CYBERARK SOFTWARE LTD.
In this annual report, the terms “CyberArk,” “we,”
“us,” “our” and “the Company” refer to CyberArk Software Ltd. and its subsidiaries.
In addition to historical facts, this annual report contains
forward-looking statements within the meaning of Section 27A of the U.S. Securities Act of 1933, as amended, (the “Securities
Act”), Section 21E of the U.S. Securities Exchange Act of 1934, as amended, (the “Exchange Act”), and the safe
harbor provisions of the U.S. Private Securities Litigation Reform Act of 1995. These forward-looking statements are subject to risks
and uncertainties, and include information about possible or assumed future results of our business, financial condition, results of operations,
liquidity, plans and objectives. In some cases, you can identify forward-looking statements by terminology such as “believe,”
“may,” “estimate,” “continue,” “anticipate,” “intend,” “should,”
“plan,” “expect,” “predict,” “potential,” or the negative of these terms or other similar
expressions. The forward-looking statements are based on our beliefs, assumptions and expectations of future performance. There are important
factors that could cause our actual results, levels of activity, performance or achievements to differ materially from the results, levels
of activity, performance or achievements expressed or implied by the forward-looking statements, including, but not limited to:
In addition, you should consider the risks provided under “Item
3.D. Risk Factors” in this annual report.
You should not rely upon forward-looking statements as predictions
of future events. Although we believe that the expectations reflected in the forward-looking statements are reasonable, we cannot guarantee
that future results, levels of activity, performance and events and circumstances reflected in the forward-looking statements will be
achieved or will occur. Additionally, we may provide information herein that is not necessarily “material” under the U.S.
federal securities laws for Securities Exchange Commission reporting purposes, but that is informed by various environmental, social and
governance (“ESG”) standards and frameworks (including standards for the measurement of underlying data), and the interests
of various stakeholders. Much of this information is subject to assumptions, estimates or third-party information that is still evolving
and subject to change. For example, our disclosures based on any standards may change due to revisions in framework requirements, availability
of information, changes in our business or applicable government policies, or other factors, some of which may be beyond our control.
Except as required by law, we undertake no obligation to update publicly any forward-looking statements for any reason after the date
of this annual report, to conform these statements to actual results or to changes in our expectations.
PART
I
| ITEM 1. |
IDENTITY OF DIRECTORS, SENIOR MANAGEMENT AND ADVISERS |
Not applicable.
| ITEM 2. |
OFFER STATISTICS AND EXPECTED TIMETABLE |
Not applicable.
A. [Reserved]
B. Capitalization
and Indebtedness
Not applicable.
C. Reasons
for the Offer and Use of Proceeds
Not applicable.
D. Risk
Factors
Risks Related to Our Business and Our Industry
The IT security market
is rapidly evolving within the increasingly challenging cyber threat landscape. If our solutions fail to adapt to market changes and demands,
sales may not continue to grow or may decline.
We offer identity security solutions, centered on privileged
access, that safeguard privileged accounts’ credentials and secrets, secure access across both human and non-human identities, and
manage entitlements and secure access to cloud environments. If customers do not recognize the benefit of our solutions as a critical
layer of an effective security strategy, our revenues may decline, which could cause our share price to decrease in value. Security solutions
such as ours, which aim to disrupt cyberattacks by insiders and external perpetrators that have penetrated an organization’s IT
environment, represent a security layer designed to respond to advanced threats and provide more rigorous compliance standards and audit
requirements. However, advanced cyber attackers are skilled at adapting to new technologies and developing new methods of gaining access
to organizations’ sensitive data and technology assets. We expect that our customers, and thereby our solutions, will face
new and increasingly sophisticated methods of attack, particularly given the increasing complexity of IT environments, increased attacks
from foreign nation-state actors and the proliferation of privileged access across identities. We face significant challenges in ensuring
that our solutions effectively identify and respond to sophisticated attacks while avoiding disruption to our customers’ businesses.
As a result, we must continually modify, improve, and invest in our products and services in response to market and technology trends
and evolvement, including obtaining interoperability with existing or newly introduced technologies and systems, to ensure we are meeting
market needs and continuing to provide valuable solutions that can be deployed in a variety of IT environments, including cloud and hybrid.
We cannot guarantee that we will be able to anticipate future
market needs and opportunities, or be able to develop or acquire product enhancements or new products or services to meet such needs or
opportunities in a timely manner or at all. Additionally, we cannot guarantee that we will be able to comply with new regulatory requirements
(see “—The dynamic regulatory environment around privacy and data protection may limit our offering or require modification
of our products and services, which could limit our ability to attract new customers and support our current customers and increase our
operational expenses. We could also be subject to investigations, litigation, or enforcement actions alleging that we fail to comply with
regulatory requirements, which could harm our operating results and adversely affect our business.”). Furthermore, new technologies
and solutions that may make our solutions obsolete may be introduced into the market, lowering the demand for our products and reducing
our sales. Even if we are able to anticipate, develop and commercially introduce new features and products and ongoing enhancements to
our existing products, there can be no assurance that such enhancements or new solutions will achieve widespread market acceptance. Delays
in developing, completing or delivering new or enhanced solutions could cause our offerings to be less competitive, impair customer acceptance
of our solutions and result in delayed or reduced revenue and share price decline.
Our quarterly results
of operations may fluctuate for a variety of reasons. We may, as a result, fail to meet publicly announced financial guidance or other
expectations about our business, which could cause our ordinary shares to decline in value.
We began transitioning our business to a subscription model in
January 2021, reaching our subscription selling goals in the first quarter of 2022. We continue to offer our customers multiple
software and delivery models. We recognize revenue differently based on the composition of the selected offering. Specifically, we recognize
revenue from the license portion of self-hosted subscriptions upon the commencement of the subscription period. The revenue recognition
associated with the license portion of self-hosted subscription within a certain quarter is impacted by the duration of the contract.
We recognize revenue from SaaS subscriptions and from maintenance services for self-hosted subscription or perpetual licenses ratably,
over the period of the subscription or maintenance contract. While a relatively small and declining percentage of our bookings are
from perpetual licenses this revenue is recognized upon delivery. The mix of our subscription and perpetual bookings and the mix of self-hosted
and SaaS subscriptions in any given quarter may be difficult to predict and may cause trends in revenue recognition to lag those in sales,
potentially causing us to fall short of investor expectations for revenue even while meeting or exceeding periodic sales targets.
A meaningful portion of our quarterly revenues is typically generated
through transactions of significant size, and purchases of our solutions and services often occur at the end of each quarter. We also
experience quarterly and annual seasonality in our sales, demonstrated by increased sales in the third month of each quarter relative
to the first two months, and increased sales in the fourth quarter of each year. The timing in which SaaS deals close may further exacerbate
the seasonality impact on reported revenues due to the ratable recognition. In addition, our sales cycle can be intensely competitive
and last several quarters from proof of concept to the actual sale and initial delivery of our solutions to our customers. The sales cycle
can be even longer, less predictable and more resource-intensive for larger sales, or with customers implementing complex digital transformation
strategies or facing a complex set of compliance and user requirements. Customers may require additional internal committee or executive
approvals, extensive security reviews, longer product trial periods and prolonged contract negotiation before making a final purchase,
all of which has intensified with the increased volume of SaaS transactions, which are subject to even greater scrutiny.
At times, sales have occurred in a quarter that was either earlier
than, or subsequent to, the anticipated quarter, and some sale opportunities that were expected to close did not close at all. A failure
to close a large transaction in a particular quarter may adversely impact our revenues in that quarter and, in case of a large subscription
transaction pending, may adversely impact our revenues and cash flow in subsequent quarters. Closing an exceptionally large transaction
in a certain quarter may disproportionately increase our revenues in that quarter, which may make it more difficult for us to meet growth
rate expectations in subsequent quarters. Furthermore, even if we close a sale during a given quarter, we may be unable to recognize the
revenues derived from such sale during the same period due to our revenue recognition policy. As a result of the foregoing factors, the
timing of closing sales cycles and the associated revenue from such sales can be difficult to predict and may cause us to miss our guidance
or fall short of market expectations. This may result in the decline of the price of our ordinary shares.
In addition, our results of operations may continue to vary as
a result of a number of other factors, many of which may be outside of our control or difficult to predict, including:
o our
ability to attract new customers and to retain existing customers by and through renewals of maintenance services and subscriptions (see
“—If we are unable to acquire new customers or sell additional products and services to our existing customers, our future
revenues and operating results will be harmed.”);
o the
amount and timing of our operating costs and cash collection, which may vary also as a result of fluctuations in foreign currency exchange
rates or changes in taxes or other applicable regulations (see “—We are exposed to fluctuations in currency exchange rates,
which could negatively affect our financial condition and results of operations.”);
o the
rate at which our customers fully deploy their purchased solutions, and our ability to sell additional solutions and services to current
customers;
o the
impact of economic, social, or political conditions, including conditions resulting from a decline in the macroeconomic environment, rising
interest rates, exchange rate fluctuations, and inflation, and the resulting effect on the demand for our solutions and on our expected
revenue growth rates and costs (see “—Prolonged economic uncertainties or downturns,
globally or in certain regions or industries, could materially adversely affect our business.”).
o the
ability of our support and customer success operations to keep pace with sales to new and existing customers and the expansion of our
solution portfolio and to satisfy customer demands for consultancy and professional services;
o our
ability to successfully expand our business globally;
o the
release, timing, and success of new product and service introductions by us or our competitors or any other change in the competitive
landscape of the cybersecurity market, including consolidation among our competitors;
o the
introduction of new accounting pronouncements or changes in our accounting policies or practices;
o changes
in our pricing policies or those of our competitors;
o the
size and discretionary nature of our prospective and existing customers’ IT budgets; and
o ongoing
effects from the COVID-19 pandemic or other public health crises, and the global economic changes caused by it (see “—The
COVID-19 pandemic, measures taken in response to it and the resulting global economic environment have adversely affected, and may adversely
affect in the future, our business, financial condition, and results of operations.”);
Any of these factors, individually or in the aggregate, may result
in significant fluctuations in our financial and other operating results. These fluctuations could result in our failure to meet our operating
plan or the expectations of investors or analysts for any given period. Such failures may cause the market price of our ordinary shares
to substantially decrease.
If we are unable to acquire
new customers or sell additional products and services to our existing customers, our future revenues and operating results will be harmed.
Our success and continued growth will depend, in part, on our
ability to acquire a sufficient number of new customers while maintaining and expanding our revenues from existing customers, by renewing
contracts for our solutions and selling incremental or new solutions to existing customers. If we are unable to succeed in such efforts,
we will likely be unable to generate revenue growth at desired or projected rates. In addition, competition in the industry may lead us
to acquire fewer new customers or result in us providing more favorable commercial terms to new or existing customers. Macroeconomic effects
may also affect our ability to maintain our customer base and expand it, while also impacting our renewal rates and associated annual
cost increases.
As we expand our market reach to gain new business, including
entering the Access Management market, securing DevOps environments, and expanding into Cloud Privilege Security, we may experience difficulties
in gaining traction and raising awareness among potential customers or in maintaining a market leadership position and obtaining industry
analyst recognition, or we may face more competitive pressure in such markets. As a result, it may be difficult for us to add new customers
to our customer base, retain our existing customers and generate increased growth from sales of these solutions.
With our ongoing introduction of new solutions to meet market
demands, our sales, research and development, support and customer success and IT teams may have difficulties selling, supporting and
maintaining multiple license models and code bases. These may lead to lower rates of software sales, longer sales cycles, customer dissatisfaction,
lower renewal rates and a reduction in our ability to sell add-on business to customers or gain new customers. Further, as part of the
natural lifecycle of our solutions, we may determine that certain products will be reaching their end of development or end of life and
will no longer be supported or receive updates and security patches. Failure to effectively introduce new solutions or manage our product
lifecycles could lead to increased expenses, existing customer dissatisfaction and contractual liabilities.
Further, any changes in compliance standards or audit requirements
that reduce the priority for the types of controls, security, monitoring and analysis that our solutions provide would adversely impact
demand for our solutions. Additional factors that impact our ability to acquire new customers or sell additional products and services
to our existing customers include the consumption of their past purchases, a reduction in the perceived need for IT security, the size
or prioritization of our prospective and existing customers’ IT budgets, the utility and efficacy of our existing and new offerings,
whether proven or perceived, changes in our pricing or licensing models that may impact the size of new business transactions, a downgrade
of our recognized industry leadership position by industry analysts and general economic conditions. These factors may have a material
negative impact on future revenues and operating results.
We face intense competition
from a wide variety of IT security vendors operating in different market segments and across diverse IT environments. This may challenge
our ability to maintain or improve our competitive position or to meet planned growth rates.
The IT Security market in which we operate is characterized by
intense competition, constant innovation, rapid adoption of different technological solutions and services, and evolving security threats.
We compete with multiple established and emerging companies that offer a broad array of cybersecurity products and employ different approaches
and delivery models. Specifically, our Identity Security Platform competes across a variety of markets and competitors, including, but
not limited to:
|
• |
Privileged Access Management (PAM), including Endpoint Privilege Management, such as Delinea and BeyondTrust; |
|
• |
Identity and Access Management, such as Okta and Microsoft; and |
|
• |
Secrets Management (including broad DevOps solutions), such as Hashi Corporation. |
The IT Security market’s maturity and growth could also
make it appealing for new players, such as large or emerging cybersecurity vendors or those in related markets (Endpoint, Cloud Security,
DevOps or Infrastructure as a Service (IaaS)), to enter markets where we specialize. Additionally, potential consolidation among cybersecurity
vendors may create an opportunity for our competitors to provide a greater breadth of offerings, including more integrations and bundled
products. This may create a competitive disadvantage, regardless of the performance and features of our offerings if customers prefer
to utilize one vendor for multiple cybersecurity capabilities. Furthermore, organizations continuously evaluate their security priorities
and investments and may allocate their IT security budgets to other solutions and strategies, including solutions offered by our competitors,
and may not adopt or expand use of our solutions. Accordingly, we may also compete for budget priority, to a certain extent, with other
cybersecurity solutions offered by Microsoft, Palo Alto Networks, and CrowdStrike Holdings.
In particular, our competitors may enjoy potential competitive
advantages, such as greater name recognition and longer operating history; larger sales, marketing, research and acquisition resources;
access to larger channel partner and customer bases; lower labor and development costs; lower product pricing; increased effectiveness
in protecting, detecting and responding to cyberattacks; greater or localized resources for customer support and provision of services; greater
speed at which a solution can be deployed and implemented; broader product and service offerings, including bundling; greater operational
flexibility and less stringent accounting, auditing and legal standards, applicable to privately held companies; and greater financial
and technical resources which may result in a larger intellectual property portfolio.
Our current and potential competitors may also establish collaborations
or alliances among themselves or with third parties that may further enhance their resources and capabilities. Our collaborative efforts
with our technology partners could also change if they develop and market competitive solutions, thus intensifying the competitive landscape,
while adversely affecting our partnership efforts and their resale and marketing of our products. If we are not able to compete
effectively under these circumstances, this may result in price reductions, fewer orders, reduced renewals, reduced revenue and gross
margins, and loss of market share. Any failure to adequately address these factors could seriously harm our business and operating results.
Real or perceived security
vulnerabilities and gaps in our solutions or services or the failure of our customers or third parties to correctly implement, manage
and maintain our solutions, may result in significant reputational, financial, and legal adverse impact.
Security products, solutions and services such as ours are
complex in development, design and deployment and may contain errors, bugs, gaps, design failures, misconfigurations or security vulnerabilities,
some of which are potentially incapable of being remediated or detected until after their deployment, if at all. Any real or perceived
errors, bugs, gaps, design failures, defects, vulnerabilities, misconfigurations in our solutions or their accompanying documentation,
or untimely or insufficient remediation thereof, could cause our solutions not to meet their specifications or security standards. The
affected solutions may not fulfil their primary security functions, falsely identify threats or create new security threats, and be vulnerable
to security attacks. There is no guarantee that our products would be free of flaws or vulnerabilities at all times and we may not correct
all known vulnerabilities, gaps or errors promptly, or at all.
Further, our solutions serve as mission-critical applications
in our customers’ operational environments, allowing them to manage access and privileges in their systems and networks. Any breach,
interruption or shut down of our solutions could significantly damage customers’ internal and external operations, and therefore
we may suffer significant reputational, financial and legal adverse impact. Potential vulnerabilities or deficiencies associated with
a product developed or obtained through an acquisition could also deteriorate our solutions’ security and expose our customers to
additional risk (see “—We may fail to fully execute, integrate, or realize the benefits expected from acquisitions, which
may require significant management attention, disrupt our business, dilute shareholder value and adversely affect our results of operations.”).
Several of our solutions are made available to our customers
as SaaS. Delivering software as a service involves storage and transmission of customers’ proprietary information, including personal
data, related to their assets, employees and users. Security breaches, bugs, vulnerabilities, gaps, defects or improper configuration
of our solutions, cloud accounts or production and development environments (including those embedded in third-party technology used in
our products or by our customers) could result in loss or alteration of, or unauthorized access to this data and compromise of our networks
or our customers’ networks secured by our SaaS solutions. Any such incident, whether or not caused by us, could result in significant
liability or reputational harm.
Our solutions not only reinforce but also rely on the common
security concept of placing multiple layers of security controls throughout an IT environment. The failure of our customers, channel partners,
managed service providers, subcontractors or similar entities to correctly implement or effectively manage and maintain our solutions
and the environments in which they are utilized, or to consistently implement and utilize generally accepted and comprehensive, multi-layered
security measures and processes, may lessen the efficacy of our solutions, in whole or in part. These entities may also independently
develop or change existing application programming interfaces (APIs) that we provide or other customizable components in an incorrect
or insecure manner. Such failures or actions may lead to security breaches and data loss, which could result in a perception that our
solutions or services failed and associated negative business implications. In addition, we are expected to provide high levels of transparency
regarding security vulnerabilities in our products, which, once conveyed, may increase our customers’ exposure to a security breach
until they properly implement the relevant fix. Further, our failure to provide our customers and channel partners with adequate services
or accurate product documentation and training related to the use, implementation and maintenance of our solutions, could lead to claims
against us.
Similarly, a failure by a provider like us to effectively secure
and detect threats within our own resources and networks, such as development or customer-serving production environments, could lead
to threat actors compromising our customers’ environments through a breach or exploitation of our products or services (see “—If
our internal IT network systems, or those of our third-party providers, are compromised by cyberattacks or other security incidents, or
by a critical system disruption or failure, then our reputation, financial condition and operating results could be materially adversely
affected.”). A similar effect could arise from the use of compromised third-party software in or in relation to our products or
by third parties such as vendors, which could expose our solutions, networks and environments – and thereby our customers –
to additional vulnerabilities and security incidents.
As we increase our developers’ workforce globally to meet
our business goals, including by engaging external developers or through mergers and acquisitions, the risk of errors, misconfigurations,
vulnerabilities or intentional misconduct, may be heightened due to governance difficulties and limited centralized oversight. In addition,
difficulties or delays in hiring and retaining personnel may impact the resources available to us for continuous improvement of our product
security posture and therefore, increase this risk (see “—The highly competitive cybersecurity labor market has made it a
challenge to attract and retain qualified personnel. If we are unable to hire, retain and motivate qualified personnel, our business will
suffer.”).
An actual or perceived error, bug, misconfiguration, vulnerability,
gap, cyberattack or other security breach, regardless of whether the vulnerability or breach is attributable to the failure of our solutions
or the related services we provide, could adversely affect the market’s perception of the efficacy of our solutions and our industry
standing. Such circumstances could cause current or potential customers to look to our competitors for alternatives to our solutions and
subject us to negative media attention, reputational harm, lawsuits, regulatory investigations and other government inquiries, indemnity
claims and financial losses, as well as the expenditure of significant financial resources to, among other actions, analyze, correct or
eliminate any vulnerabilities. Provisions in our agreements that attempt to limit our liability towards our customers, channel partners,
and relevant third parties may not withstand legal challenges, and certain liabilities may not be limited or capped. Additionally, any
insurance coverage we have may not adequately cover all claims asserted against us and may leave a significant portion of such claims
to be directly covered by us. In addition, such insurance may not be available to us in the future on economically reasonable terms, or
at all.
If our IT network systems,
or those of our third-party providers, are compromised by cyberattacks or other security incidents, or by a critical system disruption
or failure, then our reputation, financial condition and operating results could be materially adversely affected.
The security and integrity of our IT network systems and of our
third-party providers, and the perception thereof, is critical to our ability to deliver products and services to customers as well as
to run internal operations. While we operate certain of these network systems, we also rely on third-party providers across an array of
technologies and services that enable us to conduct, monitor and/or protect our business operations. For example, we rely on third parties
to host our SaaS products (see “—We increasingly rely on third-party providers of cloud infrastructure services to deliver
our SaaS solutions to customers, and any disruption of or interference with our use of these services, including
any specifications limitations, could adversely affect our business.”)
and support our customer relationship management and financial operation services (provided by our Enterprise Resource Planning system).
In addition, in the ordinary course of business, we and our third-party providers generate, collect, process and store sensitive information
and data, including proprietary and personal data belonging to us and others.
We acknowledge that the threat landscape is broad and that
threats are persistent. Being a prominent Israeli security company that provides solutions centered on privileged access security and
identity management, we are and will remain an attractive target for cyber attackers and malicious actors, including insiders, as well
as cyber terrorists, sophisticated criminal groups or nation-state affiliated actors. We have experienced and expect to continue to experience
cyberattacks and security incidents that have impacted and will impact our IT network systems, physical facilities, our data or our customers’
networks or data. Cyberattacks and security incidents are expected to accelerate in both frequency and impact as the use of cloud-based
solutions expands, the use of AI (Artificial Intelligence) increases and attackers become increasingly sophisticated and utilize tools
and techniques that are designed to circumvent controls, avoid detection, and remove or obfuscate forensic evidence. Our security measures
and controls may not be sufficient to protect us against such attacks, which means that we may be unable to detect, investigate, contain
or recover from future attacks or incidents in a timely or effective manner. Disruptive attacks, such as through ransomware and other
extortion-based tactics, that can temporarily or permanently disable operations are becoming increasingly prevalent. Malicious third
parties or insiders may also attempt to fraudulently induce employees or customers into disclosing sensitive information such as user
names, passwords or other information or otherwise compromise the security of our or our customers’ networks or data. Additionally,
we may be at risk due to the increased frequency of sophisticated cyberattacks coordinated by foreign nation-states. For example, the
ongoing conflict between Russia and Ukraine may result in a heightened threat environment and create unknown cyber risks, including increased
risk of retaliatory cyberattacks from Russian actors against foreign-based companies, or the proliferation of nation-state capabilities
to non-state attack groups. Our solutions’ operation relies at times on third-party, including open-source and other software, services,
networks and environments, which could also serve as an attack vector. The shift to a remote working or hybrid environment due to the
COVID-19 pandemic has expanded the attack surface for cyberattacks against us, our customers, and third-party providers. Cyberattacks
against our Company may also be caused by breaches of our contractors, channel partners, supply chain network, vendors and other third
parties associated with us, which could result from, among other causes, the sophistication of the attackers, human error and insufficient
employee training, or lack of security and compliance oversight and prioritization. In addition, the risk for a cyberattack on our networks
and environments, may be heightened if we fail to identify or remediate any deficiencies in the products, procedures, and policies of
companies that we acquire (see “—We may fail to fully execute, integrate, or realize the benefits expected from acquisitions,
which may require significant management attention, disrupt our business, dilute shareholder value and adversely affect our results of
operations.”).
We and our third-party providers may also be subject to information
technology system failures or network disruptions caused by a variety of factors, including pandemics, natural disasters (such as increased
frequency and severity of storms, earthquakes, flooding, fires, heatwaves or drought), accidents, power disruptions, telecommunications
failures, acts of terrorism, wars (including the conflict between Russia and Ukraine), computer viruses and malware (such as ransomware),
or other events or disruptions. System redundancy, data back-ups and other continuity measures may be ineffective or inadequate, and our
business continuity and disaster recovery planning may not be sufficient for all eventualities. Cyberattacks, security breaches and other
incidents could result in significant damage to our market position and lead to costly remediation requirements, indemnity claims, legal
claims (including class action litigation), regulatory investigations and fines or penalties, as well as the loss of proprietary and confidential
data, trade secrets and customers (see “—The dynamic regulatory environment around privacy and data protection may limit our
offering or require modification of our products and services, which could limit our ability to attract new customers and support our
current customers and increase our operational expenses. We could also be subject to investigations, litigation, or enforcement actions
alleging that we fail to comply with regulatory requirements, which could harm our operating results and adversely affect our business.”).
An actual or perceived failure, disruption, or breach of our network, our operations or privileged account security in our systems could
adversely affect the market perception of our products and services, or of our expertise in this field. Moreover, if critical business
functions or services from third-party providers are breached and become unavailable due to extended outages or interruptions or because
they are no longer available on commercially reasonable terms, our ability to manage our operations could be interrupted, our contractual
service level commitments could be breached, and our ability to provide timely and adequate maintenance and support services to our customers
could be impacted. Any of the foregoing events could have a material and adverse effect on our operations, reputation, financial condition
and operating results and expenses.
With the increase in the likelihood and severity of potential
security breaches and the increase in cybersecurity insurance premiums for our customers, negotiations may require us to assume more risk,
including higher liabilities with regards to security and data breaches. In addition, we are unable to ensure that any limitations of
liability provisions in our contracts with respect to our information security operations or our product liability would be enforceable,
adequate, or would otherwise protect us from any liabilities or damages with respect to any particular claim (including in cases where
existing customers purchase new solutions based on previously agreed contractual terms). We also may not be able to adequately recover
damages from third parties associated with us, who were involved in a security incident. Additionally, any insurance coverage we may have
may not adequately cover any of these claims asserted against us or any related damage and may leave a significant portion of such claims
to be directly covered by us. If any of the foregoing were to occur, our business may suffer extensive costs, our sales may be reduced
and our share price may be negatively impacted.
If we fail to successfully
operate as a subscription company, renew our existing customer base, and retain sufficient subscription or maintenance and support service
renewal rates, our revenues, Annual Recurring Revenue (ARR), operating results and share price may be adversely affected.
We began transitioning our business to a subscription model
in January 2021, reaching our subscription selling goals of at least 85% of our sales through subscriptions, for both SaaS and self-hosted
offerings in the first quarter of 2022. To support our recurring revenue business model, we continue to evolve our business processes,
systems and organizational structure to support and grow our subscription customers. Our strategy requires considerable investments across
the entire organization with significant changes to our go-to-market and research and development organizations and activities, as well
as our operations, reporting and financial resources. We expect our perpetual license revenue to continue to decline and our maintenance
and support revenue to gradually decline over the coming years. Certain customers may view these changes unfavorably and terminate their
engagements with us, or they may still desire perpetual licenses, which may cause fluctuations in our financial performance.
As a recurring revenue company, we are significantly more dependent
on renewals to meet our revenue, including Annual Recurring Revenue (ARR), profitability and cash flow from operating activities targets.
Customer subscription renewal rates may decline or fluctuate due to a number of factors, including offering pricing, implementation and
adoption rates of our solutions, reductions in customer spending levels or activity due to economic downturns or other market uncertainty,
and attractive competitor alternatives. In addition, we, along with our service providers and channel partners, may not be able to provide
adequate services that are responsive, satisfy our customers’ expectations and resolve issues that they encounter with our solutions.
Customers may become dissatisfied with our solutions and their implementation, and decide not to renew, which may have a material and
adverse effect on our business and results of operations.
We may face additional complications or risks in connection with
our subscription model, including the following:
o our
revenues may fluctuate as a result of variations in our booking mix from the different licensing and delivery models and the corresponding
timing of revenue recognition – ratably for SaaS subscriptions and the maintenance portion of self-hosted subscriptions, and upon
delivery for perpetual licenses and the license portion of self-hosted subscriptions (see “—
Our quarterly results of operations may fluctuate for a variety of reasons. We may, as a result, fail to meet publicly announced financial
guidance or other expectations about our business, which could cause our ordinary shares to decline in value.”);
o since
fiscal year 2020, we have incurred net losses with declining operating margins, and we expect to continue to generate operating and net
losses, and our cash flow from operations could fluctuate (see “—We have incurred net losses, and may not be able to
generate sufficient revenue to achieve and sustain profitability.”);
o the
introduction of new product offerings and solutions may result in longer sales cycles, lost opportunities or less predictable revenues
if our new or existing customers, prospects and partners are less receptive of such advancements (including a transition to SaaS in order
to receive certain functionalities) or require a longer period to assess and select the solutions appropriate to them;
o the
introduction of more SaaS offerings may lead to extended presale periods due to, among others, comprehensive product and security reviews
and requirements by customers, extensive contract negotiations and more stringent compliance and operational obligations (such as those
related to data protection or use);
o our
sales force may struggle with selling multiple solutions, pricing, licensing and delivery models to customers, prospects and partners,
which may extend sales cycles, reduce the likelihood of sales closing, or lead to increased turnover rates and lower headcount;
o our
research and development teams may find it difficult to deliver functionality and drive innovation across multiple code bases on a timely
basis; and
o customer
demand for migration from self-hosted solutions to SaaS may happen faster than we anticipate, in which case we might not be able to meet
this demand and associated scalability requirements.
The dynamic regulatory
environment around privacy and data protection may limit our offering or require modification of our products and services, which could
limit our ability to attract new customers and support our current customers and increase our operational expenses. We could also be subject
to investigations, litigation, or enforcement actions alleging that we fail to comply with regulatory requirements, which could harm our
operating results and adversely affect our business.
Federal, state and international bodies continue to adopt, enact,
and enforce new laws and regulations, as well as industry standards and guidelines, addressing cybersecurity, privacy, data protection
and the collection, processing, storage, cross-border transfer and use of personal information.
We are subject to diverse laws and regulations relating to
data privacy, including but not limited to the EU General Data Protection Regulation 2016/679 (GDPR), the California Consumer Privacy
Act (CCPA), the Health Insurance Portability and Accountability Act as amended by the Health Information Technology for Economic and Clinical
Health Act (HIPAA), the U.K. Data Protection Act 2018, national privacy laws of EU Member States and other laws relating to privacy, data
protection, and cloud computing. These laws are evolving rapidly, as exemplified by the recent adoption by the European Commission of
a new set of Standard Contractual Clauses, the U.K.’s adoption of its own international data transfer agreement, the prospect of
a new European “ePrivacy Regulation” (to replace the existing “ePrivacy Directive,” Directive 2002/58 on Privacy
and Electronic Communications) and the implementation of the California Privacy Rights Act, which expands upon the CCPA and will have
a lookback period until January 2022, as well as privacy legislation in several other U.S. states. Compliance with these laws, as well
as efforts required to understand and interpret new legal requirements, require us to expend significant capital and other resources.
We could be found to not be in compliance with obligations, or suffer from adverse interpretations of such legal requirements either as
directly relating to our business or in the context of legal developments impacting our customers or other businesses, which could impact
our ability to offer our products or services, impact operating results, or reduce demand for our products or services.
Compliance with privacy and data protection laws and contractual
obligations may require changes in services, business practices, or internal systems resulting in increased costs, lower revenue, reduced
efficiency, or greater difficulty in competing with firms that are not subject to these laws and regulations. For example, GDPR and the
UK compliance regime impose several stringent requirements for controllers and processors of personal data and increase our obligations
such as, requiring robust disclosures to individuals, establishing an individual data rights regime, setting timelines for data breach
notifications, imposing conditions for international data transfers, requiring detailed internal policies and procedures and limiting
retention periods. Ongoing compliance with these and other legal and contractual requirements may necessitate changes in services and
business practices, which may lead to the diversion of engineering resources from other projects.
As a company that focuses on identity security with a foundation
in Privilege Access Management, our customers may rely on our products and services as part of their own efforts to comply with security
control obligations under GDPR and other laws and contractual commitments. If our products or services are found insufficient to meet
these standards in the context of an investigation into us or our customers, or we are unable to engineer products that meet these standards,
we could experience reduced demand for our products or services. There is also increased international scrutiny of cross-border transfers
of data, including by the EU for personal data transfers to countries such as the United States, following recent case law and regulatory
guidance. This increased scrutiny, as well as evolving legal and other regulatory requirements around the privacy or cross-border transfer
of personal data, including the new potential EU-US Data Privacy Framework or UK-US adequacy arrangement, could increase our costs, restrict
our ability to store and process data as part of our solutions, or, in some cases, impact our ability to offer our solutions or services
in certain jurisdictions.
Enactment of further privacy laws in the United States, at the
state or federal level, or introduction of new services or products that are subject to additional regulations, as well as ensuring compliance
of solutions that we obtained through acquisitions, may require us to expend considerable resources to fulfill regulatory obligations,
and could carry the potential for significant financial or reputational exposure to our business, delay introduction to the market and
affect adoption rates.
Claims that we or our service providers have breached our contractual
obligations or failed to comply with applicable privacy and data protection laws, even if we are not found liable, could be expensive
and time-consuming to defend and could result in adverse publicity that could harm our business. As a data processor, we are required
to process customer data only on the documented instructions of our customers. If we acted outside of these instructions, we could face
regulatory consequences. In addition to litigation, we could face regulatory investigations, negative market perception, potential loss
of business, litigation expenses, enforcement notices and/or fines (which, for example, under GDPR / UK regime can be up to 4% of global
turnover for the preceding financial year or €20 / £17.5 million, whichever is higher).
Prolonged economic uncertainties
or downturns, globally or in certain regions or industries, could materially adversely affect our business.
