windows least privilege management and application control software, as well as Cybertinel Ltd., a cybersecurity company
specializing in cyber threat detection technology. In May 2017, we acquired Conjur Inc., a provider of DevOps security software. In May
2020 we acquired IDaptive Holdings, Inc., an Identity as a Service (IDaaS) provider. Based on our organic investment in research and development
to drive new product releases and innovation, coupled with the incremental acquisitions of selected technologies and the execution of
our go-to-market strategy, today CyberArk is a global leader in Identity Security, centered on Privileged Access Management. We secure
access for any identity – human or machine – to help organizations secure critical business assets, protect their distributed
workforce and customers, and accelerate business in the cloud.
We are a company limited by shares organized under the laws of the State of Israel. We are registered with
the Israeli Registrar of Companies. Our registration number is 51-229164-2. Our principal executive offices are located at 9 Hapsagot
St., Park Ofer B, POB 3143, Petach-Tikva, 4951040, Israel, and our telephone number is +972 (3) 918-0000. Our website address is
www.cyberark.com. Information contained on, or that can be accessed through, our website is not part of this annual report and is not
incorporated by reference herein. We have included our website address in this annual report solely for informational purposes. Our SEC
filings are available to you on the SEC’s website at http://www.sec.gov. This site contains reports, proxy and information statements,
and other information regarding issuers that file electronically with the SEC. Our agent for service of process in the United States
is CyberArk Software, Inc., located at 60 Wells Avenue, Newton, MA 02459, and our telephone number is (617) 965-1544.
Principal Capital Expenditures
Our cash capital expenditures for fiscal years 2019, 2020 and 2021 amounted to $7.0 million, $7.2 million,
and $8.9 million, respectively. Capital expenditures consist primarily of investments in leasehold improvements for our office space,
purchases of furniture, computers and related equipment and internal use software capitalization. We anticipate our capital expenditures
in fiscal year 2022 to be less than 3% of revenues. We anticipate our capital expenditures in 2022 will be financed with cash on hand
and cash provided by operating activities.
We are a global leader in Identity Security, centered on Privileged Access Management (PAM), with a focus
on protecting organizations against identity-oriented cyber threats. We secure access for any identity – human or machine –
to help organizations secure critical business assets, protect their distributed workforce and customers, and accelerate business in the
cloud. Our vision is to deliver an Identity Security Platform that contextually authenticates each identity, dynamically authorizes the
least amount of privilege required, secures credentials, and thoroughly audits the entire cycle.
As the market leader in Privileged Access Management, we are uniquely positioned to deliver on Identity
Security because our core competency is securing the “keys to the kingdom.” These “keys to the kingdom” provide
complete control of access to sensitive infrastructure and applications; in the hands of malicious insiders or external attackers, the
consequences to businesses can be devastating. With the rapid rise in mobile workers, hybrid and multi-cloud adoption, and digitalization
of the enterprise, physical and network security barriers are less relevant for securing data and assets than ever before. Compromised
identities and their associated privileges now represent the fastest attack path to an organization’s most valuable assets. As a
result, identity controls are now becoming the new security perimeter and are foundational to organizations rolling out Zero Trust strategies. Our
approach is unique as CyberArk recognizes that every identity can become privileged under certain conditions, and we offer the broadest
range of security controls to reduce that risk while delivering a high-quality experience to the end user. This includes securing workforce,
partner, and customer identities by replacing complex, patchworked, and siloed legacy access and privileged access management solutions
to improve security and operational efficiencies.
During 2021, we continued to add new customers and cross sell to existing customers directly and through
channels. As of December 31, 2021, we had approximately 7,500 customers, including more than 55% of Fortune 500 companies and more than
35% of Global 2000 companies. We define a customer to include a distinct entity, division, or business unit of a company. Our customers
include leading organizations in a diverse set of industries, including financial services, manufacturing, insurance, healthcare, energy
and utilities, transportation, retail, technology, and telecommunications, as well as federal and local government agencies in multiple
countries. We sell our solutions through a high-touch hybrid model that includes direct sales, channel sales, managed security service
providers, as well as advisory firm partners.
In 2021, we began to actively shift to a subscription business model where we plan to primarily sell SaaS
and self-hosted subscriptions. Today, the majority of our new license sales are from subscriptions, and we expect perpetual licenses to
continue to decline as a percent of license sales.
Our Growth Strategy
The key elements of our long-term growth strategy include:
• Strengthening our Identity Security leadership position by delivering ongoing innovation. We intend to extend our leadership
position by enhancing our existing products and services, introducing new functionality and developing new solutions to address new use
cases. Our strategy includes both internal development and an active mergers and acquisition program where we acquire or invest in complementary
businesses or technologies.
• Extending our global go-to-market reach. We sell our solutions through
a high-touch hybrid model that includes direct and indirect sales. We plan to expand our sales reach by adding new direct sales capacity,
expanding our indirect channels by deepening our relationships with existing partners and by adding new value-added resellers, system
integrators, managed security service providers and C3 Alliance partners. We are also expanding our routes to market to include cloud
provider marketplaces.
• Growing our customer base. The global threat landscape, digitalization of the enterprise, cloud migration and the broad security
skills shortage are contributing to the need for Identity Security solutions. We believe that every organization, regardless of
size or vertical, needs Identity Security and we plan to pursue business with new customers in the enterprise and mid-market, or commercial,
segments of the market.
• Expanding our relationships with existing customers. As
of December 31, 2021, we had approximately 7,500 customers. We have worked hard to develop strong relationships with our customers, and
our strategy includes our Customer Success team expanding these relationships by growing the number of users who access our solutions
and cross-selling additional products and services.
• Driving strong adoption of our solutions and retaining our customer base. An
important part of our overall strategy, particularly for our SaaS and self-hosted subscription customers, is delivering fast time to value
from our solutions. We plan to deliver high levels of customer service and support and continue to invest in our Customer Success team
to help ensure that our customers are up and running quickly and derive benefit from our software, which we believe will result in higher
customer retention rates.
• Attracting, developing and retaining a diverse and inclusive employee base.
A key pillar of our growth strategy is attracting, developing and retaining our employees. Our people are one of our most valuable
assets, and our culture is a key business differentiator for CyberArk. We value diversity and inclusion which allows for the exchange
of ideas, creates a strong community and helps ensure our employees are valued and respected.
Industry Background
Several multi-year trends drive the growth of our market, making the security of identities
and their associated privileges a main focus of product investment.
Digital Transformation and Shift Left: The digitalization of business
creates a larger digital landscape full of opportunities for improved engagement with customers, vendors and employees, but also greater
exposure to cyber threats. New digital technologies require expanded privileged access for both humans and machines that must be properly
secured. Hybrid and multi-cloud adoption drive the need for centralized solutions that help secure access of all types enterprise-wide.
This trend has greatly accelerated because of the COVID-19 pandemic forcing large portions of the workforce to work remotely and a much
larger portion of businesses to offer online options to stay viable.
Cloud Migration and SaaS Applications: Broad acceptance and adoption
of hybrid and cloud-based infrastructure, the level of speed and automation across IT environments, and an increasing reliance on SaaS
applications, are having a significant impact on how organizations approach security. Until a few years ago, organizations would typically
prioritize protection of their most critical systems and data, with a particular focus on protecting privileged access. “Privileged
users” were understood at the time to be mostly IT administrators accessing shared administrative accounts in systems and applications,
whereas in today’s cloud and SaaS environment, every identity can become privileged under certain conditions.
Any of the identities operating in a modern environment (such as employees, partners, IT Admins, DevOps
team members and developers, applications or robots, vendors, or customers) might have some level of privilege that, if improperly secured,
can provide an attack path into an organization’s most valuable assets. This trend is coupled with the rapid expansion and adoption
of hybrid and cloud infrastructure, applications and application programming interfaces (APIs), mobile and remote workers, and use of
third parties such as vendors. We now live in a world where the number, types, and interrelationships of identities have exploded, creating
new dimensions to the threat landscape.
In addition, the underlying environments are highly dynamic with much more ephemeral infrastructure where
compute capacity is easily scaled up or scaled down. The rates of change in these modern environments are exponentially faster,
and this requires organizations to implement more automation into their identity security controls for both traditional and cloud native
applications built using DevOps methodologies.
Zero Trust Security: A conventional security approach that relies
on perimeter-based security is relatively less effective and applicable in a modern environment, as organizations adopt cloud and SaaS
applications and as more of the workforce continues to work remotely. In parallel, it has become increasingly difficult to keep attackers
out of an organization’s network altogether. The expansion of the attack surface and prevalence of threats has led to a growing
application of a Zero Trust approach to security.
While traditional, perimeter-based security relies on a strategy of trying
to separate legitimate users from threat actors and assumes that systems and traffic within the corporate networks and datacenters can
be trusted, Zero Trust assumes that the threat actors have already established a network presence and have access to an organization’s
applications and systems. In a Zero Trust security model, organizations aim to have every identity authenticated and authorized before
granting it access and to do so on a continuous basis.
Zero Trust is not a single technology, but an approach that ensures every user’s identity is verified,
their device is validated, and their access is intelligently limited to just what they need – and taken away when they no longer
need it. CyberArk’s Identity Security solutions deliver a set of technologies that are foundational to adopting a Zero Trust approach.
Skills Gap: The skills gap in cyber security creates meaningful
challenges, not only for Chief Information Security Officers (CISOs), but also for implementing mission-critical strategic initiatives. As cloud adoption
accelerates the speed of business, companies are relying more heavily on applications, technology and automation to compete. CISOs are
evaluating staffing requirements for adding new security tools and implementing new projects and business initiatives. To address the
staffing shortage and skills gap, organizations are looking at opportunities to consolidate vendors and increase the implementation of
automation to free up security and IT teams to focus on more value-added initiatives.
Governance and Compliance: Industry regulations such as Sarbanes-Oxley
(SOX), Payment Card Industry Data Security Standard (PCI), SWIFT Customer Security Controls Framework, Health Insurance Portability
and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and security frameworks such as National Institute of Standards
and Technology (NIST) and the Center for Internet Security (CIS) all have stringent requirements to uphold strong Identity Security controls to maintain
data privacy and sovereignty. Interest in CyberArk’s Identity Security solutions is also being fueled by customers who are purchasing
cyber insurance policies and need to provide proof of implementation of proper Identity Security controls to obtain insurance coverage
and lower their premiums.
Our Solutions
Our Identity Security Platform provides a complete and flexible set of Identity Security capabilities across
three main solution areas: Privilege, Access, and DevSecOps.
Privilege
CyberArk’s Privileged Access Management solutions can be used to secure, manage, and monitor privileged
access. Privileged accounts can be found on endpoints, in applications, and from hybrid to multi-cloud environments.
• Privileged Access Manager. CyberArk Privileged Access Manager includes risk-based credential
security and session management to protect against attacks involving privileged access. CyberArk’s self-hosted Privileged Access
Manager solution (formerly known as Core PAS) can be deployed in a self-hosted data center or in a hybrid cloud or a public cloud environment,
either as a perpetual license or as a subscription. CyberArk’s Privileged Access Manager is also provided as a SaaS solution through
CyberArk Privilege Cloud.
• Vendor Privileged Access Manager. CyberArk Vendor Privileged Access Manager combines Privileged
Access Manager and Remote Access (formerly known as Alero) to provide fast, easy and secure privileged access to third-party vendors who
need access to critical internal systems via CyberArk, without the need to use passwords. By not requiring VPNs or agents, Vendor Privileged
Access Manager removes operational overhead for administrators, makes it easier and quicker to deploy and improves organizational security.
• Endpoint Privilege Manager. CyberArk Endpoint Privilege Manager
is a SaaS solution that secures privileges on the endpoint (Windows servers, Windows desktops and Mac desktops) and helps contain attacks
early in their lifecycle. It enables revocation of local administrator rights, while minimizing impact on user productivity, by seamlessly
elevating privileges for authorized applications or tasks. Application control, with automatic policy creation, allows organizations to
prevent malicious applications from executing, and runs unknown applications in a restricted mode. This, combined with credential theft
protection, helps prevent malware such as ransomware from gaining a foothold and contains attacks on the endpoint.
• Cloud Entitlements Manager. CyberArk Cloud Entitlements Manager
is a SaaS solution that reduces risks that arise from excessive privileges by implementing Least Privilege across cloud environments.
From a centralized dashboard, Cloud Entitlements Manager provides visibility and control of permissions across an organization’s
cloud landscape. Within this single display, Cloud Entitlements Manager offers automatically deployable remediations based on the principle
of Least Privilege, to help organizations strategically remove excessive permissions without disrupting cloud operations.
Access
We deliver robust Identity and Access Management as a Service (IDaaS) which provides a comprehensive Artificial
Intelligence (AI)-based and security-first approach to managing identities that is both adaptive and context-aware. CyberArk Identity
includes capabilities to secure both workforce and customer identities.
Workforce Identity offers:
• Adaptive Multi-factor Authentication (MFA). Adaptive MFA enables an enterprise to enforce
risk-aware and strong identity assurance controls within the organization.
• Single Sign-On (SSO). SSO is the ability to use a single secure identity to access all applications
and resources within an organization. CyberArk Identity enables SSO for all types of users (workforce, partners, and consumers) to all
types of workstations, systems, VPNs, and applications both in the cloud and on-premises.
• Secure Web Sessions. Secure Web Sessions records, audits and protects end-user activity within
designated web applications. The solution uses a browser extension on an end-user’s endpoint to monitor and segregate web apps that
are accessed through SSO and deemed sensitive by business application owners, enterprise IT and security administrators.
• Application Gateway. With the CyberArk Identity Application Gateway service, customers can
enable secure remote access and expand SSO benefits to on-premises web apps — like SharePoint and SAP — without the complexity
of installing and maintaining VPNs.
• Identity Lifecycle Management. This module enables CyberArk Identity customers to automate
the joiner, mover, and leaver processes within the organization. This automation is critical to ensure that privileges don’t accumulate,
and a user’s access is turned off as soon as the individual changes roles or leaves the organization.
• Directory Services. Allows customers to use identity where they control it. In other words,
we do not force our customers to synchronize their on-premises Active Directory implementation with our cloud. Our cloud architecture
can work seamlessly with any existing directory, such as Active Directory, LDAP-based directories, and other federated directories. CyberArk
Identity also provides its own highly scalable and flexible directory for customers who choose to use it.
Customer Identity offers authentication and authorization services,
MFA, directory, and user management to enable organizations to provide customers and partners with easy and secure access to websites
and applications.
In alignment with our Identity Security strategy, we sell packaged offerings that align with the requirements
of workforce users, privileged users, and external vendors. The workforce user offering includes credential vaulting and sharing, Adaptive
MFA, and SSO. The privileged users offering includes full credential management, session management, and Remote Access. The external vendor
offering aligns to the capabilities detailed above for Vendor Privileged Access Manager.
DevSecOps
Our capabilities in the area of DevSecOps are focused on securing secrets used by machine identities such
as applications, scripts, containers, DevOps tools, and third-party security solutions. Secrets Manager enables organizations to avoid
the need to store secrets within applications and instead allows them to easily and securely access the required credentials from the
CyberArk Vault. Secrets Manager supports traditional applications with its Credential Providers and dynamic applications with Conjur.
• Secrets Manager Credential Providers. Credential Providers can be used to provide and manage
the credentials used by third-party solutions such as security tools, RPA, and IT management software, and also support internally developed
applications built on traditional monolithic application architectures. Credential Providers work with CyberArk’s on-premises and
SaaS-based solutions.
• Secrets Manager Conjur. For cloud-native applications built using DevOps methodologies, Conjur
Enterprise provides a secrets management solution tailored specifically to the unique requirements of these environments. We also provide
an open-source version to better meet the needs of the developer community.
Our Technology
Our portfolio provides a complete and flexible set of Identity Security capabilities that leverage the
following core technologies:
Secure Digital Vault Technology. Our proprietary
Digital Vault technology provides a highly secure, isolated environment, independent of other software, and is engineered with multiple
layers of security. Our on-premises and SaaS PAM solutions use the highly secured Digital Vault to safely store, audit and manage passwords,
privileged credentials, policy information and privileged access session data.
Privileged Session Recording and Controls. Our
innovative privileged session recording and control mechanisms provide the ability to isolate an organization’s IT systems from
end-user desktops, while monitoring and auditing privileged session activities. The architecture blocks direct communication between an
end-user’s desktop and a target system, thus preventing potential malware on the desktop from infiltrating the target system. This
architecture further ensures that privileged credentials will remain protected and will not be exposed to the end-user or reach the desktop.
CyberArk session monitoring solutions support native connectivity, whether from browser, native RDP or SSH tools, and via the CLI (Command
Line Interface). Risk scoring can be applied to each recorded session, automating the review of all privileged sessions and enabling auditors
to prioritize and deprioritize workloads based on risk.
Secure Remote Access. The cloud-based, multifactor
authentication provided with Remote Access leverages the biometric capabilities from smartphones which in turn allows authorized remote
vendors simple just-in-time secure privileged access. Once authenticated, all privileged sessions are automatically recorded for full
audit and monitored in real-time.
Strong Application Authentication and Credential Management.
The Secrets Manager (formerly Application Access Manager) architecture allows an organization to eliminate hard-coded application
credentials, such as passwords and encryption keys, from applications and scripts. Our secure, proprietary technology permits authentication
of an application during run-time, based on any combination of the application’s signature, executable path or IP address, and operating
system user. Following application authentication, the authenticated application uses a secure application programming interface (“API”),
to request privileged account credentials during run-time and, based on the application permissions in Privileged Access Manager, up-to-date
credentials are provided to the application.
Strong Endpoint Security. Our endpoint agent
technology provides policy-based privilege management, application control and credential theft protection capabilities. The agent detects
privileged commands, and application installation or invocation on the endpoint to validate whether it is permissible in accordance with
the organization’s security policy, otherwise blocking the operation or allowing it to run in a restricted mode. Having users operate
in a least privilege mode together with our agent-based technology effectively reduces the attack surface that attackers or malware can
exploit. The solution leverages third-party threat and reputation information to further strengthen controls and block bad or malicious
applications based on such security intelligence.
Adaptive Multi-factor Authentication. Our Adaptive
Multi-factor Authentication (MFA) enforces risk-aware and strong identity assurance controls within an organization. These controls include
a broad range of built-in authentication factors such as passwordless authenticators like Windows Hello and Apple TouchID, high assurance
authenticators like USB security keys, and our patented Zero Sign-on certificate-based authentication.
Single Sign-on. Our Single Sign-on (SSO) solution
facilitates the secure access to many different applications, systems, and resources while only requiring a single authentication. Our
SSO solution offers a modern identity provider supporting popular SSO protocols to any system or app that supports SAML, WS-Fed, OIDC
and OAuth2 as well as an extensive application catalog with out-of-the-box integration for thousands of applications.
Our Customers
As of December 31, 2021, we had approximately 7,500 customers, including more than 55% of Fortune
500 companies and more than 35% of Global 2000 companies. Our customers include leading organizations in a diverse set of industries,
including financial services, manufacturing, insurance, healthcare, energy and utilities, transportation, retail, technology and telecommunications,
as well as government agencies.
Our business is not dependent on any particular customer. No customer or channel partner accounted for
more than 10% of our revenues in the last three years. Our diverse global footprint is evidenced by the fact that in 2021, we generated
50.5% of our revenues from customers in the United States, 32.5% from the EMEA region and 17.0% from the rest of the world, including
countries in North and South America other than the United States and countries in the Asia Pacific and Japan region.