Our business depends on our current and prospective customers’
ability and willingness to invest money in IT security, which in turn is dependent upon their overall economic health and the strength
of the broader macroeconomic environment. The negative economic conditions in the global economy or certain regions, including conditions
resulting from financial and credit market fluctuations (including rising interest rates), exchange rate fluctuations, or inflation, and
the potential for regional or global recessions could cause a decrease in corporate spending on cybersecurity software. Other matters
that influence customer confidence and spending, such as, political unrest, public health crises, including COVID-19, terrorist attacks,
armed conflicts (such as the ongoing conflict between Russia and Ukraine), rising energy costs, and natural disasters, could also negatively
affect our customers’ spending on our products and services. The armed conflict involving Russia and Ukraine has already resulted
in sanctions which restrict the selling or importing of goods, services, or technology in or from affected regions. The instability in
these regions could further exacerbate the macroeconomic impacts on a global scale, including within specific revenue-generating industry
verticals. In addition, since a significant portion of our operations are based in Israel, any hostilities within the region, as
well as any political uncertainty or reform, or a significant downturn in the economic or financial condition of Israel including conditions
associated with recently proposed legislation by the Israeli government, could materially adversely affect our operations (see “—
Our principal executive offices, most of our research and development activities and other significant operations are located in Israel,
and therefore, our results may be adversely affected by political, economic and military instability in Israel.”). Our international
operations also involve risks that could increase our expenses, adversely affect our operating results, and require increased time and
attention of our management. A significant portion of our business operations are concentrated in core geographic areas, and economic
downturns in these areas could severely affect our business operations. In addition, some of our business operations depend on emerging
markets that are less resilient to fluctuations in the global economy. In 2022, we generated 52.9% of our revenues from the United States,
30.1% of our revenues from Europe, the Middle East and Africa and 17% from the rest of the world, which includes countries from the Asia
Pacific and Japan region, the Latin America region and Canada.
Negative economic conditions may cause key customers, or specific
revenue-generating verticals, to reduce their IT spending. Customers may delay or cancel IT projects, choose to focus on in-house development
efforts or seek to lower their costs by renegotiating subscription renewals or maintenance and support agreements, thus making it difficult
to adequately forecast and plan future business activities accurately, or prolonging our sales cycles. Further, customers or channel partners
may be more likely to make late payments in worsening economic conditions, which could lead to increased collection efforts and require
us to incur additional associated costs to collect expected revenues. If the economic conditions of the general economy or industries
in which we operate continue to worsen from present levels, our business, results of operation and financial condition could be adversely
affected.
The highly competitive
cybersecurity labor market has made it a challenge to attract and retain qualified personnel. If we are unable to hire, retain and
motivate qualified personnel, our business will suffer.
Our future success, productivity, revenue growth, profitability
and cash flow from operating activities depend, in part, on our ability to continue to timely attract and retain highly skilled personnel.
The highly competitive cybersecurity labor market has created an intense hiring environment, resulting in us experiencing increased difficulty
in attracting and retaining qualified personnel. Since we require a highly skilled workforce in order to successfully compete in an increasingly
competitive cybersecurity market, we have experienced and may continue to experience difficulty in hiring, high employee turnover, and
considerable costs and productivity as well as time to market losses, which, over time, may impact our productivity, ability to meet customers’
expectation and overall profitability levels. Many corporations and startup companies have greater resources and compensation tools at
their disposal for talent acquisition, which may not be available at our Company. Our compensation relies partially on different equity
vehicles (such as RSUs or our ESPP). Volatility within the stock market, including fluctuations in the stock prices of technology companies,
or poor stock performance may affect our employee attrition and ability to attract new talent. Our inability to attract or retain qualified
personnel or delays in hiring such personnel may seriously harm our performance, business and financial condition and results of operations.
Furthermore, if we hire employees who previously worked for our competitors, we may be subject to allegations that such employees have
been improperly solicited or divulged proprietary or other confidential information, which could subject us to potential liability and
litigation.
In order to meet our business goals and address the challenges
of the labor market, we are expanding our workforce to additional regions globally, including by engaging external service providers.
If we fail to manage this expansion in a manner that preserves the key aspects of our corporate culture, the quality of our solutions
may suffer, which could negatively affect our brand and reputation and harm our ability to retain and attract customers and employees.
We increasingly rely on
third-party providers of cloud infrastructure services to deliver our SaaS solutions to customers, and any disruption of or interference
with our use of these services, including any specifications limitations, could adversely affect our business.
Our SaaS solutions are hosted by and dependent upon third-party
providers of cloud infrastructure services (Cloud Service Providers), primarily Amazon Web Services (AWS). We do not have control over
the operations or the facilities of the Cloud Service Providers that we use. If any of the services provided by the Cloud Service
Providers fail, become unavailable, or experience service degradation due to earthquakes, flooding, fires, heatwaves, power loss, telecommunication
failures, natural disasters, extended outages, cyberattacks, or other interruptions or similar events, our ability to operate our platform
and deliver our SaaS solutions to customers could be negatively impacted, and the quality or perception of the quality, of our products
and services could be diminished, which may result in a decrease in revenues, damage to our reputation, contractual liability, including
for failure to meet service level agreements, regulatory actions and interruption of our ability to manage our finances and our processes
for managing sales of our offerings. If we are unable to rapidly and cost-effectively substitute one Cloud Service Provider with another
in circumstances of a failure or unavailability, or maintain or renew our agreements with our Cloud Service Providers on commercially
reasonable terms, or we need to add new Cloud Services Providers to increase capacity and uptime, we could experience interruptions, downtime,
delays, and additional expenses related to transferring to and providing support for these new platforms. Any of the above circumstances
or events may harm our reputation and brand, expose us to liability, reduce the availability or usage of our platform, and impair our
ability to attract new users, any of which could adversely affect our business, financial condition and results of operations.
Delivery of our SaaS solutions to our customers and operation
of our platform depends on the ability of data centers and cloud infrastructure to allow for our customers’ configuration, architecture,
features and interconnection requirements and other specifications. Any limitation on the capacity of these data centers or cloud infrastructure
to meet or maintain such specification requirements could impede our ability to onboard new customers or expand the usage of our existing
customers, host our platform or serve our customers, any of which could adversely affect our business, financial condition and results
of operations.
We have incurred net losses,
and may not be able to generate sufficient revenue to achieve and sustain profitability.
We have incurred net losses of $83.9 million and $130.4 million
in each of the years ended December 31, 2021 and 2022, respectively, and anticipate our cash flow from operating activities could fluctuate.
Our ability to generate cash flow from operating activities as a subscription company will depend on the combination of our success in
retaining high renewal rates with our customers, expanding sales with our existing customers, generating sales from new customers and
executing and collecting annual or multi-year contracts which are paid for up front. We cannot be certain we will achieve the required
renewal rates, increased sales from existing and new customers nor generate or collect from the contract terms for the sales which will
improve our cash flow from operating activities. In addition, due to our continued investment in the growth of our business, we
expect our operating expenses to increase over the next several years as we hire additional personnel, retain existing personnel in a
competitive market and continue to develop features and applications for our solutions. Any failure to increase our revenue could prevent
us from achieving profitability or maintaining or increasing cash flow from operating activities on a consistent basis. In addition, we
may have difficulty achieving profitability under U.S. GAAP due to share-based compensation expense and other non-cash charges. If we
are unable to navigate these challenges as we encounter them, our business, financial condition, and operating results may suffer.
The successful execution
of our planned transition in executive leadership of the Chief Executive Officer (CEO) role, as well as the integration of new executives,
will be critical to achieving our operational and financial results. If we do not successfully manage such change, our business, financial
condition and results of operations may be adversely affected.
In February 2023, we announced the separation of the roles
of CEO and Chairman of the Board effective April 3, 2023. Our Founder, Chairman and CEO, Udi Mokady, will assume the role of Executive
Chairman of the Board, and Matthew Cohen, currently our Chief Operating Officer, will be appointed as CEO and join the Board at that time.
Further, in 2022 and early 2023, the Company expanded its executive team to include a Chief Revenue Officer and named a new Chief Product
Officer and a Chief Information Technology Officer. The planned CEO transition and the changes within the executive team may be disruptive
to the Company’s business operations and impact its ability to attract and retain top talent and deliver on its near-term sales
and research and development targets. If we are unable to execute an orderly executive leadership transition and successfully manage the
changes within our executive team, our business, financial condition and results of operations may be adversely affected.
A portion of our revenues
is generated by sales to government entities, which are subject to a number of challenges and risks, such as increased competitive pressures,
administrative delays and additional approval requirements.
A portion of our revenues is generated by sales to U.S. and foreign
federal, state, and local governmental agency customers, and we may in the future increase sales to government entities. Selling to government
entities can be highly competitive, expensive and time consuming, often requiring significant upfront time and expense without any assurance
that we will complete a sale, or imposing terms of sale which are less favorable than the prevailing market terms. Government demand and
payment for our products and services may be impacted by public sector budgetary cycles and funding authorizations, funding reductions,
government shutdowns or delays, adversely affecting public sector demand for our products. The foregoing may be intensified due to macroeconomic
impacts (see “—Prolonged economic uncertainties or downturns, globally or in certain regions or industries, could materially
adversely affect our business.”). Additionally, for purchases by the U.S. government, the government may require certain products
to be manufactured, maintained or developed in the United States and other high-cost locations, and we may not manufacture, maintain or
develop all products in locations that meet the requirements of the U.S. government. Finally, some government entities require products
such as ours to be certified by industry-approved security agencies as a pre-condition of purchasing them. We are in the process of, and
have begun incurring costs, to obtain authorization from the Federal Risk and Authorization Management Program (“FedRAMP”)
for certain of our SaaS products. The grant of such certifications depends on the then-current requirements of the certifying agency and
our ability to meet them. We cannot be certain that any certificate will be granted, remain in effect or renewed, or that we would be
able to satisfy the technological and other requirements to maintain certifications. The loss of any of our current product certificates,
or the failure to obtain new ones, could result in the imposition of various penalties, reputational harm, loss of existing customers,
or could deter new and existing customers from purchasing our solutions, additional products or our services, any of which could adversely
affect our business, operating results or financial condition.
We may fail to fully execute,
integrate, or realize the benefits expected from acquisitions, which may require significant management attention, disrupt our business,
dilute shareholder value, and adversely affect our results of operations.
As part of our business strategy and to remain competitive, we
continue to evaluate acquiring or making investments in complementary companies, products, or technologies. We may not be able to find
suitable acquisition candidates or complete such acquisitions on favorable terms. We may incur significant expenses, divert employee and
management time and attention from other business-related tasks and our organic strategy, and incur other unanticipated complications
while engaging with potential target companies where no transaction is eventually completed. If we do complete acquisitions, we may not
ultimately strengthen our competitive position or achieve our goals or expected growth, and any acquisitions we complete could be viewed
negatively by our customers, analysts, and investors, or create unexpected competition from market participants. Any integration process
may require significant time and resources. We may not be able to manage the process successfully and may experience a decline in our
profitability as we incur expenses prior to fully realizing the benefits of the acquisition. We could expend significant cash and incur
acquisition related costs and other unanticipated liabilities associated with the acquisition, the product, or the technology, such as
contractual obligations, potential security vulnerabilities of the acquired company and its products and services and potential intellectual
property infringement. In addition, any acquired technology or product may not comply with legal or regulatory requirements and may expose
us to regulatory risk and require us to make additional investments to make them compliant. Further, we may not be able to provide the
same support service levels to the acquired technology or product that we generally offer with our other products.
We may not successfully evaluate or utilize the acquired technology
or personnel, or accurately forecast the financial impact of an acquisition transaction, including accounting charges and tax liabilities.
Further, the issuance of equity or securities convertible to equity to finance any such acquisitions could result in dilution to our shareholders
and the issuance of debt could subject us to covenants or other restrictions that would impede our ability to manage our operations. We
could become subject to legal claims following an acquisition or fail to accurately forecast the potential impact of any claims. Any of
these issues could have a material adverse impact on our business and results of operations.
We are exposed to fluctuations
in currency exchange rates, which could negatively affect our financial condition and results of operations.
Our functional and reporting currency is the U.S. dollar. In
2022, most of our revenues were denominated in U.S. dollars and the remainder primarily in Euros and British pounds sterling. In 2022,
most of our cost of revenues and operating expenses were denominated in U.S. dollars and New Israeli Shekels (NIS) and the remainder primarily
in Euros and British pounds sterling. Our foreign currency-denominated expenses consist primarily of personnel, marketing programs, travel,
rent, and other overhead costs. Since the portion of our expenses generated in NIS and British pounds sterling is greater than our revenues
in NIS and British pounds sterling, respectively, any appreciation of the NIS or the British pounds sterling relative to the U.S. dollar
could adversely impact our operating loss. In addition, since the portion of our revenues generated in Euros is greater than our expenses
incurred in Euros, any depreciation of the Euro relative to the U.S. dollar would adversely impact our operating loss. We estimate that
a 10% strengthening or weakening in the value of the NIS against the U.S. dollar would have increased or decreased, respectively, our
operating loss by approximately $16.0 million in 2022. We estimate that a 10% strengthening or weakening in the value of the Euro against
the U.S. dollar would have decreased or increased, respectively, our operating loss by approximately $2.3 million in 2022. We estimate
that a 10% strengthening or weakening in the value of the British pounds sterling against the U.S. dollar would have increased or decreased,
respectively, our operating loss by approximately $1.0 million in 2022. These estimates of the impact of fluctuations in currency exchange
rates on our historic results of operations may be different from the impact of fluctuations in exchange rates on our future results of
operations since the mix of currencies comprising our revenues and expenses may change. For example, fluctuations in the different currencies
in 2022, as compared to 2021 exchange rates, increased total operating loss by approximately $2.2 million. We evaluate periodically the
various currencies to which we are exposed and, as appropriate, may enter into hedging transactions designed to reduce or eliminate certain
currency exchange rate impacts. We expect that most of our revenues will continue to be generated in U.S. dollars with the balance primarily
in Euros and British pounds sterling for the foreseeable future, and that a significant portion of our expenses will continue to be denominated
in NIS, U.S. dollars, British pounds sterling and in Euros. We cannot provide any assurances that our hedging activities will be successful
in protecting us from adverse impacts from currency exchange rate fluctuations. In addition, we have monetary assets and liabilities that
are denominated in non-U.S. dollar currencies. For example, we have a significant NIS linked liability related to our operational leases
in Israel. As a result, significant exchange rate fluctuations could have a negative effect on our net income (see “Item 11—
Quantitative and Qualitative Disclosures About Market Risk—Foreign Currency Risk.”).
The COVID-19 pandemic,
measures taken in response to it and the resulting global economic environment have adversely affected, and may adversely affect in the
future, our business, financial condition, and results of operations.
The COVID-19 pandemic has impacted, and may continue to impact,
worldwide economic activity and financial markets. The duration and extent of the pandemic’s impact, including how it will influence
our future results of operations and overall financial performance remains uncertain. Despite the development
of recovery and preparedness initiatives by customers, partners, and suppliers to limit the human and financial impact of COVID-19,
the unpredictable nature of the pandemic may continue to create volatility within specific industries, geographies, and heighten market
risk aversion in certain financial markets, which could negatively affect our customers and partners, and harm our results of operations
and financial performance. Our business has taken precautionary measures intended to address our
ability to execute our operating plans, but, notwithstanding these measures, our business operations may still be harmed.
The COVID-19 pandemic, along with other
macroeconomic impacts, may continue to influence the financial and purchasing decisions of our customers, resulting in the allocation
of funds to other initiatives, a reduction in the duration of subscription contracts, lower renewals, delayed spending, reduced or delayed
payment frequencies, or higher attrition rates, all of which could adversely affect our future sales, operating and business results.
If we fail to maintain
successful relationships with our channel partners, or if our channel partners fail to perform, our ability to market, sell and distribute
our solutions will be limited, and our business, financial condition and results of operations will be harmed.
We rely on our channel partners to market, sell, support and
implement our solutions. We expect that indirect sales through our channel partners will continue to account for a significant percentage
of our revenue. In the year ended December 31, 2022, we generated approximately 76% of our revenues from sales to channel partners, such
as distributors, systems integrators, value-added resellers, managed security service providers and marketplaces, and we expect that channel
partners will represent a substantial portion of our revenues for the foreseeable future. Further, we cooperate with advisory firms in
marketing our solutions and providing implementation services to our customers, in both direct and indirect sales. Our agreements with
channel partners are non-exclusive, meaning our partners may offer customers IT security products from other companies, including products
that compete with our solutions.
If our channel partners do not effectively market and sell our
solutions or choose to use greater efforts to market and sell their own products and services or the products and services of our competitors
or adjacent security solutions, our ability to grow our business will be adversely affected. Further, new channel partners require training
and may take several months or more to achieve productivity. The loss of key channel partners, the inability to replace them or the failure
to recruit additional channel partners, due to a variety of factors, including introduction of new partner program terms, could materially
and adversely affect our results of operations. Our reliance on channel partners could also subject us to lawsuits or reputational harm
if, for example, a channel partner misrepresents the functionality of our solutions to customers, fails to appropriately implement our
solutions or violates applicable laws, and, in addition, this may result in termination of such partner’s agreement and potentially
curb future revenues associated with this channel partner. If we are unable to maintain our relationships with channel partners or otherwise
develop and expand our indirect sales channel, or if we are unable to train our channel partners to independently sell, install and support
our solutions, or if our channel partners fail to perform, our business, financial condition and results of operations could be adversely
affected.
We are subject to a number
of regulatory and geopolitical risks associated with global sales and operations, which could materially affect our business.
We are a global company subject to varied and complex laws, regulations,
and customs. The application of these laws and regulations to our business is often unclear, subject to interpretation and may at times
conflict. Compliance with these laws and regulations may involve significant costs or require changes in our business practices or our
products that result in reduced revenue and profitability. Furthermore, business practices in the global markets that we serve may differ
from those in the United States and may require us to include non-standard terms in customer contracts, such as extended payment or warranty
terms. Further, there may be higher costs of doing business globally, including costs incurred by maintaining office space, securing adequate
staffing, and localizing our contracts.
Additionally, our global sales and operations are subject to
a number of risks, including the following:
o failure
to fully comply with various global data privacy and data protection laws (see “—The dynamic regulatory environment around
privacy and data protection may limit our offering or require modification of our products and services, which could limit our ability
to attract new customers and support our current customers and increase our operational expenses. We could also be subject to investigations,
litigation, or enforcement actions alleging that we fail to comply with regulatory requirements, which could harm our operating results
and adversely affect our business.”);
o continuing
uncertainty of the long term economic, financial, regulatory, trade, tax and legal impact of the withdrawal of the U.K. from the European
Union (“Brexit”). Our U.K. subsidiary is the main entity for sales into Europe. In 2022, the revenues generated by our U.K.
subsidiary from the European Union countries (excluding the U.K.) accounted for 21.7% of our total global revenue. Our London office is
also our European headquarters and third largest office globally;
o fluctuations
in exchange rates between the U.S. dollar and foreign currencies in markets where we do business (see “—We are exposed to
fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.”);
o social,
economic and political instability, war, civil disturbance or acts of terrorism, conflicts (including the ongoing conflict between Russia
and Ukraine) and security concerns in general, and any pandemics or epidemics, such as COVID-19;
o greater
difficulty in enforcing contracts and managing collections, as well as longer collection periods;
o noncompliance
with specific anti-bribery laws, without limitation, the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act of 2010 and the heightened
risk of unfair or corrupt business practices in certain geographies, which may include the improper or fraudulent sales arrangements by
us or by our channel partners or service providers that may impact financial results and result in restatements of, or irregularities
in, financial statements;
o certain
of our activities and products are subject to U.S., European Union, Israeli, and possibly other export and trade control and economic
sanctions laws and regulations, which have and may additionally prohibit or restrict our ability to engage in business with certain countries
and customers. If the applicable requirements related to export and trade controls change or expand, if we change the encryption functionality
in our products, or if we develop other products or export products from additional jurisdictions, we may need to satisfy additional requirements
or obtain specific licenses to continue to export our products in the same global scope. Various countries also regulate the import or
export of certain encryption products and other technologies and services and have enacted laws that could limit our ability to distribute
or implement our products in those countries. In addition, applicable export control and sanctions laws and regulations may impact our
ability to sell our products, directly or indirectly, to countries or territories that are the target of comprehensive sanctions, or to
prohibited parties;
o unexpected
changes in regulatory practices and foreign legal requirements, may adversely affect our business. The introduction of new cybersecurity
laws and regulations and changes in existing ones or their enforcement, may impair our ability to sell our solutions in certain jurisdictions
if we are not able to adapt our products and offerings to conform with such regulations. In addition, changes in tax regulations and uncertain
tax obligations and effective tax rates, may result in recognizing tax losses or lower than anticipated earnings in jurisdictions where
we have lower statutory rates and higher than anticipated earnings in jurisdictions where we have higher statutory rates, or changes in
the valuation of our deferred tax assets and liabilities;
o compliance
with, and the uncertainty of, laws and regulations that apply to our areas of business, including cybersecurity, corporate governance,
anti-trust and competition, local and regional employment (including cross-border travel), employee and third-party complaints, supply
chain regulation, limitation of liability, conflicts of interest, securities regulations and other regulatory requirements affecting trade,
local tariffs, product localization and investment;
o reduced
or uncertain protection of intellectual property rights in some countries; and
o management
communication and integration problems resulting from cultural and geographic dispersion.
These and other factors could harm our ability to generate future
global revenues and, consequently, materially impact our business, results of operations and financial condition. Non-compliance could
also result in government investigations, fines, damages, or criminal sanctions against us, our officers or our employees, prohibitions
on the conduct of our business, and damage to our reputation.
If we do not effectively
expand, train and retain our sales, customer success and marketing personnel, we may be unable to acquire new customers or sell additional
products and services to existing customers, and our business will suffer.
We depend significantly on our sales force and go-to-market organization
to attract new customers and expand sales to existing customers. Our ability to grow our revenues depends, in part, on our success in
recruiting, training, and retaining enough sales, customer success and marketing personnel to support our growth. The number of our sales,
customer success and marketing personnel increased from 941 as of December 31, 2021 to 1,157 as of December 31, 2022. We expect
to continue to expand our sales, customer success, and marketing personnel and to do so, we may face a number of challenges in achieving
our hiring, retention, and integration goals (see “—The highly competitive cybersecurity labor market has made it a challenge
to attract and retain qualified personnel. If we are unable to hire, retain and motivate qualified personnel, our business will suffer.”).
The training and integration of a large number of sales, customer success, and marketing personnel in a short time requires the allocation
of significant internal resources. Based on our past experience, it takes an average of approximately six to nine months before a new
sales force member operates at target performance levels. We may not be able to recruit at our anticipated rate or achieve or maintain
our target performance levels with large numbers of new sales personnel as quickly as we have done in the past, which may materially and
adversely impact our business and results of operations. In addition, significant turnover in our sales, customer success, or marketing
organizations, may impact our ability to retain and expand our customers, obtain new customers, or deliver on our revenue, profitability,
or cash flow generation goals.
If our products fail to
help our customers achieve and maintain compliance with certain government regulations and industry standards, our business and results
of operations could be materially and adversely affected.
We generate a substantial portion of our revenues from our products
and services that enable our customers to achieve and maintain compliance with certain government regulations and industry standards,
and we expect that to continue for the foreseeable future. Governments and other customers may require our products to comply with certain
privacy, security or other certifications and standards with respect to those solutions utilized by them as a control demonstrating compliance
with government regulations and industry standards. We have maintained a SOC 2 certification for multiple products since 2019. Additionally,
we have maintained the ISO 27001 annual certification since April 2017. We are pursuing the evaluation of having our Privilege Access
Management solution for international Common Criteria certification. We are also in the process of seeking authorization from the Federal
Risk and Authorization Management Program (FedRAMP), for certain SaaS products. However, we are unable to guarantee that we will achieve
the foregoing authorizations in a timely manner, or at all. If our products are late in achieving or fail to achieve or maintain compliance
with these certifications and standards, or our competitors achieve compliance with these certifications and standards, we may be disqualified
from selling our products to such customers, or may otherwise be at a competitive disadvantage, either of which would harm our business,
results of operations, and financial condition.
Additionally, industry standards may change with little or no
notice, including changes that could make them more or less onerous for businesses. If we are unable to adapt our solutions to changing
government regulations and industry standards in a timely manner, or if our solutions fail to expedite our customers’ compliance
initiatives, our customers may lose confidence in our products and could switch to products offered by our competitors. In addition, if
government regulations and industry standards related to IT security are changed in a manner that makes them less onerous, our customers
may view compliance as less critical to their businesses and may be less willing to purchase our products and services. In either case,
our sales and financial results would suffer (see also “—The dynamic regulatory environment around privacy and data protection
may limit our offering or require modification of our products and services, which could limit our ability to attract new customers and
support our current customers and increase our operational expenses. We could also be subject to investigations, litigation, or enforcement
actions alleging that we fail to comply with regulatory requirements, which could harm our operating results and adversely affect our
business.”).
Intellectual property
claims may increase our costs or require us to cease selling certain products, which could adversely affect our financial condition and
results of operations.
The IT security industry is characterized by the existence of
a large number of relevant patents and frequent claims and litigations regarding patent and other intellectual property rights. Leading
companies in the IT security industry have extensive patent portfolios. From time to time, third parties have asserted, and in the future
may assert, their patent, copyright, trademark and other intellectual property rights against us, our channel partners, or our customers.
Furthermore, we may be subject to indemnification obligations with respect to third-party intellectual property rights pursuant to our
agreements with our customers and channel partners. Such indemnification provisions are customary for our industry. We cannot ensure that
we will have the resources to defend against such claims. Successful claims of infringement or misappropriation by a third party against
us or a third party that we indemnify, could prevent us from distributing certain products or performing certain services or could require
us to pay substantial damages (including, for example, treble damages if we are found to have willfully infringed patents and increased
statutory damages if we are found to have willfully infringed copyrights), royalties or other fees. Such claims also could require us
to cease making, licensing or using solutions that are alleged to infringe or misappropriate the intellectual property of others, to expend
additional development resources to attempt to redesign our products or services or otherwise to develop non-infringing technology, to
enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual
property rights, and to indemnify our customers and channel partners (and parties associated with them). The failure to obtain a license
or the costs associated with any license could cause our business, results of operations or financial condition to be materially and adversely
affected. Defending against claims of infringement, regardless of their validity, or being deemed to be infringing the intellectual property
rights of others could be very expensive and time consuming to defend, harm our reputation and impair our ability to innovate, develop,
distribute, and sell our current and planned products and services.
If we are unable to adequately
protect our proprietary technology and intellectual property rights, our business could suffer substantial harm.
The success of our business depends on our ability to protect
our proprietary technology, brands and other intellectual property and to enforce our rights in that intellectual property. We attempt
to protect our intellectual property under patent, copyright, trademark and trade secret laws, and through a combination of confidentiality
procedures, contractual provisions and other methods, all of which offer only limited protection.
As of December 31, 2022, we had 130 issued patents in the
United States and 49 pending U.S. patent applications. We also had 59 issued patents and 20 applications pending for examination in non-U.S.
jurisdictions, all of which are counterparts of our U.S. patent applications. We expect to file additional patent applications in
the future.
The process of obtaining patent protection is expensive and time-consuming,
and we may not be able to complete all necessary or desirable patent applications at a reasonable cost or in a timely manner all the way
to the successful issuance of a patent. We may choose not to seek patent protection for certain innovations and may choose not to pursue
patent protection in certain jurisdictions. Furthermore, it is possible that our patent applications may not be approved, that the scope
of our issued patents will be insufficient or not have the coverage originally sought, that our issued patents will not provide us with
any competitive advantages, and that our patents and other intellectual property rights may be challenged by others or invalidated through
administrative processes or litigation. Finally, issuance of a patent does not guarantee that we have an absolute right to practice the
patented invention. Our policy is to require our employees (and our consultants and service providers that develop intellectual property
included in our products) to execute written agreements in which they assign to us their rights, if such exist, in potential inventions
and other intellectual property created within the scope of their employment (or, with respect to consultants and service providers, their
engagement to develop such intellectual property. We cannot be certain that we have adequately protected our rights in every such agreement
or that we have executed an agreement with every such party. Finally, in order to benefit from the protection of patents and other intellectual
property rights, we must monitor and detect infringement and pursue infringement claims under certain circumstances in relevant jurisdictions.
Litigating claims related to the enforcement of intellectual property rights is very expensive and can be burdensome in terms of management
time and resources. Any litigation related to intellectual rights or claims against us could result in loss or compromise of our intellectual
property rights or could subject us to significant liabilities. As a result, we may not be able to obtain adequate protection or to effectively
enforce our issued patents or other intellectual property rights.
In addition to patents, we rely on trade secret rights, copyrights
and other rights to protect our unpatented proprietary intellectual property and technology. Unauthorized parties, including our employees,
consultants, service providers or customers, may attempt to copy aspects of our products or obtain and use our trade secrets or other
confidential information. We generally enter into confidentiality agreements with our employees, consultants, service providers, vendors,
channel partners, subcontractors and customers, and generally limit access to and distribution of our proprietary information and proprietary
technology through certain procedural safeguards. These agreements may not effectively prevent unauthorized use or disclosure of our intellectual
property or technology and may not provide an adequate remedy in the event of unauthorized use or disclosure of our intellectual property
or technology. We cannot be certain that the steps taken by us will prevent misappropriation of our intellectual property or technology
or infringement of our intellectual property rights. In addition, the laws of some foreign countries where we sell our products do not
protect intellectual property rights and technology to the same extent as the laws of the United States, and these countries may not enforce
these laws as diligently as government agencies and private parties in the United States. If we are unable to protect our intellectual
property, we may find ourselves at a competitive disadvantage to others who do not incur the additional expense, time and effort to create
the innovative products nevertheless benefiting from such innovation due to misappropriation.
Our use of open-source
software, third-party software, and other intellectual property may negatively affect our ability to offer our solutions and expose us
to litigation or other risks.
We integrate certain open-source software components from third
parties into our software, and we expect to continue to use open-source software in the future. Some open-source software licenses require,
among other things, that users who distribute or make available as a service, open-source software with their own software products, add
appropriate copyright notices and disclaimers, publicly disclose all or part of the source code of the users’ developed software
or make available any derivative works of the open-source code under open-source license terms or at no cost. Our efforts to use the open-source
software in a manner consistent with the relevant license terms that would not require us to disclose our proprietary code or license
our proprietary software at no cost may not be successful. We may face claims by third parties seeking to enforce the license terms applicable
to such open-source software, including by demanding the release of our proprietary source code, or we may face termination of such licenses
if the owner of the open-source software asserts we are in breach of its license terms. In addition, if the license terms for the open-source
code change or the license is terminated, we may be forced to re-engineer our software or incur additional costs. In addition, open-source
software typically comes without warranties or indemnities from the owner, whereas we are expected to offer our customers both. Accordingly,
if there were technical problems with open-source software that we used in our products, or if such open-source software infringed third-party
intellectual property rights, we could have a warranty obligation or infringement indemnity obligation to our customer without a corresponding
warranty or indemnification obligation from the owner of the open-source software. In addition, regardless of the validity of claims against
us, our business, financial condition, and results of could be harmed by litigation and defense costs, payment of damages, the disclosure
of our source code, additional expenditure to enter into royalty or licensing agreements, and additional expenses and research and development
time to render existing products non-infringing.
While we scan the open-source software that we use in our products
and patch discovered vulnerabilities, we have no assurance that they will be free from vulnerabilities or malicious code. The use of open-source
software in our solutions may expose us, and our customers using our solutions, to additional vulnerabilities and security breaches, which
may result in significant adverse impacts to us and our customers (see “—Real or perceived security vulnerabilities and gaps
in our solutions or services or the failure of our customers or third parties to correctly implement, manage and maintain our solutions,
may result in significant reputational, financial, and legal adverse impact.”).
Further, some of our products and services include other software
or intellectual property licensed from third parties, and we also use software and other intellectual property licensed from third parties
for our own business operations. This exposes us to risks over which we may have little or no control. For example, a licensor may have
difficulties keeping up with technological changes or may stop supporting the software or other intellectual property that it licenses
to us. There can be no assurance that the licenses we use will be available on acceptable terms, if at all. In addition, a third party
may assert that we or our customers are in breach of the terms of a license, which could, among other things, give such third party the
right to terminate a license or seek damages from us, or both. Our inability to obtain or maintain certain licenses or other rights or
to obtain or maintain such licenses or rights on favorable terms, or the need to engage in litigation regarding these matters, could result
in delays in releases of new products, and could otherwise disrupt our business, until equivalent technology can be identified, licensed,
or developed.
Risks Related to Our Ordinary Shares
Our share price may be
volatile, and our shareholders may lose all or part of their investment.
From January 2020 through January 2023, our ordinary shares have
traded on the Nasdaq Global Select Market (“Nasdaq”) at a price per share between a range of $69.50 and $201.68. In addition,
the market price of our ordinary shares could be highly volatile and may fluctuate substantially as a result of many factors, some of
which are beyond our control, including, but not limited to:
| o |
actual or anticipated fluctuations in our results of operations and the results of other similar companies; |
| o |
variance in our financial performance from the expectations of market analysts; |
| o |
announcements by us or our competitors of significant business developments, changes in service provider relationships, acquisitions
or expansion plans; |
| o |
changes in the prices of our products and services or in our pricing models; |
| o |
our involvement in litigation; |
| o |
our sale of ordinary shares or other securities in the future; |
| o |
market conditions in our industry; |
| o |
changes in key personnel (see also “— The successful execution of our planned transition in executive leadership of the
Chief Executive Officer (CEO) role, as well as the integration of new executives, will be critical to achieving our operational and financial
results. If we do not successfully manage such change, our business, financial condition and results of operations may be adversely affected.”);
|
| o |
speculation in the press or the investment community; |
| o |
the trading volume of our ordinary shares; |
| o |
changes in the estimation of the future size and growth rate of our markets; |
| o |
any merger and acquisition activities; and |
| o |
general economic and market conditions. |
The price of our ordinary shares could also be affected by possible
sales of our ordinary shares by investors who view our Convertible Notes as a more attractive means of equity participation in our Company,
and by hedging and arbitrage trading activity that such investors may engage in.