Go-to-Market
Marketing
Our marketing strategy is focused on building our brand strength, communicating the benefits of our solutions,
developing leads, and increasing sales to existing customers. We market ourselves as the global leader in Identity Security. Centered
on Privileged Access Management, we provide comprehensive security solutions for any identity – human or machine – across
business applications, distributed workforces, hybrid cloud workloads, and throughout DevOps pipelines. The world’s leading organizations
trust CyberArk to help secure their most critical assets. We execute our strategy by leveraging a combination of internal marketing professionals
and a network of channel partners to communicate the value proposition and differentiation for our products, generating qualified leads
for our sales force and channel partners. Our marketing efforts also include public relations in multiple regions and extensive content
development available through our website. We are focused on ongoing thought-leadership campaigns to reinforce our positioning as the
Identity Security leader.
In 2021, our marketing investments and campaigns continued to address our customers’ and prospects’
“new normal” of remote work and online engagement versus in-person trade shows, regional events, and in-person meetings. For
example, in July 2021 we held our 15th annual Impact User Conference entirely online. Additional adjustments included replacing
in-person regional events with regional online experiences, as well
as increased investment and focus on digital marketing channels. We believe that just as parts of the new normal for our customers and
prospects will be permanent, our investments, experience, and focus on online events and digital marketing will become a permanent focus
of our marketing mix going forward.
Sales
We believe that our hybrid sales model, which combines the leverage of high-touch, channel sales with the
account control of direct sales, has played an important role in the growth of our customer base to date. We maintain a highly trained
sales force that is responsible for developing and closing new business, the management of relationships with our channel partners and
the support and expansion of relationships with existing customers. Our sales organization is organized by geographic regions, consisting
of the Americas, EMEA and Asia Pacific and Japan regions. As of December 31, 2021, our global network of channel partners consisted
of more than 450 resellers, distributors, and managed service providers. Our channel partners generally complement our sales efforts by
helping identify potential sales targets, maintaining relationships with certain customers and introducing new products to existing customers
and offering post-sale professional services and technical support. In 2021 we generated approximately 26% of our revenues from direct
sales from our field offices located throughout the world. Approximately 36% of our sales in the United States are direct while most
of our sales in the rest of the world, including the EMEA and Asia Pacific and Japan regions, are through channel partners. We work with
many global systems integration partners and several leading regional security value added resellers, such as Optiv Security Inc., Merlin
International, Computacenter United States Inc., Netpoleon, SHI, M.Tech and GuidePoint Security. These companies were each among our top
15 channel partners in 2020 and 2021 by revenues and we have derived a meaningful amount of revenues from sales to each of them during
the last two years. Further, we work with advisory firms such as Deloitte and KPMG in marketing our solutions and providing implementation
services to our customers. We also have a joint business relationship contract with PricewaterhouseCoopers LLP in which we may engage
in co-marketing and associated co-delivery of solutions and implementation services.
Through CyberArk’s C3 Alliance, our global technology partner program, we bring together enterprise software, IT, Security, and cloud providers to build on
the power of Identity Security to better protect customers from cyber threats. Our CyberArk Marketplace provides a trusted platform for
customers to easily find and deploy integrations from the C3 Alliance, partners, and community members.
Our sales cycle varies by size of the customer, the number of products purchased and the complexity of
the customer’s IT infrastructure, ranging from several weeks for incremental sales to existing customers to several months for large
deployments. We also typically experience seasonality in our sales, particularly demonstrated by increased sales in the last month of
a quarter and the last quarter of the year. To support our broadly dispersed global channel partners and customer base, as of December 31,
2021, we had sales personnel in 39 countries. We plan to continue investing in our sales organization to support both the growth of our
channel partners and our direct sales organization.
Professional and Support Services
Maintenance and Support
Our maintenance and support program provides all customers who purchase maintenance and support in conjunction
with their perpetual licenses, and customers who purchase self-hosted and SaaS subscriptions, the right to software bug repairs, the latest
software enhancements, and updates on an if-and-when available basis during the maintenance period or subscription term, and access to
our technical support services. Customers who purchase maintenance and support in conjunction with their initial perpetual license purchase
typically buy for one year or three years, and can subsequently continue to renew maintenance and support for additional one- or three-year
periods. These two alternative maintenance and support periods are common in the software industry. Customers typically pay for each alternative
in full at the beginning of their terms but in select situations can opt for annual payments.
Our technical support services are provided to perpetual and subscription customers via our online support
center, which enables customers to submit new support queries and monitor the status of open and past queries. Our online support system
also provides customers with access to our CyberArk Knowledge Base, an online user-driven information repository that provides customers
the ability to address their own queries. Additionally, we offer email and telephone support during business hours to customers that purchase
a standard support package and 24/7 availability to customers that purchase our 24/7 support or subscription package.
Our global customer support organization has expertise in our software and how it interacts with complex
IT environments. We typically provide all levels of support directly to our customers. However, when sales are made through channels,
the channel partner may provide the first and second level support, and we typically provide third level support if the issue cannot be
resolved by the channel partner.
Professional Services
Our products are designed to allow for online trials, or to allow customers to download, install and deploy
them on their own or with training and professional assistance. Our solutions are highly configurable, and many customers will select
either one of our many trained channel partners or our CyberArk Security Services team to provide expert professional services. Our Security
Services team can be contracted to assist customers in planning, installing, and configuring our solution to meet the needs of their security
and IT environment, and provide technical account management services. Our Security Services team provides ongoing consulting services
regarding best practices for achieving Identity Security, and recommended ways to implement our solutions to meet specific customer requirements.
Additionally, they share best practices associated with Identity Security to educate customers and partners on such best practices through
virtual classroom, live face-to-face, or self-paced classes. We also have Red Team services which specialize in adversary simulations
to test customers’ and prospects’ cloud and hybrid environments, DevOps pipelines and processes to help make their environment
more secure.
In 2021, we introduced new professional services solutions aimed at delivering faster time to value and
helping customers streamline the deployment of certain CyberArk SaaS products, while providing a resource to help to implement a phased
approach to a Privileged Access Management program, from planning, to pilot, to production.
We began to deliver the Blueprint for Privileged Access Management in 2020 and further broadened the Blueprint
to Identity Security in 2021. The most comprehensive program of its kind, CyberArk Blueprint is designed to help customers take a future-proof,
phased and measurable approach to reducing Identity Security risks. Based on the experience of the CyberArk Labs and Red Team (CyberArk
teams involved in cyber security research) and incident response engagements, nearly every targeted attack follows a similar pattern of
identity and privileged credential compromise. These patterns influenced CyberArk Blueprint’s three guiding principles, which are
foundational to the program: prevent credential theft; stop lateral and vertical movement; and limit privilege escalation and abuse. The
CyberArk Blueprint uses a simple, prescriptive approach based on these guiding principles to reduce risk across five stages of Identity
Security maturity. Customers benefit from being able to prioritize quick wins, progressively address advanced Identity Security use cases,
and align security controls to digital transformation efforts across hybrid environments.
Research and Development
Continued investment in research and development is critical to our business. Our research and development
efforts are focused primarily on improving and continuing to enhance existing products and services, as well as developing new products,
platforms, features and functionality to meet market needs. We believe the timely development of new products and capabilities is essential
to maintaining our competitive position. We regularly release new versions of our software which incorporate new features and enhancements
to existing features. We also maintain a dedicated CyberArk Labs team that researches reported cyber-attacks, the attackers’ techniques
and post-exploit methods that lead to new security development initiatives for our products and provides thought-leadership on new product
capabilities and targeted attack mitigation.
As of December 31, 2021, we had 643 employees focused on research and development. We conduct our
research and development activities primarily in Israel, as well as other locations such as the United States and India. We believe this
provides us with access to world class engineering talent. Our research and development expenses were $72.5 million, $95.4 million, and
$142.1 million in 2019, 2020, and 2021 respectively.
Intellectual Property
We rely on a combination of patent, trademark, copyright and trade secret laws, confidentiality procedures
and contractual provisions to protect our technology and the related intellectual property.
As of December 31, 2021, we had 113 issued patents in the United States, and 50 pending
U.S. patent applications. We also had 47 issued patents and 25 applications pending for examination in non-U.S.
jurisdictions, all of which are counterparts of our U.S. patent applications. We expect to file additional patent applications
in the future.
The inventions for which we have sought patent protection relate to current and future elements of our
products and technology. The following list of products identifies some of those with patent-protected features, but other products may
also be protected by one or more patents: Privileged Access Security (PAS) solutions, including Privileged Access Manager, Vendor Privileged
Access Manager, Privileged Session Manager (PSM), Enterprise Password Vault (EPV), Privilege Cloud, CyberArk DNA (Discovery and Audit),
Privileged Threat Analytics (PTA), Endpoint Privilege Manager (EPM), Sensitive Information Management (SIM) and Cloud Entitlements Manager;
Secrets Management Solutions, including Conjur Secrets Manager Enterprise, Conjur Secrets Manager Open Source, Credential Providers, Secretless
and Secretless Broker; and Access Management Solutions, including CyberArk Workforce Identity and CyberArk Customer Identity.
We generally enter into confidentiality agreements with our employees, consultants, service providers,
resellers and customers and generally limit internal and external access to, and distribution of, our proprietary information and proprietary
technology through certain procedural safeguards. These agreements and measures may not effectively prevent unauthorized use or disclosure
of our intellectual property or technology and may not provide an adequate remedy in the event of unauthorized use or disclosure of our
intellectual property or technology.
Our industry is characterized by the existence of many relevant patents and frequent claims and related
litigation regarding patent and other intellectual property rights. Leading companies in the security industry have extensive patent portfolios.
As our market position continues to grow, we believe that competitors will be more likely to try to develop products that are like ours
and that may infringe our proprietary rights. It may also be more likely that competitors or third parties will claim that our products
infringe their proprietary rights. From time to time, third parties have asserted and may assert their patent, copyright, trademark and
other intellectual property rights against us, our channel partners, users, or customers, whom our standard license and other agreements
may obligate us to indemnify against such claims under certain circumstances. Successful claims of infringement or misappropriation by
a third party could prevent us from developing, distributing, licensing, using certain products, performing certain services or could
require us to pay substantial damages (including, for example, treble damages if we are found to have willfully infringed patents and
increased statutory damages if we are found to have willfully infringed copyrights), royalties or other fees. Such claims also could require
us to expend additional development resources to attempt to redesign our products or services or otherwise to develop non-infringing technology;
enter into potentially unfavorable royalty or license agreements to obtain the right to use necessary technologies or intellectual property
rights; and to indemnify our customers and partners (and parties associated with them). Even if third parties may offer a license to their
technology, the terms of any offered license may not be acceptable, and the failure to obtain a license or the costs associated with any
license could cause our business, results of operations or financial condition to be materially and adversely affected.
Competition
The IT security market in which we operate is characterized by intense competition, constant innovation,
rapid adoption of different technological solutions and services, and evolving security threats. We compete with a multitude of companies
that offer a broad array of IT security products that employ different approaches and delivery models to address these evolving threats.
Our current competitors in the Privileged Access Management market include BeyondTrust Corporation, One
Identity LLC, and Delinea Inc. (formerly ThycoticCentrify), as well as companies that offer identity security and DevOps solutions, such
as Okta Inc., Microsoft Corporation and HashiCorp, Inc. In addition, we may face competition due to changes in the manner that organizations
utilize IT assets and the security solutions applied to them, such as the provision of Privileged Access Management functionalities as
part of public cloud providers’ infrastructure offerings, or cloud-based identity management solutions. IT security spending
is spread across a wide variety of solutions and strategies, including, for example, endpoint, network and cloud security, vulnerability
management and identity and access management. Organizations continually evaluate their security priorities and investments and may allocate
their IT security budgets to other solutions and strategies and may not adopt or expand use of our solutions. Accordingly, we may also
compete for budgetary reasons, to a certain extent, with additional vendors that offer threat protection solutions in adjacent or complementary
markets to ours, such as Palo Alto Networks or CrowdStrike Holdings, Inc.
The principal competitive factors in our market include:
o the breadth and completeness of a security solution;
o reliability and effectiveness in protecting, detecting and responding to cyber-attacks;
o analytics and accountability at an individual user level;
o ability of customers to achieve and maintain compliance with compliance standards and audit requirements;
o strength of sales and marketing efforts, including advisory firms and channel partner relationships;
o global reach and customer base;
o scalability and ease of integration with an organization’s existing IT infrastructure and security investments;
o brand awareness and reputation;
o innovation and thought leadership;
o quality of customer support and professional services;
o speed at which a solution can be deployed and implemented; and
o price of a solution and cost of maintenance and professional services.
We believe we compete favorably with our competitors based on these factors. However,
some of our current competitors may enjoy one or some combination of potential competitive advantages, such as greater name recognition,
longer operating history, larger market share, larger existing user base and greater financial, technical, and operational capabilities.
Properties
Our corporate headquarters are in Petach Tikva, Israel in an office consisting of approximately 139,100
square feet to which we moved in September 2017. The current lease expires in September 2027 with an extension option for one successive
24-month period. Our U.S. headquarters are in Newton, Massachusetts in an office consisting of approximately 32,463 square feet.
The lease expires in June 2026 with an extension option for the entire premises through 2034. We maintain additional offices in other
locations, including in the U.K., Singapore, France, Germany, Australia, Japan and the Netherlands. We believe that our facilities
are sufficient to meet our current needs and that if we require additional space to accommodate our growth, we will be able to obtain
additional facilities on commercially reasonable terms.
Internal Cybersecurity
As we offer Identity Security solutions and services, we are sensitive to potential cyber-attacks that
may result in unauthorized access to our information, and potentially that of our customers. We are also aware that, being an Israeli
company, we may be targeted by cyber terrorists and nation-state actors. Any actual or perceived breach of our networks, systems or data
may have an adverse impact on the market perception of our solutions and services and may expose us to potential liability.
For more information regarding the risks involved with cybersecurity, see “Item 3.D. Risk Factors—
Our reputation and business could be harmed due to real or perceived vulnerabilities in our solutions or services or the failure of our
customers or third parties to correctly implement, manage and maintain our solutions, resulting in loss of customers, enforcement actions,
lawsuits or financial losses” and “—If our internal IT network systems, or those of our third-party providers, are compromised
by cyberattacks or other security incidents, or by a critical system disruption or failure, then our reputation, financial condition and
operating results could be materially adversely affected.”
We are focused on continuously implementing and maintaining technologies and solutions to assist in the
prevention of potential cyber-attacks, as well as protective measures and contingency plans in the event of an actual attack. We maintain
cybersecurity risk management policies and procedures, including internal controls, audits and disclosure protocols for handling and responding
to cybersecurity events. These policies and procedures include internal notifications and engagements and, as necessary, cooperation with
law enforcement. Our controls are designed to limit and monitor access to our systems, networks, and data, prevent inappropriate or unauthorized
access or modification, and monitor for threats or vulnerabilities. We periodically review and modify our cybersecurity risk management
policies and procedures to reflect changes in technology, the regulatory environment, industry and security practices and other business
needs. We conduct periodic trainings for our employees, including on phishing, malware and other cybersecurity risks and we have mechanisms
in place designed to promote rapid internal reporting of potential or actual cybersecurity breaches.
We have also made significant investments in technical and organizational measures
to establish and manage compliance with laws and regulations governing our activities regarding protected data (such as GDPR), which enhance
our data protection and cybersecurity. Furthermore, we monitor cybersecurity risks, certifications or assessments at our third-party cloud
infrastructure providers and other IT service providers and reevaluate those contractual relationships as appropriate.
The audit committee of our board periodically reviews our cybersecurity risks and controls with senior
management, keeping our board informed of key issues.
Government Regulations
For information regarding the material effects of government regulations, see “—Industry Background”
above, “Item 3.D. Risk Factors— The dynamic regulatory environment around privacy and data protection, may limit our offering
or require modification of our products and services, which could limit our ability to attract new customers and support our current customers
and increase our operational expenses. We could also be subject to investigations, litigation, or enforcement actions alleging that we
fail to comply with the regulatory requirements which could harm our operating results and adversely affect our business,” “—We
are subject to a number of regulatory and geopolitical risks, associated with global sales and operations, which could materially affect
our business,” and “The tax benefits that are available to us require us to continue to meet various conditions and may be
terminated or reduced in the future, which could increase our costs and taxes,” and “Item 5. Operating and Financial Review
and Prospects—Operating Results—Israeli Tax Considerations and Government Programs.”
Legal Proceedings
See “Item 8.A. Consolidated Statements and Other Financial Information—Legal Proceedings.”
C. Organizational Structure
The legal name of our Company is CyberArk Software Ltd. and we are organized under the laws of the State
of Israel.
The following table sets forth our key subsidiaries all of which are 100% owned directly or indirectly
by CyberArk Software Ltd.:
Name of Subsidiary | Place of Incorporation
CyberArk Software, Inc. | Delaware, United States
Cyber-Ark Software (UK) Limited | United Kingdom
CyberArk Software (Singapore) PTE. LTD. | Singapore
CyberArk Software (DACH) GmbH | Germany
CyberArk Software Italy S.r.l. | Italy
CyberArk Software (France) SARL | France
CyberArk Software (Netherlands) B.V. | Netherlands
CyberArk Software (Australia) Pty Ltd. | Australia
CyberArk Software (Japan) K.K. | Japan
CyberArk Software Canada Inc. | Canada
CyberArk USA Engineering, GP, LLC | Delaware, United States
CyberArk Software (Spain), S.L. | Spain
CyberArk Software (India) Private Limited | India
D. Property, Plant and Equipment
See “Item 4.B.—Business Overview—Properties” for a discussion of property, plant
and equipment, as applicable.
ITEM 4A. UNRESOLVED STAFF COMMENTS
Not applicable.
ITEM 5. OPERATING AND FINANCIAL REVIEW AND PROSPECTS
The following discussion and analysis should be read in conjunction with our consolidated
financial statements and the related notes contained elsewhere in this annual report. This discussion and analysis may contain forward-looking
statements based upon current expectations that involve risks and uncertainties. Our actual results may differ materially from those anticipated
in these forward-looking statements as a result of various factors, including those set forth in “Item 3.D. Risk Factors”
of this annual report. Our financial statements have been prepared in accordance with U.S. GAAP.
Company Overview
CyberArk is a global leader in Identity Security, centered on Privileged Access Management (PAM) with a
focus on protecting enterprises against identity-oriented cyber threats. We secure access for any identity – human or machine –
to help organizations secure critical business assets, protect their distributed workforce and customers, and accelerate business in the
cloud. CyberArk’s vision is to deliver an Identity Security Platform that contextually authenticates each identity, dynamically authorizes the
least amount of privilege required, secures credentials, and thoroughly audits the entire cycle – giving organizations
peace of mind to drive their businesses fearlessly forward.
With CyberArk’s Identity Security Platform, organizations can reduce risk and secure their digital
business. As the market leader in Privileged Access Management, we are uniquely positioned to deliver on Identity Security because
our core competency is securing the “keys to the kingdom.” These “keys to the kingdom” provide complete control
of access to sensitive infrastructure and applications; in the hands of malicious insiders or external attackers, the consequences to
businesses can be devastating.
Securing these human and machine identities is now more important than ever. With the rapid rise in mobile
workers, hybrid and multi-cloud adoption, and digitalization of the enterprise, physical and network security barriers are less relevant
at securing data and assets than ever before. Compromised identities and their associated privileges represent an attack path to an organization’s
most valuable assets. We believe that identity has become the new security perimeter and is at the foundation of Zero Trust security models.