In addition, the stock markets have experienced price and volume
fluctuations. Broad market and industry factors may materially harm the market price of our ordinary shares, regardless of our operating
performance, and may affect our ability to access new capital, which may materially harm our liquidity, and limit our ability to
grow our business. In the past, following periods of volatility in the market price of a company’s securities, securities class
action litigation has often been instituted against that company. If we were involved in any similar litigation, we could incur substantial
costs and our management’s attention and resources could be diverted, which could materially adversely affect our business.
Our business could be
negatively affected as a result of the actions of activist shareholders, and such activism could impact the trading value of our securities.
In recent years, U.S. and non-U.S. companies listed on securities
exchanges in the United States have been faced with governance-related demands from activist shareholders, unsolicited tender offers and
proxy contests. Although as a foreign private issuer we are not subject to U.S. proxy rules, responding to any action of this type by
activist shareholders could be costly and time-consuming, disrupting our operations and diverting the attention of management and our
employees. Such activities could interfere with our ability to execute our strategic plans. In addition, a proxy contest for the election
of directors at our annual meeting would require us to incur significant legal fees and proxy solicitation expenses and require significant
time and attention by management and our board of directors. The perceived uncertainties due to such actions of activist shareholders
also could affect the market price of our securities.
As a foreign private issuer
whose ordinary shares are listed on Nasdaq, we may follow certain home country corporate governance practices instead of otherwise applicable
SEC and Nasdaq requirements and are exempt from a number of requirements under U.S. securities laws. This may result in less protection
for, or limit the information available to, our shareholders.
As a foreign private issuer whose ordinary shares are listed
on Nasdaq, we are permitted to follow certain home country corporate governance practices instead of certain rules of Nasdaq. We currently
follow Israeli home country practices with regard to the quorum requirement for shareholder meetings and the requirements relating to
distribution of our annual report to shareholders. As permitted under the Israeli Companies Law, 5759-1999 (the “Companies Law”),
our articles of association provide that the quorum for any meeting of shareholders shall be at least two shareholders present in person
or by proxy who hold at least 25% of the voting power of our shares instead of 33 1/3% of our issued share capital (as prescribed by Nasdaq’s
rules). Further, as permitted by the Companies Law and in accordance with the generally accepted business practice in Israel, we do not
distribute our annual report to shareholders but make it available through our public website. We may in the future elect to follow Israeli
home country practices with regard to other matters such as director nomination procedures, separate executive sessions of independent
directors and the requirement to obtain shareholder approval for certain dilutive events (such as for the establishment or amendment of
certain equity-based compensation plans, issuances that will result in a change of control of the Company, certain transactions other
than a public offering involving issuances of a 20% or more interest in the Company and certain acquisitions of the stock or assets of
another company). Accordingly, our shareholders may not be afforded the same protection as provided under Nasdaq corporate governance
rules. Following our home country governance practices as opposed to the requirements that would otherwise apply to a U.S. company listed
on Nasdaq may provide less protection than is accorded to shareholders of domestic issuers. See “Item 16G. Corporate Governance.”
As a foreign private issuer, we are exempt from a number of requirements
under U.S. securities laws that apply to public companies that are not foreign private issuers. In particular, we are exempt from the
rules and regulations under the Exchange Act related to the furnishing and content of proxy statements, and our officers, directors and
principal shareholders are exempt from the reporting and short-swing profit recovery provisions contained in Section 16 of the Exchange
Act. In addition, we are not required under the Exchange Act to file annual, quarterly, and current reports and financial statements with
the SEC, as frequently or as promptly as domestic companies whose securities are registered under the Exchange Act. We are also exempt
from the provisions of Regulation FD, which prohibits issuers from making selective disclosure of material nonpublic information. Even
though we intend to comply voluntarily with Regulation FD, these exemptions and leniencies will reduce the frequency and scope of information
and protections to which our shareholders are entitled as investors. For so long as we qualify as a foreign private issuer, we are not
required to comply with the proxy rules applicable to U.S. domestic companies, although pursuant to the Companies Law, we disclose the
annual compensation of our five most highly compensated office holders (as defined under the Companies Law) on an individual basis, including
in this annual report. Because of these exemptions for foreign private issuers, our shareholders do not have the same information generally
available to investors holding shares in public companies that are not foreign private issuers.
Our Convertible Notes
may impact our financial results, result in the dilution of existing shareholders, create downward pressure on the price of our ordinary
shares, and restrict our ability to take advantage of future opportunities.
In November 2019, we issued $575.0 million aggregate principal
amount of 0.00% Convertible Senior Notes due 2024 (the “Convertible Notes”). The sale of the Convertible Notes may affect
our earnings per share figures, as accounting procedures may require that we include in our calculation of earnings per share the number
of ordinary shares into which the Convertible Notes are convertible. The Convertible Notes may be converted, under the conditions and
at the premium specified in the Convertible Notes, into cash and our ordinary shares, if any (subject to our right to pay cash in lieu
of all or a portion of such shares). If our ordinary shares are issued to the holders of the Convertible Notes upon conversion, there
will be dilution to our shareholders’ equity and the market price of our ordinary shares may decrease due to the additional selling
pressure in the market. Any downward pressure on the price of our ordinary shares caused by the sale or potential sale of ordinary shares
issuable upon conversion of the Convertible Notes could also encourage short sales by third parties, creating additional downward pressure
on our share price.
In addition, in connection with the pricing of the Convertible
Notes, we entered into privately negotiated capped call transactions (the “Capped Call Transactions”), with certain of the
purchasers of the Convertible Notes. The Capped Call Transactions cover, collectively, the number of our ordinary shares underlying the
Convertible Notes, subject to anti-dilution adjustments substantially similar to those applicable to the Convertible Notes. The cost of
the Capped Call Transactions was approximately $53.6 million. The Capped Call Transactions are expected generally to reduce the potential
dilution to the ordinary shares upon any conversion of the Convertible Notes and/or offset any cash payments we are required to make in
excess of the principal amount upon conversion of the Convertible Notes under certain events described in the Capped Call Transactions.
We are subject to the risk that one or more of the counterparties to the Capped Call Transactions may default, or otherwise fail to perform,
or may exercise certain rights to terminate, their obligations under the Capped Call Transactions. Our exposure will depend on many factors
but, generally, our exposure will increase if the market price or the volatility of our common stock increases. Upon a default, a failure
to perform or a termination of obligations by a counterparty to the Capped Call Transactions, we may suffer adverse tax consequences or
experience more dilution than we currently anticipate with respect to our ordinary shares.
Furthermore, the indenture for the Convertible Notes will prohibit
us from engaging in certain mergers or acquisitions unless, among other things, the surviving entity assumes our obligations under the
Convertible Notes. These and other provisions in the indenture could deter or prevent a third party from acquiring us even when the acquisition
may be favorable.
We currently anticipate that we will be able to rely on and to
implement certain clarifications from the Israeli Tax Authorities, with respect to the administration of our Israeli withholding tax obligations
in relation to considerations to be paid to the holders of the Convertible Notes upon their future conversion and settlement. Unexpected
failure to ultimately obtain such anticipated clarifications from the Israeli Tax Authorities could under certain conditions potentially
result in increased Israeli withholding tax gross-up costs and implications.
We may not have the ability
to raise the funds necessary to settle conversions of the Convertible Notes, repurchase the Convertible Notes upon a fundamental change
or repay the Convertible Notes in cash at their maturity, and our future debt may contain limitations on our ability to pay cash upon
conversion or repurchase of the Convertible Notes.
Holders of the Convertible Notes will have the right under the
indenture governing the Convertible Notes to require us to repurchase all or a portion of their Convertible Notes upon the occurrence
of a fundamental change before the applicable maturity date, at a repurchase price equal to 100% of the principal amount of such Convertible
Notes to be repurchased, plus accrued and unpaid interest, excluding the applicable fundamental change repurchase date, if any. Moreover,
we will be required to repay the Convertible Notes in cash at their maturity, unless earlier converted, repurchased, or redeemed. We may
not have enough available cash or be able to obtain financing, or obtain financing on favorable terms, at the time we are required to
make such repurchases of the Convertible Notes and/or repay the Convertible Notes upon maturity.
In addition, we have the right to elect to settle conversions
of the Convertible Notes in cash. Although we entered into the Capped Call Transactions which are expected generally to offset any cash
payments we are required to make in excess of the principal amount upon conversion of the Convertible Notes (subject to a cap), we may
not ultimately receive such cash payments from the counterparties to the Capped Call Transactions in case of a default, a failure to perform
or a termination of obligations by a relevant counterparty.
Our ability to repurchase or to pay cash upon conversion of Convertible
Notes may be limited by law, regulatory authority or agreements governing our future indebtedness. Our failure to repurchase the Convertible
Notes at a time when the repurchase is required by the indenture or to pay cash upon conversion of the Convertible Notes or at maturity
as required by the indenture would constitute a default under the indenture. A default under the indenture or the fundamental change itself
could also lead to a default under agreements governing our future indebtedness. If the payment of the related indebtedness were to be
accelerated after any applicable notice or grace periods, we may not have sufficient funds to repay the indebtedness and repurchase the
Convertible Notes or to pay cash upon conversion of the Convertible Notes or at maturity.
We may lose our foreign
private issuer status, which would then require us to comply with the rules and regulations applicable to U.S. domestic issuers and cause
us to incur significant legal, accounting and other expenses.
Since a majority of our voting securities are either directly
or indirectly owned of record by residents of the United States, we would lose our foreign private issuer status if any of the following
were to occur: (i) the majority of our executive officers or directors were U.S. citizens or residents, (ii) more than 50 percent of our
assets were located in the United States, or (iii) our business was administered principally in the United States. Similarly, if we were
to acquire a U.S. company in the future, it could put us at heighted risk of losing our foreign private issuer status. Although we have
elected to comply with certain U.S. regulatory provisions, our loss of foreign private issuer status would make such provisions mandatory.
In addition, we would lose our ability to rely on Nasdaq exemptions from certain corporate governance requirements that are available
to foreign private issuers. If we were to lose our foreign private issuer status, the regulatory and compliance costs to us under U.S.
securities laws as a U.S. domestic issuer may be significantly higher.
If
we are unable to satisfy the requirements of Sections 404(a) and 404(b) of the Sarbanes-Oxley Act of 2002 or if our internal control
over financial reporting is not effective, investors may lose confidence in the accuracy and the completeness of our financial reports, and
the trading price of our ordinary shares may be negatively affected.
Pursuant to Section 404(a) of the Sarbanes-Oxley Act of
2002 (the “Sarbanes-Oxley Act”), we are required to furnish a report by management on the effectiveness of our internal control
over financial reporting. Additionally, pursuant to Section 404(b) of the Sarbanes-Oxley Act, we must include an auditor attestation on
our internal control over financial reporting.
Our business transition into a subscription model affected our
internal control over financial reporting, and requires us to enhance existing, and implement new, financial reporting and management
systems, procedures and controls in order to address new risks raised from our business transition to a subscription model and to manage
our business effectively and support our growth in the future. If we identify material weaknesses in our internal control over financial
reporting, if we are unable to comply with the requirements of Section 404(a) or 404(b) in a timely manner or to assert that our
internal control over financial reporting is effective, or if our independent registered public accounting firm is unable to express an
opinion or issues an adverse opinion in its attestation as to the effectiveness of our internal control over financial reporting required
by Section 404(b), investors may lose confidence in the accuracy and completeness of our financial reports and the trading price of our
ordinary shares could be negatively affected. We could also become subject to investigations by Nasdaq, the SEC or other regulatory authorities,
which could require additional financial and management resources.
Our U.S. shareholders
may suffer adverse tax consequences if we are classified as a “passive foreign investment company.”
Generally, if for any taxable year, after the application of
certain look-through rules, 75% or more of our gross income is passive income, or at least 50% of the average quarterly value of our assets
(which may be measured in part by the market value of our ordinary shares, which is subject to change) are held for the production of,
or produce, passive income (as defined in the relevant provisions of the Internal Revenue Code of 1986, as amended (the “Code”)),
we would be characterized as a “passive foreign investment company” (“PFIC”), for U.S. federal income tax purposes
under the Code. Based on our market capitalization and the nature of our income, assets and business, we believe that we should not be
classified as a PFIC for the taxable year that ended December 31, 2022. However, PFIC status is determined annually and requires
a factual determination that depends on, among other things, the composition of our income, assets and activities in each taxable year,
and can only be made after the close of each taxable year. Furthermore, because the value of our gross assets is likely to be determined
in part by reference to our market capitalization, a decline in the value of our ordinary shares may result in our becoming a PFIC. Accordingly,
there can be no assurance that we will not be considered a PFIC for any taxable year. If we are a PFIC for any taxable year during which
a U.S. Holder (as defined in “Item 10.E. Taxation—Certain United States Federal Income Tax Consequences”) holds our
ordinary shares, certain adverse U.S. federal income tax consequences could apply to such U.S. Holder. Prospective U.S. Holders should
consult their tax advisors regarding the potential application of the PFIC rules to them. See “Item 10.E. Taxation— Certain
United States Federal Income Tax Consequences—Passive Foreign Investment Company Considerations.”
If a U.S. person is treated
as owning at least 10% of our ordinary shares, such holder may be subject to adverse U.S. federal income tax consequences.
If a U.S. person is treated as owning (directly, indirectly or
constructively) at least 10% of the value or voting power of our ordinary shares, such person may be treated as a “U.S. shareholder”
with respect to each controlled foreign corporation (“CFC”), in our group (if any). If our group includes one or more U.S.
subsidiaries (as has been the case for 2022), certain of our non-U.S. subsidiaries will be treated as CFCs regardless of whether or not
we are treated as a CFC. A U.S. shareholder of a CFC may be required to report annually and include in its U.S. taxable income its pro
rata share of such CFC’s “Subpart F income,” “global intangible low taxed income” and investments in U.S.
property by CFCs, regardless of whether we make any distributions. An individual who is a U.S. shareholder with respect to a CFC generally
would not be allowed certain tax deductions or foreign tax credits that would be allowed to a U.S. shareholder that is a U.S. corporation.
Failure to comply with these reporting obligations may subject a U.S. shareholder to significant monetary penalties and may prevent the
statute of limitations with respect to such U.S. shareholder’s U.S. federal income tax return for the year for which reporting was
due from starting. We cannot provide any assurances that we will be able to assist holders of ordinary shares in determining whether any
of our non U.S. subsidiaries is treated as a CFC or whether any holder of ordinary shares should be treated as a U.S. shareholder with
respect to any such CFC or furnish to any U.S. shareholders information that may be necessary to comply with the aforementioned reporting
and tax paying obligations. The United States Internal Revenue Service provided limited guidance on situations in which investors may
rely on publicly available alternative information to comply with their reporting and tax paying obligations with respect to foreign controlled
CFCs. U.S. investors are strongly advised to consult their own tax advisors regarding the potential application of these rules to their
investment in our ordinary shares.
Changes in tax law relating
to multinational corporations could adversely affect our tax position.
There can be no assurance that our effective tax rate will not
increase over time as a result of changes in corporate income tax rates or other changes in the tax laws in the jurisdictions in which
we operate. Any changes in tax laws could have an adverse impact on our financial results. Corporate tax reform, base-erosion efforts
and tax transparency continue to be high priorities in many tax jurisdictions where we have business operations. As a result, policies
regarding corporate income and other taxes in numerous jurisdictions are under heightened scrutiny, and tax reform legislation is being
proposed or enacted in a number of jurisdictions.
For example, the recent Inflation Reduction Act enacted in the
United States introduced, among other changes, a 15% corporate minimum tax on certain United States corporations. In addition, there is
growing pressure in many jurisdictions and from multinational organizations such as the Organization for Economic Cooperation and Development
(“OECD”) and the EU to amend existing international taxation rules in order to align the tax regimes with current global business
practices. Specifically, in October 2015, the OECD published its final package of measures for reform of the international tax rules as
a product of its Base Erosion and Profit Shifting (“BEPS”) initiative, which was endorsed by the G20 finance ministers. Many
of the initiatives in the BEPS package required and resulted in specific amendments to the domestic tax legislation of various jurisdictions
and to existing tax treaties. We continuously monitor these developments. Although many of the BEPS measures have already been implemented
or are currently being implemented globally (including, in certain cases, through adoption of the OECD’s “multilateral convention”
(to which Israel is also a party) to effect changes to tax treaties which entered into force on July 1, 2018 and through the European
Union’s “Anti Tax Avoidance” Directives), it is still difficult in some cases to assess to what extent these changes
will have on our tax liabilities in the jurisdictions in which we conduct our business or to what extent they may impact the way in which
we conduct our business or our effective tax rate due to the unpredictability and interdependency of these potential changes. In January
2019, the OECD announced further work in continuation of the BEPS project, focusing on two “pillars.” In October, 2021, 137
countries approved a statement known as the OECD BEPS Inclusive Framework, which builds upon the OECD’s continuation of the BEPS
project. The first pillar is focused on the allocation of taxing rights between countries for in-scope large multinational enterprises
(with revenue in excess of €20 billion and profitability of at least 10%) that sell goods and services into countries with little
or no local physical presence. We do not expect to be within the scope of the first Pillar. The second pillar is focused on developing
a global minimum tax rate of at least 15% applicable to in-scope multinational enterprises (with revenue in excess of €750 million).
The agreement reached by 137 of the 140 members of the OECD BEPS Inclusive Framework calls for law enactment by OECD and G20 members in
2022 to take effect in 2023 and 2024. On December 20, 2021, the OECD published model rules to implement the Pillar Two rules and released
commentary to the Pillar Two model rules in March 2022. The model rules and commentary allow the OECD BEPS Inclusive Framework members
to begin implementing the Pillar Two rules in accordance with the agreement reached in October 2021. Israel is one of the 137 jurisdictions
that has agreed in principle to the adoption of the global minimum tax rate. As the Two Pillar solution is subject to implementation by
each member country, the timing and ultimate impact of any such changes on our tax obligations, including the impact on Preferred Technological
Enterprises currently eligible for reduced corporate tax rate of 12%, is uncertain. Further, given these developments, it is generally
expected that tax authorities in various jurisdictions in which we operate may increase their audit activity and may seek to challenge
some of the tax positions we have adopted. It is difficult to assess if and to what extent such challenges, if raised, might impact and
potentially increase our future effective tax rate.
We do not intend to pay
dividends on our ordinary shares for the foreseeable future so any returns will be limited to changes in the value of our ordinary shares.
We have never declared or paid any cash dividends on our ordinary
shares. We currently anticipate that we will retain future earnings for the development, operation, and expansion of our business and
do not anticipate declaring or paying any cash dividends for the foreseeable future. Any return to shareholders will therefore be limited
to the increase, if any, of our share price, which may or may not occur.
Risks Relating to Our Incorporation and Location
in Israel
Our principal executive
offices, most of our research and development activities and other significant operations are located in Israel, and therefore, our results
may be adversely affected by political, economic and military instability in Israel.
Our principal executive offices and research and development
facilities are located in Israel and therefore may be influenced by regional instability and extreme security tension. Accordingly, political,
economic and security conditions in Israel and the surrounding region could directly affect our business. Any political instability, terrorism,
armed conflicts, cyberattacks or any other hostilities involving Israel or the interruption or curtailment of trade between Israel and
its present trading partners could adversely affect our operations. Additionally, we may also be targeted by cyber terrorists specifically
because we are an Israeli company. Ongoing and revived hostilities or other Israeli political or economic factors, could harm our operations
and cause any future sales to decrease.
Our commercial insurance does not cover
losses that may occur as a result of events associated with war and terrorism. Although the Israeli government currently covers the reinstatement
value of direct damages that are caused by terrorist attacks or acts of war, we cannot guarantee that this government coverage will be
maintained or that it will sufficiently cover our potential damages. Any losses or damages incurred by us could have a material adverse
effect on our business.
Further, our operations could be disrupted by the obligations
of personnel to perform military reserves service. As of December 31, 2022, approximately 31.4% of our personnel are based in Israel,
certain of whom may be called upon to perform military reserve duty, which could materially adversely affect our business and results
of operations.
Several countries restrict doing business with Israel and Israeli
companies, and additional countries may impose restrictions on doing business with Israel and Israeli companies whether as a result of
hostilities in the region or otherwise. In addition, there have been increased efforts by activists to cause companies and consumers to
boycott Israeli goods based on Israeli government policies. Such actions, if accelerated, could adversely affect our business, financial
condition and results of operations.
Furthermore, the Israeli government has recently been pursuing
legislative changes which, if adopted, will alter the current state of separation of powers among the three branches of government and,
as a result, have sparked a considerable political debate. Many individuals, organizations and institutions, within and outside of Israel,
have voiced concerns over the potential negative impacts of such changes and the controversy surrounding them on the business and financial
environment in Israel. Such negative impacts may include, among others, a downgrade in Israel’s sovereign credit rating, increased
interest rates, currency fluctuations, inflation, civil unrest and volatility in securities markets, which could adversely affect the
conditions in which we operate and potentially deter foreign investors and organizations from investing or transacting business in
Israel. If any of the foregoing risks were to materialize, it may have an adverse effect on our business, our results of operations and
our ability to raise additional funds.
The tax benefits that
are available to us require us to continue to meet various conditions and may be terminated or reduced in the future, which could increase
our costs and taxes.
We were granted an Approved Enterprise status under the Israeli
Law for the Encouragement of Capital Investments, 5719-1959 (the “Investment Law”). In the past, we elected the alternative
benefits program, pursuant to which income derived from the Approved Enterprise program was tax-exempt for two years and enjoyed a reduced
tax rate of 10.0% to 25.0% for up to a total of eight years, depending on the percentage of foreign investors’ ownership. We were
also eligible for certain tax benefits provided to Benefited Enterprises under the Investment Law. In March 2013, we notified the Israel
Tax Authority that we applied the new tax Preferred Enterprise regime under the Investment Law instead of our Approved Enterprise and
Benefited Enterprise. Accordingly, we were eligible for certain tax benefits provided to Preferred Enterprises under the Investment Law.
If we do not meet the conditions stipulated in the Investment Law and the regulations promulgated thereunder, as amended, for the Preferred
Enterprise, any of the associated tax benefits may be canceled, and we would be required to repay the amount of such benefits, in whole
or in part, including interest and CPI linkage (or other monetary penalties). Starting from 2017, we were recognized as eligible for the
Technological Preferred Enterprise regime, a sub-category of the Preferred Enterprise regime, which grants enhanced tax benefits to enterprises
with significant research and development activities. In the future these tax benefits may be reduced or discontinued. If these tax benefits
are reduced, cancelled or discontinued, our Israeli taxable income could be subject to regular Israeli corporate tax rates, which could
negatively affect our financial condition and results of operation. Additionally, if we increase our activities outside of Israel through
acquisitions, for example, our expanded activities may not be eligible for inclusion under future Israeli tax benefit regimes. See “Item
5. Operating and Financial Review and Prospects—Critical Accounting Estimates—Law for the Encouragement of Capital Investments,
5719-1959.”
We may become subject
to claims for remuneration or royalties for assigned service invention rights by our employees.
We enter into assignment-of-invention agreements with our employees
pursuant to which such individuals agree to assign to us all rights to any inventions created in the scope of their employment or engagement
with us. A significant portion of our intellectual property has been developed by our employees during the course of their employment
by us. Under the Israeli Patent Law, 5727-1967, inventions conceived by an employee during the scope of his or her employment with a company
are regarded as “service inventions” which belong to the employer, absent a specific agreement between the employee and employer
giving the employee service invention rights. Although our employees have agreed to assign to us service invention rights, as a result
of uncertainty under Israeli law with respect to service invention rights and the efficacy of related waivers, including with respect
to remuneration and its extent, we may face claims demanding remuneration in consideration for assigned inventions. As a consequence of
such claims, we could be required to pay additional remuneration or royalties to our current and/or former employees, or be forced to
litigate such claims, which could negatively affect our business.
As a public company incorporated
in Israel, we may become subject to further compliance obligations and market trends or restrictions, which may strain our resources and
divert management’s attention.
Being an Israeli publicly traded company in the United States
and being subject to both U.S. and Israeli rules and regulations may make it more expensive for us to obtain directors and officers liability
insurance, and we may be required to continue incurring substantially higher costs for reduced coverage. These factors could also make
it more difficult for us to attract and retain qualified members of our board of directors, particularly to serve on our audit committee,
and qualified executive officers. In accordance with the provisions of the Companies Law, approval of our directors’ and officers’
insurance is limited to the terms of our duly approved compensation policy, unless otherwise approved by our shareholders.
Provisions of Israeli
law and our articles of association may delay, prevent, or otherwise impede a merger with or an acquisition of us, even when the terms
of such a transaction are favorable to us and our shareholders.
Our articles of association contain certain provisions that may
delay or prevent a change of control. These provisions include that our directors (other than external directors, if applicable) are elected
on a staggered basis, and therefore a potential acquirer cannot readily replace our entire board of directors at a single annual general
shareholder meeting. In addition, Israeli corporate law regulates acquisitions of shares through tender offers and mergers, requires special
approvals for transactions involving directors, officers or significant shareholders and regulates other matters that may be relevant
to such types of transactions.
Furthermore, Israeli tax considerations may make potential transactions
unappealing to us or to our shareholders whose country of residence does not have a tax treaty with Israel exempting such shareholders
from Israeli tax. For example, Israeli tax law does not recognize tax-free share exchanges to the same extent as U.S. tax law. With
respect to mergers involving an exchange of shares, Israeli tax law allows for tax deferral in certain circumstances but makes the deferral
contingent on the fulfillment of a number of conditions, including, in some cases, a holding period of two years from the date of the
transaction during which sales and dispositions of shares of the participating companies are subject to certain restrictions. Moreover,
with respect to certain share swap transactions, the tax deferral is limited in time, and when such time expires, the tax becomes payable
even if no disposition of the shares has occurred. These provisions of Israeli law and our articles of association could have the effect
of delaying or preventing a change in control in us and may make it more difficult for a third party to acquire us, even if doing so would
be beneficial to our shareholders, and may limit the price that investors may be willing to pay in the future for our ordinary shares.
It may be difficult to
enforce a judgment of a U.S. court against us, our officers and directors or the Israeli auditors named in this annual report in Israel
or the United States, to assert U.S. securities laws claims in Israel or to serve process on our officers and directors and these auditors.
We are incorporated in Israel, the majority of our directors
and executive officers, and the Israeli auditors listed in this annual report reside outside of the United States, and most of our assets
and most of the assets of these persons are located outside of the United States. Therefore, a judgment obtained against us, or any of
these persons, including a judgment based on the civil liability provisions of the U.S. federal securities laws, may not be collectible
in the United States and may not be enforced by an Israeli court. It also may be difficult for our shareholders to effect service of process
on these persons in the United States or to assert U.S. securities law claims in original actions instituted in Israel. Israeli courts
may refuse to hear a claim based on an alleged violation of U.S. securities laws reasoning that Israel is not the most appropriate forum
in which to bring such a claim. In addition, even if an Israeli court agrees to hear a claim, it may determine that Israeli law and not
U.S. law is applicable to the claim. If U.S. law is found to be applicable, the content of applicable U.S. law must be proven as a fact
by expert witnesses, which can be a time consuming and costly process. Certain matters of the procedure will also be governed by Israeli
law. There is little binding case law in Israel that addresses the matters described above. As a result of the difficulty associated with
enforcing a judgment against us in Israel, our shareholders may not be able to collect any damages awarded by either a U.S. or foreign
court.
The rights and responsibilities
of our shareholders are, and will continue to be, governed by Israeli law which differs in some material respects from the rights and
responsibilities of shareholders of U.S. corporations.
The rights and responsibilities of the holders of our ordinary
shares are governed by our articles of association and by Israeli law. These rights and responsibilities differ in some material respects
from the rights and responsibilities of shareholders in U.S. corporations. In particular, a shareholder of an Israeli company has a duty
to act in good faith and in a customary manner in exercising its rights and performing its obligations towards the company and other shareholders,
and to refrain from abusing its power in the company, including, among other things, in voting at a general meeting of shareholders on
matters such as amendments to a company’s articles of association, increases in a company’s authorized share capital, mergers
and acquisitions and related party transactions requiring shareholder approval. In addition, shareholders have a general duty to refrain
from discriminating against other shareholders and a shareholder who is aware that it possesses the power to determine the outcome of
a shareholder vote or to appoint or prevent the appointment of a director or chief executive officer in the company has a duty of fairness
toward the company with regard to such vote or appointment. There is limited case law available to assist us in understanding the nature
of this duty or the implications of these provisions. These provisions may be interpreted to impose additional obligations and liabilities
on holders of our ordinary shares that are not typically imposed on shareholders of U.S. corporations. See “Item 6.C. Board
Practices — Approval of Related Party Transactions under Israeli Law—Fiduciary Duties of Directors and Office Holders.”
ITEM 4.
INFORMATION
ON THE COMPANY
|
A. |
History and Development of the Company |
Our History
CyberArk Software Ltd. was founded in 1999 with the vision of
protecting high-value business data and pioneering our Digital Vault technology. That same year, we began offering our first product,
the Sensitive Information Management Solution (previously called the Sensitive Document Vault), which provided a secure platform for our
customers’ employees to share sensitive files. We began with our early vaulting technology, which has enabled us to evolve into
a company that provides a comprehensive solution to secure identities anchored on Privileged Access Management. In 2005, we introduced
our Privileged Access Management Solution, upon which we built our leadership position in the Privileged Access Management market, providing
a layer of security that protects high level and high value access across an organization. In September 2014, we listed our ordinary shares
on the Nasdaq Stock Market LLC (Nasdaq). In addition to investing in organic research and development, in 2015 we began to execute a merger
and acquisition strategy and acquired Viewfinity, Inc., a provider of Windows least privilege management and application control software,
as well as Cybertinel Ltd., a cybersecurity company specializing in cyber threat detection technology. In May 2017, we acquired Conjur
Inc., a provider of DevOps security software. In May 2020, we acquired IDaptive Holdings, Inc., an Identity as a Service (IDaaS) provider.
In March 2022, we acquired Aapi.io, a provider of no-code application integration and workflow automation solutions, and in July 2022,
we acquired C3M, LLC, a provider of multi-cloud security and compliance solutions. Based on our organic investment in research and development
to drive new product releases and innovation, coupled with the incremental acquisitions of selected technologies and the execution of
our go-to-market strategy, today CyberArk is the global leader in Identity Security, centered on intelligent privileged controls. We enable
secure access for human or machine identities to help organizations secure critical business assets and applications, protect their distributed
workforce and customers, and accelerate business across cloud, hybrid and self-hosted environments. Our solutions enable Zero Trust
by enforcing least privilege with continuous identity threat detection and protection.
We are a company limited by shares organized under the laws of
the State of Israel. We are registered with the Israeli Registrar of Companies. Our registration number is 51-229164-2. Our principal
executive offices are located at 9 Hapsagot St., Park Ofer B, POB 3143, Petach-Tikva, 4951040, Israel, and our telephone number is +972
(3) 918-0000. Our website address is www.cyberark.com. Information contained on, or that can be accessed through, our website is
not part of this annual report and is not incorporated by reference herein. We have included our website address in this annual report
solely for informational purposes. Our SEC filings are available to you on the SEC’s website at http://www.sec.gov. This site contains
reports, proxy and information statements, and other information regarding issuers that file electronically with the SEC. Our agent for
service of process in the United States is CyberArk Software, Inc., located at 60 Wells Avenue, Newton, MA 02459, and our telephone
number is (617) 965-1544.
Principal Capital Expenditures
Our cash capital expenditures for fiscal years 2020, 2021 and
2022 amounted to $7.2 million, $8.9 million, and $12.5 million, respectively. Capital expenditures consist primarily of investments in
leasehold improvements for our office space, purchases of furniture, computers and related equipment and internal use software capitalization.
We anticipate our capital expenditures in fiscal year 2023 to be less than 3% of revenues. We anticipate our capital expenditures in 2023
will be financed with cash on hand and cash provided by operating activities.
CyberArk is the global leader in Identity Security, centered
on intelligent privilege controls, with a focus on protecting organizations against identity-based cyberattacks. We apply intelligent
privilege controls to all identities – human & machine – with continuous threat detection and prevention across the entire
identity lifecycle. With CyberArk, organizations can enable Zero Trust and least privilege with complete visibility, ensuring that every
identity can securely access any approved resource, located anywhere, from everywhere – with a single Identity Security Platform.
As the category-defining leader in Privileged Access Management,
we are uniquely positioned to deliver on Identity Security because our core competency is securing the “keys to the kingdom.”
These “keys to the kingdom” enable our customers to control access to sensitive infrastructure and applications; keeping them
out of the hands of malicious or careless insiders or external attackers and preventing disruption to the business.
With
the rapid rise in mobile workers, hybrid and multi-cloud adoption, and digitalization of the enterprise, physical and network security
barriers are less relevant for securing data and assets than ever before. Compromised identities and their associated privileges now represent
the fastest attack path to an organization’s most valuable assets. As a result, identity controls are now becoming the new security
perimeter and are a critical foundation for implementing Zero Trust strategies. Our
approach is unique as CyberArk recognizes that every identity can become privileged under certain conditions, and we offer the broadest
range of security controls to reduce that risk while delivering a high-quality experience to the end user. This includes securing workforce,
partner and customer identities by replacing complex, patchworked and siloed legacy access and privileged access management solutions
to improve security and operational efficiencies.
During 2022, we continued to add new customers and cross sell
to existing customers directly and through channels. As of December 31, 2022, we had more than 8,000 customers, including more than 55%
of Fortune 500 companies and more than 35% of Global 2000 companies. Our customers include leading organizations in a diverse set of industries,
including financial services, manufacturing, insurance, healthcare, energy and utilities, transportation, retail, technology, and telecommunications,
as well as federal and local government agencies in multiple countries. We sell our solutions through a high-touch hybrid model that includes
direct sales, channel sales, managed security service providers, and advisory firm partners.
In the first quarter of 2022, we successfully accomplished our
goal to have at least 85% of sales comprised of subscriptions, including both SaaS and self-hosted subscriptions. As we continue to sell
more subscription licenses and services, we expect perpetual licenses to continue to decline as a percentage of overall sales. Throughout
2023, we will continue to build on this momentum and operate as a subscription company.
Our Growth Strategy
The key elements of our long-term growth strategy include:
|
• |
Strengthening
our Identity Security leadership position by delivering ongoing innovation. We
intend to extend our leadership position by enhancing our solutions, introducing new functionality
and developing new offerings to address additional use cases. Our strategy includes both internal development and an active mergers and
acquisition program in which we acquire or invest in complementary businesses or technologies.
|
|
• |
Extending
our global go-to-market reach. We market and sell our solutions through a high-touch hybrid model that includes direct and indirect
sales. We leverage our sophisticated marketing capabilities, such as account-based and inbound marketing, GTM plays, and our IMPACT and
IMPACT World Tour conferences, to drive demand and generate pipeline. We plan to expand our sales reach by adding new direct sales capacity,
expanding our indirect channels by deepening our relationships with existing partners and by adding new partners, including value-added
resellers, system integrators, managed security service providers, distributors, and C3
Alliance partners. We are also expanding our routes to market to include cloud provider marketplaces. |
|
• |
Growing
our customer base. The
global threat landscape, digitalization of the enterprise, cloud migration and the broad security skills shortage are contributing to
the need for Identity Security solutions. We believe that every organization, regardless of
size or vertical, needs Identity Security. We plan to pursue new customers in the enterprise and corporate segments of the market with
our sales and partner teams, as well as through our brand awareness and lead generation campaigns. |
|
• |
Expanding
our relationships with existing customers. As
of December 31, 2022, we had more than 8,000 customers. We have worked hard to develop strong relationships with our customers. Our Customer
Success team will focus on expanding these relationships by growing the number of users who access our solutions and cross-selling additional
products and services. |
|
• |
Driving
strong adoption of our solutions and retaining our customer base. An important
part of our overall strategy, particularly for our SaaS and self-hosted subscription customers, is delivering fast time to value from
our solutions. We will continue to deliver high levels of customer service and support and invest in our Customer Success team to help
ensure that our customers are up and running quickly and derive benefit from our software, which we believe will result in higher customer
retention rates. |
|
• |
Attracting,
developing and retaining a diverse and inclusive employee base. A key pillar
of our growth strategy is attracting, developing and retaining our employees. Our people are one of our most valuable assets, and
our culture is a key business differentiator for CyberArk. We value diversity and inclusion, which allows for the exchange of ideas, creates
a strong community, and helps ensure our employees feel valued and respected. |
Industry Background
Securing identities and their associated privileges are a main
focus of product investment due to the growth of our market and several key drivers that we have identified based on multi-year trends.
Digital
Transformation and Shift Left: The digitalization of business creates a
larger digital landscape full of opportunities for improved engagement with customers, vendors and employees, but also greater exposure
to cyber threats. New digital technologies require expanded privileged access for both humans and machines that must be properly secured.
Companies are adopting DevOps methodologies to speed the pace of innovation. Hybrid and multi-cloud adoption drive the need for
centralized solutions that help secure access of all types enterprise-wide. This trend has continued as companies provide hybrid and remote
capabilities for the workforce and look for additional online options to stay viable.
Cloud Migration and SaaS Applications:
Broad acceptance and adoption of hybrid and cloud-based infrastructure, the level of speed and automation across IT environments, and
an increasing reliance on SaaS applications, significantly impact how organizations approach security. Until a few years ago, organizations
would typically prioritize protection of their most critical systems and data, with a particular focus on protecting privileged access.
“Privileged users” were understood at the time to be mostly IT administrators accessing shared administrative accounts in
systems and applications. However, in today’s cloud and SaaS environment, every identity can become privileged under certain conditions.
All identities operating in a modern environment (such as employees,
partners, IT administrators, DevOps team members and developers, applications and robots, vendors and customers) might have some level
of privilege that, if improperly secured, can provide an attack path into an organization’s most valuable assets. This trend is
coupled with the rapid expansion and adoption of hybrid and cloud infrastructure, applications and application programming interfaces
(APIs), mobile and remote workers, and use of third parties. We now live in a world where the number, types and interrelationships of
identities have exploded, creating new dimensions to the threat landscape.
In addition, the underlying environments are highly dynamic with
much more ephemeral infrastructure where compute capacity is easily scaled up or scaled down. The rates of change in these modern
environments are exponentially faster, which requires organizations to implement more automation into their identity security controls
for both traditional and cloud native applications built using DevOps methodologies.
Zero
Trust Security: A conventional security approach that relies on perimeter-based
security is relatively less effective and applicable in a modern environment, as organizations adopt cloud and SaaS applications and as
more of the workforce continues to work remotely. In parallel, it has become increasingly difficult to keep attackers out of an organization’s
network altogether. The expansion of the attack surface and prevalence of threats has led to a growing application of a Zero Trust approach
to security.
While traditional, perimeter-based security relies on a strategy of trying to separate legitimate users from
threat actors and assumes that systems and traffic within the corporate networks and datacenters can be trusted, Zero Trust assumes that
the threat actors have already established a network presence and have access to an organization’s applications and systems. In
a Zero Trust security model, organizations aim to have every identity continuously authenticated and authorized before granting it access.
Zero Trust is not a single technology, but an approach that ensures
every user’s identity is verified, their device is validated, and their access is intelligently limited to just what they need –
and taken away when they no longer need it. CyberArk’s Identity Security solutions deliver capabilities that are foundational to
adopting a Zero Trust approach.
Skills
Gap: The skills gap in cybersecurity creates meaningful challenges, not
only for Chief Security Officers (CISOs), but also for implementing mission-critical strategic initiatives. As cloud adoption accelerates
the speed of business, companies are relying more heavily on applications, technology and automation to compete. CISOs are evaluating
staffing requirements for adding new security tools and implementing new projects and business initiatives. To address the staffing shortage
and skills gap, organizations are looking at opportunities to consolidate vendors and increase the implementation of automation to free
up security and IT teams to focus on more value-added initiatives.
Governance
and Compliance: Industry regulations such as Sarbanes Oxley (SOX), Payment
Card Industry Data Security Standard (PCI), SWIFT Customer Security Controls Framework, Health Insurance Portability and Accountability
Act (HIPAA), General Data Protection Regulation (GDPR), California Privacy Rights Act (CPRA) and security frameworks such as National
Institute of Standards (NIST) and the Center for Internet Security (CIS), for example, all have stringent requirements to uphold strong
Identity Security controls to maintain data privacy and sovereignty. Interest in CyberArk’s Identity Security solutions is also
being fueled by customers who are purchasing cyber insurance policies and need to provide proof of implementation of proper Identity Security
controls to obtain insurance coverage and lower their premiums.
Our Solutions
Our Identity
Security Platform provides a complete and flexible set of Identity Security capabilities across six main solution areas: Workforce and
Customer Access, Endpoint Privilege Security, Privileged Access Management, Secrets Management, Cloud Privilege Security, and Identity
Management.
Privileged Access Management
CyberArk’s Privileged Access Management solutions can be
used to secure, manage, and monitor privileged access. Privileged accounts can be found on endpoints, in applications, and from hybrid
to multi-cloud environments.
|
o |
Privileged
Access Manager. CyberArk Privileged Access Manager and CyberArk Privilege
Cloud include risk-based credential security and session management to protect against attacks involving privileged access. CyberArk’s
self-hosted Privileged Access Manager solution can be deployed in a self-hosted data center or in a hybrid cloud or a public cloud environment.
CyberArk Privileged Cloud is a SaaS solution. |
|
o |
Vendor Privileged
Access Manager. CyberArk Vendor Privileged Access Manager combines Privileged
Access Manager or Privilege Cloud and Remote Access, a SaaS solution, to provide fast, easy and secure privileged access to third-party
vendors who need access to critical internal systems via CyberArk, without the need to use passwords. By not requiring VPNs or agents,
Vendor Privileged Access Manager removes operational overhead for administrators, makes it easier and quicker to deploy and improves organizational
security. |
|
o |
Dynamic Privileged
Access. CyberArk Dynamic Privileged Access is a SaaS solution that provisions
just-in-time (JIT), privileged access to Linux Virtual Machines (VMs hosted in AWS and Azure and on-premises windows servers). The solution
leverages attribute-based access control (ABAC) and full session isolation to drive measurable risk reduction. Dynamic Privileged Access
allows organizations to unify controls for JIT and standing privileged access across public cloud and on-premises systems, enabling operational
efficiencies while progressing towards Zero Standing Privileges (ZSP) and Zero Trust initiatives. |
Endpoint Privilege Security
|
o |
Endpoint Privilege
Manager. CyberArk Endpoint Privilege Manager is a SaaS solution that secures
privileges on the endpoint (Windows servers, Windows desktops and Mac desktops) and helps contain attacks early in their lifecycle. It
enables revocation of local administrator rights, while minimizing impact on user productivity, by seamlessly elevating privileges for
authorized applications or tasks. Application control, with automatic policy creation, allows organizations to prevent malicious applications
from executing, and runs unknown applications in a restricted mode. This, combined with credential theft protection, helps prevent malware
such as ransomware from gaining a foothold and contains attacks on the endpoint. |
|
o |
Secure Desktop.
CyberArk Secure Desktop solution lets businesses protect access to endpoints and enforce the principle of least privilege without complicating
IT operations or hindering user productivity. The unified endpoint multifactor authentication and privilege management solution helps
organizations strengthen access security, optimize user experiences, and eliminate the manually intensive, error-prone administrative
processes that can lead to over provisioning and privilege abuse. |
Workforce & Customer
Access
We deliver robust Identity as a Service (IDaaS) which provides
a comprehensive Artificial Intelligence (AI)-based and security-first approach to managing identities that is both adaptive and context-aware.
CyberArk Identity includes capabilities to secure both workforce and customer identities.
Workforce
Identity offers:
|
o |
Adaptive Multi-factor
Authentication (MFA). Adaptive MFA enables an enterprise to enforce risk-aware
and strong identity assurance controls within the organization. |
|
o |
Single Sign-On
(SSO). SSO is the ability to use a single secure identity to access all
applications and resources within an organization. CyberArk Identity enables SSO for all types of users (workforce, partners, and consumers)
to all types of workstations, systems, VPNs, and applications both in the cloud and on-premises. |
|
o |
Secure Web
Sessions. Secure Web Sessions records, audits and protects end-user activity
within designated web applications. The solution uses a browser extension on an end-user’s endpoint to monitor and segregate web
apps that are accessed through SSO and deemed sensitive by business application owners, enterprise IT and security administrators.
|
|
o |
Workforce Password
Management. CyberArk Workforce Password Management is an enterprise-focused
password manager providing a user-friendly solution to store data from business applications -like website URLs, usernames, passwords
and notes – in a centralized vault and securely share it with other users in the organization. |
|
o |
Application
Gateway. With the CyberArk Identity Application Gateway service, customers
can enable secure remote access and expand SSO benefits to on-premises web apps — like SharePoint and SAP — without the complexity
of installing and maintaining VPNs. |
|
o |
Identity Lifecycle
Management. This module enables CyberArk Identity customers to automate
the joiner, mover, and leaver processes within the organization. This automation is critical to ensure that privileges don’t accumulate,
and a user’s access is turned off as soon as the individual changes roles or leaves the organization. |
|
o |
Directory Services.
Allows customers to use identity where they control it. In other words, we do not force our customers to synchronize their on-premises
Active Directory implementation with our cloud. Our cloud architecture can work seamlessly with any existing directory, such as Active
Directory, LDAP-based directories, and other federated directories. CyberArk Identity also provides its own highly scalable and flexible
directory for customers who choose to use it. |
Customer
Identity offers authentication and authorization services, MFA, directory,
and user management to enable organizations to provide customers and partners with easy and secure access to websites and applications.
In alignment with our Identity Security strategy, we sell packaged
offerings that align with the requirements of workforce users, privileged users, and external vendors. The workforce user offering includes
credential vaulting and sharing, Adaptive MFA, and SSO. The privileged users offering includes full credential management, session management,
and Remote Access. The external vendor offering aligns to the capabilities detailed above for Vendor Privileged Access Manager.
Secrets Management
Our capabilities in the area of Secrets Management are focused
on securing secrets used by machine identities such as applications, scripts, containers, DevOps tools, and third-party security solutions.
Secrets Manager enables organizations to avoid the need to store secrets within applications and instead allows them to easily and securely
access the required credentials from the CyberArk Vault. Secrets Manager supports traditional applications with its Credential Providers
and dynamic applications with Conjur.
|
o |
Secrets Manager
Credential Providers. Credential Providers can be used to provide and manage
the credentials used by third-party solutions such as security tools, RPA, and IT management software, and also supports internally developed
applications built on traditional monolithic application architectures. Credential Providers works with CyberArk’s on-premises and
SaaS based solutions. |
|
o |
Conjur Secrets
Manager and Conjur Cloud Secrets Manager. For cloud-native applications
built using DevOps methodologies, Conjur Enterprise and Conjur Cloud provide a secrets management solution tailored specifically to the
unique requirements of these environments delivered either on-premises or in the cloud. We also provide an open-source version to better
meet the needs of the developer community. |
|
o |
AWS Secrets
Hub. For organizations developing in AWS Secrets Manager, Secrets Hub centrally
manages and rotates secrets in CyberArk’s Conjur while enabling developers to continue to develop in the native AWS environment.
|
Cloud Privilege Security
|
o |
Cloud Entitlements
Manager. CyberArk Cloud Entitlements Manager is a SaaS solution that reduces
risks that arise from excessive privileges by implementing Least Privilege across cloud environments. From a centralized dashboard, Cloud
Entitlements Manager provides visibility and control of permissions across an organization’s cloud landscape. Within this single
display, Cloud Entitlements Manager offers automatically deployable remediations based on the principle of Least Privilege, to help organizations
strategically remove excessive permissions without disrupting cloud operations. |
Identity Management
Our capabilities in Identity Management include Lifecycle Management,
Identity Flows, Identity Compliance and directory services. Our Identity Management solutions are designed to provide a single view of
who has access to what, ensuring that the right access is granted for the right amount of time to the right people. CyberArk Lifecycle
Management streamlines provisioning and management of entitlements throughout a user’s employment, including approval workflows,
access certifications and providing and revoking access. CyberArk Identity Flows is a no-code identity management workflow solution that
reduces complexity and manual tasks to easily create workflows and automate business processes. CyberArk Identity Compliance enables customers
to discover, certify, remediate and audit access, ensuring that an organization can implement Zero Trust across the enterprise.
Our Technology
Our portfolio provides a complete and flexible set of Identity
Security capabilities that leverage the following core technologies:
Identity
Security Platform Shared Services. Our Shared Services enable operational
efficiencies, leveraging a single admin portal with unified audit, consistent authentication and authorization for all identities and
Identity Security intelligence. The platform allows for secure role-based access to CyberArk SaaS through a single user interface to improve
operational efficiencies for CyberArk solutions.
Secure
Digital Vault Technology. Our proprietary Digital Vault technology provides
a highly secure, isolated environment, independent of other software, and is engineered with multiple layers of security. Our on-premises
and SaaS PAM solutions use the highly secured Digital Vault to safely store, audit and manage passwords, privileged credentials, policy
information and privileged access session data.
Privileged
Session Recording and Controls. Our innovative privileged session recording
and control mechanisms provide the ability to isolate an organization’s IT systems from end-user desktops, while monitoring and
auditing privileged session activities. The architecture blocks direct communication between an end-user’s desktop and a target
system, thus preventing potential malware on the desktop from infiltrating the target system. This architecture further ensures that privileged
credentials will remain protected and will not be exposed to the end-user or reach the desktop. CyberArk session monitoring solutions
support native connectivity, whether from browser, native RDP or SSH tools, and via the CLI (Command Line Interface). Risk scoring can
be applied to each recorded session, automating the review of all privileged sessions and enabling auditors to prioritize and deprioritize
workloads based on risk.
Secure
Remote Access. The cloud-based, multifactor authentication provided with
Remote Access leverages the biometric capabilities from smartphones which in turn allows authorized remote vendors simple just-in-time
secure privileged access. Once authenticated, all privileged sessions are automatically recorded for full audit and monitored in real-time.
Strong
Application Authentication and Credential Management. The Secrets Manager
architecture allows an organization to eliminate hard-coded application credentials, such as passwords and encryption keys, from applications
and scripts. Our secure, proprietary technology permits authentication of an application during run-time, based on any combination of
the application’s signature, executable path or IP address, and operating system user. Following application authentication, the
authenticated application uses a secure application programming interface (API), to request privileged account credentials during run-time
and, based on the application permissions in Privileged Access Manager, up-to-date credentials are provided to the application.
Strong
Endpoint Security. Our endpoint agent technology provides policy-based privilege
management, application control and credential theft protection capabilities. The agent detects privileged commands, and application installation
or invocation on the endpoint to validate whether it is permissible in accordance with the organization’s security policy, otherwise
blocking the operation or allowing it to run in a restricted mode. Having users operate in a least privilege mode together with our agent-based
technology effectively reduces the attack surface that attackers or malware can exploit. The solution leverages third-party threat and
reputation information to further strengthen controls and block bad or malicious applications based on such security intelligence.
Adaptive
Multi-factor Authentication. Our Adaptive Multi-factor Authentication (MFA)
enforces risk-aware and strong identity assurance controls within an organization. These controls include a broad range of built-in authentication
factors such as passwordless authenticators like Windows Hello and Apple TouchID, high assurance authenticators like USB security keys,
and our patented Zero Sign-on certificate-based authentication.
Single
Sign-on. Our Single Sign-on (SSO) solution facilitates the secure access
to many different applications, systems, and resources while only requiring a single authentication. Our SSO solution offers a modern
identity provider supporting popular SSO protocols to any system or app that supports SAML, WS-Fed, OIDC and OAuth2, as well as an extensive
application catalog with out-of-the-box integration for thousands of applications.
Our Customers
As of December 31, 2022, we had more than 8,000 customers, including more
than 55% of Fortune 500 companies and more than 35% of Global 2000 companies. Our customers include leading organizations in a diverse
set of industries, including financial services, manufacturing, insurance, healthcare, energy and utilities, transportation, retail, technology
and telecommunications, as well as government agencies.
Our business is not dependent on any particular customer. No
customer or channel partner accounted for more than 10% of our revenues in the last three years. Our diverse global footprint is evidenced
by the fact that in 2022, we generated 52.9% of our revenues from customers in the United States, 30.1% from the EMEA region and
17.0% from the rest of the world, including countries in North and South America other than the United States, and countries in the
Asia Pacific and Japan region.
Go-to-Market
Marketing
Our marketing strategy is focused on further strengthening
our brand, communicating the benefits of our solutions to our target audiences, driving market engagement, and creating a pipeline with
prospects, resulting in an increase in sales to existing and new customers. We are uniquely positioned as the global leader in Identity
Security. Centered on intelligent privilege controls, we provide comprehensive security solutions for human or machine identities across
business applications, distributed workforces, hybrid cloud workloads, and throughout DevOps pipelines. The world’s leading organizations
trust CyberArk to help secure their most critical assets.
We execute our strategy by leveraging a combination of internal
marketing professionals and a network of channel partners to communicate our value proposition and differentiation for our products, generating
qualified leads for our sales force and channel partners. Our marketing efforts include global inbound and outbound demand generation
campaigns, account-based marketing, public relations in multiple geographies and the publication of a broad array of content made available
through our website. We also participate at key industry events around the world, engaging with audiences through exhibits and demonstrations,
speaking sessions and executive meetings.
In July 2022, we hosted our 16th annual CyberArk IMPACT Conference
for customers, partners and prospects in Boston, MA, with more than 1,000 attendees. The event included a hybrid/virtual component for
those who could not travel to attend in-person. Later in the year, we extended this concept to a global series, branded CyberArk IMPACT
World Tour and hosted similar events in 14 other cities around the globe, with hundreds of customers, partners and prospects attending
at each city. With more than 3,000 attendees in-person, IMPACT and IMPACT World Tour represent the largest Identity Security conference
worldwide.
Sales
We believe that our hybrid sales model, which combines the leverage
of high-touch, channel sales with the account control of direct sales, has played an important role in the growth of our customer base
to date. We maintain a highly trained sales force that is responsible for developing and closing new business, the management of relationships
with our channel partners and the support and expansion of relationships with existing customers. Our sales organization is organized
by geographic regions, consisting of the Americas, EMEA, Asia Pacific and Japan. As of December 31, 2022, our global network of channel
partners consisted of more than 450 resellers, distributors, and managed service providers. Our channel partners generally complement
our sales efforts by helping identify potential sales targets, maintaining relationships with certain customers, introducing new products
to existing customers, and offering post-sale professional services and technical support. In 2022, we generated approximately 24% of
our revenues from direct sales from our field offices located throughout the world. We work with many global systems integration partners
and several leading regional security value added resellers, such as Optiv Security Inc., Merlin International, Computacenter United States
Inc., Netpoleon, SHI, M.Tech and GuidePoint Security. These companies were each among our top 15 channel partners in 2021 and 2022 by
revenues, and we have derived a meaningful amount of revenues from sales to each of them during the last two years. Further, we work with
advisory firms such as Deloitte, PricewaterhouseCoopers LLP, and KPMG in co-marketing and co-delivery of our solutions and providing implementation
services to our customers.
Through CyberArk’s C3
Alliance, our global technology partner program, we bring together enterprise software, IT, Security, and cloud providers to build on
the power of Identity Security to better protect customers from cyber threats. Our CyberArk Marketplace provides a trusted platform for
customers to easily find and deploy integrations from the C3
Alliance, partners, and community members.
Our sales cycle varies by size of the customer, the number
of products purchased and the complexity of the customer’s IT infrastructure, ranging from several weeks for incremental sales to
existing customers to several months for large deployments. We also typically experience seasonality in our sales, particularly demonstrated
by increased sales in the last month of a quarter and the last quarter of the year. To support our broadly dispersed global channel partners
and customer base in our hybrid model, we had sales personnel in 41 countries as of December 31, 2022. We plan to continue investing
in our sales organization to support both the growth of our channel partners and our direct sales organization.
Professional and Support Services
Maintenance and Support
Our maintenance and support program provides all customers who
purchase maintenance and support in conjunction with their perpetual licenses, and customers who purchase self-hosted and SaaS subscriptions,
the right to software bug repairs, the latest software enhancements, and updates on an if-and-when available basis during the maintenance
period or subscription term, and access to our technical support services. Customers who purchase maintenance and support in conjunction
with their initial perpetual license purchase typically buy for one year or three years, and can subsequently continue to renew maintenance
and support for additional one- or three-year periods. These two alternative maintenance and support periods are common in the software
industry. Customers typically pay for each alternative in full at the beginning of their terms. However, in select situations, customers
can opt for annual payments.
Our technical support services are provided to perpetual and
subscription customers via our online support center, which enables customers to submit new support queries and monitor the status of
open and past queries. Our online support system also provides customers with access to our CyberArk Knowledge Base, an online user-driven
information repository that provides customers the ability to address their own queries. Additionally, we offer email and telephone support
during business hours to customers that purchase a standard support package and 24/7 availability to customers that purchase our 24/7
support or subscription package.
Our global customer support organization has expertise in our
software and how it interacts with complex IT environments. We typically provide all levels of support directly to our customers. However,
when sales are made through channels, the channel partner may provide the first and second level support, and we typically provide third
level support if the issue cannot be resolved by the channel partner.
Professional Services
Our products are designed to allow for online trials, or to allow
customers to download, install and deploy them on their own or with training and professional assistance. Our solutions are highly configurable,
and many customers will select either one of our many trained channel partners or our CyberArk Security Services team to provide expert
professional services. Our Security Services team can be contracted to assist customers in planning, installing, and configuring our solution
to meet the needs of their security and IT environment, and provide technical account management services. Our Security Services team
provides ongoing consulting services regarding best practices for achieving Identity Security, and recommended ways to implement our solutions
to meet specific customer requirements. Additionally, they share best practices associated with Identity Security to educate customers
and partners on such best practices through virtual classroom, live face-to-face, or self-paced classes. We also have Red Team services,
which specialize in adversary simulations to test customers’ and prospects’ cloud and hybrid environments, DevOps pipelines
and processes to help make their environment more secure.
In 2021, we introduced new professional services solutions aimed
at delivering faster time to value and helping customers streamline the deployment of certain CyberArk SaaS products, while providing
a resource to help to implement a phased approach to a Privileged Access Management program, from planning, to pilot, to production.
In addition, in 2022, we expanded our professional services packages by offering outcome-based services that corresponded with each of
our SaaS solutions.
The most comprehensive program of its kind, CyberArk Blueprint
is designed to help customers take a future-proof, phased and measurable approach to reducing Identity Security risks. The experience
of the CyberArk Labs and Red Team (CyberArk teams involved in cybersecurity research) and incident response engagements shows that nearly
every targeted attack follows a similar pattern of identity and privileged credential compromise. These patterns influenced CyberArk Blueprint’s
three guiding principles, which are foundational to the program: prevent credential theft; stop lateral and vertical movement; and limit
privilege escalation and abuse. The CyberArk Blueprint uses a simple, prescriptive approach based on these guiding principles to reduce
risk across five stages of Identity Security maturity. Customers benefit from being able to prioritize quick wins, progressively address
advanced Identity Security use cases, and align security controls to digital transformation efforts across hybrid environments.
Research and Development
Continued investment in research and development is critical
to our business. Our research and development efforts are focused primarily on improving and continuing to enhance existing products and
services, as well as developing new solutions, services, products, features and functionality to meet market needs. We believe the timely
development of new products and capabilities is essential to maintaining our competitive position. The majority of our solutions are delivered
as SaaS, in which we regularly incorporate new features and enhancements to existing features. We also maintain a dedicated CyberArk Labs
team that researches reported cyber-attacks, the attackers’ techniques and post-exploit methods that lead to new security development
initiatives for our products, and provides thought-leadership on new product capabilities and targeted attack mitigation.
As of December 31, 2022, we had 901 employees focused on
research and development. We conduct our research and development activities primarily in Israel, as well as other locations such as the
United States and India. We believe this provides access to world class engineering talent. Our research and development expenses were
$95.4 million, $142.1 million, and $190.3 million in 2020, 2021, and 2022, respectively.
Intellectual Property
We rely on a combination of patent, trademark, copyright and
trade secret laws, confidentiality procedures and contractual provisions to protect our technology and the related intellectual property.
As
of December 31, 2022, we had 130 issued patents in the U.S., and 49 pending U.S. patent applications.
We also had 59 issued patents and 20 applications pending for examination in non-U.S. jurisdictions, all of which are counterparts
of our U.S. patent applications. We expect to file additional patent applications in the future.
The inventions for which we have sought patent protection relate
to current and future elements of our products and technology. The following list of products identifies some of those with patent-protected
features, but other products may also be protected by one or more patents: Privileged Access Security (PAS) solutions, including Privileged
Access Manager, Vendor Privileged Access Manager, Privileged Session Manager (PSM), Enterprise Password Vault (EPV), Privilege Cloud,
CyberArk DNA (Discovery and Audit), Privileged Threat Analytics (PTA), Endpoint Privilege Manager (EPM), Sensitive Information Management
(SIM) and Cloud Entitlements Manager (CEM); Secret Management Solutions, including Conjur Secrets Manager Enterprise, Conjur Secrets Manager
Open Source, Credential Providers, Secretless and Secretless Broker; and Access Management Solutions, including CyberArk Identity, Workforce
Identity, Customer Identity and Secure Web Sessions.
We generally enter into confidentiality agreements with our employees,
consultants, service providers, resellers and customers and generally limit internal and external access to, and distribution of, our
proprietary information and proprietary technology through certain procedural safeguards. These agreements and measures may not effectively
prevent unauthorized use or disclosure of our intellectual property or technology and may not provide an adequate remedy in the event
of unauthorized use or disclosure of our intellectual property or technology.
Our industry is characterized by the existence of many relevant
patents and frequent claims and related litigation regarding patent and other intellectual property rights. Leading companies in the security
industry have extensive patent portfolios. As our market position continues to grow, we believe that competitors will be more likely to
try to develop products that are like ours and that may infringe our proprietary rights. It may also be more likely that competitors or
third parties will claim that our products infringe their proprietary rights. From time to time, third parties have asserted and may assert
their patent, copyright, trademark and other intellectual property rights against us, our channel partners, users, or customers, whom
our standard license and other agreements may obligate us to indemnify against such claims under certain circumstances. Successful claims
of infringement or misappropriation by a third party could prevent us from developing, distributing, licensing, using certain products,
performing certain services or could require us to pay substantial damages (including, for example, treble damages if we are found to
have willfully infringed patents and increased statutory damages if we are found to have willfully infringed copyrights), royalties or
other fees. Such claims also could require us to expend additional development resources to attempt to redesign our products or services
or otherwise to develop non-infringing technology; enter into potentially unfavorable royalty or license agreements to obtain the right
to use necessary technologies or intellectual property rights; and to indemnify our customers and partners (and parties associated with
them). Even if third parties may offer a license to their technology, the terms of any offered license may not be acceptable, and the
failure to obtain a license or the costs associated with any license could cause our business, results of operations or financial condition
to be materially and adversely affected.
Competition
The IT security market in which we operate is characterized by
intense competition, constant innovation, rapid adoption of different technological solutions and services, and evolving security threats.
We compete with multiple established and emerging companies that offer a broad array of IT security products that employ different
approaches and delivery models.
Specifically, our Identity Security Platform competes across
a variety of markets and competitors, including, but not limited to:
|
• |
Privileged Access Management (PAM), including Endpoint Privilege Management, such as Delinea and BeyondTrust; |
|
• |
Identity and Access Management, such as Okta and Microsoft; and |
|
• |
Secrets Management, including broad DevOps solutions, such as Hashi Corporation. |
The maturity and growth of the IT Security market could also
make it appealing for new players, such as large or emerging cybersecurity vendors or those in related markets (Endpoint, Cloud Security,
DevOps or Infrastructure as a Service (IaaS)), to enter markets where we specialize. Additionally, consolidation among cybersecurity vendors
may create an opportunity for our competitors to provide a greater breadth of offerings, including more integrations and bundled products.
This may create a competitive disadvantage, regardless of the performance and features of our offerings if customers prefer to utilize
one vendor for multiple cybersecurity capabilities. Furthermore, organizations continuously evaluate their security priorities and investments
and may allocate their IT security budgets to other solutions and strategies, including solutions offered by our competitors, and may
not adopt or expand use of our solutions. Accordingly, we may also compete for budget priority, to a certain extent, with other cybersecurity
solutions offered by Microsoft, Palo Alto Networks, and Crowdstrike Holdings. The principal competitive factors in our market include:
|
o |
the breadth and completeness of a security solution; |
|
o |
reliability and effectiveness in protecting, detecting and responding to cyberattacks; |
|
o |
analytics and accountability at an individual user level; |
|
o |
ability of customers to achieve and maintain compliance with compliance standards and audit requirements; |
|
o |
strength of sale and marketing efforts, including advisory firms and channel partner relationships; |
|
o |
global reach and customer base; |
|
o |
scalability and ease of integration with an organization’s existing IT infrastructure and security investments; |
|
o |
brand awareness and reputation; |
|
o |
innovation and thought leadership; |
|
o |
quality of customer support and professional services; |
|
o |
speed at which a solution can be deployed and implemented; and |
|
o |
price of a solution and cost of maintenance and professional services. |
We believe we compete favorably with our
competitors based on these factors. However, some of our current competitors may enjoy one or some combination of potential competitive
advantages, such as greater name recognition, longer operating history, larger market share, larger existing user base and greater financial,
technical, and operational capabilities.
Properties
Our corporate headquarters are in Petach-Tikva, Israel in an
office consisting of approximately 139,100 square feet to which we moved in September 2017. The current lease expires in September 2027
with an extension option for one successive 24-month period. Our U.S. headquarters are in Newton, Massachusetts in an office consisting
of approximately 32,463 square feet. The lease expires in June 2026 with an extension option for the entire premises through 2034. We
maintain additional offices in Israel, the U.S., the U.K., Singapore, France, Germany, Australia, Japan, India, and the Netherlands.
We believe that our facilities are sufficient to meet our current needs and that we will be able to obtain additional facilities on commercially
reasonable terms if we require additional space to accommodate our growth.
Internal Cybersecurity
As we offer Identity Security solutions and services, we are
sensitive to potential cyber-attacks that may result in unauthorized access to our information, and potentially that of our customers.
We are also aware that, being an Israeli company, we may be targeted by cyber terrorists, cyber criminals, nation-state actors, or nation-state
affiliated actors. Any actual or perceived breach of our networks, systems or data may have an adverse impact on the market perception
of our solutions and services and may expose us to potential liability.
For more information regarding the risks
involved with cybersecurity, see “Item 3.D. Risk Factors— Real or perceived security vulnerabilities and gaps in our solutions
or services or the failure of our customers or third parties to correctly implement, manage and maintain our solutions, may result in
significant reputational, financial, and legal adverse impact” and“—If our internal IT network systems, or those of
our third-party providers, are compromised by cyberattacks or other security incidents, or by a critical system disruption or failure,
then our reputation, financial condition and operating results could be materially adversely affected.”