Our approach is unique since CyberArk recognizes that every identity can become privileged under certain conditions, and we offer the
broadest range of security controls to reduce risk while delivering a high-quality experience to the end user. This includes securing
workforce, partner, and customer identities by replacing complex, patchworked, and siloed legacy access management solutions to improve
security and operational efficiencies.
Prior to 2020, we primarily derived our revenues by licensing our cybersecurity software, selling maintenance
and support contracts, and providing professional services. In 2021, we began to actively transition our business to a subscription model
by shifting our sales from perpetual licenses to recurring subscriptions. Our subscriptions include self-hosted and SaaS subscriptions
of our software solutions. While we transition our business to a subscription model that generates recurring revenues which are recognized
ratably, we believe that annual recurring revenue (ARR), subscription portion of ARR, subscription revenues, recurring revenues and total
deferred revenue are indicators of the overall health of the business. For the full year 2021, we increased our ARR by 44% to $393 million
as of December 31, 2021. The majority of the growth in ARR was driven by an increase in our self-hosted and SaaS subscriptions revenues.
Our subscription revenues increased by 138.6% to $134.6 million in 2021 and recurring revenues increased by 41.0% to $348.7 million in
2021.
We plan to continue to invest in research and development in order to continue to develop technology to
protect modern enterprises from Identity Security risk from hybrid to cloud-native environments. During the years ended December 31,
2019, 2020 and 2021, our revenues were $433.9 million, $464.4 million and $502.9 million, respectively, representing year-over-year growth
of 7.0% and 8.3% in 2020 and 2021, respectively. Our net income (loss) for the years ended December 31, 2019, 2020 and 2021 was $63.1
million, $(5.8) million and $(83.9) million, respectively.
We have also increased our number of employees and subcontractors from 1,689 as of December 31, 2020 to
2,140 as of December 31, 2021. We intend to continue to execute on our strategy of growing our business to meet the needs of our customers
and to pursue opportunities in new and existing verticals, geographies, and products. We intend to continue to invest in the development
of our sales and marketing teams, with a particular focus on expanding our channel partnerships, targeting new customers, expanding our
relationships with existing customers, creating technology partnerships and further building out our customer success operations for existing
customers.
Key Performance Indicators and Recent Business Developments
In 2020, we experienced a shift in customer preferences toward recurring subscriptions for our software
solutions. In early 2021, we began to actively transition our business to a subscription model by incentivizing our team to shift our
sales from perpetual licenses to recurring subscriptions, including SaaS and self-hosted subscriptions. Revenue recognition for our subscription
offerings is ratable compared to sales of perpetual licenses, which results in the entire perpetual license portion recognized as revenue
upfront and only revenue from the related maintenance contract recognized ratably. As a result of our business model transition, our revenues,
operating income (loss) and net income (loss) continue to be adversely impacted by the increase in ratable revenue recognition while actual
and planned operating expenses continue to increase to support our growth and scaling of our business. We also expect maintenance revenues
associated with perpetual license contracts to be flat or begin to decline in the near term. Over the medium term we expect maintenance
revenues associated with perpetual license contracts to decline annually as we continue our transition to a subscription model and our
sales of new perpetual licenses become less significant. In addition, the shift toward a recurring revenue business is resulting in an
increase in single year payment terms for our customer contracts, which is customary in a subscription business model, in contrast to
upfront payments for multi-year maintenance contracts and upfront payments for perpetual licenses we experienced in the perpetual license
model. These dynamics will have an adverse impact on our net cash provided by operating activities in the near term. Over the long term,
we expect the transition to a subscription model to result in higher visibility, stronger durability of our business and the return to
profitability and strong cash flow. The subscription business model transition is also directly aligned with the broad market trends related
to digital transformation and cloud migration as well as our Identity Security strategy.
As we move forward with the transition, we are focusing on the following metrics to evaluate the health
of our business:
Year ended December 31, ($ in millions)

| | 2019 | 2020 | 2021 |
|---|---|---|---|
| Total ARR (as of period-end) | $192 | $274 | $393 |
| Subscription Portion of Annual Recurring Revenue (as of period-end) | $19 | $74 | $183 |
| Recurring revenues | $176 | $247 | $349 |
| Deferred revenue (as of period-end) | $190 | $243 | $317 |
ARR. Annual Recurring Revenue (ARR) is
a performance indicator that provides more visibility into the growth of our recurring business. ARR is defined as the annualized value
of active SaaS, self-hosted subscriptions and maintenance contracts in effect at the end of the reported period. ARR should be viewed
independently of revenues and total deferred revenue as it is an operating measure and is not intended to be combined with or to replace
either of those measures. ARR provides management with more visibility into our revenue stream for the upcoming year. This visibility
allows us to make informed decisions about our capital allocation and level of investment.
Subscription Portion of Annual Recurring Revenue. Subscription
portion of ARR is a performance indicator that provides more visibility into the area of the business that will drive the long term growth
of our recurring business. Subscription portion of ARR is defined as the annualized value of active SaaS and self-hosted subscription
contracts in effect at the end of the reported period. The subscription portion of ARR excludes maintenance contracts related to perpetual
licenses. Subscription portion of ARR should be viewed independently of revenues and total deferred revenue as it is an operating measure
and is not intended to be combined with or to replace either of those measures. Subscription portion of ARR provides management with more
visibility into our revenue stream for the upcoming year. This visibility allows us to make informed decisions about our capital allocation
and level of investment.
Recurring Revenue. Recurring revenue refers to the portion
of our total revenue that includes our SaaS subscriptions, self-hosted subscriptions and recurring maintenance revenues related to our
perpetual license contracts. Management monitors the growth of our recurring revenue as we move through the transition to evaluate the
pace of our transition to a recurring revenue model and the health of our business. Recurring revenue also provides enhanced visibility
and predictability of future revenues.
Total Deferred Revenue. Our total deferred revenue consists of maintenance
and support and professional services that have been invoiced and collected but that have not yet been recognized as revenues because
they do not meet the applicable criteria, and of self-hosted and SaaS subscription contracts, where there are unconditional rights for
a consideration, that have been invoiced but have not yet been recognized. In 2021, an increasing percentage of our total deferred revenue
and the substantial portion of our total deferred revenue growth was related to SaaS contracts that have not been recognized. Management
monitors our total deferred revenue because it represents a significant portion of revenues to be recognized in future periods. The material
factors driving changes in our license revenues are discussed under “—Comparison of Period to Period Results of Operations.”
For a discussion of our results of operations for the year ended December 31, 2019,
including a year-to-year comparison between 2020 and 2019, refer to Item 5. “Operating and Financial Review and Prospects”
in our annual report on Form 20-F for the fiscal year ended December 31, 2020 filed with the SEC on March 11, 2021.
Components of Statements of Operations
Revenues
Our revenues consist of the following:
o Subscription Revenues. Subscription revenues include SaaS and self-hosted subscription revenues, as well as maintenance and support services
associated with self-hosted subscriptions. Subscription revenues are generated primarily from sales of our Privileged Access Manager,
Endpoint Privilege Manager, Secrets Manager, Vendor Privileged Access Manager and Workforce Identity solutions. We are seeing an increasing
percentage of our business coming from our SaaS solutions, which have ratable revenue recognition, increasing our total deferred revenue
that will be recognized over time. We expect revenues from SaaS and self-hosted subscriptions to become a larger percentage of our total
revenues. Privileged Access Manager and Workforce Identity are both licensed per user. Endpoint Privilege Manager is licensed by target
system (workstations and servers). Secrets Manager has two different licensing approaches based on the types of applications being secured.
The first is licensed by agent for mission-critical and static applications and the second is licensed by site/region for more dynamic
cloud native applications and DevOps pipelines.
o Perpetual License Revenues. Perpetual license revenues are generated primarily from sales of our Privileged Access Manager and Secrets Manager.
We are seeing a decreasing percentage of our business coming from perpetual licenses, which have upfront revenue recognition. We expect
revenues from perpetual licenses to continue to decrease due to our transition to a subscription model.
o Maintenance and Professional Services Revenues. Maintenance revenues are generated from maintenance and support contracts purchased by our
customers who purchase perpetual licenses in order to gain access to the latest software enhancements and updates on an if-and-when available
basis and to telephone and email technical support. With the continued decline of new perpetual licenses and related new maintenance contracts,
we are not expecting our total maintenance revenues to grow in the near term, and we expect total maintenance revenues to decline in absolute
dollars over the long term as we continue to sell more new subscriptions and fewer new perpetual licenses. We also offer professional
services for consulting, deployment and training of our customers to fully leverage the use of our products.
Geographic Breakdown of Revenues
The United States is our biggest market, with the balance of our revenues generated
from the EMEA region and the rest of the world, which includes Canada, Central and South America, and the Asia Pacific and Japan region.
The following table sets forth the geographic breakdown of our revenues by region for the periods indicated:
Year ended December 31, ($ in thousands)

| | 2019 Amount | 2019 % of Revenues | 2020 Amount | 2020 % of Revenues | 2021 Amount | 2021 % of Revenues |
|---|---|---|---|---|---|---|
| United States | $233,945 | 53.9% | $246,811 | 53.1% | $253,811 | 50.5% |
| EMEA | 129,730 | 29.9 | 141,866 | 30.6 | 163,328 | 32.5 |
| Rest of World | 70,220 | 16.2 | 75,754 | 16.3 | 85,778 | 17.0 |
| Total revenues | $433,895 | 100.0% | $464,431 | 100.0% | $502,917 | 100.0% |
Cost of Revenues
Our total cost of revenues consists of the following:
o Cost of Subscription Revenues. Cost of subscription revenues consists primarily of cloud
infrastructure costs, amortization of intangible assets, personnel costs for our global cloud organization that consist primarily of salaries,
benefits, bonuses and share-based compensation and depreciation of internal use software capitalization. As we shift more of our sales
to SaaS and self-hosted subscription offerings, we expect the absolute cost of subscription revenues and the cost of subscription revenues
as a percentage of revenues to increase.
o Cost of Perpetual License Revenues. Cost of perpetual license revenues consists primarily of allocated personnel costs to support delivery and operations
related to perpetual licenses, appliances expenses and costs incurred by amortization of intangible assets. Personnel costs consist primarily
of salaries, benefits, bonuses and share-based compensation. As we shift more of our sales to SaaS and self-hosted subscription contracts,
we expect the absolute cost of perpetual license revenues and the cost of perpetual license revenues as a percentage of revenues to decrease.
o Cost of Maintenance and Professional Services Revenues. Cost of maintenance related to perpetual
license contracts and professional services revenues primarily consists of allocated personnel costs for our global customer support and
professional services organization. Such costs consist primarily of salaries, benefits, bonuses, share-based compensation and subcontractors’
fees. We expect the absolute cost of maintenance and professional services revenues to increase as our customer base grows and as we hire
additional professional services and technical support personnel.
Gross Profit and Gross Margin
Gross profit is total revenues less total cost of revenues. Gross margin is gross profit expressed as a
percentage of total revenues. Our gross margin has historically fluctuated from period to period as a result of changes in the mix of
license revenues and maintenance and professional services revenues. Since costs of subscription revenues as a percent of subscription
revenues are higher than costs of perpetual licenses as a percent of perpetual revenues, as we continue to transition to more subscription
revenues, we expect our gross margin to decline.
Operating Expenses
Our operating expenses are classified into three categories: research and development, sales and marketing
and general and administrative. For each category, the largest component is personnel costs, which consists primarily of salaries, employee
benefits (including commissions and bonuses) and share-based compensation expense. Operating expenses also include software and related
expenses and allocated overhead costs for facilities and office expenses as well as depreciation and amortization. Allocated costs for
facilities and office expenses primarily consist of rent, office maintenance and utilities and office supplies. We expect personnel and
all allocated costs to continue to increase in absolute dollars as we hire new employees and add facilities to continue to grow our business.
Research and Development. Research and development expenses consist
primarily of personnel costs attributable to our research and development personnel, consultants and contractors as well as allocated
overhead costs and software and related expenses. We continue to expect that our research and development expenses will continue to increase
in absolute dollars as we continue to grow our research and development headcount to further strengthen our technology platform and invest
in the development of both existing and new products.
Sales and Marketing. Sales and marketing expenses are the largest
component of our operating expenses and consist primarily of personnel costs, including commission, as well as marketing programs and
business development costs, travel expenses, allocated overhead costs and depreciation and amortization of intangible assets. We expect
that sales and marketing expenses will continue to increase in absolute dollars as we plan to expand our sales and marketing efforts globally.
We continue to expect sales and marketing expenses will remain our largest category of operating expenses.
General and Administrative. General and administrative expenses
consist primarily of personnel costs for our executive, finance, human resources, legal and administrative personnel. General and administrative
expenses also include insurance premiums and external legal, accounting and other professional service fees. We continue to expect that
general and administrative expense will increase in dollars as we grow and expand our operations and operate as a public company, including
increased investor relations and accounting expenses, and the additional costs relating to our ongoing regulatory compliance efforts.
Financial Income (Expense), Net
Financial income (expense), net consists mainly of interest income, foreign currency exchange gains or
losses, amortization of debt discount and issuance costs and foreign exchange forward transactions expenses. Interest income consists
of interest earned on our cash, cash equivalents, short and long-term bank deposits and marketable securities. We expect interest income
to vary depending on our average investment balances and market interest rates during each reporting period. Foreign currency exchange
changes reflect gains or losses related to transactions denominated in currencies other than the U.S. dollar.
Taxes on Income
The ordinary corporate tax rate in Israel is 23.0%.
As discussed in greater detail below under “Israeli Tax Considerations and Government Programs”,
we have been entitled to various tax benefits under the Investment Law. Under the Investment Law, our tax rate to be paid with respect
to our eligible Israeli taxable income under these benefits programs is generally 12.0%.
Under the Investment Law and other Israeli legislation, we are entitled to certain additional tax benefits,
including accelerated deduction of research and development expenses, accelerated depreciation and amortization rates for tax purposes
on certain intangible assets and deduction of public offering expenses in three equal annual installments.
Our non-Israeli subsidiaries are taxed according to the tax laws in their respective jurisdictions of tax
residency. Due to our multi-jurisdictional operations, we apply significant judgment to determine our consolidated income tax position.
Comparison of Period to Period Results of Operations
The following table sets forth our results of operations in dollars and as a percentage of revenues for
the periods indicated:
Year ended December 31, ($ in thousands)

| | 2019 Amount | 2019 % of Revenues | 2020 Amount | 2020 % of Revenues | 2021 Amount | 2021 % of Revenues |
|---|---|---|---|---|---|---|
| Revenues: | | | | | | |
| Subscription | $18,168 | 4.2% | $56,425 | 12.1% | $134,628 | 26.8% |
| Perpetual license | 221,955 | 51.1 | 176,061 | 37.9 | 115,738 | 23.0 |
| Maintenance and professional services | 193,772 | 44.7 | 231,945 | 50.0 | 252,551 | 50.2 |
| Total revenues | 433,895 | 100.0 | 464,431 | 100.0 | 502,917 | 100.0 |
| Cost of revenues: | | | | | | |
| Subscription | 5,611 | 1.3 | 17,513 | 3.8 | 25,837 | 5.2 |
| Perpetual license | 7,900 | 1.8 | 4,925 | 1.1 | 3,904 | 0.8 |
| Maintenance and professional services | 49,104 | 11.3 | 60,133 | 12.9 | 63,566 | 12.6 |
| Total cost of revenues | 62,615 | 14.4 | 82,571 | 17.8 | 93,307 | 18.6 |
| Gross profit | 371,280 | 85.6 | 381,860 | 82.2 | 409,610 | 81.4 |
| Operating expenses: | | | | | | |
| Research and development | 72,520 | 16.7 | 95,426 | 20.5 | 142,121 | 28.2 |
| Sales and marketing | 184,168 | 42.4 | 219,999 | 47.4 | 274,401 | 54.6 |
| General and administrative | 52,308 | 12.1 | 60,429 | 13.0 | 71,425 | 14.2 |
| Total operating expenses | 308,996 | 71.2 | 375,854 | 80.9 | 487,947 | 97.0 |
| Operating income (loss) | 62,284 | 14.4 | 6,006 | 1.3 | (78,337) | (15.6) |
| Financial income (expense), net | 7,800 | 1.8 | (6,395) | (1.4) | (12,992) | (2.6) |
| Income (loss) before taxes on income | 70,084 | 16.2 | (389) | (0.1) | (91,329) | (18.2) |
| Tax benefit (taxes on income) | (7,020) | (1.6) | (5,369) | (1.2) | 7,383 | 1.5 |
| Net income (loss) | $63,064 | 14.5% | $(5,758) | (1.2)% | $(83,946) | (16.7)% |
As of the first quarter of 2021, we revised the presentation of our lines of revenue
and cost of revenue. We believe that the revised categories for revenue and cost of revenue as presented in the income statement align
with how management evaluates the business and the shift toward recurring revenue.
Year Ended December 31, 2020 Compared to Year Ended December 31,
2021
Revenues
Year ended December 31, ($ in thousands)

| | 2020 Amount | 2020 % of Revenues | 2021 Amount | 2021 % of Revenues | Change Amount | Change % |
|---|---|---|---|---|---|---|
| Revenues: | | | | | | |
| Subscription | $56,425 | 12.1% | $134,628 | 26.8% | $78,203 | 138.6% |
| Perpetual license | 176,061 | 37.9 | 115,738 | 23.0 | (60,323) | (34.3) |
| Maintenance and professional services | 231,945 | 50.0 | 252,551 | 50.2 | 20,606 | 8.9 |
| Total revenues | $464,431 | 100.0% | $502,917 | 100.0% | $38,486 | 8.3% |
Revenues increased by $38.5 million, or 8.3%, from $464.4 million in 2020 to $502.9 million in
2021. This increase was due primarily to increased subscription sales and increased revenues from our maintenance services. The largest
increase in revenue occurred in EMEA, where revenues increased by $21.5 million, while the increase in United States and the rest
of the world was $7.0 million and $10.0 million, respectively. We increased our number of customers from approximately 6,600 as of
December 31, 2020 to approximately 7,500 as of December 31, 2021.
Subscription revenues increased by $78.2 million, or 138.6%, from $56.4 million in 2020 to $134.6 million
in 2021 as we increased the mix of our subscription sales.
Perpetual license revenues declined by $60.3 million, or 34.3%, from $176.1 million in 2020 to $115.7 million
in 2021. The decline in perpetual license revenue is due to our transition from selling perpetual licenses to selling SaaS and self-hosted
subscription licenses.
Maintenance and professional services revenues increased by $20.6 million, or 8.9%, from $231.9 million
in 2020 to $252.6 million in 2021. Maintenance revenues increased by $23.1 million from $190.9 million in 2020 to $214.0 million
in 2021, with renewals accounting for approximately $23 million and initial maintenance contracts for approximately $0.1 million,
respectively, of this increase. Professional services revenues declined by $2.5 million from $41.0 million in 2020 to $38.5 million
in 2021, primarily due to our continued investment strategy in our channel partners enabling them to conduct more of our implementation
services.