We are focused on continuously implementing
and maintaining technologies and solutions to assist in the prevention of potential cyber-attacks, as well as protective measures and
contingency plans in the event of an actual attack. We maintain cybersecurity risk management policies and procedures, including internal
controls, audits and disclosure protocols for handling and responding to cybersecurity events. These policies and procedures include internal
notifications and engagements and, as necessary, cooperation with law enforcement. Our controls are designed to limit and monitor access
to our systems, networks, and data, prevent inappropriate or unauthorized access or modification, and monitor for threats or vulnerabilities.
We periodically review and modify our cybersecurity risk management policies and procedures to reflect changes in technology, the regulatory
environment, industry and security practices and other business needs. We conduct periodic trainings for our employees, including on phishing,
malware and other cybersecurity risks, and we have mechanisms in place designed to promote rapid internal reporting of potential or actual
cybersecurity breaches.
We made significant investments in technical
and organizational measures to establish and manage compliance with laws and regulations governing our activities regarding protected
data (such as GDPR), which enhance our data protection and cybersecurity. Furthermore, we monitor cybersecurity risks, certifications
or assessments at our third-party cloud infrastructure providers and other IT service providers and reevaluate those contractual relationships
as appropriate.
The audit committee of our board periodically reviews our cybersecurity
risks and controls with senior management, keeping our board informed of key issues.
Government Regulations
For information regarding the material effects of government
regulations, see “—Industry Background” above, “Item 3.D. Risk Factors— The dynamic regulatory environment
around privacy and data protection, may limit our offering or require modification of our products and services, which could limit our
ability to attract new customers and support our current customers and increase our operational expenses. We could also be subject to
investigations, litigation, or enforcement actions alleging that we fail to comply with the regulatory requirements which could harm our
operating results and adversely affect our business,” “—We are subject to a number of regulatory and geopolitical risks,
associated with global sales and operations, which could materially affect our business,” and “The tax benefits that are available
to us require us to continue to meet various conditions and may be terminated or reduced in the future, which could increase our costs
and taxes,” and “Item 5. Operating and Financial Review and Prospects—Operating Results—Israeli Tax Considerations
and Government Programs.”
Legal Proceedings
See “Item 8.A. Consolidated Statements and Other Financial
Information—Legal Proceedings.”
|
C. |
Organizational Structure |
The legal name of our Company is CyberArk Software Ltd. and we
are organized under the laws of the State of Israel.
The following table sets forth our key subsidiaries all of which
are 100% owned directly or indirectly by CyberArk Software Ltd.:
|
Name of Subsidiary |
Place of Incorporation |
|
CyberArk Software, Inc. |
Delaware, United States |
|
Cyber-Ark Software (UK) Limited |
United Kingdom |
|
CyberArk Software (Singapore) PTE. LTD. |
Singapore |
|
CyberArk Software (DACH) GmbH |
Germany |
|
CyberArk Software Italy S.r.l. |
Italy |
|
CyberArk Software (France) SARL |
France |
|
CyberArk Software (Netherlands) B.V. |
Netherlands |
|
CyberArk Software (Australia) Pty Ltd.
CyberArk Software (Japan) K.K.
CyberArk Software Canada Inc.
CyberArk USA Engineering, GP, LLC |
Australia
Japan
Canada
Delaware, United States |
|
CyberArk Software (Spain), S.L. |
Spain |
|
CyberArk Software (India) Private Limited
C3M India Private Limited |
India
India |
|
D. |
Property, Plant and Equipment |
See “Item 4.B.—Business Overview—Properties”
for a discussion of property, plant and equipment, as applicable.
ITEM 4A.
UNRESOLVED STAFF COMMENTS
Not applicable.
ITEM 5
OPERATING AND FINANCIAL REVIEW
AND PROSPECTS
The following discussion and analysis should
be read in conjunction with our consolidated financial statements and the related notes contained elsewhere in this annual report. This
discussion and analysis may contain forward-looking statements based upon current expectations that involve risks and uncertainties. Our
actual results may differ materially from those anticipated in these forward-looking statements as a result of various factors, including
those set forth in “Item 3.D. Risk Factors” of this annual report. Our financial statements have been prepared in accordance
with U.S. GAAP.
Company Overview
CyberArk is a global leader in Identity Security, centered
on intelligent privilege controls, with a focus on protecting organizations against identity-based cyberattacks. CyberArk applies intelligent
privilege controls to all identities – human and machine – with continuous threat detection and prevention across the entire
identity lifecycle. With CyberArk, organizations can enable Zero Trust and least privilege with complete visibility, ensuring that every
identity can securely access any approved resource, located anywhere, from everywhere – with a single Identity Security Platform.
We secure access for human or machine identities to help organizations
secure critical business assets, protect their distributed workforce and customers, and accelerate business in the cloud. CyberArk’s
vision is to deliver an Identity Security Platform that contextually authenticates each identity, dynamically authorizes the
least amount of privilege required, secures credentials, and thoroughly audits the entire cycle – giving organizations
peace of mind to drive their businesses fearlessly forward.
As the category-defining leader in Privileged Access Management,
we are uniquely positioned to deliver on Identity Security because our core competency is securing the “keys to the kingdom.”
These “keys to the kingdom” enable our customers to control access to sensitive infrastructure and applications, keeping them
out of the hands of malicious or careless insiders or external attackers and preventing disruption to the business.
Securing these human and machine identities is now more important
than ever. With the rapid rise in mobile workers, hybrid and multi-cloud adoption, and digitalization of the enterprise, physical and
network security barriers are less relevant at securing data and assets than ever before. Compromised identities and their associated
privileges represent an attack path to an organization’s most valuable assets. We believe that identity has become the new security
perimeter and is at the foundation of Zero Trust security models. Our approach is unique since CyberArk recognizes that every identity
can become privileged under certain conditions, and we offer the broadest range of security controls to reduce risk while delivering a
high-quality experience to the end user. This includes securing workforce, partner, and customer identities by replacing complex, patchworked,
and siloed legacy access management solutions to improve security and operational efficiencies.
Prior to 2020, we primarily derived our revenues by licensing
our cybersecurity software, selling maintenance and support contracts, and providing professional services. We began executing our transition
to a subscription business model in early 2021, and, in the first quarter of 2022, we reached our subscription selling goals of at least
85% of our sales through subscriptions, including both SaaS and self-hosted subscriptions. We believe that annual recurring revenue (ARR),
subscription portion of ARR, recurring revenues, Remaining Performance Obligations (RPO), and total deferred revenue are indicators of
the overall health of the business. For the full year 2022, we increased our ARR by 45% to $570 million as of December 31, 2022. The growth
in ARR was driven by an increase in our self-hosted and SaaS subscriptions revenues. Our subscription revenues increased by 108.5%
to $280.6 million in 2022, and recurring revenues increased by 43% to $498.3 million in 2022.
We plan to continue to invest in research and development in
order to continue to develop technology to protect modern enterprises from Identity Security risk from hybrid to cloud-native environments.
During the years ended December 31, 2020, 2021 and 2022, our revenues were $464.4 million, $502.9 million and $591.7 million, respectively,
representing year-over-year growth of 8.3% and 17.7% in 2021 and 2022, respectively. Our net loss for the years ended December 31,
2020, 2021 and 2022 was $(5.8) million, $(83.9) million and $(130.4) million, respectively.
We have also increased our number of employees and subcontractors
from 2,140 as of December 31, 2021 to 2,768 as of December 31, 2022. We intend to continue to execute on our strategy of growing our business
to meet the needs of our customers and to pursue opportunities in new and existing verticals, geographies, and products. We intend to
continue to invest in our sales and marketing teams, with a particular focus on expanding our channel partnerships, targeting new customers,
expanding our relationships with existing customers, creating technology partnerships and further building out our customer success operations
for existing customers.
Key Performance Indicators and Recent Business
Developments
In early 2021, we began to actively transition our business
to a subscription model by incentivizing our team to shift our sales from perpetual licenses to recurring subscriptions, including SaaS
and self-hosted subscriptions. In the first quarter of 2022, we reached our subscription selling goals of at least 85% of our sales through
subscriptions, including both SaaS and self-hosted subscriptions. Revenue recognition for our subscription offerings is ratable compared
to sales of perpetual licenses, which results in the entire perpetual license portion recognized as revenue upfront and only revenue from
the related maintenance contract recognized ratably. As a result of our business model transition, our revenues, operating income (loss)
and net loss continue to be adversely impacted by the increase in ratable revenue recognition, while actual and planned operating expenses
continue to increase to support our growth, innovation and scaling of our business. We also expect maintenance revenues associated with
perpetual license contracts to decline in the near term. Over the medium term we expect maintenance revenues associated with perpetual
license contracts to decline annually as part of our transition to a subscription business model. In addition, the shift toward a recurring
revenue business is resulting in an increase in single year payment terms for our customer contracts, which is customary in a subscription
business model, in contrast to upfront payments for multi-year maintenance contracts and upfront payments for perpetual licenses we experienced
in the perpetual license model. Lastly, the duration of our contract length for our self-hosted subscriptions also impacts the amount
of recognized revenue in a period. These dynamics are having an adverse impact on our profitability and net cash provided by operating
activities in the near term. Over the long term, we expect the subscription model to result in higher visibility, stronger durability
of our business and the return to profitability and strong cash flow. The subscription business model is directly aligned with the broad
market trends related to digital transformation and cloud migration as well as our Identity Security strategy.
As we move forward with the transition,
we are focusing on the following metrics to evaluate the health of our business:
| |
|
Year ended December 31, |
|
| |
|
2020 |
|
|
2021 |
|
|
2022 |
|
| |
|
($ in millions) |
|
|
Total ARR (as of period-end) |
|
$ |
274 |
|
|
$ |
393 |
|
|
$ |
570 |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
Subscription Portion of Annual Recurring Revenue (as of period-end) |
|
$ |
74 |
|
|
$ |
183 |
|
|
$ |
364 |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
Recurring revenues |
|
$ |
247 |
|
|
$ |
349 |
|
|
$ |
498 |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
Deferred revenue (as of period-end) |
|
$ |
243 |
|
|
$ |
317 |
|
|
$ |
408 |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
RPO (as of period-end)
|
|
$ |
363 |
|
|
$ |
516 |
|
|
$ |
713 |
|
ARR.
Annual Recurring Revenue (ARR) is a performance indicator that provides more visibility into
the growth of our recurring business in the upcoming year. ARR is defined as the annualized value of active SaaS, self-hosted subscriptions
and maintenance contracts in effect at the end of the reported period. ARR should be viewed independently of revenues and total deferred
revenue as it is an operating measure and is not intended to be combined with or to replace either of those measures. ARR provides management
with more visibility into our revenue stream for the upcoming year. This visibility allows us to make informed decisions about our capital
allocation and level of investment.
Subscription
Portion of Annual Recurring Revenue. Subscription portion
of ARR is a performance indicator that provides more visibility into the
area of the business that will drive the long-term growth of our recurring business. Subscription portion of ARR is defined
as the annualized value of active SaaS and self-hosted subscription contracts in effect at the end of the reported period. The subscription
portion of ARR excludes maintenance contracts related to perpetual licenses. Subscription portion of ARR should be viewed independently
of revenues and total deferred revenue as it is an operating measure and is not intended to be combined with or to replace either of those
measures. Subscription portion of ARR provides management with more visibility into our revenue stream for the upcoming year. This visibility
allows us to make informed decisions about our capital allocation and level of investment.
Recurring
Revenue. Recurring revenue refers to the portion of our total revenue
that includes our SaaS subscriptions, self-hosted subscriptions and recurring maintenance revenues related to our perpetual license contracts.
Management monitors the growth of our recurring revenue to evaluate the health of our business.
Recurring revenue also provides enhanced visibility and predictability of future revenues.
Total
Deferred Revenue. Our total deferred revenue consists of maintenance and
support and professional services that have been invoiced and collected but that have not yet been recognized as revenues because they
do not meet the applicable criteria, and of self-hosted and SaaS subscription contracts, where there are unconditional rights for a consideration,
that have been invoiced but have not yet been recognized. In 2022, an increasing percentage of our total deferred revenue and the substantial
portion of our total deferred revenue growth was related to SaaS contracts that have not been recognized. Management monitors our
total deferred revenue because it represents a significant portion of revenues to be recognized in future periods. The material factors
driving changes in our license revenues are discussed under “—Comparison of Period to Period Results of Operations.”
Remaining
Performance Obligations. Remaining performance obligations (RPO) represent
non-cancelable contracts that have not yet been recognized, which includes deferred revenues and amounts not yet received that will be
recognized as revenue in future periods. Management monitors the value of RPO to provide visibility into near term and multi-year
revenue streams. This visibility allows us to make informed decisions about our capital allocations and level of investment.
For a discussion of our results of operations
for the year ended December 31, 2020, including a year-to-year comparison between 2021 and 2020, refer to Item 5. “Operating and
Financial Review and Prospects” in our annual report on Form 20-F for the fiscal year ended December 31, 2021 filed with the SEC
on March 10, 2022.
Components of Statements of Operations
Revenues
Our revenues consist of the following:
o Subscription
Revenues. Subscription revenues include SaaS and self-hosted subscription revenues, as well as maintenance and support services
associated with self-hosted subscriptions. Subscription revenues are generated primarily from sales of our Privileged Access Manager (Privilege
Cloud and self-hosted), Endpoint Privilege Manager, Conjur Secrets Manager Enterprise and Credential Providers, Vendor Privileged Access
Manager and Workforce Identity solutions. We are seeing an increasing percentage of our business coming from our SaaS solutions, which
have ratable revenue recognition, increasing our total deferred revenue that will be recognized over time. Our SaaS and self-hosted subscriptions
are becoming a larger percentage of our total revenues, and we expect our subscription revenues to continue to grow in the near and long
term. Privileged Access Manager and Workforce Identity are both licensed per user. Endpoint Privilege Manager is licensed by target
system (workstations and servers). Conjur Secrets Manager Enterprise and Credential Providers have two different licensing approaches
based on the types of applications being secured. The first is licensed by agent for mission-critical and static applications, and the
second is licensed by site/region and number of clusters for more dynamic cloud native applications and DevOps pipelines.
o Perpetual
License Revenues. Perpetual license revenues are generated primarily from sales of our Privileged Access Manager. We are seeing
a decreasing percentage of our business coming from perpetual licenses, which have upfront revenue recognition. We expect revenues from
perpetual licenses to continue to decrease as we continue to operate as a subscription company.
o Maintenance
and Professional Services Revenues. Maintenance revenues are generated from maintenance and support contracts purchased by our
customers who purchase perpetual licenses in order to gain access to the latest software enhancements and updates on an if-and-when available
basis and to telephone and email technical support. With the continued decline of new perpetual licenses and related new maintenance contracts,
we are expecting our total maintenance revenues to begin to decline in the near term, and we expect total maintenance revenues will continue
to decline in absolute dollars over the long term, as we continue to sell more new subscriptions and fewer new perpetual licenses. We
also offer professional services for consulting, deployment and training of our customers to fully leverage the use of our products.
Geographic Breakdown of
Revenues
The United States is our biggest market,
with the balance of our revenues generated from the EMEA region and the rest of the world, which includes Canada, Central and South America,
and the Asia Pacific and Japan region. The following table sets forth the geographic breakdown of our revenues by region for the periods
indicated:
| |
|
Year
ended December 31,
|
|
| |
|
2020 |
|
|
2021 |
|
|
2022 |
|
| |
|
Amount |
|
|
% of Revenues |
|
|
Amount |
|
|
% of Revenues |
|
|
Amount |
|
|
% of Revenues |
|
| |
|
|
|
|
|
($ in thousands) |
|
|
|
|
|
United States |
|
$ |
246,811 |
|
|
|
53.1 |
% |
|
$ |
253,811 |
|
|
|
50.5 |
% |
|
$ |
312,816 |
|
|
|
52.9 |
% |
|
EMEA |
|
|
141,866 |
|
|
|
30.6 |
|
|
|
163,328 |
|
|
|
32.5 |
|
|
|
178,344 |
|
|
|
30.1 |
|
|
Rest of World |
|
|
75,754 |
|
|
|
16.3 |
|
|
|
85,778 |
|
|
|
17.0 |
|
|
|
100,550 |
|
|
|
17.0 |
|
|
Total revenues |
|
$ |
464,431 |
|
|
|
100.0 |
% |
|
$ |
502,917 |
|
|
|
100.0 |
% |
|
$ |
591,710 |
|
|
|
100.0 |
% |
Cost of Revenues
Our total cost of revenues consists of the following:
| o |
Cost of Subscription Revenues. Cost of
subscription revenues consists primarily of cloud infrastructure costs, personnel costs associated with our global cloud organization
(that consist primarily of salaries, benefits, bonuses and share-based compensation), amortization of intangible assets and depreciation
of internal use software capitalization. As we shift more of our sales to SaaS and self-hosted subscription offerings, we expect the absolute
cost of subscription revenues to increase. |
| o |
Cost of Perpetual License Revenues. Cost of perpetual license revenues
consists primarily of appliance expenses and allocated personnel costs to support delivery and operations related to perpetual licenses.
Personnel costs consist primarily of salaries, benefits, bonuses and share-based compensation. As we shift more of our sales to SaaS and
self-hosted subscription contracts, we expect the absolute cost of perpetual license revenues and the cost of perpetual license revenues
as a percentage of total revenues to decrease. |
| o |
Cost of Maintenance
and Professional Services Revenues. Cost of maintenance related to perpetual
license contracts and professional services revenues primarily consists of allocated personnel costs for our global customer support and
professional services organization. Such costs consist primarily of salaries, benefits, bonuses, share-based compensation and subcontractors’
fees. We expect the absolute cost of maintenance and professional services revenues to increase as our customer base grows and as we hire
additional professional services and technical support personnel. |
Gross Profit and Gross
Margin
Gross profit is total revenues less total cost of revenues. Gross
margin is gross profit expressed as a percentage of total revenues. Our gross margin has historically fluctuated from period to period
as a result of changes in the mix of license revenues and maintenance and professional services revenues. Since costs of subscription
revenues as a percent of subscription revenues are higher than costs of perpetual licenses as a percent of perpetual revenues, as we continue
to operate as a subscription company with an increasing mix of subscription revenues and more investments in our cloud infrastructure,
our gross margin may decline.
Operating Expenses
Our operating expenses are classified into three categories:
research and development, sales and marketing and general and administrative. For each category, the largest component is personnel costs,
which consists primarily of salaries, employee benefits (including commissions and bonuses) and share-based compensation expense. Operating
expenses also include software and related expenses and allocated overhead costs for facilities and office expenses as well as depreciation
and amortization. Allocated costs for facilities and office expenses primarily consist of rent, office maintenance and utilities and office
supplies. We expect personnel and all allocated costs to continue to increase in absolute dollars as we hire new employees and add facilities
to continue to grow our business.
Research
and Development. Research and development expenses consist primarily of
personnel costs attributable to our research and development personnel, consultants and contractors, cloud infrastructure, software and
related expenses and allocated overhead costs. We continue to expect that our research and development expenses will continue to increase
in absolute dollars as we continue to grow our research and development headcount to further strengthen our technology platform and invest
in the development of both existing and new solutions, products and services.
Sales
and Marketing. Sales and marketing expenses are the largest component of
our operating expenses and consist primarily of personnel costs, including commission, as well as marketing programs and business development
costs, software and related expenses, travel expenses and allocated overhead costs. We expect that sales and marketing expenses will continue
to increase in absolute dollars as we plan to expand our sales and marketing efforts globally. We continue to expect sales and marketing
expenses will remain our largest category of operating expenses.
General
and Administrative. General and administrative expenses consist primarily
of personnel costs for our executive, finance, human resources, legal and administrative personnel. General and administrative expenses
also include insurance premiums and external legal, audit, accounting and other professional service fees. We continue to expect that
general and administrative expense will increase in dollars as we grow and expand our operations.
Financial Income (Expense),
Net
Financial income (expense), net consists of mainly interest income,
foreign currency exchange gains or losses, foreign exchange forward transactions expenses and amortization of debt discount and issuance
costs. Interest income consists of interest earned on our cash, cash equivalents, short and long-term bank deposits and marketable securities.
We expect interest income to vary depending on our average investment balances and market interest rates during each reporting period.
Foreign currency exchange changes reflect gains or losses related to transactions denominated in currencies other than the U.S. dollar.
Tax benefit (taxes on
income)
Tax benefit (taxes on income) consists of taxes related to our
activity in Israel, the United States, and numerous other foreign jurisdictions in which we conduct business.
The ordinary corporate tax rate in Israel is 23.0%.
As discussed in greater detail below under “Israeli Tax
Considerations and Government Programs”, we have been entitled to various tax benefits under the Investment Law. Under the Investment
Law, our tax rate to be paid with respect to our eligible Israeli taxable income under these benefits programs is generally 12.0%.
Under the Investment Law and other Israeli legislation, we are
entitled to certain additional tax benefits, including accelerated deduction of research and development expenses, accelerated depreciation
and amortization rates for tax purposes on certain intangible assets and deduction of public offering expenses in three equal annual installments.
Our non-Israeli subsidiaries are taxed according to the tax laws
in their respective jurisdictions of tax residency. Due to our multi-jurisdictional operations, we apply significant judgment to determine
our consolidated income tax position.
For a reconciliation of our Tax benefit (taxes on income) to
the theoretical income tax benefit according to Israeli statutory rate of 23% and for further explanation of our provision for income
taxes, refer to Note 13 to our consolidated financial statements included in Item 18 of this annual report.
Comparison of Period to Period Results of
Operations
The following table sets forth our results of operations in dollars
and as a percentage of revenues for the periods indicated:
| |
|
Year ended December 31, |
|
| |
|
2020 |
|
|
2021 |
|
|
2022 |
|
| |
|
Amount |
|
|
% of
Revenues |
|
|
Amount |
|
|
% of
Revenues |
|
|
Amount |
|
|
% of
Revenues |
|
| |
|
($ in thousands) |
|
|
Revenues: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Subscription |
|
$ |
56,425 |
|
|
|
12.1 |
% |
|
$ |
134,628 |
|
|
|
26.8 |
% |
|
$ |
280,649 |
|
|
|
47.4 |
% |
|
Perpetual license
|
|
|
176,061 |
|
|
|
37.9 |
|
|
|
115,738 |
|
|
|
23.0 |
|
|
|
49,964 |
|
|
|
8.5 |
|
|
Maintenance and professional services |
|
|
231,945 |
|
|
|
50.0 |
|
|
|
252,551 |
|
|
|
50.2 |
|
|
|
261,097 |
|
|
|
44.1 |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Total revenues |
|
|
464,431 |
|
|
|
100.0 |
|
|
|
502,917 |
|
|
|
100.0 |
|
|
|
591,710 |
|
|
|
100.0 |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Cost of revenues: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Subscription |
|
|
17,513 |
|
|
|
3.8 |
|
|
|
25,837 |
|
|
|
5.2 |
|
|
|
46,249 |
|
|
|
7.8 |
|
|
Perpetual license
|
|
|
4,925 |
|
|
|
1.1 |
|
|
|
3,904 |
|
|
|
0.8 |
|
|
|
2,893 |
|
|
|
0.5 |
|
|
Maintenance and professional services |
|
|
60,133 |
|
|
|
12.9 |
|
|
|
63,566 |
|
|
|
12.6 |
|
|
|
76,904 |
|
|
|
13.0 |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Total cost of revenues
|
|
|
82,571 |
|
|
|
17.8 |
|
|
|
93,307 |
|
|
|
18.6 |
|
|
|
126,046 |
|
|
|
21.3 |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Gross profit |
|
|
381,860 |
|
|
|
82.2 |
|
|
|
409,610 |
|
|
|
81.4 |
|
|
|
465,664 |
|
|
|
78.7 |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Operating expenses: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Research and development
|
|
|
95,426 |
|
|
|
20.5 |
|
|
|
142,121 |
|
|
|
28.2 |
|
|
|
190,321 |
|
|
|
32.2 |
|
|
Sales and marketing
|
|
|
219,999 |
|
|
|
47.4 |
|
|
|
274,401 |
|
|
|
54.6 |
|
|
|
345,273 |
|
|
|
58.4 |
|
|
General and administrative
|
|
|
60,429 |
|
|
|
13.0 |
|
|
|
71,425 |
|
|
|
14. 2 |
|
|
|
82,520 |
|
|
|
13.9 |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Total operating expenses
|
|
|
375,854 |
|
|
|
80.9 |
|
|
|
487,947 |
|
|
|
97. 0 |
|
|
|
618,114 |
|
|
|
104.5 |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Operating income (loss)
|
|
|
6,006 |
|
|
|
1.3 |
|
|
|
(78,337 |
) |
|
|
(15.6 |
) |
|
|
(152,450 |
) |
|
|
(25.8 |
) |
|
Financial income (expense), net
|
|
|
(6,395 |
)
|
|
|
(1.4 |
) |
|
|
(12,992 |
)
|
|
|
(2.6 |
) |
|
|
15,432 |
|
|
|
2.6 |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Loss before taxes on income
|
|
|
(389 |
) |
|
|
(0.1 |
) |
|
|
(91,329 |
) |
|
|
(18.2 |
) |
|
|
(137,018 |
) |
|
|
(23.2 |
) |
|
Tax benefit (taxes on income)
|
|
|
(5,369 |
) |
|
|
(1.2 |
) |
|
|
7,383 |
|
|
|
1.5 |
|
|
|
6,650 |
|
|
|
1.1 |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Net loss |
|
$ |
(5,758 |
)
|
|
|
(1.2 |
)% |
|
$ |
(83,946 |
)
|
|
|
(16.7 |
)% |
|
$ |
(130,368 |
)
|
|
|
(22.0 |
)% |
As of the first quarter of 2021, we revised
the presentation of our lines of revenue and cost of revenue. We believe that the revised categories for revenue and cost of revenue as
presented in the income statement align with how management evaluates the business and the shift toward recurring revenue.
Year Ended December 31,
2021 Compared to Year Ended December 31, 2022
Revenues
| |
|
Year ended December 31, |
|
| |
|
2021 |
|
|
2022 |
|
|
Change |
|
| |
|
Amount |
|
|
% of
Revenues |
|
|
Amount |
|
|
% of
Revenues |
|
|
Amount |
|
|
% |
|
| |
|
($ in thousands) |
|
|
Revenues: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Subscription
|
|
$ |
134,628 |
|
|
|
26.8 |
% |
|
$ |
280,649 |
|
|
|
47.4 |
% |
|
$ |
146,021 |
|
|
|
108.5 |
% |
|
Perpetual license
|
|
|
115,738 |
|
|
|
23.0 |
|
|
|
49,964 |
|
|
|
8.4 |
|
|
|
(65,774 |
) |
|
|
(56.8 |
) |
|
Maintenance and professional services |
|
|
252,551 |
|
|
|
50.2 |
|
|
|
261,097 |
|
|
|
44.1 |
|
|
|
8,546 |
|
|
|
3.4 |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Total revenues
|
|
$ |
502,917 |
|
|
|
100.0 |
% |
|
$ |
591,710 |
|
|
|
100.0 |
% |
|
$ |
88,793 |
|
|
|
17.7 |
% |
Revenues increased by $88.8 million, or 17.7%, from $502.9 million
in 2021 to $591.7 million in 2022. This increase was primarily due to increased subscription sales. The largest increase in revenue
occurred in United States, where revenues increased by $59.0 million, while the increase in EMEA and the rest of the world was $15.0 million
and $14.8 million, respectively. We increased our number of customers from approximately 7,500 as of December 31, 2021 to more than
8,000 as of December 31, 2022.
Subscription revenues increased by $146.0 million, or 108.5%,
from $134.6 million in 2021 to $280.6 million in 2022 as we increased the mix of our subscription sales.
Perpetual license revenues declined by $65.8 million, or 56.8%,
from $115.7 million in 2021 to $50.0 million in 2022. The decline in perpetual license revenue is due to our transition from selling perpetual
licenses to selling SaaS and self-hosted subscription licenses.
Maintenance
and professional services revenues increased by $8.6 million, or 3.4%, from $252.6 million in 2021 to $261.1 million in
2022. Maintenance revenues increased by $3.7 million from $214.0 million in 2021 to $217.7 million in 2022, with renewals
increasing by approximately $22.5 million, partially offset by a decrease in initial maintenance contracts of approximately $18.8
million. Professional services revenues increased by $4.9 million from $38.5 million in 2021 to $43.4 million in 2022.
Cost of Revenues and Gross
Profit
| |
|
Year ended December 31, |
|
| |
|
2021 |
|
|
2022 |
|
|
Change |
|
| |
|
Amount |
|
|
% of
Revenues |
|
|
Amount |
|
|
% of
Revenues |
|
|
Amount |
|
|
% |
|
| |
|
($ in thousands) |
|
|
Cost of revenues: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Subscription
|
|
$ |
25,837 |
|
|
|
5.2 |
% |
|
$ |
46,249 |
|
|
|
7.8 |
% |
|
$ |
20,412 |
|
|
|
79.0 |
% |
|
Perpetual license
|
|
|
3,904 |
|
|
|
0.8 |
|
|
|
2,893 |
|
|
|
0.5 |
|
|
|
(1,011 |
) |
|
|
(25.9 |
)% |
|
Maintenance and professional services |
|
|
63,566 |
|
|
|
12.6 |
|
|
|
76,904 |
|
|
|
13.0 |
|
|
|
13,338 |
|
|
|
21.0 |
% |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Total cost of revenues
|
|
$ |
93,307 |
|
|
|
18.6 |
% |
|
$ |
126,046 |
|
|
|
21.3 |
% |
|
$ |
32,739 |
|
|
|
35.1 |
% |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Gross profit
|
|
$ |
409,610 |
|
|
|
81.4 |
% |
|
$ |
465,664 |
|
|
|
78.7 |
% |
|
$ |
56,054 |
|
|
|
13.7 |
% |
Cost of subscription revenues increased by $20.4 million, or
79%, from $25.8 million in 2021 to $46.2 million in 2022. The increase in cost of subscription revenues was primarily driven
by an $8.9 million increase in personnel costs and related expenses, an $8.0 million increase in cloud infrastructure costs to support
the growth in our SaaS subscription revenues, a $1.4 million increase in amortization of intangible assets, a $0.7 million increase in
the use of third party consultants for services rendered and a $0.6 million increase in amortization of capitalized software costs.
Cost of perpetual license revenues decreased by $1.0 million,
or 25.9%, from $3.9 million in 2021 to $2.9 million in 2022. The decrease in cost of perpetual license revenues was primarily
driven by a $0.6 million decrease in personnel costs and related expenses and a $0.5 million decrease in amortization of intangible assets.
Cost of maintenance and professional services revenues increased
by $13.3 million, or 21%, from $63.6 million in 2021 to $76.9 million in 2022. The increase in cost of maintenance and
professional services revenues was driven primarily by an $11.4 million increase in personnel costs and related expenses, a $1.2
million increase in software and cloud infrastructure costs and a $0.5 million increase in travel costs.
Our headcount related to cost of revenues grew from 381 at
the end of 2021 to 493 at the end of 2022.
Gross profit increased by approximately $56 million, or
13.7%, from $409.6 million in 2021 to $465.7 million in 2022. Gross margins decreased from 81.4% in 2021 to 78.7% in 2022. This
was driven by the increase in SaaS sales which have incremental costs related to cloud infrastructure and, as a result, a lower margin
contribution.
Operating Expenses
| |
|
Year ended December 31, |
|
| |
|
2021 |
|
|
2022 |
|
|
Change |
|
| |
|
Amount |
|
|
% of
Revenues |
|
|
Amount |
|
|
% of
Revenues |
|
|
Amount |
|
|
% |
|
| |
|
($ in thousands) |
|
|
Operating expenses: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Research and development
|
|
$ |
142,121 |
|
|
|
28.2 |
% |
|
$ |
190,321 |
|
|
|
32.2 |
% |
|
$ |
48,200 |
|
|
|
33.9 |
% |
|
Sales and marketing
|
|
|
274,401 |
|
|
|
54.6 |
|
|
|
345,273 |
|
|
|
58.4 |
|
|
|
70,872 |
|
|
|
25.8 |
|
|
General and administrative
|
|
|
71,425 |
|
|
|
14.2 |
|
|
|
82,520 |
|
|
|
13.9 |
|
|
|
11,095 |
|
|
|
15.5 |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Total operating expenses
|
|
$ |
487,947 |
|
|
|
97.0 |
% |
|
$ |
618,114 |
|
|
|
104.5 |
% |
|
$ |
130,167 |
|
|
|
26.7 |
% |
Research
and Development. Research and development expenses increased by $48.2 million,
or 33.9%, from $142.1 million in 2021 to $190.3 million in 2022. This increase was primarily attributable to a $37.6 million
increase in personnel costs and related expenses, as we increased our research and development team headcount from 643 at the end of 2021
to 901 at the end of 2022 to support continued investment in our existing and future product and service offerings. The increase was also
attributable to a $9.8 million increase in expenses related to consultants and contractors and a $2.1 million increase in cloud infrastructure
expenses.
Sales
and Marketing. Sales and marketing expenses increased by $70.9 million,
or 25.8%, from $274.4 million in 2021 to $345.3 million in 2022. This increase was primarily attributable to a $52.0 million
increase in personnel costs and related expenses due to increased headcount in all regions to expand our sales and marketing organization.
The increase was also attributable to a $6.9 million increase in marketing programs expenses, a $5.7 million increase in travel expenses
due to the easing of COVID-19 travel restrictions, a $2.9 million increase in software and related expenses, a $1.8 million increase in
facilities and depreciation overhead costs and a $0.7 million increase in consulting expenses. Our sales and marketing headcount grew
from 941 at the end of 2021 to 1,157 at the end of 2022.
General
and Administrative. General and administrative expenses increased by $11.1 million,
or 15.5%, from $71.4 million in 2021 to $82.5 million in 2022. This increase was primarily attributable to an increase of $8.9 million
in personnel costs and related expenses due to increased headcount, a $1.3 million increase in services fees for external legal counsel,
accounting and patent administration and a $0.6 million increase in travel costs. Our general and administrative headcount grew from 175
at the end of 2021 to 217 at the end of 2022.
Financial
Income (Expense), Net. Financial income (expense), net changed from financial
expense of $13.0 million in 2021 to financial income of $15.4 million in 2022. This change resulted primarily from a decrease of $14.8
million in non-cash interest expense related to the amortization of debt discount and issuance costs due to adjustments from adoption
of ASU 2020-06, an increase of $11.6 million in interest income from investments in marketable securities and short-term and long-term
bank deposits due to a higher interest rate environment in 2022 compared to 2021 and a $2.1 million decrease in financial expenses from
foreign currency exchange differences.
Tax
benefit. Tax benefit decreased by $0.7 million, or 9.9%, from $7.4 million
in 2021 to $6.7 million in 2022. This decrease was mainly attributed to an increase in tax expenses related to share-based compensation,
partially offset by an increase in our loss before taxes on income.
|
B. |
Liquidity and Capital Resources |
We fund our operations with cash generated from operating activities.
We have also raised capital through issuing convertible senior notes, the sale of equity securities in public offerings and, to a lesser
extent, through exercised options. Our primary current uses of our cash are ongoing operating expenses and capital expenditures.
As of December 31, 2021 and 2022, our principal sources
of liquidity were cash, cash equivalents, bank deposits and marketable securities of $1.2 billion. We believe that our cash generated
from operating activities, along with existing cash, cash equivalents, marketable securities and bank deposits will be sufficient to fund
our working capital and capital expenditures for at least the next 12 months and for the foreseeable future. Our future capital requirements
will depend on many factors, including our revenue growth rate, the expansion of our sales and marketing activities, the timing and extent
of spending to support product development efforts and expansion into new geographic locations, the timing of introductions of new products
and enhancements to existing products and the continuing market acceptance of our offerings.
The following table presents the major components of net cash
flows for the periods presented:
| |
|
Year Ended December 31, |
|
| |
|
2021 |
|
|
2022 |
|
| |
|
($ in thousands) |
|
|
Net cash provided by operating activities
|
|
$ |
74,740 |
|
|
$ |
49,708 |
|
|
Net cash used in investing activities
|
|
|
(228,194 |
) |
|
|
(68,392 |
) |
|
Net cash provided by financing activities
|
|
|
10,949 |
|
|
|
12,225 |
|
A substantial source of our net cash provided by operating activities
is our deferred revenue, which is included on our consolidated balance sheet as a liability. Our deferred revenue consists of maintenance
and support and professional services that have been invoiced and collected but that have not yet been recognized as revenues and of self-hosted
subscriptions and SaaS contracts that have been invoiced but not yet recognized. We assess our liquidity, in part, through an analysis
of our short-term and long-term deferred revenue that has not yet been recognized as revenues together with our other sources of liquidity.
Revenues from SaaS contracts and maintenance and support contracts are recognized ratably on a straight-line basis over the term of the
related contract which is typically one year or three years, and revenues from professional services are recognized as services are performed.
Thus, upfront payments add to the liquidity of our operations since we frequently recognize self-hosted subscription, SaaS, maintenance
and support and professional services revenues and expenses in subsequent periods to when the payments may be received. The duration of
our contracts also impacts our deferred revenue. In 2022, we began to proactively shift our maintenance contracts related to perpetual
licenses to one year terms and late in the year we experienced a shortening of duration for some larger contracts for self-hosted subscription.
We expect this shorter duration to impact our net cash provided by operating activities in the short term.
Net Cash Provided by Operating
Activities
Our cash flows reflect our net loss coupled with changes in our
non-cash working capital.
During the year ended December 31, 2022, operating activities
provided $49.7 million in cash as a result of $130.4 million of net loss, adjusted by $120.8 million of non-cash charges related to share-based
compensation expense, $16.2 million related to depreciation and amortization expenses, $3.0 million in non-cash interest expense related
to the amortization of debt discount and issuance costs and a net change of $109.1 million in non-cash working capital, partially offset
by a $15.6 million increase in deferred tax assets and a $53.4 million net change from other long-term assets and liabilities.
The change of $109.1 million in non-cash working capital was
due to a $97.0 million increase in short-term deferred revenue, an increase of $0.7 million in employees and payroll accruals, an increase
of $4.1 million in trade payables, an $8.8 million net change from other current assets and a decrease of $6.1 million in other current
liabilities, partially offset by an increase of $7.6 million in trade receivables.
During the year ended December 31, 2021, operating activities
provided $74.7 million in cash as a result of $83.9 million of net loss, adjusted by $95.4 million of non-cash charges related to share-based
compensation expense, $14.2 million related to depreciation and amortization expenses, $17.8 million in non-cash interest expense related
to the amortization of debt discount and issuance costs and a net change of $72.1 million in non-cash working capital, partially offset
by a $12.0 million increase in deferred tax assets and a $28.9 million net change from other long-term assets and liabilities.
The change of $72.1 million in non-cash working capital was due
to a $69.2 million increase in short-term deferred revenue, an increase of $23.8 million in employees and payroll accruals and an increase
of $1.5 million in trade payables, partially offset by an increase of $20.1 million in trade receivables and a decrease of $2.3 million
in other current liabilities.
During the years ended December 31, 2021 and 2022, our days’
sales outstanding, (“DSO”), was 84 days and 75 days, respectively.
Net Cash Used in Investing
Activities
Investing activities have consisted of investment in, and proceeds
from, short-term and long-term deposits, investment in, and proceeds from sales and maturities of marketable securities, payments for
business acquisitions and purchases of property and equipment.
Net cash used in investing activities was $228.2 million and
$68.4 million for the years ended December 31, 2021 and 2022, respectively.
The decrease of $159.8 million in net cash used in investing
activities in 2022 was due to a net decrease of $204.7 million in investments in short and long-term deposits and marketable securities,
partially offset by an increase of $41.3 million in payments for business acquisitions, net of cash acquired, and an increase of $3.6
million in capital expenditures.
The decrease of $184.2 million in net cash used in investing
activities in 2021 was due to a net decrease of $117.3 million in investments in short and long-term deposits and marketable securities,
and a decrease of $68.6 million in payments for business acquisitions, net of cash acquired, partially offset by an increase of $1.7 million
in capital expenditures.
Net Cash Provided by Financing
Activities
Our financing activities have consisted of proceeds from shares
issued in connection with our ESPP, proceeds from the exercise of share options, payments of contingent consideration related to acquisitions
and payments of withholding tax related to employee share plans.
Net cash provided by financing activities was $10.9 million and
$12.2 million for the years ended December 31, 2021 and 2022, respectively.
The increase of $1.3 million in net cash provided by financing
activities in 2022 was due to an increase of $15.1 million in proceeds from shares issued in connection with employee stock purchase plan,
partially offset by a net decrease of $9.1 million in proceeds from exercise of stock options, and an increase of $4.7 million in payments
of contingent consideration related to acquisitions.
Our Material Contractual
Obligations
The following table summarizes our contractual obligations as
of December 31, 2022:
| |
|
Total |
|
|
Less
than 1 year
|
|
|
1 – 3 years |
|
|
3 –
5 years |
|
|
More than 5 years |
|
|
($ in thousands) |
|
|
|
|
|
|
| |
|
|
|
|
|
|
|
Operating lease obligations(1) |
|
$ |
39,299 |
|
|
$ |
7,691 |
|
|
$ |
14,047 |
|
|
$ |
10,891 |
|
|
$ |
6,670 |
|
|
Uncertain tax obligations(2) |
|
|
2,805 |
|
|
|
— |
|
|
|
— |
|
|
|
— |
|
|
|
— |
|
|
Severance pay(3) |
|
|
7,769 |
|
|
|
— |
|
|
|
— |
|
|
|
— |
|
|
|
— |
|
|
0.00% Convertible Senior Notes due 2024(4) |
|
|
575,000 |
|
|
|
— |
|
|
|
575,000 |
|
|
|
— |
|
|
|
— |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Total |
|
$ |
624,873 |
|
|
$ |
7,691 |
|
|
$ |
589,047 |
|
|
$ |
10,891 |
|
|
$ |
6,670 |
|
(1) Operating lease obligations consist of our contractual rental
expenses under operating leases of facilities and certain motor vehicles.
(2) Consists of accruals for certain income tax positions under
ASC 740 that are paid upon settlement, and for which we are unable to reasonably estimate the ultimate amount and timing of settlement.
See Note 13(k) to our consolidated financial statements included elsewhere in this annual report for further information regarding
our liability under ASC 740. Payment of these obligations would result from settlements with tax authorities. Due to the difficulty in
determining the timing of resolution of audits, these obligations are only presented in their total amount.
(3) Severance pay relates to accrued severance obligations mainly
to our Israeli employees as required under Israeli labor laws. These obligations are payable only upon the termination, retirement or
death of the respective employee and may be reduced if the employee’s termination is voluntary. These obligations are partially
funded through accounts maintained with financial institutions and recognized as an asset on our balance sheet. As of December 31, 2022,
$2.9 million is unfunded. See Note 2(l) to our consolidated financial statements included elsewhere in this annual report for further
information.
(4) For additional information, see Note 11 to our consolidated
financial statements included elsewhere in this annual report.
Additionally, we entered into non-cancelable material agreements
for the receipt of cloud infrastructure services and subscription-based cloud services, effective as of April 2021 through October 2025.
As of December 31, 2022, our outstanding contractual commitment is $22.4 million due in the next 12 months and $11.0
million due thereafter.
|
C. |
Research and Development, Patents and Licenses, etc. |
We conduct our research and development activities primarily
in Israel as well as other locations such as the United States and India. As of December 31, 2022, our research and development department
included 901 employees and contractors. In 2022, research and development costs accounted for 32.2% of our total revenues.
For a description of our research and development policies, see
“Item 4.B. Business Overview—Research and Development.”
For information regarding our patents, see “Item 4.B. Business
Overview—Intellectual Property.”
Other than as disclosed elsewhere in this annual report, we are
not aware of any trends, uncertainties, demands, commitments or events since December 31, 2022, that are reasonably likely to have a material
adverse effect on our net revenue, income, profitability, liquidity or capital resources, or that caused the disclosed financial information
to be not necessarily indicative of future operating results or financial condition.
E.
Critical Accounting Estimates
Our accounting policies and their effect on our financial condition
and results of operations are more fully described in our consolidated financial statements included elsewhere in this annual report.
We have prepared our financial statements in conformity with U.S. GAAP, which requires management to make estimates and assumptions that
in certain circumstances affect the reported amounts of assets and liabilities, revenues and expenses and disclosure of contingent assets
and liabilities. These estimates are prepared using our best judgment, after considering past and current events and economic conditions.
While management believes the factors evaluated provide a meaningful basis for establishing and applying sound accounting policies, management
cannot guarantee that the estimates will always be consistent with actual results. In addition, certain information relied upon by us
in preparing such estimates includes internally generated financial and operating information, external market information, when available,
and when necessary, information obtained from consultations with third parties. Actual results could differ from these estimates and could
have a material adverse effect on our reported results. See “Item 3.D. Risk Factors” for a discussion of the possible risks
which may affect these estimates.
We believe that the accounting policies discussed below are critical
to our financial results and to the understanding of our past and future performance. These accounting policies involve estimates that
have been made in accordance with generally accepted accounting principles that involve a significant level of estimation uncertainty
and have had or are reasonably likely to have a material impact on our financial condition or results of operations.
Revenue Recognition
We primarily generate revenues from providing the right to access
our SaaS solutions and licensing the rights to use our software products, as well as from maintenance and professional services. Subscription
revenues include SaaS and self-hosted subscription contracts. We sell our products through our direct sales force and indirectly through
channel partners.
We recognize revenues in accordance with ASC No. 606 “Revenue
from Contracts with Customers.” As such, we identify a contract with a customer, identify the performance obligations in the contract,
determine the transaction price, allocate the transaction price to each performance obligation in the contract and recognize revenues
when (or as) we satisfy a performance obligation.
We enter into contracts that can include combinations of products
and services, which are generally capable of being distinct and accounted for as separate performance obligations and may include an option
to provide professional services. Perpetual license and self-hosted subscription are distinct as the customer can derive the economic
benefit of the software without any professional services, updates or technical support.
The transaction price is determined based on the consideration
to which we will be entitled in exchange for transferring goods or services to the customer. We do not grant a right of return to our
customers.
We allocate the transaction price to each performance obligation
based on its relative standalone selling price. For maintenance, we determine the standalone selling prices based on the price at which
we separately sell a renewal contract. For professional services, we determine the standalone selling prices based on the prices at which
we separately sell those services. For SaaS, self-hosted subscriptions and perpetual licenses, we determine the standalone selling prices
by making estimations and taking into account available information such as historical selling prices, contract value, geographic location,
and our price list and discount policy.
Our revenues from perpetual licenses and the license portion
of self-hosted subscriptions, are recognized at the point of time when the license is made available for download by the customer. Maintenance
revenue related to our perpetual license contracts and the maintenance component of our self-hosted subscription offering as well as our
SaaS revenues are recognized ratably, on a straight-line basis over the term of the related contract, which is generally one to three
years. Professional services revenues are substantially recognized as the services are performed.
Transaction price allocated to remaining performance obligations
represents non-cancelable contracts that have not yet been recognized, which includes deferred revenues and amounts not yet received that
will be recognized as revenue in future periods.
Deferred Contract Costs
We pay sales commissions primarily to sales and certain management
personnel based on their attainment of certain predetermined sales goals. Sales commissions are considered incremental and recoverable
costs of obtaining a contract with a customer. Sales commissions paid for initial contracts, which are not commensurate with sales commissions
paid for renewal contracts, are capitalized and amortized over an expected period of benefit. We estimate the expected period of benefit
based on assumptions related to our technology, customer contracts and other factors. We have determined the expected period of benefit
to be approximately five years. Amortization expense of these costs are substantially included in sales and marketing expenses.
Share-Based Compensation
We account for share-based compensation in accordance with ASC
No. 718, “Compensation - Stock Compensation” (ASC No. 718). ASC No. 718 requires companies to estimate the fair value of equity-based
payment awards on the date of grant using an option-pricing model. The value of the award is recognized as an expense over the requisite
service periods, which is generally the vesting period of the respective award, on a straight-line basis when the only condition to vesting
is continued service. If vesting is subject to a performance condition, recognition is based on the implicit service period of the award.
Expense for awards with performance conditions is estimated and adjusted on a quarterly basis based upon the assessment of the probability
that the performance condition will be met.
We selected the Black-Scholes-Merton option-pricing model as
the most appropriate fair value method for our option awards and Employee Share Purchase Plan (ESPP). The fair value of restricted share
units (RSUs) and performance share units (PSUs) without market conditions, is based on the closing market value of the underlying shares
at the date of grant. For PSUs subject to market conditions, we use a Monte Carlo simulation model, which utilizes multiple inputs to
estimate payout level and the probability that market conditions will be achieved.
The option-pricing and Monte Carlo models require a number of
assumptions, of which the most significant are the expected share price volatility and the expected option term. We recognize forfeitures
of equity-based awards as they occur.
These estimates involve uncertainties and the application of
judgment. If circumstances are changed and different estimates are used, our expenses could materially differ in the future.
Business combination
We account for our business combinations
using the acquisition method of accounting, which requires, among other things, allocation of the fair value of purchase consideration
to the tangible and intangible assets acquired and liabilities assumed at their estimated fair values on the acquisition date. The excess
of the fair value of purchase consideration over the values of these identifiable assets and liabilities is recorded as goodwill. When
determining the fair value of assets acquired and liabilities assumed, we make estimates and assumptions, especially with respect to intangible
assets. Our estimates of fair value are based upon assumptions believed to be reasonable, but which are inherently uncertain and unpredictable,
and, as a result, actual results may differ from estimates. During the measurement period, not to exceed one year from the date of acquisition,
we may record adjustments to the assets acquired and liabilities assumed, with a corresponding offset to goodwill if new information is
obtained related to facts and circumstances that existed as of the acquisition date. Acquisition costs, such as legal and consulting fees,
are expensed as incurred.
Goodwill and Other Intangible
Assets
Goodwill and certain other purchased intangible assets have been
recorded in our financial statements as a result of acquisitions. In business combinations, in accordance with ASC Topic 805, “Business
Combination,” we allocate the fair value of purchase consideration to the tangible assets acquired, liabilities assumed, and intangible
assets acquired based on their estimated fair values. Such valuations require us to make significant estimates, assumptions, and judgments,
especially with respect to intangible assets. The estimated fair values and useful lives of identifiable intangible assets are based on
many factors, including estimates and assumptions of future operating performance and cash flows of the acquired business, market conditions,
technological developments and specific characteristics of the identified intangible assets. The allocation of the consideration transferred
in certain cases may be subject to revision based on the final determination of fair values during the measurement period, which may be
up to one year from the acquisition date.
Goodwill represents excess of the purchase price in a business
combination over the fair value of identifiable tangible and intangible assets acquired. Goodwill is not amortized, but rather is subject
to an impairment test.
ASC No. 350, “Intangible—Goodwill and Other”
requires goodwill to be tested for impairment at least annually and, in certain circumstances, between annual tests. The accounting guidance
gives the option to perform a qualitative assessment to determine whether further impairment testing is necessary. The qualitative assessment
includes judgement and considers events and circumstances that might indicate that a reporting unit’s fair value is less than its
carrying amount.
For the years ended December 31, 2020, 2021 and 2022, no impairment
losses were identified.
Convertible Senior Notes
For the years ended December 31, 2020 and 2021, we accounted
for our convertible senior notes in accordance with ASC No. 470-20, “Debt
with Conversion and Other Options.” We allocated the principal amount of the convertible senior notes between its liability and
equity component. The liability component at issuance is recognized at fair value, which is based on estimations. The calculation is based
on the fair value of a similar instrument of similar credit rating and maturity that does not have a conversion feature. The equity component
is based on the excess of the principal amount of the convertible senior notes over the fair value of the liability component and is recorded
in additional paid-in capital. We allocated the total issuance costs incurred to the liability and equity components of the convertible
senior notes based on the same proportions as the proceeds from the notes.
Issuance costs attributable to the liability are netted against
the principal balance and are amortized to interest expense using the effective interest method over the contractual term of the notes.
The effective interest rate of the liability component of the notes is 3.50%. The effective interest rate calculation was based on estimations
and assumptions related to economic and market factors.
Issuance costs attributable to the equity component are netted
with the equity component in additional paid-in capital.
On January 1, 2022, we adopted ASU 2020-06, “Debt - Debt
with Conversion and Other Options (subtopic 470-20) and Derivatives and Hedging - Contracts in Entity’s Own Equity (subtopic 815-40),"
using the modified retrospective method. As a result, the convertible notes' previously recognized equity component was combined with
the liability component, and the convertible notes will be accounted for as a single unit of account.
Legal Contingencies
From time to time we may be subject to legal proceedings and
claims arising in the ordinary course of our business. Such matters are subject to many uncertainties and outcomes are not predictable
with assurance. We accrue for contingencies when the loss is probable and we can reasonably estimate the amount of any such loss. In determining
the probability of a loss and consequently determining a reasonable estimate, we are required to use significant judgment. We are currently
not a party to any material litigation and are not aware of any pending or threatened material legal or administrative proceedings against
us. Regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management
resources and other factors.
Income Taxes
We calculate income tax provisions based on our results in each
jurisdiction in which we operate. The calculation is based on estimated tax consequences and on assumptions as to our entitlement to various
benefits under the applicable local tax laws.
Significant judgment is required in evaluating our uncertain
tax positions. We establish reserves for uncertain tax positions based on the evaluation of whether or not our uncertain tax position
is “more likely than not” to be sustained upon examination based on our technical merits. We record estimated interest and
penalties pertaining to our uncertain tax positions in the financial statements as income tax expense.
Deferred tax assets are recognized for unused tax losses, unused
tax credits, and deductible temporary differences to the extent that it is probable that future taxable profits will be available, against
which they can be used. Deferred taxes for each jurisdiction are presented as a net asset or liability, net of any valuation allowances.
We estimate the need for any valuation allowance by applying significant judgment and considering all available evidence including past
results and future projections. We reassess our estimates periodically and record a partial or full valuation allowance release if needed.
We cannot assure that future final tax outcomes will not be different
than our tax provisions and reserves for uncertain tax positions. To the extent that the final tax outcome of these matters is different
than the amounts recorded, such differences will impact the provision for income taxes in the period in which such determination is made.
Israeli Tax Considerations and Government
Programs
The following is a brief summary of the material Israeli tax
laws applicable to us, and certain Israeli Government programs that benefit us. To the extent that the discussion is based on new tax
legislation that has not yet been subject to substantive judicial or administrative interpretation, we cannot provide assurance that the
appropriate tax authorities or the courts will accept the views expressed in this discussion. The discussion below is subject to change,
including due to amendments under Israeli law or changes to the applicable judicial or administrative interpretations of Israeli law,
which could affect the tax consequences described below.
General Corporate Tax
Structure in Israel
Ordinary taxable income is subject to a corporate tax rate of
23% as of 2018. However, the effective tax rate payable by a company that derives income from an Approved Enterprise, a Benefited Enterprise,
a Preferred Enterprise or a Preferred Technology Enterprise (as discussed below) may be considerably lower. Capital gains derived by an
Israeli company are generally subject to tax at the prevailing ordinary corporate tax rate.
Tax Benefits for Research
and Development
Israeli tax law allows, under certain conditions, a tax deduction
for research and development expenditures, including capital expenditures, for the year in which they are incurred if:
|
o |
the expenditures are approved by the relevant Israeli government ministry, determined by the field of research; |
|
o |
the research and development is for the promotion or development of the company; and |
|
o |
the research and development is carried out by or on behalf of the company seeking the deduction. |
However, the amount of such deductible expenses shall be reduced
by the sum of any funds received through government grants for the finance of such scientific research and development projects. Expenditures
not so approved are deductible over a three-year period from the first year that the expenditures were made if the research or development
is for the promotion or development of the company.
Law for the Encouragement
of Industry (Taxes), 5729-1969
The Law for the Encouragement of Industry (Taxes), 5729-1969,
generally referred to as the Industry Encouragement Law, provides several tax benefits for “Industrial Companies.”
The Industry Encouragement Law defines an “Industrial Company”
as an Israeli resident company which was incorporated in Israel, of which 90% or more of its income in any tax year, other than income
from certain government loans, is derived from an “Industrial Enterprise” owned by it and located in Israel or in the “Area”,
in accordance with the definition in the section 3a of the Israeli Income Tax Ordinance (New Version) 1961 (the “Ordinance”).
An “Industrial Enterprise” is defined as an enterprise whose principal activity in a given tax year is industrial production.
The following tax benefits, among others, are available to Industrial
Companies:
|
o |
amortization of the cost of purchased know-how, patents and rights to use a patent and know-how which are used for the development
or promotion of the Industrial Enterprise, over an eight-year period commencing on the year in which such rights were first exercised;
|
|
o |
under limited conditions, an election to file consolidated tax returns together with Israeli Industrial Companies controlled by it;
and |
|
o |
expenses related to a public offering of shares in a stock exchange are deductible in equal amounts over three years commencing on
the year of offering. |
Eligibility for benefits under the Industry Encouragement Law
is not contingent upon the approval of any governmental authority. We believe that we generally qualify as an Industrial Company within
the meaning of the Industry Encouragement Law. The Israel Tax Authority may determine that we do not qualify as an Industrial Company,
which could entail our loss of the benefits that relate to this status. There can be no assurance that we will continue to qualify
as an Industrial Company or that the benefits described above will be available in the future.
Law for the Encouragement
of Capital Investments, 5719-1959
The Law for the Encouragement of Capital Investments, 5719-1959,
generally referred to as the Investment Law, provides certain incentives for capital investments in production facilities (or other eligible
assets) by “Industrial Enterprises” (as defined under the Investment Law).
The Investment Law was significantly amended effective April 1,
2005 (the “2005 Amendment”), further amended as of January 1, 2011 (the “2011 Amendment”), and further amended
as of January 1, 2017 (the “2017 Amendment”). Pursuant to the 2005 Amendment, tax benefits granted in accordance with the
provisions of the Investment Law prior to its revision by the 2005 Amendment remain in force but any benefits granted subsequently are
subject to the provisions of the 2005 Amendment. Similarly, the 2011 Amendment introduced new benefits to replace those granted in accordance
with the provisions of the Investment Law in effect prior to the 2011 Amendment. However, companies entitled to benefits under the Investment
Law as in effect prior to January 1, 2011 were entitled to choose to continue to enjoy such benefits, provided that certain conditions
are met, or elect instead, irrevocably, to forego such benefits and have the benefits of the 2011 Amendment apply. The 2017 Amendment
introduced new benefits for Technological Enterprises which meet certain conditions, alongside the existing tax benefits.
Tax Benefits Prior to
the 2005 Amendment
An investment program that is implemented in accordance with
the provisions of the Investment Law prior to the 2005 Amendment, referred to as an “Approved Enterprise”, is entitled to
certain benefits. A company that wished to receive benefits as an Approved Enterprise must have received approval from the Israeli Authority
for Investments and Development of the Industry and Economy (the “Investment Center”). Each certificate of approval for an
Approved Enterprise relates to a specific investment program, delineated both by the financial scope of the investment, including sources
of funds, and by the physical characteristics of the facility or other assets.
The tax benefits available under any certificate of approval
relate only to taxable income attributable to the specific program and are contingent upon meeting the criteria set out in such certificate.
Income derived from activity that is not integral to the activity of the Approved Enterprise will not enjoy tax benefits.
The tax benefits under the alternative benefits track include
an exemption from corporate tax on undistributed income which was generated from an Approved Enterprise for between two and ten years
from the first year of taxable income, depending on the geographic location of the Approved Enterprise facility within Israel, and the
taxation of income generated from an Approved Enterprise at a reduced corporate tax rate of between 10% to 25% for the remainder of the
benefits period, depending on the level of foreign investment in the company in each year, as detailed below.
In addition, a company that has an Approved Enterprise program
is eligible for further tax benefits if it qualifies as a Foreign Investors’ Company (FIC), which is a company with a level of foreign
investment, as defined in the Investment Law, of more than 25%.
If a company elects the alternative benefits track and subsequently
distributes a dividend out of income derived by its Approved Enterprise during the tax exemption period it will be subject to corporate
tax in respect of the amount of the distributed dividend (grossed-up to reflect the pre-tax income that it would have had to earn in order
to distribute the dividend) at the corporate tax rate which would have been otherwise applicable if such income had not been tax-exempted
under the alternative benefits track. This rate generally ranges from 10% to 25%, depending on the level of foreign investment in the
company in each year, as mentioned above. In addition, dividends paid out of income attributed to an Approved Enterprise (or out
of dividends received from a company whose income is attributed to an Approved Enterprise) are generally subject to withholding tax at
source at the rate of 15% or such lower rate as may be provided in an applicable tax treaty (subject to the receipt in advance of a valid
certificate from the Israel Tax Authority allowing for a reduced tax rate). The 15% tax rate is limited to dividends and distributions
out of income derived during the benefits period and actually paid at any time up to 12 years thereafter. After this period, the withholding
tax is applied at a rate of up to 30%, or at the lower rate under an applicable tax treaty (subject to the receipt in advance of a valid
certificate from the Israel Tax Authority allowing for a reduced tax rate). In the case of a FIC, the 12-year limitation on reduced withholding
tax on dividends does not apply.
The benefits available to an Approved Enterprise are subject
to the continued fulfillment of conditions stipulated in the Investment Law and its regulations and the criteria in the specific certificate
of approval, as described above. If a company does not meet these conditions, it would be required to refund the amount of tax benefits,
adjusted to the Israeli consumer price index, and interest, or other monetary penalties.
Tax Benefits Subsequent
to the 2005 Amendment
The 2005 Amendment applies to new investment programs commencing
after 2004, but does not apply to investment programs approved prior to April 1, 2005. The 2005 Amendment provides that terms and
benefits included in any certificate of approval that was granted before the 2005 Amendment became effective (April 1, 2005) will
remain subject to the provisions of the Investment Law as in effect on the date of such approval. Pursuant to the 2005 Amendment, the
Investment Center will continue to grant Approved Enterprise status to qualifying investments. The 2005 Amendment, however, limits the
scope of enterprises that may be approved by the Investment Center by setting criteria for the approval of a facility as an Approved Enterprise,
such as provisions generally requiring that at least 25% of the Approved Enterprise’s income be derived from exports.
Tax benefits are available under the 2005 Amendment to production
facilities (or other eligible facilities) which are generally required to derive more than 25% of their business income from export to
specific markets with a population of at least 14 million in 2012 (such export criteria will further be increased in the future by 1.4%
per annum).
A company qualifying for tax benefits under the 2005 Amendment
which pays a dividend out of income derived by its Benefited Enterprise during the tax exemption period will be subject to corporate tax
in respect of the amount of the dividend distributed (grossed-up to reflect the pre-tax income that it would have had to earn in order
to distribute the dividend) at the corporate tax rate which would have otherwise been applicable. Dividends paid out of income attributed
to a Benefited Enterprise (or out of dividends received from a company whose income is attributed to a Benefited Enterprise) are generally
subject to withholding tax at source at the rate of 15% or at a lower rate as may be provided in an applicable tax treaty (subject to
the receipt in advance of a valid certificate from the Israel Tax Authority allowing for a reduced tax rate). The reduced rate of 15%
is limited to dividends and distributions out of income attributed to a Beneficiary Enterprise during the benefits period and actually
paid at any time up to 12 years thereafter except with respect to a FIC, in which case the 12-year limit does not apply.
The benefits available to a Benefited Enterprise are subject
to the continued fulfillment of conditions stipulated in the Investment Law and its regulations. If a company does not meet these conditions,
it would be required to refund the amount of tax benefits, adjusted to the Israeli consumer price index, and interest, or other monetary
penalties.
On November 15, 2021, the Investment Law was amended to provide,
on a temporary basis, a reduced corporate income tax upon the distribution or release, within a year from such amendment, of tax-exempt
profits derived by Approved or Benefited Enterprises. The reduced tax rate was determined based on a formula, providing for an up to 60%
reduction, as long as the corporate income tax rate was not less than 6%. In order to qualify for the reduction, the taxpayer would also
have to invest certain amounts in productive assets and research and development in Israel. The Company did not elect to apply for the
aforementioned temporary order.
In addition to the temporary amendment, the Investment Law
was also amended to reduce the ability of companies to retain the tax-exempt profits while distributing dividends from previously taxed
profits. Accordingly, effective August 15, 2021, dividend distributions are deemed made on a pro-rata basis from all types of earnings,
including exempt profits, thus triggering additional corporate income tax. As of August 15, 2021, the Company did not distribute any dividends
and does not intend to do so in the near future.
As of December 31, 2022, approximately $14.5 million was
derived from tax exempt profits earned under the "Approved Enterprises" and "Beneficiary Enterprise". If the retained tax-exempt income
is distributed, the income would be taxed at the applicable corporate tax rate as if it had not elected the alternative tax benefits under
the Investment Law and an income tax liability of up to $3.5 million would be incurred as of December 31, 2022.
Tax Benefits under the
2011 Amendment
The 2011 Amendment introduced new benefits for income generated
by a “Preferred Company” through its “Preferred Enterprise” (as such terms are defined in the Investment Law)
as of January 1, 2011. The definition of a Preferred Company includes a company incorporated in Israel that is not wholly owned by
a governmental entity, and that has, among other things, Preferred Enterprise status and is controlled and managed from Israel. Pursuant
to the 2011 Amendment, a Preferred Company is entitled to a reduced corporate tax rate of 15% with respect to its preferred income derived
by its Preferred Enterprise in 2011 and 2012, unless the Preferred Enterprise is located in a development zone A, in which case the rate
will be 10%. Such corporate tax rate was reduced from 15% and 10%, respectively, to 12.5% and 7%, respectively in 2013, and then increased
to 16% and 9%, respectively, in 2014 until 2016. Pursuant to the 2017 Amendment, in 2017 and thereafter, the corporate tax rate for Preferred
Enterprise which is located in development zone A was decreased to 7.5%, while the reduced corporate tax rate for other development zones
remains 16%. Income derived by a Preferred Company from a ‘Special Preferred Enterprise’ (as such term is defined in the Investment
Law) could be entitled, under certain conditions and limitations, to further reduced tax rates.
Dividends paid to Israeli shareholders out of preferred income
attributed to a Preferred Enterprise are generally subject to withholding tax at the rate of 20%, and in case of non-Israeli shareholders,
such lower rate as may be provided in an applicable tax treaty (each subject to the receipt in advance of a valid certificate from the
Israel Tax Authority allowing for a reduced tax rate). However, if such dividends are paid to an Israeli company, no tax is required to
be withheld (although, if such dividends are subsequently distributed to individuals or a non-Israeli company, withholding tax at a rate
of 20% or such lower rate as may be provided in an applicable tax treaty will apply). In 2017-2019, dividends paid out of preferred income
attributed to a Special Preferred Enterprise, directly to a foreign parent company, are subject to withholding tax at source at the rate
of 5% (temporary provisions).