Cost of Revenues and Gross Profit
Year ended December 31, ($ in thousands)

| | 2020 Amount | 2020 % of Revenues | 2021 Amount | 2021 % of Revenues | Change Amount | Change % |
|---|---|---|---|---|---|---|
| Cost of revenues: | | | | | | |
| Subscription | $17,513 | 3.8% | $25,837 | 5.2% | $8,324 | 47.5% |
| Perpetual license | 4,925 | 1.1 | 3,904 | 0.8 | (1,021) | (20.7) |
| Maintenance and professional services | 60,133 | 12.9 | 63,566 | 12.6 | 3,433 | 5.7 |
| Total cost of revenues | $82,571 | 17.8% | $93,307 | 18.6% | $10,736 | 13.0% |
| Gross profit | $381,860 | 82.2% | $409,610 | 81.4% | $27,750 | 7.3% |
Cost of subscription revenues increased by $8.3 million, or 47.5%, from $17.5 million in 2020 to $25.8 million
in 2021. The increase in cost of subscription revenues was primarily driven by a $5.9 million increase in cloud infrastructure costs,
a $3.2 million increase in personnel costs and related expenses, a $0.9 million increase in amortization of capitalized software costs
and a $0.3 million increase in software and related expenses, partially offset by a $2.2 million decrease in amortization of intangible
assets.
Cost of perpetual license revenues decreased by $1.0 million, or 20.7%, from $4.9 million in 2020
to $3.9 million in 2021. The decrease in cost of perpetual license revenues was primarily driven by a $0.8 million decrease in installations
of appliances and a $0.8 million decrease in amortization of intangible assets, partially offset by a $0.5 million increase in allocated
personnel costs and related expenses.
Cost of maintenance and professional services revenues increased by $3.4 million, or 5.7%, from $60.1 million
in 2020 to $63.5 million in 2021. The increase in cost of maintenance and professional services revenues was driven primarily by
a $3.9 million increase in personnel costs and related expenses. Our technical support and professional services headcount grew from
309 at the end of 2020 to 381 at the end of 2021.
Gross profit increased by approximately $27.8 million, or 7.3%, from $381.9 million in 2020 to
$409.6 million in 2021. Gross margins decreased from 82.2% in 2020 to 81.4% in 2021. This was driven by the increase in SaaS sales
which have incremental costs related to cloud infrastructure and, as a result, a lower margin contribution.
Operating Expenses
Year ended December 31, ($ in thousands)

| | 2020 Amount | 2020 % of Revenues | 2021 Amount | 2021 % of Revenues | Change Amount | Change % |
|---|---|---|---|---|---|---|
| Operating expenses: | | | | | | |
| Research and development | $95,426 | 20.5% | $142,121 | 28.2% | $46,695 | 48.9% |
| Sales and marketing | 219,999 | 47.4 | 274,401 | 54.6 | 54,402 | 24.7 |
| General and administrative | 60,429 | 13.0 | 71,425 | 14.2 | 10,996 | 18.2 |
| Total operating expenses | $375,854 | 80.9% | $487,947 | 97.0% | $112,093 | 29.8% |
Research and Development. Research and development expenses increased
by $46.7 million, or 48.9%, from $95.4 million in 2020 to $142.1 million in 2021. This increase was primarily attributable
to a $33.7 million increase in personnel costs and related expenses, as we increased our research and development team headcount
from 464 at the end of 2020 to 643 at the end of 2021 to support continued investment in our existing and future product and service offerings.
The increase was also attributable to a $7.4 million increase in software and related expenses, a $3.2 million increase in expenses related
to consultants and contractors and a $0.9 million increase in research and development personnel recruiting expenses.
Sales and Marketing. Sales and marketing expenses increased by
$54.4 million, or 24.7%, from $220.0 million in 2020 to $274.4 million in 2021. This increase was primarily attributable
to a $45.7 million increase in personnel costs and related expenses due to increased headcount in all regions to expand our sales
and marketing organization. The increase was also attributable to a $5.4 million increase in marketing programs expenses, a $2.5 million
increase in software and related expenses and a $0.9 million increase in costs of certifications. Our sales and marketing headcount grew
from 772 at the end of 2020 to 941 at the end of 2021.
General and Administrative. General and administrative expenses
increased by $11.0 million, or 18.2%, from $60.4 million in 2020 to $71.4 million in 2021. This increase was primarily
attributable to an increase of $10.6 million in personnel costs and related expenses due to increased headcount, coupled with a $3.3
million increase in insurance premiums and facilities and depreciation overhead costs, partially offset by a $3.6 million decrease in
services fees for external legal counsel, accounting and patent administration. Our general and administrative headcount grew from 144
at the end of 2020 to 175 at the end of 2021.
Financial Expense, Net. Financial expense, net increased by $6.6
million from $6.4 million in 2020 to $13.0 million in 2021. This change resulted primarily from a decrease of $4.8 million in interest
income from investments in marketable securities and short-term and long-term bank deposits due to a lower interest rate environment in
2021 compared to 2020, a $1.2 million increase in financial expenses from foreign currency exchange differences and an increase of $0.6
million in non-cash interest expense related to the amortization of debt discount and issuance costs.
Tax benefit (taxes on income). Tax benefit (taxes on income) changed
from taxes on income of $5.4 million in 2020 to tax benefits of $7.4 million in 2021. This change was mainly attributed
to an increase in our loss before taxes on income, partially offset mainly by valuation allowance recorded in 2021.
B. Liquidity and Capital Resources
We fund our operations with cash generated from operating activities. We have also raised capital through
issuing convertible senior notes, the sale of equity securities in public offerings and, to a lesser extent, through exercised options.
Our primary current uses of our cash are ongoing operating expenses and capital expenditures.
As of December 31, 2020 and 2021, our principal sources of liquidity were cash, cash equivalents,
short-term bank deposits and marketable securities of $1.2 billion. We believe that our cash generated from operating activities, along
with existing cash, cash equivalents, marketable securities and short-term bank deposits will be sufficient to fund our working capital
and capital expenditures for at least the next 12 months and for the foreseeable future. Our future capital requirements will depend on
many factors, including our revenue growth rate, the expansion of our sales and marketing activities, the timing and extent of spending
to support product development efforts and expansion into new geographic locations, the timing of introductions of new products and enhancements
to existing products and the continuing market acceptance of our offerings.
The following table presents the major components of net cash flows for the periods presented:
| ($ in thousands) | Year Ended December 31, 2020 | Year Ended December 31, 2021 |
|---|---|---|
| Net cash provided by operating activities | $106,769 | $74,740 |
| Net cash used in investing activities | (412,387) | (228,194) |
| Net cash provided by financing activities | 13,249 | 10,949 |
A substantial source of our net cash provided by operating activities is our deferred revenue, which is
included on our consolidated balance sheet as a liability. Our deferred revenue consists of maintenance and support and professional services
that have been invoiced and collected but that have not yet been recognized as revenues and of self-hosted subscriptions and SaaS contracts
that have been invoiced but not yet recognized. We assess our liquidity, in part, through an analysis of our short-term and long-term
deferred revenue that has not yet been recognized as revenues together with our other sources of liquidity. Revenues from SaaS contracts
and maintenance and support contracts are recognized ratably on a straight-line basis over the term of the related contract which is typically
one year or three years, and revenues from professional services are recognized as services are performed. Thus, upfront payments add
to the liquidity of our operations since we frequently recognize self-hosted subscription, SaaS, maintenance and support and professional
services revenues and expenses in subsequent periods to when the payments may be received.
Net Cash Provided by Operating Activities
Our cash flows historically have reflected our net income (loss) coupled with changes in our non-cash working
capital. During the year ended December 31, 2021, operating activities provided $74.7 million in cash as a result of $83.9 million
of net loss, adjusted by $95.4 million of non-cash charges related to share-based compensation expense, $14.2 million related to depreciation
and amortization expenses, $17.8 million in non-cash interest expense related to the amortization of debt discount and issuance costs
and a net change of $72.1 million in non-cash working capital, offset by a $12.0 million increase in deferred tax assets and a $28.9 million
net change from other long-term assets and liabilities.
The change of $72.1 million in non-cash working capital was due to a $69.2 million increase in short-term
deferred revenue, an increase of $23.8 million in employees and payroll accruals and an increase of $1.5 million in trade payables, offset
by an increase of $20.1 million in trade receivables and a decrease of $2.3 million in other current liabilities.
During the year ended December 31, 2020, operating activities provided $106.8 million in cash as a
result of $5.8 million of net loss, adjusted by $71.8 million of non-cash charges related to share-based compensation expenses, $15.5
million related to depreciation and amortization expenses, a $13.9 million net change from other long-term assets and liabilities and
a net change of $24.0 million in non-cash working capital, offset by a $2.0 million increase in deferred tax assets.
The change of $24.0 million in non-cash working capital was due to a $37.2 million increase in short-term
deferred revenue, an increase of $7.8 million in employees and payroll accruals and an increase of $0.6 million in trade payables, offset
by an increase of $17.2 million in trade receivables and a decrease of $4.4 million in other current liabilities.
During the years ended December 31, 2020 and 2021, our days’ sales outstanding (“DSO”)
was 85 days and 84 days, respectively.
Net Cash Used in Investing Activities
Investing activities have consisted of investment in, and proceeds from, short-term and long-term deposits,
investment in, and proceeds from sales and maturities of marketable securities, business acquisitions and purchase of property and equipment.
Net cash used in investing activities was $412.4 million and $228.2 million for the years ended December
31, 2020 and 2021, respectively.
The decrease of $184.2 million in net cash used in investing activities in 2021 was due to a net decrease
of $117.3 million in investments in short and long term deposits and marketable securities, and a decrease of $68.6 million in payments
for business acquisitions, net of cash acquired, offset by an increase of $1.7 million in capital expenditures.
The increase of $269.2 million in net cash used in investing activities in 2020 was due to a net increase
of $200.5 million in investments in short and long term deposits and marketable securities, an increase of $68.6 million in payments for
business acquisitions, net of cash acquired and an increase of $0.1 million in capital expenditures.
Net Cash Provided by Financing Activities
Our financing activities have consisted of proceeds from the exercise of share options and proceeds from
(payment of) withholding tax related to employee share plans.
Net cash provided by financing activities was $13.2 million and $10.9 million for the years ended December 31,
2020 and 2021, respectively.
Our Material Contractual Obligations
The following table summarizes our contractual obligations as of December 31, 2021:
| ($ in thousands) | Total | Less than 1 year | 1 – 3 years | 3 – 5 years |
|---|---|---|---|---|
| Operating lease obligations(1) | $17,596 | $7,017 | $9,993 | $586 |
| Uncertain tax obligations(2) | 3,870 | — | — | — |
| Severance pay(3) | 8,271 | — | — | — |
| 0.00% Convertible Senior Notes due 2024(4) | 575,000 | — | 575,000 | — |
| Total | $604,737 | $7,017 | $584,993 | $586 |
(1) Operating lease obligations consist of our contractual rental expenses under operating leases of facilities
and certain motor vehicles.
(2) Consists of accruals for certain income tax positions under ASC 740 that are paid upon settlement,
and for which we are unable to reasonably estimate the ultimate amount and timing of settlement. See Note 13(l) to our consolidated
financial statements included elsewhere in this annual report for further information regarding our liability under ASC 740. Payment of
these obligations would result from settlements with tax authorities. Due to the difficulty in determining the timing of resolution of
audits, these obligations are only presented in their total amount.
(3) Severance pay relates to accrued severance obligations mainly to our Israeli employees as required
under Israeli labor laws. These obligations are payable only upon the termination, retirement or death of the respective employee and
may be reduced if the employee’s termination is voluntary. These obligations are partially funded through accounts maintained with
financial institutions and recognized as an asset on our balance sheet. As of December 31, 2021, $3.0 million is unfunded. See Note 2(l)
to our consolidated financial statements included elsewhere in this annual report for further information.
(4) For additional information, see Note 11 to our consolidated financial statements included elsewhere
in this annual report.
Additionally, we entered into a non-cancelable material agreement for the receipt of cloud infrastructure
services, effective as of April 2021 through March 2024. As of December 31, 2021, our outstanding contractual commitment is $14.4 million
due in the next twelve months and $23.8 million due thereafter.
C. Research and Development, Patents and Licenses, etc.
We conduct our research and development activities primarily in Israel as well as other locations such
as the United States and India. As of December 31, 2021, our research and development department included 643 employees and contractors.
In 2021, research and development costs accounted for 28.2% of our total revenues.
For a description of our research and development policies, see “Item 4.B. Business Overview—Research
and Development.”
For information regarding our patents, see “Item 4.B. Business Overview—Intellectual Property.”
Other than as disclosed elsewhere in this annual report, we are not aware of any trends, uncertainties,
demands, commitments or events since December 31, 2021, that are reasonably likely to have a material adverse effect on our net revenue,
income, profitability, liquidity or capital resources, or that caused the disclosed financial information to be not necessarily indicative
of future operating results or financial condition.
E. Critical Accounting Estimates
Our accounting policies and their effect on our financial condition and results of operations are more
fully described in our consolidated financial statements included elsewhere in this annual report. We have prepared our financial statements
in conformity with U.S. GAAP, which requires management to make estimates and assumptions that in certain circumstances affect the reported
amounts of assets and liabilities, revenues and expenses and disclosure of contingent assets and liabilities. These estimates are prepared
using our best judgment, after considering past and current events and economic conditions. While management believes the factors evaluated
provide a meaningful basis for establishing and applying sound accounting policies, management cannot guarantee that the estimates will
always be consistent with actual results. In addition, certain information relied upon by us in preparing such estimates includes internally
generated financial and operating information, external market information, when available, and when necessary, information obtained from
consultations with third parties. Actual results could differ from these estimates and could have a material adverse effect on our reported
results. See “Item 3.D. Risk Factors” for a discussion of the possible risks which may affect these estimates.
We believe that the accounting policies discussed below are critical to our financial results and to the
understanding of our past and future performance. These accounting policies involve estimates that have been made in accordance with generally
accepted accounting principles that involve a significant level of estimation uncertainty and have had or are reasonably likely to have
a material impact on our financial condition or results of operations.
Revenue Recognition
We primarily generate revenues from providing the right to access our SaaS solutions and licensing the
rights to use our software products, as well as from maintenance and professional services. Subscription revenues include SaaS and self-hosted
subscription contracts. We sell our products through our direct sales force and indirectly through channel partners.
We recognize revenues in accordance with ASC No. 606 “Revenue from Contracts with Customers.”
As such, we identify a contract with a customer, identify the performance obligations in the contract, determine the transaction price,
allocate the transaction price to each performance obligation in the contract and recognize revenues when (or as) we satisfy a performance
obligation.
We enter into contracts that can include combinations of products and services, which are generally capable
of being distinct and accounted for as separate performance obligations and may include an option to provide professional services. Perpetual
license and self-hosted subscription are distinct as the customer can derive the economic benefit of the software without any professional
services, updates or technical support.
The transaction price is determined based on the consideration to which we will be entitled in exchange
for transferring goods or services to the customer. We do not grant a right of return to our customers.
We allocate the transaction price to each performance obligation based on its relative standalone selling
price. For maintenance, we determine the standalone selling prices based on the price at which we separately sell a renewal contract.
For professional services, we determine the standalone selling prices based on the prices at which we separately sell those services.
For SaaS, self-hosted subscriptions and perpetual licenses, we determine the standalone selling prices by making estimations and taking
into account available information such as historical selling prices, contract value, geographic location, and our price list and discount
policy.
Our revenues from perpetual licenses or self-hosted subscriptions are recognized at the point in time
when the license is made available for download by the customer. Maintenance revenue related to our perpetual license contracts and the
maintenance component of our self-hosted subscription offering as well as our SaaS revenues are recognized ratably, on a straight-line
basis over the term of the related contract, which is generally one to three years. Professional services revenues are substantially recognized
as the services are performed.
Transaction price allocated to remaining performance obligations represents non-cancelable contracts that
have not yet been recognized, which includes deferred revenues and amounts not yet received that will be recognized as revenue in future
periods.
Deferred Contract Costs
We pay sales commissions primarily to sales and certain management personnel based on their attainment
of certain predetermined sales goals. Sales commissions are considered incremental and recoverable costs of obtaining a contract with
a customer. Sales commissions paid for initial contracts, which are not commensurate with sales commissions paid for renewal contracts,
are capitalized and amortized over an expected period of benefit. We estimate the expected period of benefit based on assumptions related
to our technology, customer contracts and other factors. We have determined the expected period of benefit to be approximately five years.
Amortization expense of these costs is substantially included in sales and marketing expenses.
Share-Based Compensation
We account for share-based compensation in accordance with ASC No. 718, “Compensation - Stock Compensation”
(“ASC No. 718”). ASC No. 718 requires companies to estimate the fair value of equity-based payment awards on the date of grant
using an option-pricing model. The value of the award is recognized as an expense over the requisite service periods, which is generally
the vesting period of the respective award, on a straight-line basis when the only condition to vesting is continued service. If vesting
is subject to a performance condition, recognition is based on the implicit service period of the award. Expense for awards with performance
conditions is estimated and adjusted on a quarterly basis based upon the assessment of the probability that the performance condition
will be met.
We selected the Black-Scholes-Merton option-pricing model as the most appropriate fair value method for
our option awards and Employee Share Purchase Plan (“ESPP”). The fair value of Restricted Share Units (“RSUs”)
and Performance Share Units (“PSUs”) without market conditions is based on the closing market value of the underlying shares
at the date of grant. For PSUs subject to market conditions, we use a Monte Carlo simulation model, which utilizes multiple inputs to
estimate payout level and the probability that market conditions will be achieved.
The option-pricing and Monte Carlo models require a number of assumptions, of which the most significant
are the expected share price volatility and the expected option term. We recognize forfeitures of equity-based awards as they occur.
These estimates involve uncertainties and the application of judgment. If circumstances change and
different estimates are used, our expenses could materially differ in the future.
Goodwill and Other Intangible Assets
Goodwill and certain other purchased intangible assets have been recorded in our financial statements as
a result of acquisitions. In business combinations, in accordance with ASC Topic 805, “Business Combination,” we allocate
the fair value of purchase consideration to the tangible assets acquired, liabilities assumed, and intangible assets acquired based on
their estimated fair values. Such valuations require us to make significant estimates, assumptions, and judgments, especially with respect
to intangible assets. The estimated fair values and useful lives of identifiable intangible assets are based on many factors, including
estimates and assumptions of future operating performance and cash flows of the acquired business, market conditions, technological developments
and specific characteristics of the identified intangible assets. The allocation of the consideration transferred in certain cases may
be subject to revision based on the final determination of fair values during the measurement period, which may be up to one year from
the acquisition date.
Goodwill represents excess of the purchase price in a business combination over the fair value of identifiable
tangible and intangible assets acquired. Goodwill is not amortized, but rather is subject to an impairment test.
ASC No. 350, “Intangible—Goodwill and Other” requires goodwill to be tested for impairment
at least annually and, in certain circumstances, between annual tests. The accounting guidance gives the option to perform a qualitative
assessment to determine whether further impairment testing is necessary. The qualitative assessment includes judgement and considers events
and circumstances that might indicate that a reporting unit’s fair value is less than its carrying amount.
For the years ended December 31, 2019, 2020 and 2021, no impairment losses were identified.
Convertible Senior Notes
We account for our convertible senior notes in accordance with ASC No. 470-20, “Debt
with Conversion and Other Options.” We allocated the principal amount of the convertible senior notes between their liability and
equity components. The liability component at issuance is recognized at fair value, which is based on estimations. The calculation is based
on the fair value of a similar instrument of similar credit rating and maturity that does not have a conversion feature. The equity component
is based on the excess of the principal amount of the convertible senior notes over the fair value of the liability component and is recorded
in additional paid-in capital. We allocated the total issuance costs incurred to the liability and equity components of the convertible
senior notes based on the same proportions as the proceeds from the notes.