The 2011 Amendment also provided transitional provisions to address
companies already enjoying existing tax benefits under the Investment Law. These transitional provisions provide, among other things,
that unless an irrevocable request is made to apply the provisions of the Investment Law as amended in 2011 with respect to income to
be derived as of January 1, 2011: (i) the terms and benefits included in any certificate of approval that was granted to an
Approved Enterprise which chose to receive grants before the 2011 Amendment became effective will remain subject to the provisions of
the Investment Law as in effect on the date of such approval, and subject to certain other conditions; (ii) the terms and benefits
included in any certificate of approval that was granted to an Approved Enterprise which had participated in an alternative benefits track
before the 2011 Amendment became effective will remain subject to the provisions of the Investment Law as in effect on the date of such
approval, provided that certain conditions are met; and (iii) a Benefited Enterprise can elect to continue to benefit from the benefits
provided to it before the 2011 Amendment became effective, provided that certain conditions are met.
From time to time, the Israeli Government has discussed reducing
the benefits available to companies under the Investment Law. The termination or substantial reduction of any of the benefits available
under the Investment Law could materially increase our tax liabilities.
We applied the new benefits under the 2011 Amendment instead
of the benefits provided to our Approved Enterprise and Benefited Enterprise as of 2013 tax year onwards through 2016 tax year.
Tax Benefits under the
2017 Amendment
The 2017 Amendment was enacted as part of the Economic Efficiency
Law that was published on December 29, 2016, and is effective as of January 1, 2017. The 2017 Amendment provides new tax benefits for
two types of “Technology Enterprises”, as described below, and is in addition to the other existing tax beneficial programs
under the Investment Law.
The 2017 Amendment provides that a technology company satisfying
certain conditions will qualify as a “Preferred Technology Enterprise” (PTE) and will thereby enjoy a reduced corporate tax
rate of 12% on income that qualifies as PTE which is generally generated by “Benefited Intangible Assets,” as defined in the
Investment Law. The tax rate is further reduced to 7.5% for a PTE and/or for its segment located in development Zone A. In addition, a
PTE will enjoy a reduced corporate tax rate of 12% on capital gain derived from the sale of certain “Benefitted Intangible Assets”
(as defined in the Investment Law) to a related foreign company if the Benefitted Intangible Assets were acquired from a foreign company
on or after January 1, 2017 for at least NIS 200 million, and the sale receives prior approval from the National Authority for Technological
Innovation (NATI).
The 2017 Amendment further provides that a technology company
satisfying certain conditions will qualify as a “Special Preferred Technology Enterprise” and will thereby enjoy a reduced
corporate tax rate of 6% on “Preferred Technology Income” regardless of the company’s geographic location within Israel.
In addition, a Special Preferred Technology Enterprise will enjoy a reduced corporate tax rate of 6% on capital gain derived from the
sale of certain “Benefitted Intangible Assets” to a related foreign company if the Benefitted Intangible Assets were either
developed by an Israeli company or acquired from a foreign company on or after January 1, 2017, and the sale received prior approval from
NATI. A Special Preferred Technology Enterprise that acquires Benefitted Intangible Assets from a foreign company for more than NIS 500
million will be eligible for these benefits for at least ten years, subject to certain approvals as specified in the Investment Law.
Dividends distributed to Israeli shareholders by a PTE or a Special
Preferred Technology Enterprise, paid out of Preferred Technology Income, are generally subject to withholding tax at source at the rate
of 20%, and in case of non-Israeli shareholders, such lower rate as may be provided in an applicable tax treaty (each subject to the receipt
in advance of a valid certificate from the Israel Tax Authority allowing for such reduced tax rate). However, if such dividends are paid
to an Israeli company, no tax is required to be withheld. If such dividends are distributed to a foreign company that holds alone or together
with other foreign companies 90% or more in the Israeli company and other conditions are met, the withholding tax rate will be 4%.
We have obtained a comprehensive tax ruling confirming, among
others, that we generally qualify as a PTE since 2017 onwards and this status was affirmed by the Israeli Tax Authority in corporate
tax audit assessment agreements reached in 2021 and in 2022.
Recently Issued Accounting
Pronouncements
See Note 2(ac) and Note 2(ad) to our consolidated financial
statements included elsewhere in this annual report for information regarding recent accounting standards issued.
ITEM 6.
DIRECTORS, SENIOR MANAGEMENT AND EMPLOYEES
|
A. |
Directors and Senior Management |
The following table sets forth the name, age and position of
each member of our senior management as of March 2, 2023:
Name
|
Age
|
Position |
|
Senior Management |
|
|
|
Ehud (Udi) Mokady1
|
54 |
Chairman of the Board and Chief Executive Officer and Founder |
|
Matthew Cohen1
|
47 |
Chief Operating Officer |
|
Joshua Siegel |
59 |
Chief Financial Officer |
|
Chen Bitan |
53 |
General Manager Israel |
|
Peretz Regev |
44 |
Chief Product Officer |
|
Donna Rahav |
44 |
Chief Legal Officer |
| |
|
|
|
Directors |
|
|
|
Gadi Tirosh(1)(3)(4)(5) |
56 |
Lead Independent Director |
|
Ron Gutler(1)(2)(4)(5) |
65 |
Director |
|
Kim Perdikou(1)(2)(3)(4)(5) |
65 |
Director |
|
David Schaeffer(5) |
66 |
Director |
|
Amnon Shoshani(3)(5) |
59 |
Director |
|
François Auque(2)(5) |
66 |
Director |
|
Avril England(4)(5) |
54 |
Director |
| (1) |
Member of our compensation committee. |
| (2) |
Member of our audit committee. |
| (3) |
Member of our nominating, environmental, sustainability and governance committee. |
| (4) |
Member of our strategy committee. |
| (5) |
Independent director under the rules of Nasdaq. |
1 Starting
April 3, 2023, Udi Mokady is expected to assume the role of Executive Chairman of the Board and Matthew Cohen will begin to serve as Chief
Executive Officer and join the Board.
Senior Management
Ehud
(Udi) Mokady is one of our founders and has served as our Chief Executive
Officer since 2005 and as chairman of the board since June 2016. He has also served as a member of our board since November 2004. Mr.
Mokady previously served as our President from 2005 to 2016 and as our Chief Operating Officer from 1999 to 2005. He has served as a member
of the Board of Advisors of Brandeis International Business School since September 2019. Mr. Mokady served as a member of the board of
directors of Demisto, Inc. commencing in January 2018 until its acquisition by Palo Alto Networks, Inc. in March 2019. From 1997 to 1999,
Mr. Mokady served as general counsel at Tadiran Spectralink Ltd., a producer of secure wireless communication systems. From 1986 to 1989,
Mr. Mokady served in a military intelligence unit in the Israel Defense Forces. Mr. Mokady was honored by a panel of independent judges
with the New England EY Entrepreneur Of The Year™ 2014 Award in the Technology Security category. Mr. Mokady holds a Bachelor of
Laws (LL.B.) from Hebrew University in Jerusalem, Israel and a Master of Science Management (MSM) from Boston University in Massachusetts.
Matthew
Cohen has served as our Chief Operating Officer since December 2020 after
he served as our Chief Revenue Officer since December 2019. Prior to joining CyberArk, Mr. Cohen held several leadership positions in
PTC Inc. (Nasdaq: PTC). His most recent position was Executive Vice President of Field Operations, from February 2018 to November 2019,
where he led the go-to-market strategy and all Sales, Commercial Marketing, Customer Success, Services, and Partner functions. Prior to
that he was Executive Vice President, Customer Success and Partners from July 2016 to February 2018, Executive Vice President, Global
Services from April 2014 through July 2016, and Divisional Vice President, Global Services from October 2013 to March 2014. Before that,
Mr. Cohen held various positions in the company’s Global Services group. Mr. Cohen holds a Bachelor of Arts in Psychology from Harvard
University.
Joshua
Siegel has served as our Chief Financial Officer since May 2011. Prior to
joining CyberArk, Mr. Siegel served as Chief Financial Officer for Voltaire Ltd., a provider of InfiniBand and Ethernet connectivity
solutions, from December 2005 to February 2011, and as Director of Finance and then Vice President of Finance from April 2002 to December
2005. Voltaire completed an initial public offering and listing on Nasdaq in 2007 and was acquired by Mellanox Technologies, Ltd. in 2011.
From 2000 to 2002, he was Vice President of Finance at KereniX Networks Ltd., a terabit routing and transport system company. From 1995
to 2000, Mr. Siegel served in various positions at Lucent Technologies Networks Ltd. (formerly Lannet Ltd.). From 1990 to 1995, he
served in various positions at SLM Corporation (Sallie Mae—Student Loan Marketing Association). Mr. Siegel holds a Bachelor of Arts
in economics and an MBA with a concentration in finance from the University of Michigan in Ann Arbor.
Chen
Bitan has served as the General Manager of our Israeli headquarters since
January 2020. He previously served as Chief Product Officer from January 2020 to September 2022, as our General Manager of EMEA, Asia
Pacific and Japan from 2005 to 2019 and as Head of Research & Development from 1999 to 2019. From March 1998 to April 1999, Mr. Bitan
worked as Project Manager for Amdocs Software Ltd., leading the development of billing and customer care systems for telecommunications
providers. From 1995 to 1998, he worked for Magic Software Enterprises Ltd. as Research and Development Group Manager leading the development
of their 4GL products for the Asia Pacific market. From 1988 to 1995, Mr. Bitan served in a software engineering unit in the Israel
Defense Forces (IDF) in various research and development roles, finally leading the programming education department as Department Manager
at the Computer Studies Academy (Mamram). Mr. Bitan holds a Bachelor of Science in computer science and political science from Bar-Ilan
University in Ramat-Gan, Israel.
Peretz Regev has served
as our Chief Product Officer since September 2022. Prior to joining CyberArk, Mr. Regev served as Vice President of Global Data Science
and Engineering at PayPal Holdings Inc. (Nasdaq: PYPL) from January 2015 to September 2022 and served as the General Manager of PayPal
Israel from May 2017 to September 2022. Mr. Regev also held several leadership positions at Hewlett-Packard Company (now HP Inc.)
(NYSE: HPQ), from January 2005 to December 2014, guiding the SaaS products and Big Data Analytics teams. Before that, Mr. Regev served
in various positions at Mercury Interactive, an Israeli software company that was acquired by Hewlett Packard. Mr. Regev holds a
BSc in Computer Sciences from Reichman University in Israel and an MBA from the College of Management Academic Studies in Israel.
Donna
Rahav has
served as our Chief Legal Officer since December 2021. She previously served as our General Counsel and Compliance Officer since March
2014 and as Corporate Secretary from April 2014 until December 2019. Prior to joining CyberArk, Ms. Rahav served as Deputy General Counsel
at Allot Communications Ltd. (Nasdaq and TASE: ALLT) from 2011 to 2014 and as legal counsel at Alvarion Ltd. (Nasdaq and TASE: ALVR) 2009
to 2011 and MediaMind Technologies, Inc. (formerly Eyeblaster, Inc.; Nasdaq: MDMD) from 2008 to 2009. Prior to that, from 2005 to 2006
she was an associate at an Israeli law firm specializing in technology transactions. Ms. Rahav holds a Bachelor of Laws (LL.B.) from Tel
Aviv University in Israel, and a Master of Laws (LL.M.) from Tel Aviv University in collaboration with University of California, Berkeley,
an executive program focused on corporate and commercial law.
Directors
Gadi
Tirosh has served as a member of our board of directors since June 2011,
as chairman of the board between July 2013 and June 2016 and as lead independent director since June 2016. Since 2020, Mr. Tirosh has
served as Venture Partner at DisruptiveAI, an Israeli venture capital firm that focuses on innovative artificial intelligence companies.
From 2018 to 2020, Mr. Tirosh served as Venture Partner at Jerusalem Venture Partners, an Israeli venture capital firm that focuses,
among other things, on cybersecurity companies and operates the JVP Cyber Labs incubator. From 2005 to 2018, he served as Managing Partner
at Jerusalem Venture Partners. From 1999 to 2005, he served as Corporate Vice President of Product Marketing and as a member of the executive
committee for NDS Group Ltd. (Nasdaq: NNDS) later acquired by Cisco Systems, Inc. a provider of end-to-end software solutions to the pay-television
industry, including content protection and video security. Mr. Tirosh holds a Bachelor of Science in computer science and mathematics
and an Executive MBA from the Hebrew University in Jerusalem, Israel.
Ron
Gutler has served as a member of our board of directors since July 2014
and served as an external director under the Companies Law between July 2014 and May 2016. Mr. Gutler is currently a director of
Wix.com Ltd. (Nasdaq: WIX), Fiverr International Ltd. (NYSE: FVRR) and WalkMe Ltd. (Nasdaq: WKME). Between November 2009 and December
2020. Mr. Gutler served as a director of Psagot Investment House and between November 2007 and December 2020, he served as a director
of Psagot Securities. Between June 2018 and November 2019, Mr. Gutler served as the Chairman of the Board of Psagot Market Making. Between
2014 and 2019 Mr. Gutler served as a director of Hapoalim Securities USA (HSU). Between August 2012 and January 2018, Mr. Gutler
served as chairman of the board of the College of Management Academic Studies in Israel. Between May 2002 and February 2013, Mr. Gutler
served as the Chairman of NICE Systems Ltd., a public company specializing in voice recording, data security, and surveillance. Between
2000 and 2011, Mr. Gutler served as the Chairman of G.J.E. 121 Promoting Investments Ltd., a real estate company. Between 2000 and
2002, Mr. Gutler managed the Blue Border Horizon Fund, a global macro fund. Mr. Gutler is a former Managing Director and a Partner
of Bankers Trust Company, which is currently part of Deutsche Bank. He also established and headed the Israeli office of Bankers Trust
Company. Mr. Gutler holds a Bachelor of Arts in economics and international relations and an MBA, both from the Hebrew University
in Jerusalem, Israel.
Kim
Perdikou has served as a member of our board of directors since July 2014
and served as an external director under the Companies Law between July 2014 and May 2016. Ms. Perdikou
has served on the board of Nasuni since December 2022. Ms. Perdikou has served on the Supervisory Board of Alter Domus, since January
2021. Ms. Perdikou has served as Chairman of The Atsign, since December 2019. Ms. Perdikou has served on the board of Trunomi,
Ltd. since June 2018. From 2014 to May 2022 Ms. Perdikou has served as Chairman of REBBL Inc. From 2010 to August 2013, Ms. Perdikou served
as the Executive Vice President for the Office of the Chief Executive Officer at Juniper Networks, Inc. Before that she served as the
Executive Vice President and General Manager of Infrastructure Products Group and as Chief Information Officer at Juniper Networks, Inc.
From 2006 to 2010 and from August 2000 to January 2006, respectively, Ms. Perdikou served in leadership positions at Women.com, Readers
Digest, Knight Ridder, and Dun & Bradstreet. Ms. Perdikou holds a Bachelor of Science degree in computing science with operational
research from Paisley University (now the West of Scotland University) in Paisley, Scotland, a Post-Graduate degree in education from
Jordanhill College in Glasgow, Scotland and a Master of Science in information systems from Pace University in New York, United States.
David
Schaeffer has served as a member of our board of directors since May 2014.
Mr. Schaeffer has served as the Chairman, Chief Executive Officer and President of Cogent Communications, Inc. (Nasdaq: CCOI), an internet
service provider based in the United States that is listed on Nasdaq, since he founded the company in August 1999. Mr. Schaeffer was the
founder of Pathnet, Inc., a broadband telecommunications provider, where he served as Chief Executive Officer from 1995 until 1997 and
as Chairman from 1997 until 1999. Mr. Schaeffer holds a Bachelor of Science in physics from the University of Maryland, the United States.
Amnon
Shoshani has served as a member of our board of directors since November
2009. Since February 1995, Mr. Shoshani has served as the Founder and Managing Partner of Cabaret Holdings Ltd. and, since March 1999,
he has also served as Managing Partner of Cabaret Security Ltd., CyberArk’s founding investor and Cabaret and ArbaOne Inc. ventures
activities where he had a lead role in managing the group’s portfolio companies. Since 2018, Mr. Shoshani has served as the President
and Chairman of the Board of Smartech, a portfolio company of Cabaret and ArbaOne, that provides game changing technologies to the industrial
world. Between 2005 and 2018, he served as CEO and Chairman of the Board of Smartech. From 1994 to April 2005, Mr. Shoshani owned a Tel
Aviv boutique law firm engaged in entrepreneurship, traditional industries and high tech, which he founded. Mr. Shoshani holds a Bachelor
of Law (LL.B.) from Tel Aviv University in Israel.
François
Auque has served as a member of our board of directors since February 2019.
Mr. Auque serves as the chairman of the Audit and Risk Committee of Rexel SA from May 2019, after being an observer on the board from
October 2018. Mr. Auque serves as the chairman of the board of VividQ, a computer generated holography British startup, since 2022. Mr.
Auque serves as a director of AEROSPACELAB, a New Space Belgian startup, since 2022. Mr. Auque also serves, since 2022, as a member of
the IQM Quantum Council, an advisory Council to IQM, a Finish-German Quantum Computing startup. Mr. Auque is a partner at InfraVia Capital
Partners, a Private Equity firm based in Paris, since 2019. Mr. Auque served as the General Partner and Chairman of the Investment Committee
of Airbus Ventures, the venture capital arm of Airbus between 2016 and 2018. From 2000 to 2016, Mr. Auque headed the Airbus space division
as a member of Airbus Group’s Executive Committee. Between 1991 and 2000, Mr. Auque served as Chief Financial Officer of Aerospatiale
(then Aerospatiale-Matra), one of the three founding firms of the European Aeronautic Defense and Space Company (EADS), Europe’s
largest aerospace company (currently Airbus). Mr. Auque holds a Master’s in Finance from Ecole des Hautes Etudes Commercials in
Paris, France, a Bachelor of Arts in Public Administration from the Paris Institute of Political Studies in Paris, France, and is a graduate
in economics from Ecole Nationale d’Administration in Paris, France.
Avril
England has served as a member of our board of directors since March 2021.
Since September 2013, Ms. England has served as part of the product leadership of Veeva Systems Inc. (NYSE: VEEV), as the General Manager
of Veeva Vault, a fast-growing cloud software platform and suite of applications. Ms. England holds a Bachelor of Commerce degree from
Queen’s University in Ontario, Canada, and has received numerous professional and academic awards.
Compensation of Directors and Senior Management
The aggregate compensation expensed, including share-based compensation
and other compensation expensed by us and our subsidiaries, with respect to the year ended December 31, 2022, to our directors and
senior management that served at any time during the year ended December 31, 2022 was $30.9 million. This amount includes approximately
$0.7 million set aside or accrued to provide pension, severance, retirement, or similar benefits.
The table below sets forth the compensation earned by our five
most highly compensated office holders (as defined in the Companies Law and described under “Board Practices— Disclosure of
Compensation of Senior Management” below) during or with respect to the year ended December 31, 2022. We refer to the five
individuals for whom disclosure is provided herein as our “Covered Executives.” For purposes of the table and the summary
below, “compensation” includes base salary, bonuses, equity-based compensation, retirement or termination payments, and any
benefits or perquisites such as car, phone and social benefits, as well as any undertaking to provide such compensation in the future.
Summary Compensation Table
| |
|
Information Regarding the Covered Executive(1) |
|
|
Name and Principal Position(2) |
|
Base
Salary |
|
|
Benefits and
Perquisites
(3) |
|
|
Variable
Compensation
(4) |
|
|
Equity-Based
Compensation
(5) |
|
| |
|
|
|
|
|
|
|
Ehud (Udi) Mokady, Chairman of the Board & CEO
|
|
$ |
430,000 |
|
|
$ |
248,387 |
|
|
$ |
665,675 |
|
|
$ |
10,562,017 |
|
|
Matthew Cohen, Chief Operating Officer
|
|
|
425,000 |
|
|
|
89,591 |
|
|
|
657,934 |
|
|
|
4,854,573 |
|
|
Joshua Siegel, Chief Financial Officer
|
|
|
419,545 |
|
|
|
111,749 |
|
|
|
464,424 |
|
|
|
4,628,900 |
|
|
Chen Bitan, General Manager Israel2
|
|
|
366,697 |
|
|
|
143,251 |
|
|
|
330,701 |
|
|
|
2,787,013 |
|
|
Clarence Hinton, Chief Strategy Officer
|
|
|
339,700 |
|
|
|
61,275 |
|
|
|
279,259 |
|
|
|
2,334,741 |
|
| (1) |
In accordance with Israeli law, all amounts reported in the table are in terms of cost to our Company, as recorded in our financial
statements for the year ended December 31, 2022. |
| (2) |
All current officers listed in the table are full-time employees. Cash compensation amounts denominated in currencies other than
the U.S. dollar were converted into U.S. dollars at the average conversion rate for the year ended December 31, 2022. |
| (3) |
Amounts reported in this column include benefits and perquisites, including those mandated by applicable law. Such benefits and perquisites
may include, to the extent applicable to each executive, payments, contributions and/or allocations for savings funds, pension, severance,
vacation, car or car allowance, medical insurances and benefits, risk insurances (such as life, disability and accident insurances), convalescence
pay, payments for Medicare and social security, tax gross-up payments and other benefits and perquisites consistent with our guidelines,
regardless of whether such amounts have actually been paid to the executive. |
| (4) |
Amounts reported in this column refer to Variable Compensation such as incentives and earned or paid bonuses as recorded in our financial
statements for the year ended December 31, 2022. |
| (5) |
Amounts reported in this column represent the expense recorded in our financial statements for the year ended December 31, 2022
with respect to equity-based compensation, reflecting also equity awards made in previous years which have vested during the current year.
Assumptions and key variables used in the calculation of such amounts are described in Note 12 to our audited consolidated financial statements,
which are included in this annual report. |
2
Chen Bitan also served as Chief Product Officer from January 2022 to August 2022.
CEO Equity Plan
In June 2020, the Company’s shareholders approved a three-year
CEO Equity Plan, which included an equity grant to the CEO in respect of 2020 and authorized the compensation committee and Board to approve
CEO equity grants for 2021 and 2022 under the terms of such plan.
Accordingly, the CEO was awarded the following equity grants:
| |
|
RSUs |
Business PSUs |
Relative TSR PSUs |
|
2020 |
Percentage |
50% |
30% |
20% |
|
Amount |
27,700 |
16,600 |
11,100 |
|
2021 |
Percentage |
~40% |
~40% |
20% |
|
Amount |
25,300 |
25,290 |
12,650 |
|
2022 |
Percentage |
40% |
40% |
20% |
|
Amount |
24,600 |
24,600 |
12,300 |
In February 2021, 2022 and 2023, the compensation committee certified
the Company’s performance of the business PSUs performance criteria and the applicable amount of PSUs earned, demonstrating our
track record of paying for performance and linking the CEO’s achievement rate of the performance criteria with the earning of the
underlying PSUs as follows:
|
Year of Grant |
Number of Business PSUs Granted
(on Target) |
Performance Targets |
Performance Criteria Achievement Rate (Weighted Average) |
Number of PSUs Earned |
Earning Rate |
|
2020 |
16,600 |
• Annual revenue
• Non-GAAP profitability
• License-derived revenue
|
80% |
9,830 |
60% |
|
2021 |
25,290 |
• Annual recurring revenue
• Percentage of new license
subscription bookings
out
of total new license
bookings,
on an annualized
basis |
111% |
46,370 |
183% |
|
2022 |
24,600 |
• Annual
recurring revenue
• Total
new license
bookings, on an
annualized basis |
99% |
25,110 |
102% |
Business PSUs are earned based
on a one-year performance period, and are subject to further time-based vesting. Relative total shareholder return PSUs (“rTSR
PSUs”) are earned based on our total shareholder return relative to the S&P Software & Services Select Industry index over
a three-year period.
|
Year of Grant |
Number of rTSR PSUs Granted
(on Target) |
Percentile Rate |
Number of PSUs Earned |
Earning Rate |
|
2020 |
11,100 |
49.7% |
11,040 |
99.4% |
2021 and 2022 rTSR PSUs have not been earned to date, as their
performance periods have not yet been completed.
Employment Agreements with Executive Officers
We have entered into written employment agreements with all our
executive officers. Most of these agreements contain provisions regarding non-competition and all these agreements contain provisions
regarding confidentiality of information and ownership of inventions. The non-competition provision applies for a period that is generally
12 months following termination of employment, subject to applicable law. The enforceability of covenants not to compete in Israel and
the United States is subject to limitations. In addition, we are required to provide two to six months’ notice prior to terminating
the employment of our executive officers, other than in the case of a termination for cause.
Directors’ Service Contracts
Other than with respect to Ehud (Udi) Mokady, our Chairman of
the Board and Chief Executive Officer, there are no arrangements or understandings between us, on the one hand, and any of our directors,
on the other hand, providing for benefits upon termination of their service as directors of our Company, except that directors are permitted
to exercise vested options for one year following the termination of their service. In July 2019, our shareholders approved certain changes
to the compensation framework for each of our non-executive directors, specifically by implementing a fixed annual fee and predetermined
dollar values of initial and recurring annual equity grants of RSUs.
Equity Incentive Plans
2014 Share Incentive Plan
The 2014 Share Incentive Plan (the “2014 SIP”), was
adopted by our board of directors and became effective on June 10, 2014. The 2014 SIP was approved by our shareholders on July 10,
2014. The 2014 SIP provides for the grant of options, restricted shares, restricted share units and other share-based awards to our employees,
directors, officers, consultants, advisors and any other person providing services to us or our affiliates, under varying tax regimes.
The maximum aggregate number of shares that may be issued pursuant to awards under this 2014 SIP is the sum of (a) 422,000 shares
plus (b) an increase of 1,220,054 shares as of January 1, 2015 plus (c) on January 1 of each calendar year commencing in 2016,
a number of shares equal to the lesser of: (i) an amount determined by our board of directors, if so determined prior to the January 1
of the calendar year in which the increase will occur, (ii) 4% of the total number of shares outstanding on December 31 of the
immediately preceding calendar year, and (iii) 4,000,000 shares. Additionally, any share underlying an award that is cancelled or
terminated or forfeited for any reason without having been exercised will automatically be available for grant under the 2014 SIP. As
of December 31, 2022, 2,925,695 ordinary shares underlying share-based awards were outstanding under the 2014 SIP and 1,159,520 ordinary
shares were reserved for future grant under the 2014 SIP. On January 1, 2023, the aggregate number of ordinary shares reserved for issuance
under the 2014 SIP was increased by 1,100,000 shares. Either our board, or a committee established by our board, administers the 2014
SIP, and the board may, at any time, suspend, terminate, modify, or amend the 2014 SIP retroactively or prospectively.
The board or the committee may grant awards intended to qualify
as an incentive stock option, non-qualified stock option, Israeli Income Tax Ordinance Section 102 award, Section 3(9) award, or other
designations under other regimes. Other than with respect to incentive stock options, governed by the specific exercise price provisions
of the 2014 SIP, the exercise price of any award will be determined by the committee or the board (as applicable). Unless otherwise stated
in the applicable award agreement, option awards under the 2014 SIP expire ten years after their grant date. Upon termination of the employment
or service of a grantee, any unvested awards will be forfeited on the termination date. Upon termination by reason of death, disability
or retirement, all of the grantee’s vested awards may be exercised at any time within one year after such death or disability or
within three months following retirement. Upon termination for “cause” (as defined in the 2014 SIP), all awards granted to
such grantee (whether vested or not) will be forfeited on the termination date. Upon termination for any other reason all vested and exercisable
awards at the time of termination may, unless earlier terminated in accordance with their terms, be exercised within up to three months
after the termination date (or such different period as the committee will prescribe).
The committee and the board may grant restricted shares under
the 2014 SIP. If a grantee’s employment or service to the Company or any affiliate thereof terminates for any reason prior to the
vesting of such grantee’s restricted shares, any unvested shares will be forfeited by such grantee. The committee and the board
may also grant restricted share units, performance share units, and other awards under the 2014 SIP, including shares, cash, cash and
shares, other share units and share appreciation rights.
In order to comply with the provisions of Section 102, all awards
to Israeli grantees must be held in trust for the benefit of the relevant grantee for the requisite period prescribed by the Ordinance.
Upon a “Change in Control” event (as defined in the
2014 SIP), any award then outstanding will be assumed or substituted by us or the successor corporation or by any affiliate thereof, as
determined by the committee. Regardless of whether or not awards are assumed or substituted, the committee may: (1) provide for grantees
to have the right to exercise their awards or otherwise for the accelerated vesting of the unvested underlying shares, under such terms
as the committee will determine, including the cancellation of all unexercised awards (whether vested or unvested) upon or immediately
prior to the closing of the Change in Control; and/or (2) provide for the cancellation of each outstanding and unexercised award
at or immediately prior to the closing of the Change in Control, and payment to the grantees of an amount in cash or in shares of the
acquirer or of a corporation or other business entity which is a party to the Change in Control, or in other property, as determined by
the committee to be fair in the circumstances, and subject to such terms and conditions as determined by the committee.
Awards under the 2014 SIP are not transferable other than by
will or by the laws of descent and distribution or to a grantee’s designated beneficiary, unless, in the case of awards other than
incentive stock options, otherwise determined by our committee or under the 2014 SIP. Awards may be granted from time to time pursuant
to the 2014 SIP, within a period of ten years from the effective date of the 2014 SIP, which period may be extended by our board.
2011 Share Incentive Plan
The 2011 Share Incentive Plan (the “2011 SIP”), was
adopted by our board of directors and became effective on July 14, 2011. The 2011 SIP was approved by our shareholders on December 20,
2011. Any share underlying an award that is cancelled or terminated or forfeited for any reason without having been exercised will automatically
be available for grant under the 2014 SIP. As of December 31, 2022, 11,053 options to purchase ordinary shares remained outstanding
under the 2011 SIP. No new awards may be granted under the 2011 SIP.
The 2011 SIP is administered by our board or a committee established
by our board. Option awards to purchase our ordinary shares that were granted under the 2011 SIP are designated in the applicable award
agreement as an incentive stock option, non-qualified stock option, Section 102 award (with such designation to include the relevant
tax track), Section 3(i) award, or other designations under other regimes. All awards granted under the 2011 SIP have vested. Upon
termination by reason of death, disability or retirement, all of the grantee’s vested options may be exercised at any time within
one year after such death or disability or within three months following retirement. Upon termination for cause (as defined in the 2011
SIP), all options granted to such grantee are forfeited on the termination date. Upon termination for any other reason all vested and
exercisable options at the time of termination may, unless earlier terminated in accordance with their terms, be exercised within up to
90 days after the termination date.
In the event of certain merger or sale events (as specified in
the 2011 SIP), any award then outstanding will be assumed or an equivalent award will be substituted by such successor corporation under
substantially the same terms as such award. If such awards are not assumed or substituted by an equivalent award, then the committee may
(i) provide for grantees to have the right to exercise their awards under such terms and conditions as the committee will determine;
and/or (ii) provide for the cancellation of each outstanding award at the closing of such transaction, and payment to the grantees
of an amount in cash as determined by the committee to be fair in the circumstances, and subject to such terms and conditions as determined
by the committee.
Awards under the 2011 SIP are not transferable other than by
will or by the laws of descent and distribution, unless otherwise determined by the board or under the 2011 SIP, and generally expire
ten years following the grant date. The 2011 SIP will terminate on the tenth anniversary of the effective date, other than with respect
to those awards outstanding under the 2011 SIP at the time of termination.
2020 Employee Share Purchase
Plan
On January 1, 2021, our ESPP, became effective. The ESPP enables
our eligible employees and eligible employees of our designated subsidiaries to elect to have payroll deductions made during the offering
period in an amount not exceeding 15% of the gross base compensation which the employees receive. The aggregate number of ordinary shares
reserved for issuance under the ESPP, as of January 1, 2022, was 125,000 shares (the “ESPP Share Pool”). On January 1 of each
year between 2022 and 2026 the ESPP Share Pool will be increased by a number of ordinary shares equal to the lowest of (i) 1,000,000 shares,
(ii) 1% of our outstanding shares on December 31 of the immediately preceding calendar year, and (iii) a lesser number of shares determined
by our board of directors. As of December 31, 2022, 6,898 ordinary shares were reserved for issuance under the ESPP. On January 1,
2023, the aggregate number of ordinary shares reserved for issuance under the ESPP was increased by 200,000 shares.
The ESPP is administered by our board of directors or by a committee
designated by the board of directors. Subject to those rights which are reserved to the board of directors or which require shareholder
approval under Israeli law, our board of directors has designated the compensation committee to administer the ESPP. Eligible employees
become participants in the ESPP by enrolling and authorizing payroll deductions by the deadline established by the plan administrator
prior to the relevant enrollment date. We expect that on the first trading day of each purchase period, each participant will automatically
be granted an option to purchase our ordinary shares on the exercise date of such purchase period. The applicable purchase price will
be no less than 85% of the lesser of the fair market value of our ordinary shares on the first day or the last day of the purchase period.
The maximum number of ordinary shares that may be purchased under the ESPP in any offer period, per participant, is 10,000. Participant
payroll deductions will be used to purchase shares on the last day of each purchase period. The plan administrator may amend, suspend
or terminate the ESPP at any time. However, shareholder approval must be obtained for any amendment to the ESPP that increases the aggregate
number of shares, changes the type of shares that may be sold pursuant to rights under the ESPP or changes the corporations or classes
of corporations whose employees are eligible to participate in the ESPP.
Board of Directors
Under the Companies Law, our business and affairs are managed
under the direction of our board of directors. Our board of directors may exercise all powers and may take all actions that are not specifically
granted to our shareholders or to management. Our executive officers are responsible for our day-to-day management and have individual
responsibilities established by our board of directors. Our Chief Executive Officer is appointed by, and serves at the discretion of,
our board of directors, subject to the employment agreement that we have entered into with him. All other executive officers are also
appointed by our board of directors, and are subject to the terms of any applicable employment agreements that we may enter into with
them.