Issuance costs attributable to the liability are netted against the principal balance and are amortized
to interest expense using the effective interest method over the contractual term of the notes. The effective interest rate of the liability
component of the notes is 3.50%. The effective interest rate calculation was based on estimations and assumptions related to economic
and market factors.
Issuance costs attributable to the equity component are netted with the equity component in additional
paid-in capital.
Legal Contingencies
From time to time we may be subject to legal proceedings and claims arising in the ordinary course of our
business. Such matters are subject to many uncertainties and outcomes are not predictable with assurance. We accrue for contingencies
when the loss is probable and we can reasonably estimate the amount of any such loss. In determining the probability of a loss and consequently
determining a reasonable estimate, we are required to use significant judgment. We are currently not a party to any material litigation
and are not aware of any pending or threatened material legal or administrative proceedings against us. Regardless of the outcome, litigation
can have an adverse impact on us because of defense and settlement costs, diversion of management resources and other factors.
Income Taxes
We calculate income tax provisions based on our results in each jurisdiction in which we operate. The calculation
is based on estimated tax consequences and on assumptions as to our entitlement to various benefits under the applicable local tax laws.
Significant judgment is required in evaluating our uncertain tax positions. We establish reserves for uncertain
tax positions based on the evaluation of whether or not our uncertain tax position is “more likely than not” to be sustained
upon examination based on our technical merits. We record estimated interest and penalties pertaining to our uncertain tax positions in
the financial statements as income tax expense.
Deferred tax assets are recognized for unused tax losses, unused tax credits, and deductible temporary
differences to the extent that it is probable that future taxable profits will be available, against which they can be used. Deferred
taxes for each jurisdiction are presented as a net asset or liability, net of any valuation allowances. We estimate the need for any valuation
allowance by applying significant judgment and considering all available evidence including past results and future projections. We reassess
our estimates periodically and record a partial or full valuation allowance release if needed.
We cannot assure that future final tax outcomes will not be different than our tax provisions and reserves
for uncertain tax positions. To the extent that the final tax outcome of these matters is different than the amounts recorded, such differences
will impact the provision for income taxes in the period in which such determination is made.
Israeli Tax Considerations and Government Programs
The following is a brief summary of the material Israeli tax laws applicable to us, and certain Israeli
Government programs that benefit us. To the extent that the discussion is based on new tax legislation that has not yet been subject to
substantive judicial or administrative interpretation, we cannot provide assurance that the appropriate tax authorities or the courts
will accept the views expressed in this discussion. The discussion below is subject to change, including due to amendments under Israeli
law or changes to the applicable judicial or administrative interpretations of Israeli law, which could affect the tax consequences described
below.
General Corporate Tax Structure in Israel
Ordinary taxable income is subject to a corporate tax rate of 23% as of 2018. However, the effective tax
rate payable by a company that derives income from an Approved Enterprise, a Benefited Enterprise, a Preferred Enterprise or a Preferred
Technology Enterprise (as discussed below) may be considerably lower. Capital gains derived by an Israeli company are generally subject
to tax at the prevailing ordinary corporate tax rate.
Tax Benefits for Research and Development
Israeli tax law allows, under certain conditions, a tax deduction for research and development expenditures,
including capital expenditures, for the year in which they are incurred if:
o the expenditures are approved by the relevant Israeli government ministry, determined by the field of research;
o the research and development is for the promotion or development of the company; and
o the research and development is carried out by or on behalf of the company seeking the deduction.
However, the amount of such deductible expenses shall be reduced by the sum of any funds received through
government grants for the finance of such scientific research and development projects. Expenditures not so approved are deductible over
a three-year period from the first year that the expenditures were made if the research or development is for the promotion or development
of the company.
Law for the Encouragement of Industry (Taxes), 5729-1969
The Law for the Encouragement of Industry (Taxes), 5729-1969, generally referred to as the Industry Encouragement
Law, provides several tax benefits for “Industrial Companies.”
The Industry Encouragement Law defines an “Industrial Company” as an Israeli resident company
which was incorporated in Israel, of which 90% or more of its income in any tax year, other than income from certain government loans,
is derived from an “Industrial Enterprise” owned by it and located in Israel or in the “Area”, in accordance with
the definition in section 3a of the Israeli Income Tax Ordinance (New Version) 1961 (the “Ordinance”). An “Industrial
Enterprise” is defined as an enterprise whose principal activity in a given tax year is industrial production.
The following tax benefits, among others, are available to Industrial Companies:
o amortization of the cost of purchased know-how, patents and rights to use a patent and know-how which are used for the development or promotion of the Industrial Enterprise, over an eight-year period commencing on the year in which such rights were first exercised;
o under limited conditions, an election to file consolidated tax returns together with Israeli Industrial Companies controlled by it; and
o expenses related to a public offering of shares in a stock exchange are deductible in equal amounts over three years commencing on the year of offering.
Eligibility for benefits under the Industry Encouragement Law is not contingent upon the approval of any
governmental authority. We believe that we generally qualify as an Industrial Company within the meaning of the Industry Encouragement
Law. The Israel Tax Authority may determine that we do not qualify as an Industrial Company, which could entail our loss of the benefits
that relate to this status. There can be no assurance that we will continue to qualify as an Industrial Company or that the benefits
described above will be available in the future.
Law for the Encouragement of Capital Investments, 5719-1959
The Law for the Encouragement of Capital Investments, 5719-1959, generally referred to as the Investment
Law, provides certain incentives for capital investments in production facilities (or other eligible assets) by “Industrial Enterprises”
(as defined under the Investment Law).
The Investment Law was significantly amended effective April 1, 2005 (the “2005 Amendment”),
further amended as of January 1, 2011 (the “2011 Amendment”), and further amended as of January 1, 2017 (the “2017
Amendment”). Pursuant to the 2005 Amendment, tax benefits granted in accordance with the provisions of the Investment Law prior
to its revision by the 2005 Amendment remain in force but any benefits granted subsequently are subject to the provisions of the 2005
Amendment. Similarly, the 2011 Amendment introduced new benefits to replace those granted in accordance with the provisions of the Investment
Law in effect prior to the 2011 Amendment. However, companies entitled to benefits under the Investment Law as in effect prior to January 1,
2011 were entitled to choose to continue to enjoy such benefits, provided that certain conditions are met, or elect instead, irrevocably,
to forego such benefits and have the benefits of the 2011 Amendment apply. The 2017 Amendment introduced new benefits for Technological
Enterprises which meet certain conditions, alongside the existing tax benefits.
Tax Benefits Prior to the 2005 Amendment
An investment program that is implemented in accordance with the provisions of the Investment Law prior
to the 2005 Amendment, referred to as an “Approved Enterprise”, is entitled to certain benefits. A company that wished to
receive benefits as an Approved Enterprise must have received approval from the Israeli Authority for Investments and Development of the
Industry and Economy (the “Investment Center”). Each certificate of approval for an Approved Enterprise relates to a specific
investment program, delineated both by the financial scope of the investment, including sources of funds, and by the physical characteristics
of the facility or other assets.
The tax benefits available under any certificate of approval relate only to taxable income attributable
to the specific program and are contingent upon meeting the criteria set out in such certificate. Income derived from activity that is
not integral to the activity of the Approved Enterprise will not enjoy tax benefits.
The tax benefits under the alternative benefits track include an exemption from corporate tax on undistributed
income which was generated from an Approved Enterprise for between two and ten years from the first year of taxable income, depending
on the geographic location of the Approved Enterprise facility within Israel, and the taxation of income generated from an Approved Enterprise
at a reduced corporate tax rate of between 10% and 25% for the remainder of the benefits period, depending on the level of foreign investment
in the company in each year, as detailed below.
In addition, a company that has an Approved Enterprise program is eligible for further tax benefits if
it qualifies as a Foreign Investors’ Company (“FIC”), which is a company with a level of foreign investment, as defined
in the Investment Law, of more than 25%.
If a company elects the alternative benefits track and subsequently distributes a dividend out of income
derived by its Approved Enterprise during the tax exemption period it will be subject to corporate tax in respect of the amount of the
distributed dividend (grossed-up to reflect the pre-tax income that it would have had to earn in order to distribute the dividend) at
the corporate tax rate which would have been otherwise applicable if such income had not been tax-exempted under the alternative benefits
track. This rate generally ranges from 10% to 25%, depending on the level of foreign investment in the company in each year, as mentioned
above. In addition, dividends paid out of income attributed to an Approved Enterprise (or out of dividends received from a company
whose income is attributed to an Approved Enterprise) are generally subject to withholding tax at source at the rate of 15% or such lower
rate as may be provided in an applicable tax treaty (subject to the receipt in advance of a valid certificate from the Israel Tax Authority
allowing for a reduced tax rate). The 15% tax rate is limited to dividends and distributions out of income derived during the benefits
period and actually paid at any time up to 12 years thereafter. After this period, the withholding tax is applied at a rate of up to 30%,
or at the lower rate under an applicable tax treaty (subject to the receipt in advance of a valid certificate from the Israel Tax Authority
allowing for a reduced tax rate). In the case of a FIC, the 12-year limitation on reduced withholding tax on dividends does not apply.
The benefits available to an Approved Enterprise are subject to the continued fulfillment of conditions
stipulated in the Investment Law and its regulations and the criteria in the specific certificate of approval, as described above. If
a company does not meet these conditions, it would be required to refund the amount of tax benefits, adjusted to the Israeli consumer
price index, and interest, or other monetary penalties.
Tax Benefits Subsequent to the 2005 Amendment
The 2005 Amendment applies to new investment programs commencing after 2004, but does not apply to investment
programs approved prior to April 1, 2005. The 2005 Amendment provides that terms and benefits included in any certificate of approval
that was granted before the 2005 Amendment became effective (April 1, 2005) will remain subject to the provisions of the Investment
Law as in effect on the date of such approval. Pursuant to the 2005 Amendment, the Investment Center will continue to grant Approved Enterprise
status to qualifying investments. The 2005 Amendment, however, limits the scope of enterprises that may be approved by the Investment
Center by setting criteria for the approval of a facility as an Approved Enterprise, such as provisions generally requiring that at least
25% of the Approved Enterprise’s income be derived from exports.
Tax benefits are available under the 2005 Amendment to production facilities (or other eligible facilities)
which are generally required to derive more than 25% of their business income from export to specific markets with a population of at
least 14 million in 2012 (such export criteria will further be increased in the future by 1.4% per annum).
A company qualifying for tax benefits under the 2005 Amendment which pays a dividend out of income derived
by its Benefited Enterprise during the tax exemption period will be subject to corporate tax in respect of the amount of the dividend
distributed (grossed-up to reflect the pre-tax income that it would have had to earn in order to distribute the dividend) at the corporate
tax rate which would have otherwise been applicable. Dividends paid out of income attributed to a Benefited Enterprise (or out of dividends
received from a company whose income is attributed to a Benefited Enterprise) are generally subject to withholding tax at source at the
rate of 15% or at a lower rate as may be provided in an applicable tax treaty (subject to the receipt in advance of a valid certificate
from the Israel Tax Authority allowing for a reduced tax rate). The reduced rate of 15% is limited to dividends and distributions out
of income attributed to a Beneficiary Enterprise during the benefits period and actually paid at any time up to 12 years thereafter except
with respect to a FIC, in which case the 12-year limit does not apply.
The benefits available to a Benefited Enterprise are subject to the continued fulfillment of conditions
stipulated in the Investment Law and its regulations. If a company does not meet these conditions, it would be required to refund the
amount of tax benefits, adjusted to the Israeli consumer price index, and interest, or other monetary penalties.
As of December 31, 2021, approximately $16.4 million was derived from tax exempt profits earned under
the "Approved Enterprises" and "Beneficiary Enterprise". If the retained tax-exempt income is distributed, the income would be taxed at
the applicable corporate tax rate as if it had not elected the alternative tax benefits under the Investment Law and an income tax liability
of up to $4.0 million would be incurred as of December 31, 2021.
Tax Benefits under the 2011 Amendment
The 2011 Amendment introduced new benefits for income generated by a “Preferred Company” through
its “Preferred Enterprise” (as such terms are defined in the Investment Law) as of January 1, 2011. The definition of
a Preferred Company includes a company incorporated in Israel that is not wholly owned by a governmental entity, and that has, among other
things, Preferred Enterprise status and is controlled and managed from Israel. Pursuant to the 2011 Amendment, a Preferred Company is
entitled to a reduced corporate tax rate of 15% with respect to its preferred income derived by its Preferred Enterprise in 2011 and 2012,
unless the Preferred Enterprise is located in a development zone A, in which case the rate will be 10%. Such corporate tax rate was reduced
from 15% and 10%, respectively, to 12.5% and 7%, respectively in 2013, and then increased to 16% and 9%, respectively, in 2014 until 2016.
Pursuant to the 2017 Amendment, in 2017 and thereafter, the corporate tax rate for Preferred Enterprise which is located in development
zone A was decreased to 7.5%, while the reduced corporate tax rate for other development zones remains 16%. Income derived by a Preferred
Company from a ‘Special Preferred Enterprise’ (as such term is defined in the Investment Law) could be entitled, under certain
conditions and limitations, to further reduced tax rates.
Dividends paid to Israeli shareholders out of preferred income attributed to a Preferred Enterprise are
generally subject to withholding tax at the rate of 20%, and in case of non-Israeli shareholders, such lower rate as may be provided in
an applicable tax treaty (each subject to the receipt in advance of a valid certificate from the Israel Tax Authority allowing for a reduced
tax rate). However, if such dividends are paid to an Israeli company, no tax is required to be withheld (although, if such dividends are
subsequently distributed to individuals or a non-Israeli company, withholding tax at a rate of 20% or such lower rate as may be provided
in an applicable tax treaty will apply). In 2017-2019, dividends paid out of preferred income attributed to a Special Preferred Enterprise,
directly to a foreign parent company, are subject to withholding tax at source at the rate of 5% (temporary provisions).
The 2011 Amendment also provided transitional provisions to address companies already enjoying existing
tax benefits under the Investment Law. These transitional provisions provide, among other things, that unless an irrevocable request is
made to apply the provisions of the Investment Law as amended in 2011 with respect to income to be derived as of January 1, 2011:
(i) the terms and benefits included in any certificate of approval that was granted to an Approved Enterprise which chose to receive
grants before the 2011 Amendment became effective will remain subject to the provisions of the Investment Law as in effect on the date
of such approval, and subject to certain other conditions; (ii) the terms and benefits included in any certificate of approval that
was granted to an Approved Enterprise which had participated in an alternative benefits track before the 2011 Amendment became effective
will remain subject to the provisions of the Investment Law as in effect on the date of such approval, provided that certain conditions
are met; and (iii) a Benefited Enterprise can elect to continue to benefit from the benefits provided to it before the 2011 Amendment
became effective, provided that certain conditions are met.
From time to time, the Israeli Government has discussed reducing the benefits available to companies under
the Investment Law. The termination or substantial reduction of any of the benefits available under the Investment Law could materially
increase our tax liabilities.
We applied the new benefits under the 2011 Amendment instead of the benefits provided to our Approved Enterprise
and Benefited Enterprise as of 2013 tax year onwards through 2016 tax year.
Tax Benefits under the 2017 Amendment
The 2017 Amendment was enacted as part of the Economic Efficiency Law that was published on December 29,
2016, and is effective as of January 1, 2017. The 2017 Amendment provides new tax benefits for two types of “Technology Enterprises”,
as described below, and is in addition to the other existing tax beneficial programs under the Investment Law.
The 2017 Amendment provides that a technology company satisfying certain conditions will qualify as a “Preferred
Technology Enterprise” (“PTE”) and will thereby enjoy a reduced corporate tax rate of 12% on income that qualifies as
PTE which is generally generated by “Benefited Intangible Assets,” as defined in the Investment Law. The tax rate is further
reduced to 7.5% for a PTE and/or for its segment located in development Zone A. In addition, a PTE will enjoy a reduced corporate tax
rate of 12% on capital gain derived from the sale of certain “Benefitted Intangible Assets” (as defined in the Investment
Law) to a related foreign company if the Benefitted Intangible Assets were acquired from a foreign company on or after January 1, 2017
for at least NIS 200 million, and the sale receives prior approval from the National Authority for Technological Innovation (“NATI”).
The 2017 Amendment further provides that a technology company satisfying certain conditions will qualify
as a “Special Preferred Technology Enterprise” and will thereby enjoy a reduced corporate tax rate of 6% on “Preferred
Technology Income” regardless of the company’s geographic location within Israel. In addition, a Special Preferred Technology
Enterprise will enjoy a reduced corporate tax rate of 6% on capital gain derived from the sale of certain “Benefitted Intangible
Assets” to a related foreign company if the Benefitted Intangible Assets were either developed by an Israeli company or acquired
from a foreign company on or after January 1, 2017, and the sale received prior approval from NATI. A Special Preferred Technology Enterprise
that acquires Benefitted Intangible Assets from a foreign company for more than NIS 500 million will be eligible for these benefits for
at least ten years, subject to certain approvals as specified in the Investment Law.
Dividends distributed to Israeli shareholders by a PTE or a Special Preferred Technology Enterprise, paid
out of Preferred Technology Income, are generally subject to withholding tax at source at the rate of 20%, and in case of non-Israeli
shareholders, such lower rate as may be provided in an applicable tax treaty (each subject to the receipt in advance of a valid certificate
from the Israel Tax Authority allowing for such reduced tax rate). However, if such dividends are paid to an Israeli company, no tax is
required to be withheld. If such dividends are distributed to a foreign company that holds alone or together with other foreign companies
90% or more in the Israeli company and other conditions are met, the withholding tax rate will be 4%.
We have obtained a comprehensive tax ruling confirming, among others, that we generally qualify as a PTE
since 2017 onwards and this status was affirmed by the Israeli Tax Authority in a corporate tax audit assessment agreement reached in
2021.
Recently Issued Accounting Pronouncements
See Note 2(ab) and Note 2(ac) to our consolidated financial statements included elsewhere in this
annual report for information regarding recent accounting standards issued.
ITEM 6. DIRECTORS, SENIOR MANAGEMENT AND EMPLOYEES
A. Directors and Senior Management
The following table sets forth the name, age and position of each member of our senior management as of
March 10, 2022:
Name | Age | Position
Senior Management
Ehud (Udi) Mokady | 53 | Chairman of the Board and Chief Executive Officer and Founder
Joshua Siegel | 58 | Chief Financial Officer
Chen Bitan | 52 | General Manager Israel, Chief Product Officer
Matthew Cohen | 46 | Chief Operating Officer
Donna Rahav | 43 | Chief Legal Officer
Directors
Gadi Tirosh(1)(3)(4)(5) | 55 | Lead Independent Director
Ron Gutler(1)(2)(4)(5) | 64 | Director
Kim Perdikou(1)(2)(3)(4)(5) | 64 | Director
David Schaeffer(5) | 65 | Director
Amnon Shoshani(3)(5) | 58 | Director
François Auque(2)(5) | 65 | Director
Avril England(4)(5) | 53 | Director
(1) Member of our compensation committee.
(2) Member of our audit committee.
(3) Member of our nominating and corporate governance committee.
(4) Member of our strategy committee.
(5) Independent director under the rules of Nasdaq.
Senior Management
Ehud (Udi) Mokady is one of our founders and has served as our
Chief Executive Officer since 2005 and as chairman of the board since June 2016. He has also served as a member of our board since November
2004. Mr. Mokady previously served as our President from 2005 to 2016 and as our Chief Operating Officer from 1999 to 2005. He has served
as a member of the Board of Advisors of Brandeis International Business School since September 2019. Mr. Mokady served as a member of
the board of directors of Demisto, Inc. commencing in January 2018 until its acquisition by Palo Alto Networks, Inc. in March 2019. From
1997 to 1999, Mr. Mokady served as general counsel at Tadiran Spectralink Ltd., a producer of secure wireless communication systems. From
1986 to 1989, Mr. Mokady served in a military intelligence unit in the Israel Defense Forces. Mr. Mokady was honored by a panel of independent
judges with the New England EY Entrepreneur Of The Year™ 2014 Award in the Technology Security category. Mr. Mokady holds a Bachelor
of Laws (LL.B.) from Hebrew University in Jerusalem, Israel and a Master of Science Management (MSM) from Boston University in Massachusetts.
Joshua Siegel has served as our Chief Financial Officer since May
2011. Prior to joining CyberArk, Mr. Siegel served as Chief Financial Officer for Voltaire Ltd., a provider of InfiniBand and Ethernet
connectivity solutions, from December 2005 to February 2011, and as Director of Finance and then Vice President of Finance from April
2002 to December 2005. Voltaire completed an initial public offering and listing on Nasdaq in 2007 and was acquired by Mellanox Technologies,
Ltd. in 2011. From 2000 to 2002, he was Vice President of Finance at KereniX Networks Ltd., a terabit routing and transport system company.
From 1995 to 2000, Mr. Siegel served in various positions at Lucent Technologies Networks Ltd. (formerly Lannet Ltd.). From 1990
to 1995, he served in various positions at SLM Corporation (Sallie Mae—Student Loan Marketing Association). Mr. Siegel holds a Bachelor
of Arts in economics and an MBA with a concentration in finance from the University of Michigan in Ann Arbor.
Chen Bitan has served as the General Manager of our Israeli headquarters,
and as Chief Product Officer since January 2020. He previously served as our General Manager of EMEA, Asia Pacific and Japan since
2005 and as Head of Research & Development since 1999. From March 1998 to April 1999, Mr. Bitan worked as Project Manager
for Amdocs Software Ltd., leading the development of billing and customer care systems for telecommunications providers. From 1995 to
1998, he worked for Magic Software Enterprises Ltd. as Research and Development Group Manager leading the development of their 4GL products
for the Asia Pacific market. From 1988 to 1995, Mr. Bitan served in a software engineering unit in the Israel Defense Forces (IDF)
in various research and development roles, finally leading the programming education department as Department Manager at the Computer
Studies Academy (Mamram). Mr. Bitan holds a Bachelor of Science in computer science and political science from Bar-Ilan University
in Ramat-Gan, Israel.
Matthew Cohen has served as our Chief Operating Officer since December
2020 after he served as our Chief Revenue Officer since December 2019. Prior to joining CyberArk, Mr. Cohen held several leadership positions
in PTC Inc. (Nasdaq: PTC). His most recent position was Executive Vice President of Field Operations, from February 2018 to November 2019,
where he led the go-to-market strategy and all Sales, Commercial Marketing, Customer Success, Services, and Partner functions. Prior to
that he was Executive Vice President, Customer Success and Partners from July 2016 to February 2018, Executive Vice President, Global
Services from April 2014 through July 2016, and Divisional Vice President, Global Services from October 2013 to March 2014. Before that,
Mr. Cohen held various positions in the company’s Global Services group. Mr. Cohen holds a Bachelor of Arts in Psychology from Harvard
University.
Donna Rahav has
served as our Chief Legal Officer since December 2021. She previously served as our General Counsel and Compliance Officer since March
2014 and as Corporate Secretary from April 2014 until December 2019. Prior to joining CyberArk, Ms. Rahav served as Deputy General Counsel
at Allot Communications Ltd. (Nasdaq and TASE: ALLT) from 2011 to 2014 and as legal counsel at Alvarion Ltd. (Nasdaq and TASE: ALVR) from 2009
to 2011 and MediaMind Technologies, Inc. (formerly Eyeblaster, Inc.; Nasdaq: MDMD) from 2008 to 2009. Prior to that, from 2005 to 2006
she was an associate at an Israeli law firm specializing in technology transactions. Ms. Rahav holds a Bachelor of Laws (LL.B.) from Tel
Aviv University in Israel, and a Master of Laws (LL.M.) from Tel Aviv University in collaboration with University of California, Berkeley,
an executive program focused on corporate and commercial law.
Directors
Gadi Tirosh has served as a member of our board of directors since
June 2011, as chairman of the board between July 2013 and June 2016 and as lead independent director since June 2016. Since 2020, Mr.
Tirosh has served as Venture Partner at DisruptiveAI, an Israeli venture capital firm that focuses on innovative artificial intelligence
companies. From 2018 to 2020, Mr. Tirosh served as Venture Partner at Jerusalem Venture Partners, an Israeli venture capital firm
that focuses, among other things, on cybersecurity companies and operates the JVP Cyber Labs incubator. From 2005 to 2018, he served as
Managing Partner at Jerusalem Venture Partners. From 1999 to 2005, he served as Corporate Vice President of Product Marketing and as a
member of the executive committee for NDS Group Ltd. (Nasdaq: NNDS), later acquired by Cisco Systems, Inc., a provider of end-to-end software
solutions to the pay-television industry, including content protection and video security. Mr. Tirosh holds a Bachelor of Science
in computer science and mathematics and an Executive MBA from the Hebrew University in Jerusalem, Israel.
Ron Gutler has served as a member of our board of directors since
July 2014 and served as an external director under the Companies Law between July 2014 and May 2016. Mr. Gutler is currently a director
of Wix.com Ltd. (Nasdaq: WIX), Fiverr International Ltd. (NYSE: FVRR) and WalkMe Ltd. (Nasdaq: WKME). Between November 2009 and December
2020, Mr. Gutler served as a director of Psagot Investment House and between November 2007 and December 2020, he served as a director
of Psagot Securities. Between June 2018 and November 2019, Mr. Gutler served as the Chairman of the Board of Psagot Market Making. Between
2014 and 2019 Mr. Gutler served as a director of Hapoalim Securities USA (HSU). Between August 2012 and January 2018, Mr. Gutler
served as chairman of the board of the College of Management Academic Studies in Israel. Between May 2002 and February 2013, Mr. Gutler
served as the Chairman of NICE Systems Ltd., a public company specializing in voice recording, data security, and surveillance. Between
2000 and 2011, Mr. Gutler served as the Chairman of G.J.E. 121 Promoting Investments Ltd., a real estate company. Between 2000 and
2002, Mr. Gutler managed the Blue Border Horizon Fund, a global macro fund. Mr. Gutler is a former Managing Director and a Partner
of Bankers Trust Company, which is currently part of Deutsche Bank. He also established and headed the Israeli office of Bankers Trust
Company. Mr. Gutler holds a Bachelor of Arts in economics and international relations and an MBA, both from the Hebrew University
in Jerusalem, Israel.
Kim Perdikou has served as a member of our board of directors since
July 2014 and served as an external director under the Companies Law between July 2014 and May 2016. Ms. Perdikou has served as Chairman
of REBBL Inc., since June 2014, a private beverage company. Ms. Perdikou has served as Chairman of The @Company, a private startup Internet
Protocol company, from December 2019. Ms. Perdikou serves on the board of Trunomi, Ltd. a private fintech startup, based in Bermuda, from
June 2018. Ms. Perdikou serves on the Supervisory Board of Alter Domus, a Financial Services Company based in Luxembourg, since January
2021. From 2010 to August 2013, Ms. Perdikou served as the Executive Vice President for the Office of the Chief Executive Officer at Juniper
Networks, Inc. Before that she served as the Executive Vice President and General Manager of Infrastructure Products Group and as Chief
Information Officer at Juniper Networks, Inc. from 2006 to 2010 and from August 2000 to January 2006, respectively. Ms. Perdikou served
in leadership positions at Women.com, Readers Digest, Knight Ridder, and Dun & Bradstreet. Ms. Perdikou holds a Bachelor of Science
degree in computing science with operational research from Paisley University (now the West of Scotland University) in Paisley, Scotland,
a Post-Graduate degree in education from Jordanhill College in Glasgow, Scotland and a Master of Science in information systems from Pace
University in New York, United States.
David Schaeffer has served as a member of our board of directors
since May 2014. Mr. Schaeffer has served as the Chairman, Chief Executive Officer and President of Cogent Communications, Inc. (Nasdaq:
CCOI), an internet service provider based in the United States that is listed on Nasdaq, since he founded the company in August 1999.
Mr. Schaeffer was the founder of Pathnet, Inc., a broadband telecommunications provider, where he served as Chief Executive Officer from
1995 until 1997 and as Chairman from 1997 until 1999. Mr. Schaeffer holds a Bachelor of Science in physics from the University of Maryland,
the United States.
Amnon Shoshani has served as a member of our board of directors
since November 2009. Since February 1995, Mr. Shoshani has served as the Founder and Managing Partner of Cabaret Holdings Ltd. and, since
March 1999, he has also served as Managing Partner of Cabaret Security Ltd., CyberArk’s founding investor and Cabaret and ArbaOne
Inc. ventures activities where he had a lead role in managing the group’s portfolio companies. Since 2018, Mr. Shoshani has served
as the President and Chairman of the Board of Smartech, a portfolio company of Cabaret and ArbaOne, that provides game changing technologies
to the industrial world. Between 2005 and 2018, he served as CEO and Chairman of the Board of Smartech. From 1994 to April 2005, Mr. Shoshani
owned a Tel Aviv boutique law firm engaged in entrepreneurship, traditional industries and high tech, which he founded. Mr. Shoshani holds
a Bachelor of Law (LL.B.) from Tel Aviv University in Israel.
François Auque has served as a member of our board of directors
since February 2019. Mr. Auque serves as the chairman of the Audit and Risk Committee of Rexel SA from May 2019, after being an observer
on the board from October 2018. Mr. Auque is a partner at InfraVia Capital Partners, a Private Equity firm based in Paris. Mr. Auque served
as the General Partner and Chairman of the Investment Committee of Airbus Ventures, the venture capital arm of Airbus between 2016 and
2018. From 2000 to 2016, Mr. Auque headed the Airbus space division as a member of Airbus Group’s Executive Committee. Between 1991
and 2000, Mr. Auque served as Chief Financial Officer of Aerospatiale (then Aerospatiale-Matra), one of the three founding firms of the
European Aeronautic Defense and Space Company (EADS), Europe’s largest aerospace company (currently Airbus). Mr. Auque holds a Master’s
in Finance from Ecole des Hautes Etudes Commerciales in Paris, France, a Bachelor of Arts in Public Administration from the Paris Institute
of Political Studies in Paris, France, and is a graduate in economics from Ecole Nationale d’Administration in Paris, France.
Avril England has served as a member of our board of directors
since March 2021. Since September 2013, Ms. England has served as part of the product leadership of Veeva Systems Inc. (NYSE: VEEV), as
the General Manager of Veeva Vault, a fast-growing cloud software platform and suite of applications. Ms. England holds a Bachelor of
Commerce degree from Queen’s University in Ontario, Canada, and has received numerous professional and academic awards.
Compensation of Directors and Senior Management
The aggregate compensation expensed, including share-based compensation and other compensation expensed
by us and our subsidiaries, with respect to the year ended December 31, 2021, to our directors and senior management that served
at any time during the year ended December 31, 2021 was $28.8 million. This amount includes approximately $0.8 million set aside
or accrued to provide pension, severance, retirement, or similar benefits.
The table below sets forth the compensation earned by our five most highly compensated office holders (as
defined in the Companies Law and described under “Board Practices— Disclosure of Compensation of Senior Management”
below) during or with respect to the year ended December 31, 2021. We refer to the five individuals for whom disclosure is provided
herein as our “Covered Executives.” For purposes of the table and the summary below, “compensation” includes base
salary, bonuses, equity-based compensation, retirement or termination payments, and any benefits or perquisites such as car, phone and
social benefits, as well as any undertaking to provide such compensation in the future.
Summary Compensation Table
Information Regarding the Covered Executive(1)
Name and Principal Position(2) | Base Salary | Benefits and Perquisites(3) | Variable Compensation(4) | Equity-Based Compensation(5)
Ehud (Udi) Mokady, Chairman of the Board & CEO | $415,000 | $325,324 | $695,320 | $10,970,738
Joshua Siegel, Chief Financial Officer | 422,231 | 127,886 | 393,740 | 4,306,569
Matthew Cohen, Chief Operating Officer | 412,000 | 88,662 | 690,432 | 3,674,682
Chen Bitan, General Manager Israel, Chief Product Officer | 366,493 | 206,051 | 323,690 | 2,227,113
Clarence Hinton, Chief Strategy Officer | 330,000 | 71,012 | 300,010 | 1,788,878
(1) In accordance with Israeli law, all amounts reported in the table are in terms of cost to our Company, as recorded in our financial
statements for the year ended December 31, 2021.
(2) All current officers listed in the table are full-time employees. Cash compensation amounts denominated in currencies other than
the U.S. dollar were converted into U.S. dollars at the average conversion rate for the year ended December 31, 2021.
(3) Amounts reported in this column include benefits and perquisites, including those mandated by applicable law. Such benefits and perquisites
may include, to the extent applicable to each executive, payments, contributions and/or allocations for savings funds, pension, severance,
vacation, car or car allowance, medical insurances and benefits, risk insurances (such as life, disability and accident insurances), convalescence
pay, payments for Medicare and social security, tax gross-up payments and other benefits and perquisites consistent with our guidelines,
regardless of whether such amounts have actually been paid to the executive.
(4) Amounts reported in this column refer to Variable Compensation such as incentives and earned or paid bonuses as recorded in our financial
statements for the year ended December 31, 2021.
(5) Amounts reported in this column represent the expense recorded in our financial statements for the year ended December 31, 2021
with respect to equity-based compensation, reflecting also equity awards made in previous years which have vested during the current year.
Assumptions and key variables used in the calculation of such amounts are described in Note 12 to our audited consolidated financial statements,
which are included in this annual report.
CEO Equity Plan
In June 2020, the Company’s shareholders approved a three-year CEO Equity Plan, which included an
equity grant to the CEO in respect of 2020 and authorized the compensation committee and Board to approve CEO equity grants for 2021 and
2022 under the terms of such plan.
Accordingly, the CEO was awarded the following equity grants:
Year | | RSUs | Business PSUs | Relative TSR PSUs
2020 | Percentage | 50% | 30% | 20%
2020 | Amount | 27,700 | 16,600 | 11,100
2021 | Percentage | ~40% | ~40% | 20%
2021 | Amount | 25,300 | 25,290 | 12,650
2022 | Percentage | 40% | 40% | 20%
2022 | Amount | 24,600 | 24,600 | 12,300
In February 2021 and 2022, the compensation committee certified the Company’s performance of the
business PSUs performance criteria and the applicable amount of PSUs earned, demonstrating our track record of paying for performance
and linking the CEO’s achievement rate of the performance criteria with the earning of the underlying PSUs as follows:
Year of Grant | Number of Business PSUs Granted (on Target) | Performance Targets | Performance Criteria Achievement Rate | Number of PSUs Earned | Earning Rate
2020 | 16,600 | Annual revenue; Non-GAAP profitability; License-derived revenue | 80% | 9,830 | 60%
2021 | 25,290 | Annual recurring revenue; Percentage of new license subscription bookings out of total new license bookings, on an annualized basis | 111% | 46,370 | 183%
2022 | 24,600 | Annual recurring revenue; Total new license bookings, on an annualized basis | To be determined at the end of the performance period
Business PSUs are earned based on a one-year performance period, subject to further time-based vesting.
Relative Total Shareholder Return PSUs (“rTSR PSUs”) are earned based on a three-year performance period. No rTSR PSUs have
been earned to date, as the performance periods for each of the rTSR PSUs have not yet been completed.
Employment Agreements with Executive Officers
We have entered into written employment agreements with all our executive officers. Most of these agreements
contain provisions regarding non-competition and all these agreements contain provisions regarding confidentiality of information and
ownership of inventions. The non-competition provision applies for a period that is generally 12 months following termination of employment.
The enforceability of covenants not to compete in Israel and the United States is subject to limitations. In addition, we are required
to provide one to six months’ notice prior to terminating the employment of our executive officers, other than in the case of a
termination for cause.
Directors’ Service Contracts
Other than with respect to Ehud (Udi) Mokady, our Chairman of the Board and Chief Executive Officer, there
are no arrangements or understandings between us, on the one hand, and any of our directors, on the other hand, providing for benefits
upon termination of their service as directors of our Company, except that directors are permitted to exercise vested options for one
year following the termination of their service. In July 2019, our shareholders approved certain changes to the compensation framework
for each of our non-executive directors, specifically by implementing a fixed annual fee and predetermined dollar values of initial and
recurring annual equity grants of RSUs.
Equity Incentive Plans
2014 Share Incentive Plan
The 2014 Share Incentive Plan (the “2014 SIP”), was adopted by our board of directors and became
effective on June 10, 2014. The 2014 SIP was approved by our shareholders on July 10, 2014. The 2014 SIP provides for the grant of
options, restricted shares, restricted share units and other share-based awards to our employees, directors, officers, consultants, advisors
and any other person providing services to us or our affiliates, under varying tax regimes. The maximum aggregate number of shares that
may be issued pursuant to awards under this 2014 SIP is the sum of (a) 422,000 shares plus (b) an increase of 1,220,054 shares as
of January 1, 2015 plus (c) on January 1 of each calendar year commencing in 2016, a number of shares equal to the lesser of:
(i) an amount determined by our board of directors, if so determined prior to the January 1 of the calendar year in which the
increase will occur, (ii) 4% of the total number of shares outstanding on December 31 of the immediately preceding calendar
year, and (iii) 4,000,000 shares. Additionally, any share underlying an award that is cancelled or terminated or forfeited for any
reason without having been exercised will automatically be available for grant under the 2014 SIP. As of December 31, 2021, 2,563,870
ordinary shares underlying share-based awards were outstanding under the 2014 SIP and 1,270,938 ordinary shares were reserved for future
grant under the 2014 SIP. On January 1, 2022, the aggregate number of ordinary shares reserved for issuance under the 2014 SIP was increased
by 1,100,000 shares. Either our board, or a committee established by our board, administers the 2014 SIP, and the board may, at any time,
suspend, terminate, modify, or amend the 2014 SIP retroactively or prospectively.
The board or the committee may grant awards intended to qualify as an incentive stock option, non-qualified
stock option, Israeli Income Tax Ordinance Section 102 award, Section 3(9) award, or other designations under other regimes. Other than
with respect to incentive stock options, governed by the specific exercise price provisions of the 2014 SIP, the exercise price of any
award will be determined by the committee or the board (as applicable). Unless otherwise stated in the applicable award agreement, option
awards under the 2014 SIP expire ten years after their grant date. Upon termination of the employment or service of a grantee, any unvested
awards will be forfeited on the termination date. Upon termination by reason of death, disability or retirement, all of the grantee’s
vested awards may be exercised at any time within one year after such death or disability or within three months following retirement.
Upon termination for “cause” (as defined in the 2014 SIP), all awards granted to such grantee (whether vested or not) will
be forfeited on the termination date. Upon termination for any other reason all vested and exercisable awards at the time of termination
may, unless earlier terminated in accordance with their terms, be exercised within up to three months after the termination date (or such
different period as the committee will prescribe).
The committee and the board may grant restricted shares under the 2014 SIP. If a grantee’s employment
or service to the Company or any affiliate thereof terminates for any reason prior to the vesting of such grantee’s restricted shares,
any unvested shares will be forfeited by such grantee. The committee and the board may also grant restricted share units, performance
share units, and other awards under the 2014 SIP, including shares, cash, cash and shares, other share units and share appreciation rights.
In order to comply with the provisions of Section 102, all awards to Israeli grantees must be held in trust
for the benefit of the relevant grantee for the requisite period prescribed by the Ordinance.
Upon a “Change in Control” event (as defined in the 2014 SIP), any award then outstanding will
be assumed or substituted by us or the successor corporation or by any affiliate thereof, as determined by the committee. Regardless of
whether or not awards are assumed or substituted, the committee may: (1) provide for grantees to have the right to exercise their
awards or otherwise for the accelerated vesting of the unvested underlying shares, under such terms as the committee will determine, including
the cancellation of all unexercised awards (whether vested or unvested) upon or immediately prior to the closing of the Change in Control;
and/or (2) provide for the cancellation of each outstanding and unexercised award at or immediately prior to the closing of the Change
in Control, and payment to the grantees of an amount in cash or in shares of the acquirer or of a corporation or other business entity
which is a party to the Change in Control, or in other property, as determined by the committee to be fair in the circumstances, and subject
to such terms and conditions as determined by the committee.
Awards under the 2014 SIP are not transferable other than by will or by the laws of descent and distribution
or to a grantee’s designated beneficiary, unless, in the case of awards other than incentive stock options, otherwise determined
by our committee or under the 2014 SIP. Awards may be granted from time to time pursuant to the 2014 SIP, within a period of ten years
from the effective date of the 2014 SIP, which period may be extended by our board.
2011 Share Incentive Plan
The 2011 Share Incentive Plan (the “2011 SIP”), was adopted by our board of directors and became
effective on July 14, 2011. The 2011 SIP was approved by our shareholders on December 20, 2011. Any share underlying an award
that is cancelled or terminated or forfeited for any reason without having been exercised will automatically be available for grant under
the 2014 SIP. As of December 31, 2021, 14,104 options to purchase ordinary shares remained outstanding under the 2011 SIP. No
new awards may be granted under the 2011 SIP.
The 2011 SIP is administered by our board or a committee established by our board. Option awards to purchase
our ordinary shares that were granted under the 2011 SIP are designated in the applicable award agreement as an incentive stock option,
non-qualified stock option, Section 102 award (with such designation to include the relevant tax track), Section 3(i) award,
or other designations under other regimes. All awards granted under the 2011 SIP have vested. Upon termination by reason of death, disability
or retirement, all of the grantee’s vested options may be exercised at any time within one year after such death or disability or
within three months following retirement. Upon termination for cause (as defined in the 2011 SIP), all options granted to such grantee
are forfeited on the termination date. Upon termination for any other reason all vested and exercisable options at the time of termination
may, unless earlier terminated in accordance with their terms, be exercised within up to 90 days after the termination date.
In the event of certain merger or sale events (as specified in the 2011 SIP), any award then outstanding
will be assumed or an equivalent award will be substituted by such successor corporation under substantially the same terms as such award.
If such awards are not assumed or substituted by an equivalent award, then the committee may (i) provide for grantees to have the
right to exercise their awards under such terms and conditions as the committee will determine; and/or (ii) provide for the cancellation
of each outstanding award at the closing of such transaction, and payment to the grantees of an amount in cash as determined by the committee
to be fair in the circumstances, and subject to such terms and conditions as determined by the committee.
Awards under the 2011 SIP are not transferable other than by will or by the laws of descent and distribution,
unless otherwise determined by the board or under the 2011 SIP, and generally expire ten years following the grant date. The 2011 SIP
will terminate on the tenth anniversary of the effective date, other than with respect to those awards outstanding under the 2011 SIP
at the time of termination.
2020 Employee Share Purchase Plan
On January 1, 2021, our employee share purchase plan (“ESPP”), became effective. The ESPP enables
our eligible employees and eligible employees of our designated subsidiaries to elect to have payroll deductions made during the offering
period in an amount not exceeding 15% of the gross base compensation which the employees receive. The aggregate number of ordinary shares
reserved for issuance under the ESPP, as of January 1, 2022, was 125,000 shares (the “ESPP Share Pool”). On January 1 of each
year between 2022 and 2026 the ESPP Share Pool will be increased by a number of ordinary shares equal to the lowest of (i) 1,000,000 shares,
(ii) 1% of our outstanding shares on December 31 of the immediately preceding calendar year, and (iii) a lesser number of shares determined
by our board of directors.
The ESPP is administered by our board of directors or by a committee designated by the board of directors.
Subject to those rights which are reserved to the board of directors or which require shareholder approval under Israeli law, our board
of directors has designated the compensation committee to administer the ESPP. Eligible employees become participants in the ESPP by enrolling
and authorizing payroll deductions by the deadline established by the plan administrator prior to the relevant enrollment date. We expect
that on the first trading day of each purchase period, each participant will automatically be granted an option to purchase our ordinary
shares on the exercise date of such purchase period. The applicable purchase price will be no less than 85% of the lesser of the fair
market value of our ordinary shares on the first day or the last day of the purchase period. The maximum number of ordinary shares that
may be purchased under the ESPP in any offer period is 10,000. Participant payroll deductions will be used to purchase shares on the last
day of each purchase period. The plan administrator may amend, suspend or terminate the ESPP at any time. However, shareholder approval
must be obtained for any amendment to the ESPP that increases the aggregate number of shares, changes the type of shares that may be sold
pursuant to rights under the ESPP or changes the corporations or classes of corporations whose employees are eligible to participate in
the ESPP.
Board of Directors
Under the Companies Law, the management of our business is vested in our board of directors. Our board
of directors may exercise all powers and may take all actions that are not specifically granted to our shareholders or to management.
Our executive officers are responsible for our day-to-day management and have individual responsibilities established by our board of
directors. Our Chief Executive Officer is appointed by, and serves at the discretion of, our board of directors, subject to the employment
agreement that we have entered into with him. All other executive officers are also appointed by our board of directors, and are subject
to the terms of any applicable employment agreements that we may enter into with them.
We comply with the Nasdaq rule that requires a majority of our directors to be independent as defined under
Nasdaq corporate governance rules. Our board of directors has determined that all of our directors, other than our Chief Executive Officer,
are independent under such rules. Under our articles of association, our directors serve for a period of three years pursuant to the staggered
board provisions of our articles of association. Under our articles of association, our board of directors must consist of at least four
and not more than nine directors. Our board of directors currently consists of eight directors. Our Chairman of the Board is Ehud (Udi)
Mokady, who also serves as our Chief Executive Officer. Under the Companies Law, a chairman of the board of directors of a public company
may also serve as the chief executive officer of such company if his appointment is ratified and approved by the company’s shareholders,
and which term will be valid for a period not exceeding three years from the date of such shareholder approval. In July of 2019, our shareholders
ratified and approved Mr. Mokady’s appointment as both Chairman of the Board and Chief Executive Officer, and therefore such appointment
will remain valid until July of 2022.
Pursuant to our articles of association, our directors are divided into three classes with staggered three-year
terms. Each class of directors consists, as nearly as possible, of one-third of the total number of directors constituting the entire
board of directors. At each annual general meeting of our shareholders, the election or re-election of directors following the expiration
of the term of office of the directors of that class of directors is for a term of office that expires on the third annual general meeting
following such election or re-election, such that at each annual general meeting, the term of office of only one class of directors will
expire. Each director will hold office until the annual general meeting of our shareholders in which his or her term expires, unless he
or she is removed by a vote of 65% of the total voting power of our shareholders at a general meeting of our shareholders or upon the
occurrence of certain events, in accordance with the Companies Law and our articles of association.
Our directors are divided among the three classes as follows:
(i) the Class I directors are Ehud (Udi) Mokady and David Schaeffer, and their term expires at the annual
general meeting of shareholders to be held in 2024 at the time their successors are elected and qualified;
(ii) the Class II directors are Gadi Tirosh, Amnon Shoshani and Avril England, and their term expires at
the annual general meeting of shareholders to be held in 2022 at the time their successors are elected and qualified; and
(iii) the Class III directors are Ron Gutler, Kim Perdikou and François Auque, and their term expires
at the annual general meeting of shareholders to be held in 2023 at the time their successors are elected and qualified.
In addition, our articles of association allow our board of directors to appoint directors, create new
directorships or fill vacancies on our board of directors up to the maximum number of directors permitted under our articles of association.
In case of an appointment by our board of directors to fill a vacancy on our board of directors due to a director no longer serving, the
term of office shall be equal to the remaining period of the term of office of the director(s) whose office(s) have been vacated, and
in case of a new appointment where the number of directors serving is less than the maximum number stated in our articles of association,
our board of directors shall determine at the time of appointment the class to which the new director shall be assigned.
Under the Companies Law and our articles of association, nominations for directors may be made by any shareholder(s)
holding together at least 1% of our outstanding voting power. However, any such shareholder may make such a nomination only if a written
notice of such shareholder’s intent to make such nomination has been timely and duly given to our Secretary (or, if we have no Secretary,
our Chief Executive Officer), as set forth in our articles of association. Any such notice must include certain information regarding
the proposing shareholder and the proposed director nominee, the consent of the proposed director nominee(s) to serve as our director(s)
if elected and a declaration signed by the proposed director nominee(s) as required by the Companies Law and that all of the information
that is required to be provided to us in connection with such election under the Companies Law and under our articles of association has
been provided.
Under the Companies Law, our board of directors must determine the minimum number of directors who are
required to have accounting and financial expertise. A director with accounting and financial expertise is a director who, due to his
or her education, experience and skills, possesses an expertise in, and an understanding of, financial and accounting matters and financial
statements, such that he or she is able to understand the financial statements of the company and initiate a discussion about the presentation
of financial data.
In determining the number of directors required to have such expertise, a board of directors must consider,
among other things, the type and size of the company and the scope and complexity of its operations. Our board of directors has determined
that the minimum number of directors of our Company who are required to have accounting and financial expertise is one.
External Directors
Under the Companies Law, companies incorporated under the laws of the State of Israel that are public companies,
including companies with shares listed on Nasdaq, are required to appoint at least two external directors.
Pursuant to regulations enacted under the Companies Law, the board of directors of a public company whose
shares are listed on certain non-Israeli stock exchanges, including Nasdaq, that do not have a controlling shareholder (as such term is
defined in the Companies Law), may, subject to certain conditions, elect to “opt-out” of the requirements of the Companies
Law regarding the election of external directors and to the composition of the audit committee and compensation committee, provided that
the company complies with the requirements as to director independence and audit committee and compensation committee composition applicable
to companies that are incorporated in the jurisdiction in which its stock exchange is located. In May 2016, our board of directors elected
to opt-out of the Companies Law requirements to appoint external directors and related Companies Law rules concerning the composition
of the audit committee and compensation committee.
The foregoing exemptions will continue to be available to us so long as: (i) we do not have a “controlling
shareholder” (as such term is defined under the Companies Law), (ii) our shares are traded on a U.S. stock exchange, including Nasdaq,
and (iii) we comply with Nasdaq listing rules applicable to domestic U.S. companies. If in the future we were to have a controlling shareholder,
we would again be required to comply with the requirements relating to external directors and composition of the audit committee and compensation
committee.
Under the Securities Law 1968-5728 (the “Securities Law”), and the Companies Law, the term
“controlling shareholder” means a shareholder with the ability to direct the activities of the company, other than by virtue
of being an office holder. A shareholder is presumed to be a controlling shareholder if the shareholder holds 50% or more of the voting
rights in a company or has the right to appoint the majority of the directors of the company or its general manager. For the purpose of
approving transactions with controlling shareholders, the term “controlling shareholder” also includes any shareholder that
holds 25% or more of the voting rights of the company if no other shareholder holds more than 50% of the voting rights in the company.
Lead Independent Director
Mr. Mokady has been our CEO since 2005, and following approval by our shareholders at the June 2016 and
July 2019 annual shareholder meetings, has held that post in addition to serving as our Chairman. As approved by our shareholders at the
July 2019 annual shareholder meeting, for so long as the positions of the Chief Executive Officer and Chairman of the Board are combined,
the non-executive board members will select a Lead Independent Director from among the independent directors of the board, who has served
a minimum of one year as a director. If at any meeting of the board the Lead Independent Director is not present, for the purpose and
duration of such meeting, the Chairman of the Audit Committee, Chairman of the Compensation Committee, or an independent member of the
board appointed by a majority of the independent members of the board present will act as the Lead Independent Director, in the order
listed above. Mr. Tirosh has been our Lead Independent Director since June 2016. The authorities and responsibilities of the Lead Independent
Director include, but are not limited to, the following:
o providing leadership to the board of directors if circumstances arise in which the role of the Chairman of the Board may be, or may
  be perceived to be, in conflict, and responding to any reported conflicts of interest, or potential conflicts of interest, arising for
  any director;
o presiding as chairman of meetings of the board of directors at which the Chairman of the Board is not present, including executive
  sessions of the independent members of the board of directors;
o serving as liaison between the Chairman of the Board and the independent members of the Board;
o approving meeting agendas for the board of directors;
o approving information sent to the board of directors;
o approving meeting schedules to assure that there is sufficient time for discussion of all agenda items;
o having the authority to call meetings of the independent members of the board;
o ensuring that he or she is available for consultation and direct communication with shareholders, as appropriate;
o recommending that the board of directors retain consultants or advisers that report directly to the board;
o conferring with the Chairman of the Board on important board of directors matters and ensuring the board of directors focuses on
  key issues and tasks facing the Company; and
o performing such other duties as the board of directors may from time to time delegate to assist the board of directors in the fulfillment
  of its duties.
Audit Committee
Under the Companies Law, the board of directors of a public company must appoint an audit committee. Our
audit committee consists of three independent directors, Ron Gutler (Chairperson), Kim Perdikou, and François Auque.
Audit Committee Composition
Under Nasdaq corporate governance rules, we are required to maintain an audit committee consisting of at
least three independent directors, each of whom is financially literate and one of whom has accounting or related financial management
expertise.
All members of our audit committee meet the requirements for financial literacy under the applicable rules
and regulations of the SEC and Nasdaq corporate governance rules. Our board of directors has determined that each of Ron Gutler, Kim Perdikou
and François Auque is an audit committee financial expert as defined by SEC rules and each has the requisite financial experience
as defined by Nasdaq corporate governance rules.
Each of the members of the audit committee is “independent” as such term is defined in Rule
10A-3(b)(1) under the Exchange Act, which is different from the general test for independence of board members and members of other committees.
Audit Committee Role
Our board of directors has an audit committee charter that sets forth the responsibilities of the audit
committee consistent with the rules of the SEC and the listing requirements of Nasdaq, as well as the requirements for such committee
under the Companies Law. The responsibilities of the audit committee under the audit committee charter include, among others, the following:
o overseeing of our accounting and financial reporting process and the audits of our financial statements, the effectiveness of our
  internal control over financial reporting and making such reports as may be required of an audit committee under the rules and regulations
  promulgated under the Exchange Act;
o retaining and terminating our independent registered public accounting firm subject to the approval of our board of directors and,
  in the case of retention, of our shareholders and recommending the terms of audit and non-audit services provided by the independent registered
  public accounting firm for pre-approval by our board of directors and related fees and terms;
o establishing systems of internal control over financial reporting, including communication and implementation thereof and the assessment
  of the internal controls in accordance with the Sarbanes-Oxley Act, and any attestation by the independent registered public accounting
  firm;
o determining whether there are deficiencies in the business management practices of our Company, including in consultation with our
  internal auditor or the independent registered public accounting firm, and making recommendations to the board of directors to improve
  such practices;
o determining whether to approve certain related party transactions (see “Item 6.C. Board Practices—Approval of Related
  Party Transactions under Israeli Law”);
o recommending to the board of directors the retention and termination of our internal auditor, and determining the internal auditor's
  fees and other terms of engagement, in accordance with the Companies Law;
o approving the working plan proposed by the internal auditor and reviewing and discussing the work of the internal auditor on a quarterly
  basis;
o reviewing our cybersecurity risks and controls with senior management, keeping our board informed of key issues related to cybersecurity;
o establishing procedures for the handling of employees’ complaints as to the deficiencies in the management of our business
  and the protection to be provided to such employees; and
o performing such other duties consistent with the audit committee charter, our governing documents, stock exchange rules and applicable
  law that may be requested by the board of directors from time to time, including discussing with management policies and practices that
  govern the process by which the Company undertakes risk assessment and management in sensitive areas.
Compensation Committee
Under the Companies Law, the board of directors of any public company must appoint a compensation committee.
Our compensation committee consists of three independent directors, Kim Perdikou (Chairperson), Gadi Tirosh and Ron Gutler.
Compensation Committee Composition
Under Nasdaq corporate governance rules, we are required to maintain a compensation committee consisting
of at least two independent directors. Each of the members of the compensation committee is “independent” as such term is
defined in Rule 10C-1(b)(1) under the Exchange Act, which is different from the general test for independence of board members and members
of other committees.
Compensation Policy pursuant to the Israeli Companies Law
The duties of the compensation committee include the recommendation to the company’s board of directors
of a policy regarding the terms of engagement of office holders, as such term is defined under the Companies Law, to which we refer as
a compensation policy. That compensation policy must be adopted by the company’s board of directors, after considering the recommendations
of the compensation committee, and must be brought for approval by the company’s shareholders at least once every three years, which
approval requires a Special Approval for Compensation (as defined below under “—Approval of Related Party Transactions under
Israeli Law—Disclosure of Personal Interests of an Office Holder and Approval of Certain Transactions”).
Under special circumstances, the board of directors may approve the compensation policy
despite the objection of the shareholders on the condition that the compensation committee and then the board of directors decide, on
the basis of detailed grounds and after discussing again the compensation policy, that approval of the compensation policy, despite the
objection of the meeting of shareholders, is for the benefit of the company.
The compensation policy must serve as the basis for decisions concerning the financial terms of employment
or engagement of office holders, including exculpation, insurance, indemnification or any monetary payment, obligation of payment or other
benefit in respect of employment or engagement. The compensation policy must be determined and later re-evaluated according to certain
factors, including the advancement of the company’s objectives, business plan and its long-term strategy and creation of appropriate
incentives for office holders, while considering, among other things, the company’s risk management policy, the size and the nature
of its operations and with respect to variable compensation, the contribution of the office holder towards the achievement of the company’s
long-term goals and the maximization of its profits, all with a long-term objective and according to the position of the office holder.
The compensation policy must include certain principles, such as: a link between variable compensation and long-term performance, which
variable compensation shall, other than with respect to office holders who report to the CEO, be primarily based on measurable criteria;
the relationship between variable and fixed compensation; and the minimum holding or vesting period for variable, equity-based compensation.
The compensation committee is responsible for (a) recommending the compensation policy to a company’s board of directors for
its approval (and subsequent approval by our shareholders) and (b) duties related to the compensation policy and to the compensation
of company’s office holders (as described below). Accordingly, following the recommendation and approval of our compensation committee
and Board, our shareholders approved our compensation policy at the July 2019 annual general meeting.
Compensation Committee Role
Our board of directors has adopted a compensation committee charter that sets forth the responsibilities
of the compensation committee. The responsibilities of the committee set forth in its charter and the Companies Law include, among others,
the following:
o recommending to the board of directors for its approval a compensation policy and subsequently reviewing it from time to time, assessing
  its implementation and recommending periodic updates, whether a new compensation policy should be adopted or an existing compensation
  policy should continue in effect;
o reviewing, evaluating and making recommendations regarding the terms of office, compensation and benefits for our office holders,
  including the non-employee directors, taking into account our compensation policy;
o exempting certain compensation arrangements from the requirement to obtain shareholder approval under the Companies Law (including
  with respect to the Chief Executive Officer); and
o reviewing and granting equity-based awards pursuant to our equity incentive plans to the extent such authority is delegated to the
  compensation committee by our board of directors and the reserving of additional shares for issuance thereunder.
Under our compensation policy, which was approved by our shareholders in July 2019, the compensation committee
is responsible for the general administration of the policy.
Nominating and Corporate Governance Committee
Our nominating and corporate governance committee consists of three independent directors, Gadi Tirosh
(Chairperson), Kim Perdikou and Amnon Shoshani.
Nominating and Corporate Governance Committee Role
Our board of directors has a nominating and corporate governance committee charter that sets forth the
responsibilities of the nominating and corporate governance committee, which include:
o overseeing and assisting our board of directors in reviewing and recommending nominees for election as directors and as members of
  the committees of the board of directors;
o establishing procedures for, and administering the performance of the members of our board and its committees;
o evaluating and making recommendations to our board of directors regarding the termination of membership of directors;
o reviewing, evaluating and making recommendations regarding management succession and development;
o reviewing and making recommendations to our board of directors regarding board member qualifications, composition and structure and
  the nature and duties of the committees and qualifications of committee members;
o establishing and maintaining effective corporate governance policies and practices, including, but not limited to, developing and
  recommending to our board of directors a set of corporate governance guidelines applicable to our Company; and
o provide oversight of the Company’s efforts with regard to environmental, social and governance (“ESG”) matters,
  disclosure and strategy, as well as coordinate, as necessary, with other committees of the board of directors and the Company’s
  ESG committee and steering committee, which are comprised of key Company employees and management.
Disclosure of Compensation of Executive Officers
For so long as we qualify as a foreign private issuer, we are not required to comply with the proxy rules
applicable to U.S. domestic companies, including the requirement applicable to certain domestic issuers that do not qualify as emerging
growth companies to disclose on an individual, rather than an aggregate basis, the compensation of our named executive officers as defined
in Item 402 of Regulation S-K. Nevertheless, the Companies Law requires that we disclose the annual compensation of our five most highly
compensated office holders (as defined under the Companies Law) on an individual basis. Under the Companies Law regulations, this disclosure
is required to be included in the annual proxy statement for our annual meeting of shareholders each year, which we will furnish to the
SEC under cover of a Report of Foreign Private Issuer on Form 6-K. Because of that disclosure requirement under Israeli law, we are also
including such information in this annual report, pursuant to the disclosure requirements of Form 20-F.
For additional information, see “Item 6.B. Compensation—Compensation of Directors and Senior
Management.”
Compensation of Directors
Under the Companies Law, compensation of directors requires the approval described below under “Approval
of Related Party Transactions under Israeli Law - Disclosure of Personal Interests of an Office Holder and Approval of Certain Transactions.”
The directors are also entitled to be paid reasonable travel, hotel and other expenses expended by them
in attending board meetings and performing their functions as directors of the Company, all of which is to be determined by the board
of directors.
For additional information, see “Item 6.B. Compensation—Compensation of Directors and Senior
Management.”
Internal Auditor
Under the Companies Law, the board of directors of an Israeli public company must appoint an internal auditor
recommended by the audit committee. An internal auditor may not be:
o a person (or a relative of a person) who holds more than 5% of the company’s outstanding shares or voting rights;
o a person (or a relative of a person) who has the power to appoint a director or the general manager of the company;
o an office holder (including a director) of the company (or a relative thereof); or
o a member of the company’s independent accounting firm, or anyone on his or her behalf.
The role of the internal auditor is to examine, among other things, our compliance with applicable law
and orderly business procedures. The audit committee is required to oversee the activities and to assess the performance of the internal
auditor as well as to review the internal auditor’s work plan. Chaikin, Cohen, Rubin & Co. served as our internal auditor
for the year ended December 31, 2021. As of January 2, 2022, Mr. Dror Bar Moshe serves as our internal auditor.
Approval of Related Party Transactions under Israeli Law
Fiduciary Duties of Directors and Office Holders
The Companies Law codifies the fiduciary duties that office holders owe to a company. The term “office
holder” is defined under the Companies Law as a general manager, chief business manager, deputy general manager, vice general manager,
any other person assuming the responsibilities of any of these positions (regardless of that person’s title), a director and any
other manager directly subordinate to the general manager.
An office holder’s fiduciary duties consist of a duty of care and a duty of loyalty. The duty of
care requires an office holder to act with the level of care with which a reasonable office holder in the same position would have acted
under the same circumstances. The duty of loyalty requires that an office holder act in good faith and in the best interests of the company.
The duty of care includes a duty to use reasonable means to obtain:
o information on the advisability of a given action brought for his or her approval or performed by virtue of his or her position; and
o all other important information pertaining to any such action.
The duty of loyalty includes a duty to:
o refrain from any conflict of interest between the performance of his or her duties to the company and his or her duties or personal affairs;
o refrain from any action which competes with the company’s business;
o refrain from exploiting any business opportunity of the company in order to receive a personal gain for himself or herself or others; and
o disclose to the company any information or documents relating to the company’s affairs which the office holder received as a result of his or her position as an office holder.
We may approve an act specified above that would otherwise constitute a breach of the duty of loyalty of
an office holder, provided, that the office holder acted in good faith, the act or its approval does not harm the company, and the office
holder discloses his or her personal interest, including any related material information or document, a sufficient time before the approval
of such act. Any such approval is subject to the terms of the Companies Law, setting forth, among other things, the organs of the company
entitled to provide such approval, and the methods of obtaining such approval.
Disclosure of Personal Interests of an Office Holder and Approval of Certain Transactions
The Companies Law requires that an office holder promptly disclose to the board of directors any personal
interest that he or she may be aware of and all related material information or documents concerning any existing or proposed transaction
with the company. An interested office holder’s disclosure must be made promptly and in any event no later than the first meeting
of the board of directors in which the transaction is considered.
Under the Companies Law, a “personal interest” includes an interest of any person in an act
or transaction of a company, including a personal interest of such person’s relative or of a corporate body in which such person
or a relative of such person is a 5% or greater shareholder, director or general manager, or in which he or she has the right to appoint
at least one director or the general manager, but excluding a personal interest stemming from one’s ownership of shares in the company.
A personal interest furthermore includes the personal interest of a person for whom the office holder holds a voting proxy or the personal
interest of the office holder with respect to his or her vote on behalf of a person for whom he or she holds a proxy even if such shareholder
has no personal interest in the matter. An office holder is not, however, obliged to disclose a personal interest if it derives solely
from the personal interest of his or her relative in a transaction that is not considered an extraordinary transaction. Under the Companies
Law, an extraordinary transaction is defined as any of the following:
o a transaction other than in the ordinary course of business;
o a transaction that is not on market terms; or
o a transaction that may have a material impact on a company’s profitability, assets or liabilities.
If it is determined that an office holder has a personal interest in a transaction, approval by the board
of directors (and, in certain circumstances, of its applicable committee) is required for the transaction, unless the company’s
articles of association provide for a different method of approval. Further, so long as an office holder has disclosed his or her personal
interest in a transaction and acted in good faith and the transaction or action does not harm the company’s best interests, the
board of directors may approve an action by the office holder that would otherwise be deemed a breach of duty of loyalty.
The compensation of, or an undertaking to indemnify or insure, an office holder requires approval first
by the company’s compensation committee, then by the company’s board of directors, and, if such compensation arrangement or
an undertaking to indemnify or insure is that of a director, the approval of the shareholders by an ordinary majority. If such compensation
arrangement or an undertaking to indemnify or insure is inconsistent with the company’s stated compensation policy then such arrangement
is subject to the approval of a majority vote of the shares present and voting at a shareholders meeting, provided that either, which
we refer to as the Special Approval for Compensation:
(a) such majority includes at least a majority of the shares held by all shareholders
who do not have a personal interest in such compensation arrangement and are not controlling shareholders, excluding abstentions; or
(b) the total number of shares of shareholders who do not have a personal interest
in the compensation arrangement and who vote against the arrangement does not exceed 2% of the company’s aggregate voting rights.
Generally, a person who has a personal interest in a matter which is considered at a meeting of the board
of directors or the audit committee may not be present at such a meeting or vote on that matter unless the chairman of the relevant committee
or board of directors (as applicable) determines that he or she should be present in order to present the transaction that is subject
to approval, in which case such person may do so but may not vote on the matter. If a majority of the members of the audit committee or
the board of directors (as applicable) has a personal interest in the approval of a transaction, then all directors may participate in
discussions of the audit committee or the board of directors (as applicable) on such transaction and the voting on approval thereof. However,
in the event that a majority of the members of the board has a personal interest in a transaction, shareholder approval is also required
for such transaction.
Disclosure of Personal Interests of Controlling Shareholders and Approval of Certain Transactions
We currently do not have a controlling shareholder. If we have a controlling shareholder in the future,
disclosure requirements regarding personal interests will apply and shareholder approval (meeting a special majority requirement) will
be required with respect to transactions specified in the Companies Law involving the controlling shareholder, parties having certain
relationships with the controlling shareholder and certain other specific transactions. In such cases, the votes of a controlling shareholder
and certain parties associated with it would be excluded for purposes of special majority voting requirements. Additionally, the Companies
Law provides a different, broader definition of a controlling shareholder with respect to the provisions pertaining to the approval of
related party transactions.
Shareholder Duties
Pursuant to the Companies Law, a shareholder has a duty to act in good faith and in a customary manner
toward the company and other shareholders and to refrain from abusing his or her power in the company, including, among other things,
in voting at a general meeting and at shareholder class meetings with respect to the following matters:
o an amendment to the company’s articles of association;
o an increase of the company’s authorized share capital;
o the approval of related party transactions and acts of office holders that require shareholder approval.
In addition, a shareholder also has a general duty to refrain from discriminating against other shareholders.
Certain shareholders also have a duty of fairness toward the company. These shareholders include any controlling
shareholder, any shareholder who knows that he or she has the power to determine the outcome of a shareholder vote and any shareholder
who has the power to appoint or to prevent the appointment of an office holder of the company or other power towards the company. The
Companies Law does not define the substance of the duty of fairness, except to state that the remedies generally available upon a breach
of contract will also apply in the event of a breach of the duty to act with fairness.
Exculpation, Insurance and Indemnification of Directors and Officers
Under the Companies Law, a company may not exculpate an office holder from liability for a breach of the
duty of loyalty. An Israeli company may exculpate an office holder in advance from liability to the company, in whole or in part, for
damages caused to the company as a result of a breach of duty of care but only if a provision authorizing such exculpation is included
in its articles of association. Our articles of association include such a provision. The company may not exculpate in advance a director
from liability arising out of a prohibited dividend or distribution to shareholders.
Under the Companies Law and the Securities Law, a company may indemnify an office holder in respect of
the following liabilities, payments and expenses incurred for acts performed by him or her as an office holder, either pursuant to an
undertaking made in advance of an event or following an event, provided its articles of association include a provision authorizing such
indemnification:
o a monetary liability incurred by or imposed on him or her in favor of another person pursuant to a judgment, including a settlement or arbitrator’s award approved by a court. However, if an undertaking to indemnify an office holder with respect to such liability is provided in advance, then such undertaking must be limited to certain events which, in the opinion of the board of directors, can be foreseen based on the company’s activities when the undertaking to indemnify is given, and to an amount or according to criteria determined by the board of directors as reasonable under the circumstances, and such undertaking shall detail the foreseen events and the amount or criteria described above;
o reasonable litigation expenses, including reasonable attorneys’ fees, incurred by the office holder (1) as a result of an investigation or proceeding instituted against him or her by an authority authorized to conduct such investigation or proceeding, provided that (i) no indictment was filed against such office holder as a result of such investigation or proceeding; and (ii) no financial liability was imposed upon him or her as a substitute for the criminal proceeding as a result of such investigation or proceeding or, if such financial liability was imposed, it was imposed with respect to an offense that does not require proof of criminal intent; or (2) in connection with a monetary sanction or liability imposed on him or her in favor of an injured party in certain Administrative proceedings;
o expenses incurred by an office holder in connection with Administrative proceedings instituted against such office holder, or certain compensation payments made to an injured party imposed on an office holder by Administrative proceedings, including reasonable litigation expenses and reasonable attorneys’ fees; and
o reasonable litigation expenses, including attorneys’ fees, incurred by the office holder or imposed by a court in proceedings instituted against him or her by the company, on its behalf, or by a third party, or in connection with criminal proceedings in which the office holder was acquitted, or as a result of a conviction for an offense that does not require proof of criminal intent.
Under the Companies Law and the Securities Law, a company may insure an office holder against the following
liabilities incurred for acts performed by him or her as an office holder if and to the extent provided in the company’s articles
of association:
o a breach of duty of care to the company or to a third party, to the extent such a breach arises out of the negligent conduct of the office holder;
o a breach of the duty of loyalty to the company, provided that the office holder acted in good faith and had a reasonable basis to believe that the act would not harm the company;
o a monetary liability imposed on the office holder in favor of a third party;
o a monetary liability imposed on the office holder in favor of an injured party in certain Administrative proceedings; and
o expenses incurred by an office holder in connection with certain Administrative proceedings, including reasonable litigation expenses and reasonable attorneys’ fees.
Under the Companies Law, a company may not indemnify, exculpate or insure an office holder against any
of the following:
o a breach of the duty of loyalty, except for indemnification and insurance for a breach of the duty of loyalty to the company to the extent that the office holder acted in good faith and had a reasonable basis to believe that the act would not prejudice the company;
o a breach of duty of care committed intentionally or recklessly, excluding a breach arising out of the negligent conduct of the office holder;
o an act or omission committed with intent to derive illegal personal benefit; or
o a civil or criminal fine, monetary sanction or forfeit levied against the office holder.
Under the Companies Law, exculpation, indemnification and insurance of office holders in a public company
must be approved by the compensation committee and the board of directors and, with respect to certain office holders or under certain
circumstances, also by the shareholders. See “Item 6.C. Board Practices—Approval of Related Party Transactions under Israeli
Law.”
We have entered into indemnification agreements with our office holders to exculpate, indemnify and insure
our office holders to the fullest extent permitted or to be permitted by our articles of association and applicable law (including, without
limitation, the Companies Law, the Securities Law and the Israeli Restrictive Trade Practices Law, 5758-1988). We have obtained director
and officer liability insurance for the benefit of our office holders and intend to continue to maintain such insurance as deemed adequate
and to the extent permitted by the Companies Law.
As of December 31, 2021, we had 2,140 employees and subcontractors with 702 located in Israel,
761 in the United States, 145 in the United Kingdom and 532 across 37 other countries. The following table shows the breakdown of our
global workforce of employees and subcontractors by category of activity as of the dates indicated:
Department | As of December 31, 2019 | As of December 31, 2020 | As of December 31, 2021
Sales and marketing | 656 | 772 | 941
Research and development | 349 | 464 | 643
Services and support | 253 | 309 | 381
General and administrative | 122 | 144 | 175
Total | 1,380 | 1,689 | 2,140
All our employment agreements are governed by local labor laws. None of our employees work under any collective
bargaining agreements, except for our employees in Italy who work under the national collective bargaining agreement for trade and commerce
sector (CCNL Commercio), which affects matters such as length of working, annual holidays entitlement,
sick leave, travel expenses and pension rights, and our employees in France who work under the collective bargaining agreement for offices
of technical studies, offices of consulting engineers and consulting firms (SYNTEC CBA), and our
employees in Spain who work under the collective bargaining agreement for the sale of Metal of the Region of Madrid or the collective
bargaining agreement for the sale of Metal of the province of Barcelona, depending on their location.
With respect to our Israeli employees, Israeli labor laws govern the length of the workday, minimum wages
for employees, procedures for hiring and dismissing employees, determination of severance pay, annual leave, sick days, advance notice
of termination of employment, equal opportunity and anti-discrimination laws and other conditions of employment. Subject to certain exceptions,
Israeli law generally requires severance pay upon the retirement, death or dismissal of an employee, and requires us and our employees
to make payments to the National Insurance Institute, which is similar to the U.S. Social Security Administration. Our Israeli employees
have pension plans that comply with the applicable Israeli legal requirements and we make monthly contributions to severance pay funds
for all Israeli employees, which cover potential severance pay obligations.
Extension orders issued by the Israeli Ministry of Economy and Industry (formerly the Israeli Ministry
of Industry, Trade and Labor) apply to our employees in Israel and affect matters such as living adjustments to salaries, length of working
hours and week, recuperation pay, travel expenses, and pension rights. We have never experienced labor-related work stoppages or strikes
and believe that our relations with our employees are satisfactory.
Human Capital Resources
Our Culture
Our culture is an important contributing factor to our success and a key differentiator in our strategy.
We value diversity and inclusion which allows for the exchange of ideas, creates a strong community and helps ensure our employees are
valued and respected. We are committed to hiring talented, smart, bold but humble employees who love a challenge. Our Chief Human Resource
Officer, who reports directly to our Chief Executive Officer, oversees our broad and comprehensive initiatives to promote a strong culture
including formal as well as real time employee recognition programs, matching charitable donations, a wide range of community volunteering
opportunities, team building events, regular executive round table discussions and employee engagement surveys.
Diversity, Equity & Inclusion
Diversity, Equity and Inclusion are critical to the successful execution of our strategy of bringing different
perspectives to the table, strengthening decision-making processes, driving innovation, and creating a strong community that helps ensure
our employees are given fair and equal opportunities. Given its importance to our overall strategy execution, our diversity, equity and
inclusion program is overseen by the compensation committee and the Board.
Talent and Career Development
We encourage all our employees to shape their own learning journey and take advantage of the learning and
development opportunities we provide. Learning and development helps everyone become more impactful in both their current role as well
as in future roles. All employees participate in our Feedback and Dialogue Process designed to empower employees to be “the best
version of you.” In addition, we deliver learning solutions using various methodologies including classroom-based sessions, virtual
webinars, coaching and experiential learning to meet the needs of our employees. Some of these learning efforts include an effective onboarding
process for new employees and management training for managers, as well as learning opportunities aligned with our strategic direction.
Likewise, we provide all employees with access to multiple platforms for various self-paced, on-demand learning opportunities. In 2021,
we enhanced our career development program, taking a lattice approach to identify how employees can grow their careers and skill sets
as well as identify various career paths. We also began conducting quarterly leadership conferences to help strengthen our employees’
leadership skills and further develop the next layer of talent in the Company.
Compensation, Benefits and Recognition
We offer a pay-for-performance total rewards approach. Our methodology includes competitive base salaries,
variable pay programs to drive target achievements, long-term incentives such as equity grants and customized benefits packages across
all our regions. We encourage work-life alignment, career development opportunities and excellence in performance. These principles align
with our values and support our journey towards building an equitable, diverse and inclusive environment. We regularly review our total
rewards offering to address constantly changing trends and developments in the complex global and local markets in which we operate. We
offer rewards and recognition programs to our employees, including a formal rewards program, spot bonuses and awards for employees who
exemplify our values.
Employee Engagement, Recognition & Satisfaction
We regularly engage with our employees through programs such as our quarterly All-Hands Meetings as well
as quarterly Leadership Conferences. Using a third party, we regularly conduct comprehensive employee engageme