We comply with the Nasdaq rule that requires a majority of
our directors to be independent as defined under Nasdaq corporate governance rules. Our board of directors has determined that all of
our directors, other than our Chief Executive Officer, are independent under such rules. Under our articles of association, our directors
serve for a period of three years pursuant to the staggered board provisions of our articles of association. Under our articles of association,
our board of directors must consist of at least four and not more than nine directors. Our board of directors currently consists of eight
directors. Our Chairman of the Board is Ehud (Udi) Mokady, who also serves as our Chief Executive Officer. Under the Companies Law, a
chairman of the board of directors of a public company may also serve as the chief executive officer of such company if his appointment
is ratified and approved by the company’s shareholders, and which term will be valid for a period not exceeding three years from
the date of such shareholder approval. In June of 2022, our shareholders ratified and approved Mr. Mokady’s appointment as both
Chairman of the Board and Chief Executive Officer, for a two-year period. Effective April 3, 2023, Mr. Mokady will assume the role of
Executive Chairman of the Board. At that time, Matthew Cohen, our Chief Operating Officer, will be appointed as Chief Executive Officer
and join the Board, as a Class III director.
Pursuant to our articles of association, our directors are divided
into three classes with staggered three-year terms. Each class of directors consists, as nearly as possible, of one-third of the total
number of directors constituting the entire board of directors. At each annual general meeting of our shareholders, the election or re-election
of directors following the expiration of the term of office of the directors of that class of directors is for a term of office that expires
on the third annual general meeting following such election or re-election, such that at each annual general meeting, the term of office
of only one class of directors will expire. Each director will hold office until the annual general meeting of our shareholders in which
his or her term expires, unless he or she is removed by a vote of 65% of the total voting power of our shareholders at a general meeting
of our shareholders or upon the occurrence of certain events, in accordance with the Companies Law and our articles of association.
As of the date hereof, our directors are divided among the three
classes as follows:
(i) the Class I directors are Ehud (Udi) Mokady, David Schaeffer
and François Auque, and their term expires at the annual general meeting of shareholders to be held in 2024 at the time their successors
are elected and qualified;
(ii) the Class II directors are Gadi Tirosh, Amnon Shoshani and
Avril England, and their term expires at the annual general meeting of shareholders to be held in 2025 at the time their successors are
elected and qualified; and
(iii) the Class III directors are Ron Gutler and Kim Perdikou,
and their term expires at the annual general meeting of shareholders to be held in 2023 at the time their successors are elected and qualified.
In addition, our articles of association allow our board of directors
to appoint directors, create new directorships or fill vacancies on our board of directors up to the maximum number of directors permitted
under our articles of association. In case of an appointment by our board of directors to fill a vacancy on our board of directors due
to a director no longer serving, the term of office shall be equal to the remaining period of the term of office of the director(s) whose
office(s) have been vacated, and in case of a new appointment where the number of directors serving is less than the maximum number stated
in our articles of association, our board of directors shall determine at the time of appointment the class to which the new director
shall be assigned.
Under the Companies Law and our articles of association, nominations
for directors may be made by any shareholder(s) holding together at least 1% of our outstanding voting power. However, any such shareholder
may make such a nomination only if a written notice of such shareholder’s intent to make such nomination has been timely and duly
given to our Secretary (or, if we have no Secretary, our Chief Executive Officer), as set forth in our articles of association. Any such
notice must include certain information regarding the proposing shareholder and the proposed director nominee, the consent of the proposed
director nominee(s) to serve as our director(s) if elected and a declaration signed by the proposed director nominee(s) as required by
the Companies Law and that all of the information that is required to be provided to us in connection with such election under the Companies
Law and under our articles of association has been provided.
Under the Companies Law, our board of directors must determine
the minimum number of directors who are required to have accounting and financial expertise. A director with accounting and financial
expertise is a director who, due to education, experience and skills, possesses an expertise in, and an understanding of, financial and
accounting matters and financial statements, such that he or she is able to understand the financial statements of the company and initiate
a discussion about the presentation of financial data.
In determining the number of directors required to have such
expertise, a board of directors must consider, among other things, the type and size of the company and the scope and complexity of its
operations. Our board of directors has determined that the minimum number of directors of our Company who are required to have accounting
and financial expertise is one.
External Directors
Under the Companies Law, companies incorporated under the laws
of the State of Israel that are public companies, including companies with shares listed on Nasdaq, are required to appoint at least two
external directors.
Pursuant to regulations enacted under the Companies Law, the
board of directors of a public company whose shares are listed on certain non-Israeli stock exchanges, including Nasdaq, that do not have
a controlling shareholder (as such term is defined in the Companies Law), may, subject to certain conditions, elect to “opt-out”
of the requirements of the Companies Law regarding the election of external directors and to the composition of the audit committee and
compensation committee, provided that the company complies with the requirements as to director independence and audit committee and compensation
committee composition applicable to companies that are incorporated in the jurisdiction in which its stock exchange is located. In May
2016, our board of directors elected to opt-out of the Companies Law requirements to appoint external directors and related Companies
Law rules concerning the composition of the audit committee and compensation committee.
The foregoing exemptions will continue to be available to us
so long as: (i) we do not have a “controlling shareholder” (as such term is defined under the Companies Law), (ii) our shares
are traded on a U.S. stock exchange, including Nasdaq, and (iii) we comply with Nasdaq listing rules applicable to domestic U.S. companies.
If in the future we were to have a controlling shareholder, we would again be required to comply with the requirements relating to external
directors and composition of the audit committee and compensation committee.
Under the Securities Law 1968-5728 (the “Securities Law”),
and the Companies Law, the term “controlling shareholder” means a shareholder with the ability to direct the activities of
the company, other than by virtue of being an office holder. A shareholder is presumed to be a controlling shareholder if the shareholder
holds 50% or more of the voting rights in a company or has the right to appoint the majority of the directors of the company or its general
manager. For the purpose of approving transactions with controlling shareholders, the term “controlling shareholder” also
includes any shareholder that holds 25% or more of the voting rights of the company if no other shareholder holds more than 50% of the
voting rights in the company.
Lead Independent Director
Mr. Mokady has been our CEO since 2005, and following approval
by our shareholders at the June 2016 and July 2019 annual shareholder meetings, has held that post in addition to serving as our Chairman.
As approved by our shareholders at the July 2019 annual shareholder meeting, for so long as the positions of the Chief Executive Officer
and Chairman of the Board are combined, the non-executive board members will select a Lead Independent Director from among the independent
directors of the Board, who has served a minimum of one year as a director. If at any meeting of the Board the Lead Independent Director
is not present, for the purpose and duration of such meeting, the Chairman of the Audit Committee, Chairman of the Compensation Committee,
or an independent member of the Board appointed by a majority of the independent members of the Board present will act as the Lead Independent
Director, in the order listed above. Mr. Tirosh has been our Lead Independent Director since June 2016.
The authorities and responsibilities of the Lead Independent
Director prior to the planned separation of the roles of CEO and Chairman of the Board in April 2023 include, but are not limited to,
the following:
|
o |
providing leadership to the Board if circumstances arise in which the role of the Chairman of the Board may be, or may be perceived
to be, in conflict, and responding to any reported conflicts of interest, or potential conflicts of interest, arising for any director;
|
|
o |
developing and managing the execution of a plan for the orderly separation of the Chairman of the Board and CEO roles; |
|
o |
presiding as chairman of meetings of the Board at which the Chairman of the Board is not present, including executive sessions of
the independent members of the Board; |
|
o |
serving as liaison between the Chairman of the Board and the independent members of the Board; |
|
o |
approving meeting agendas for the Board; |
|
o |
approving information sent to the Board; |
|
o |
approving meeting schedules to assure that there is sufficient time for discussion of all agenda items; |
|
o |
having the authority to call meetings of the independent members of the Board; |
|
o |
being available for consultation and direct communication with shareholders, as appropriate; |
|
o |
recommending that the Board retain consultants or advisers that report directly to the Board; |
|
o |
conferring with the Chairman of the Board on important Board matters and ensuring the Board focuses on key issues and tasks facing
the Company; and |
|
o |
performing such other duties as the Board may from time to time delegate to assist the Board in the fulfillment of its duties.
|
We intend to maintain the role of a Lead Independent
Director following our execution of the planned leadership changes in April 2023, and will disclose revised roles and responsibilities
reflecting such changes as part of our 2023 Proxy Statement.
Audit Committee
Under the Companies Law, the board of directors of a public company
must appoint an audit committee. Our audit committee consists of three independent directors, Ron Gutler (Chairperson), Kim Perdikou,
and François Auque.
Audit Committee Composition
Under Nasdaq corporate governance rules, we are required to maintain
an audit committee consisting of at least three independent directors, each of whom is financially literate and one of whom has accounting
or related financial management expertise.
All members of our audit committee meet the requirements for
financial literacy under the applicable rules and regulations of the SEC and Nasdaq corporate governance rules. Our board of directors
has determined that each of Ron Gutler, Kim Perdikou and François Auque is an audit committee financial expert as defined by SEC
rules and each has the requisite financial experience as defined by Nasdaq corporate governance rules.
Each of the members of the audit committee is “independent”
as such term is defined in Rule 10A-3(b)(1) under the Exchange Act, which is different from the general test for independence of board
members and members of other committees.
Audit Committee Role
Our board of directors has an audit committee charter that sets
forth the responsibilities of the audit committee consistent with the rules of the SEC and the listing requirements of Nasdaq, as well
as the requirements for such committee under the Companies Law. The responsibilities of the audit committee under the audit committee
charter include, among others, the following:
|
o |
overseeing of our accounting and financial reporting process and the audits of our financial statements, the effectiveness of our
internal control over financial reporting and making such reports as may be required of an audit committee under the rules and regulations
promulgated under the Exchange Act; |
|
o |
retaining and terminating our independent registered public accounting firm subject to the approval of our board of directors and,
in the case of retention, of our shareholders and recommending the terms of audit and non-audit services provided by the independent registered
public accounting firm for pre-approval by our board of directors and related fees and terms; |
|
o |
establishing systems of internal control over financial reporting, including communication and implementation thereof and the assessment
of the internal controls in accordance with the Sarbanes-Oxley Act, and any attestation by the independent registered public accounting
firm; |
|
o |
determining whether there are deficiencies in the business
management practices of our Company, including in consultation with our Head of Internal Audit or the independent registered public accounting
firm, and making recommendations to the board of directors to improve such practices; |
|
o |
determining whether to approve certain related party transactions (see “Item 6.C. Board Practices —Approval of Related
Party Transactions under Israeli Law”); |
|
o |
recommending to the board of directors the retention and termination of our Head of Internal Audit, and determining the Head of Internal
Audit’s remuneration, in accordance with the Companies Law; |
|
o |
approving the working plan proposed by the Head of Internal Audit and reviewing and discussing the work of the internal auditor on
a quarterly basis; |
|
o |
reviewing our cybersecurity risks and controls with senior management, keeping our board informed of key issues related to cybersecurity;
|
|
o |
establishing procedures for the handling of employees’ complaints as to the deficiencies in the management of our business
and the protection to be provided to such employees; and
|
|
o |
performing such other duties consistent with the audit committee charter, our governing documents, stock exchange rules and applicable
law that may be requested by the board of directors from time to time, including discussing with management policies and practices that
govern the process by which the Company undertakes risk assessment and management in sensitive areas. |
Compensation Committee
Under the Companies Law, the board of directors of any public
company must appoint a compensation committee. Our compensation committee consists of three independent directors, Kim Perdikou (Chairperson),
Gadi Tirosh and Ron Gutler.
Compensation Committee
Composition
Under Nasdaq corporate governance rules, we are required to maintain
a compensation committee consisting of at least two independent directors. Each of the members of the compensation committee is “independent”
as such term is defined in Rule 10C-1(b)(1) under the Exchange Act, which is different from the general test for independence of board
members and members of other committees.
Compensation Policy pursuant
to the Israeli Companies Law
The duties of the compensation committee include the recommendation
to the company’s board of directors of a policy regarding the terms of engagement of office holders, as such term is defined under
the Companies Law, to which we refer as a compensation policy. That compensation policy must be adopted by the company’s board of
directors, after considering the recommendations of the compensation committee, and must be brought for approval by the company’s
shareholders at least once every three years, which approval requires a Special Approval for Compensation (as defined below under “—Approval
of Related Party Transactions under Israeli Law—Disclosure of Personal Interests of an Office Holder and Approval of Certain Transactions”).
Under special circumstances, the board of
directors may approve the compensation policy despite the objection of the shareholders on the condition that the compensation committee
and then the board of directors decide, on the basis of detailed grounds and after discussing again the compensation policy, that approval
of the compensation policy, despite the objection of the meeting of shareholders, is for the benefit of the company.
The compensation policy must serve as the basis for decisions
concerning the financial terms of employment or engagement of office holders, including exculpation, insurance, indemnification or any
monetary payment, obligation of payment or other benefit in respect of employment or engagement. The compensation policy must be determined
and later re-evaluated according to certain factors, including the advancement of the company’s objectives, business plan and its
long-term strategy and creation of appropriate incentives for office holders, while considering, among other things, the company’s
risk management policy, the size and the nature of its operations and with respect to variable compensation, the contribution of the office
holder towards the achievement of the company’s long-term goals and the maximization of its profits, all with a long-term objective
and according to the position of the office holder. The compensation policy must include certain principles, such as: a link between variable
compensation and long-term performance, which variable compensation shall, other than with respect to office holders who report to the
CEO, be primarily based on measurable criteria; the relationship between variable and fixed compensation; and the minimum holding or vesting
period for variable, equity-based compensation. The compensation committee is responsible for (a) recommending the compensation policy
to a company’s board of directors for its approval (and subsequent approval by our shareholders) and (b) duties related to
the compensation policy and to the compensation of company’s office holders (as described below). Accordingly, following the recommendation
and approval of our compensation committee and Board, our shareholders approved our compensation policy at the June 2022 annual general
meeting.
Compensation Committee
Role
Our board of directors has adopted a compensation committee charter
that sets forth the responsibilities of the compensation committee. The responsibilities of the committee set forth in its charter and
the Companies Law include, among others, the following:
|
o |
recommending to the board of directors for its approval a compensation policy and subsequently reviewing it from time to time, assessing
its implementation and recommending periodic updates, whether a new compensation policy should be adopted or an existing compensation
policy should continue in effect; |
|
o |
reviewing, evaluating and making recommendations regarding the terms of office, compensation and benefits for our office holders,
including the non-employee directors, taking into account our compensation policy; |
|
o |
exempting certain compensation arrangements from the requirement to obtain shareholder approval under the Companies Law (including
with respect to the Chief Executive Officer); and |
|
o |
reviewing and granting equity-based awards pursuant to our equity incentive plans to the extent such authority is delegated to the
compensation committee by our board of directors and the reserving of additional shares for issuance thereunder. |
Under our compensation policy, which was approved by our shareholders
in June 2022, the compensation committee is responsible for the general administration of the policy.
Nominating,
Environmental, Sustainability and Governance
Committee
Our nominating, environmental, sustainability and governance
committee consists of three independent directors, Gadi Tirosh (Chairperson), Kim Perdikou and Amnon Shoshani.
Nominating Environmental,
Sustainability and Governance Committee Role
Our board of directors has a nominating , environmental, sustainability
and governance committee charter that sets forth the responsibilities of the nominating, environmental, sustainability and governance
committee, which include:
|
o |
overseeing and assisting our board of directors in reviewing and recommending nominees for election as directors and as members of
the committees of the board of directors; |
|
o |
establishing procedures for, and administering the performance of the members of our board and its committees; |
|
o |
evaluating and making recommendations to our board of directors regarding the termination of membership of directors; |
|
o |
reviewing, evaluating and making recommendations regarding management succession and development; |
|
o |
reviewing and making recommendations to our board of directors regarding board member qualifications, composition and structure and
the nature and duties of the committees and qualifications of committee members; |
|
o |
establishing and maintaining effective corporate governance principles and practices, including, but not limited to, developing and
recommending to our board of directors a set of corporate governance guidelines applicable to our Company; and |
|
o |
provide oversight of the Company’s efforts with regard to ESG matters, disclosure and strategy, as well as coordinate, as necessary,
with other committees of the board of directors and the Company’s ESG committee and steering committee, which are comprised of key
Company employees and management. |
Disclosure of Compensation of Executive Officers
For so long as we qualify as a foreign private issuer, we are
not required to comply with the proxy rules applicable to U.S. domestic companies, including the requirement applicable to certain domestic
issuers that do not qualify as emerging growth companies to disclose on an individual, rather than an aggregate basis, the compensation
of our named executive officers as defined in Item 402 of Regulation S-K. Nevertheless, the Companies Law requires that we disclose the
annual compensation of our five most highly compensated office holders (as defined under the Companies Law) on an individual basis. Under
the Companies Law regulations, this disclosure is required to be included in the annual proxy statement for our annual meeting of shareholders
each year, which we will furnish to the SEC under cover of a Report of Foreign Private Issuer on Form 6-K. Because of that disclosure
requirement under Israeli law, we are also including such information in this annual report, pursuant to the disclosure requirements of
Form 20-F.
For additional information, see “Item 6.B. Compensation—
Compensation of Directors and Senior Management.”
Compensation of Directors
Under the Companies Law, compensation of directors requires the
approval described below under “Approval of Related Party Transactions under Israeli Law - Disclosure of Personal Interests of an
Office Holder and Approval of Certain Transactions.”
The directors are also entitled to be paid reasonable travel,
hotel and other expenses expended by them in attending board meetings and performing their functions as directors of the Company, all
of which is to be determined by the board of directors.
For additional information, see “Item 6.B. Compensation—Compensation
of Directors and Senior Management.”
Internal Auditor
Under the Companies Law, the board of directors of an Israeli
public company must appoint an internal auditor recommended by the audit committee. An internal auditor may not be:
|
o |
a person (or a relative of a person) who holds more than 5% of the company’s outstanding shares or voting rights; |
|
o |
a person (or a relative of a person) who has the power to appoint a director or the general manager of the company; |
|
o |
an office holder (including a director) of the company (or a relative thereof); or |
|
o |
a member of the company’s independent accounting firm, or anyone on his or her behalf. |
The role of the internal auditor is to examine, among other
things, our compliance with applicable law and orderly business procedures. The audit committee is required to oversee the activities
and to assess the performance of the internal auditor as well as to review the internal auditor’s work plan. Dror Bar Moshe served
as our internal auditor, as Head of Internal Audit for the year ended December 31, 2022.
Approval of Related Party Transactions under
Israeli Law
Fiduciary Duties of Directors
and Office Holders
The Companies Law codifies the fiduciary duties that office holders
owe to a company. The term “office holder” is defined under the Companies Law as a general manager, chief business manager,
deputy general manager, vice general manager, any other person assuming the responsibilities of any of these positions (regardless of
that person’s title), a director and any other manager directly subordinate to the general manager.
An office holder’s fiduciary duties consist of a duty of
care and a duty of loyalty. The duty of care requires an office holder to act with the level of care with which a reasonable office holder
in the same position would have acted under the same circumstances. The duty of loyalty requires that an office holder act in good faith
and in the best interests of the company.
The duty of care includes a duty to use reasonable means to obtain:
|
o |
information on the advisability of a given action brought for his or her approval or performed by virtue of his or her position;
and |
|
o |
all other important information pertaining to any such action. |
The duty of loyalty includes a duty to:
|
o |
refrain from any conflict of interest between the performance of his or her duties to the company and his or her duties or personal
affairs; |
|
o |
refrain from any action which competes with the company’s business; |
|
o |
refrain from exploiting any business opportunity of the company in order to receive a personal gain for himself or herself or others;
and |
|
o |
disclose to the company any information or documents relating to the company’s affairs which the office holder received as
a result of his or her position as an office holder. |
We may approve an act specified above that would otherwise constitute
a breach of the duty of loyalty of an office holder, provided, that the office holder acted in good faith, the act or its approval does
not harm the company, and the office holder discloses his or her personal interest, including any related material information or document,
a sufficient time before the approval of such act. Any such approval is subject to the terms of the Companies Law, setting forth, among
other things, the organs of the company entitled to provide such approval, and the methods of obtaining such approval.
Disclosure of Personal
Interests of an Office Holder and Approval of Certain Transactions
The Companies Law requires that an office holder promptly disclose
to the board of directors any personal interest that he or she may be aware of and all related material information or documents concerning
any existing or proposed transaction with the company. An interested office holder’s disclosure must be made promptly and in any
event no later than the first meeting of the board of directors in which the transaction is considered.
Under the Companies Law, a “personal interest” includes
an interest of any person in an act or transaction of a company, including a personal interest of such person’s relative or of a
corporate body in which such person or a relative of such person is a 5% or greater shareholder, director or general manager, or in which
he or she has the right to appoint at least one director or the general manager, but excluding a personal interest stemming from one’s
ownership of shares in the company. A personal interest furthermore includes the personal interest of a person for whom the office holder
holds a voting proxy or the personal interest of the office holder with respect to his or her vote on behalf of a person for whom he or
she holds a proxy even if such shareholder has no personal interest in the matter. An office holder is not, however, obliged to disclose
a personal interest if it derives solely from the personal interest of his or her relative in a transaction that is not considered an
extraordinary transaction. Under the Companies Law, an extraordinary transaction is defined as any of the following:
|
o |
a transaction other than in the ordinary course of business; |
|
o |
a transaction that is not on market terms; or |
|
o |
a transaction that may have a material impact on a company’s profitability, assets or liabilities. |
If it is determined that an office holder has a personal interest
in a transaction, approval by the board of directors (and, in certain circumstances, of its applicable committee) is required for the
transaction, unless the company’s articles of association provide for a different method of approval. Further, so long as an office
holder has disclosed his or her personal interest in a transaction and acted in good faith and the transaction or action does not harm
the company’s best interests, the board of directors may approve an action by the office holder that would otherwise be deemed a
breach of duty of loyalty.
The compensation of, or an undertaking to indemnify or insure,
an office holder requires approval first by the company’s compensation committee, then by the company’s board of directors,
and, if such compensation arrangement or an undertaking to indemnify or insure is that of a director, the approval of the shareholders
by an ordinary majority. If such compensation arrangement or an undertaking to indemnify or insure is inconsistent with the company’s
stated compensation policy then such arrangement is subject to the approval of a majority vote of the shares present and voting at a shareholders
meeting, provided that either, which we refer to as the Special Approval for Compensation:
(a) such majority includes at least a
majority of the shares held by all shareholders who do not have a personal interest in such compensation arrangement and are not controlling
shareholders, excluding abstentions; or
(b) the total number of shares of shareholders
who do not have a personal interest in the compensation arrangement and who vote against the arrangement does not exceed 2% of the company’s
aggregate voting rights.
Generally, a person who has a personal interest in a matter which
is considered at a meeting of the board of directors or the audit committee may not be present at such a meeting or vote on that matter
unless the chairman of the relevant committee or board of directors (as applicable) determines that he or she should be present in order
to present the transaction that is subject to approval, in which case such person may do so but may not vote on the matter. If a majority
of the members of the audit committee or the board of directors (as applicable) has a personal interest in the approval of a transaction,
then all directors may participate in discussions of the audit committee or the board of directors (as applicable) on such transaction
and the voting on approval thereof. However, in the event that a majority of the members of the board has a personal interest in a transaction,
shareholder approval is also required for such transaction.
Disclosure of Personal
Interests of Controlling Shareholders and Approval of Certain Transactions
We currently do not have a controlling shareholder. If in the
future we would have a controlling shareholder, disclosure requirements regarding personal interests will apply and shareholder approval
(meeting a special majority requirement) will be required with respect to transactions specified in the Companies Law involving the controlling
shareholder, parties having certain relationships with the controlling shareholder and certain other specific transactions. In such cases,
the votes of a controlling shareholder and certain parties associated with it would be excluded for purposes of special majority voting
requirements. Additionally, the Companies Law provides a different, broader definition of a controlling shareholder with respect to the
provisions pertaining to the approval of related party transactions.
Shareholder Duties
Pursuant to the Companies Law, a shareholder has a duty to act
in good faith and in a customary manner toward the company and other shareholders and to refrain from abusing his or her power in the
company, including, among other things, in voting at a general meeting and at shareholder class meetings with respect to the following
matters:
|
o |
an amendment to the company’s articles of association; |
|
o |
an increase of the company’s authorized share capital; |
|
o |
the approval of related party transactions and acts of office holders that require shareholder approval. |
In addition, a shareholder also has a general duty to refrain
from discriminating against other shareholders.
Certain shareholders also have a duty of fairness toward the
company. These shareholders include any controlling shareholder, any shareholder who knows that he or she has the power to determine the
outcome of a shareholder vote and any shareholder who has the power to appoint or to prevent the appointment of an office holder of the
company or other power towards the company. The Companies Law does not define the substance of the duty of fairness, except to state that
the remedies generally available upon a breach of contract will also apply in the event of a breach of the duty to act with fairness.
Exculpation, Insurance and Indemnification
of Directors and Officers
Under the Companies Law, a company may not exculpate an office
holder from liability for a breach of the duty of loyalty. An Israeli company may exculpate an office holder in advance from liability
to the company, in whole or in part, for damages caused to the company as a result of a breach of duty of care but only if a provision
authorizing such exculpation is included in its articles of association. Our articles of association include such a provision. The company
may not exculpate in advance a director from liability arising out of a prohibited dividend or distribution to shareholders.
Under the Companies Law and the Securities Law, a company may
indemnify an office holder in respect of the following liabilities, payments and expenses incurred for acts performed by him or her as
an office holder, either pursuant to an undertaking made in advance of an event or following an event, provided its articles of association
include a provision authorizing such indemnification:
|
o |
a monetary liability incurred by or imposed on him or her in favor of another person pursuant to a judgment, including a settlement
or arbitrator’s award approved by a court. However, if an undertaking to indemnify an office holder with respect to such liability
is provided in advance, then such undertaking must be limited to certain events which, in the opinion of the board of directors, can be
foreseen based on the company’s activities when the undertaking to indemnify is given, and to an amount or according to criteria
determined by the board of directors as reasonable under the circumstances, and such undertaking shall detail the foreseen events and
described above amount or criteria; |
|
o |
reasonable litigation expenses, including reasonable attorneys’ fees, incurred by the office holder (1) as a result of
an investigation or proceeding instituted against him or her by an authority authorized to conduct such investigation or proceeding, provided
that (i) no indictment was filed against such office holder as a result of such investigation or proceeding; and (ii) no financial
liability was imposed upon him or her as a substitute for the criminal proceeding as a result of such investigation or proceeding or,
if such financial liability was imposed, it was imposed with respect to an offense that does not require proof of criminal intent; or
(2) in connection with a monetary sanction or liability imposed on him or her in favor of an injured party in certain Administrative
proceedings; |
|
o |
expenses incurred by an office holder in connection with Administrative proceedings instituted against such office holder, or certain
compensation payments made to an injured party imposed on an office holder by Administrative proceedings, including reasonable litigation
expenses and reasonable attorneys’ fees; and |
|
o |
reasonable litigation expenses, including attorneys’ fees, incurred by the office holder or imposed by a court in proceedings
instituted against him or her by the company, on its behalf, or by a third party, or in connection with criminal proceedings in which
the office holder was acquitted, or as a result of a conviction for an offense that does not require proof of criminal intent. |
Under the Companies Law and the Securities Law, a company may
insure an office holder against the following liabilities incurred for acts performed by him or her as an office holder if and to the
extent provided in the company’s articles of association:
|
o |
a breach of duty of care to the company or to a third party, to the extent such a breach arises out of the negligent conduct of the
office holder; |
|
o |
a breach of the duty of loyalty to the company, provided that the office holder acted in good faith and had a reasonable basis to
believe that the act would not harm the company; |
|
o |
a monetary liability imposed on the office holder in favor of a third party; |
|
o |
a monetary liability imposed on the office holder in favor of an injured party in certain Administrative proceedings; and |
|
o |
expenses incurred by an office holder in connection with certain Administrative proceedings, including reasonable litigation expenses
and reasonable attorneys’ fees. |
Under the Companies Law, a company may not indemnify, exculpate
or insure an office holder against any of the following:
|
o |
a breach of the duty of loyalty, except for indemnification and insurance for a breach of the duty of loyalty to the company to the
extent that the office holder acted in good faith and had a reasonable basis to believe that the act would not prejudice the company;
|
|
o |
a breach of duty of care committed intentionally or recklessly, excluding a breach arising out of the negligent conduct of the office
holder; |
|
o |
an act or omission committed with intent to derive illegal personal benefit; or |
|
o |
a civil or criminal fine, monetary sanction or forfeit levied against the office holder. |
Under the Companies Law, exculpation, indemnification and insurance
of office holders in a public company must be approved by the compensation committee and the board of directors and, with respect to certain
office holders or under certain circumstances, also by the shareholders. See “Item 6.C. Board Practices—Approval of Related
Party Transactions under Israeli Law.”
We have entered into indemnification agreements with our office
holders to exculpate, indemnify and insure our office holders to the fullest extent permitted or to be permitted by our articles of association
and applicable law (including without limitation), the Companies Law, the Securities Law and the Israeli Restrictive Trade Practices Law,
5758-1988. We have obtained director and officer liability insurance for the benefit of our office holders and intend to continue to maintain
such insurance as deemed adequate and to the extent permitted by the Companies Law.
As of December 31, 2022, we had 2,768 employees and subcontractors
with 869 located in Israel, 939 in the United States, 153 in the United Kingdom and 807 across 43 other countries. The following table
shows the breakdown of our global workforce of employees and subcontractors by category of activity as of the dates indicated:
| |
|
As of December 31, |
|
|
Department |
|
2020 |
|
|
2021 |
|
|
2022 |
|
|
Sales and marketing
|
|
|
772 |
|
|
|
941 |
|
|
|
1,157 |
|
|
Research and development
|
|
|
464 |
|
|
|
643 |
|
|
|
901 |
|
|
Services and support
|
|
|
309 |
|
|
|
381 |
|
|
|
493 |
|
|
General and administrative
|
|
|
144 |
|
|
|
175 |
|
|
|
217 |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
Total
|
|
|
1,689 |
|
|
|
2,140 |
|
|
|
2,768 |
|
All our employment agreements are governed by local labor laws.
None of our employees work under any collective bargaining agreements, except for our employees in Italy who work under the national collective
bargaining agreement for trade and commerce sector (CCNL Commercio), which affects matters such
as length of working, annual holidays entitlement, sick leave, travel expenses and pension rights, and our employees in France who work
under the collective bargaining agreement for offices of technical studies, offices of consulting engineers and consulting firms (SYNTEC
CBA), and our employees in Spain who work under the collective bargaining agreement for the sale of Metal of the Region of Madrid
or the collective bargaining agreement for the sale of Metal of the province of Barcelona, depending on their location.
With respect to our Israeli employees, Israeli labor laws govern
the length of the workday, minimum wages for employees, procedures for hiring and dismissing employees, determination of severance pay,
annual leave, sick days, advance notice of termination of employment, equal opportunity and anti-discrimination laws and other conditions
of employment. Subject to certain exceptions, Israeli law generally requires severance pay upon the retirement, death or dismissal of
an employee, and requires us and our employees to make payments to the National Insurance Institute, which is similar to the U.S. Social
Security Administration. Our Israeli employees have pension plans that comply with the applicable Israeli legal requirements and we make
monthly contributions to severance pay funds for all Israeli employees, which cover potential severance pay obligations.
Extension orders issued by the Israeli Ministry of Economy and
Industry (formerly the Israeli Ministry of Industry, Trade and Labor) apply to our employees in Israel and affect matters such as, living
adjustments to salaries, length of working hours and week, recuperation pay, travel expenses, and pension rights. We have never experienced
labor-related work stoppages or strikes and believe that our relations with our employees are satisfactory.
Environmental, Social & Governance
We view ESG principles as being part of our broader strategy
and values and believe that transparently disclosing our initiatives related to our ESG program will allow our stakeholders to be informed
about our progress.
Our approach to ESG is guided by an internal ESG Committee, which
is led by the Senior Vice President, Investor Relations and ESG and comprises members of key business areas including Legal and Compliance,
Human Resources, Investor Relations, Information Technology and Product Management. The ESG Committee reports to an Executive Steering
Committee that includes the CEO. Ultimately, the ESG Committee is overseen by the Board’s Nominating, Environmental, Sustainability
and Governance Committee and the full Board. We believe this structure increases the Board’s effectiveness as it oversees our progress,
including the establishment of key metrics and targets. Our ESG highlights, as of the fiscal year ended December 31, 2022, include the
following:
Governance,
Ethics and Compliance. We are committed to promoting integrity, honesty and professionalism
and to maintaining the highest standards of ethical conduct in all of our activities. In the
fourth quarter of 2022, we rolled out a new Code of Conduct to align more closely with our values and address the compliance risks most
relevant to our business. All CyberArk employees and executive officers are required to certify their compliance with the Code and other
company policies on an annual basis. Our Governance, Ethics and Compliance strategy is overseen by our Chief Legal Officer and supported
by our VP of Compliance & Ethics, who joined CyberArk in early 2022. We periodically review our compliance program in an effort to
ensure that risk mitigation efforts meet relevant regulatory requirements. Our progress is regularly reviewed with our Chief Financial
Officer and our CEO. The Audit Committee of the Board of Directors has primary oversight of our Ethics and Compliance program. See “Item
16B. Code of Ethics” for additional details.
Environment
and Climate. We recognize the importance of environmental stewardship. During 2022, we took steps to better understand our carbon
footprint. As we analyze the results, we are looking at possible opportunities to further understand how we can reduce our impact on the
environment.
Human Capital Management
Our People strategy (also Human Capital Management) is built
on four pillars: Attract, Belong, Communicate and Develop – the ABCDs. The ABCD strategy is one focused on the wellbeing,
retention, and career development of our people, since our culture continues to be a key ingredient in our success.
We
believe that the holistic experience across the ABCD pillars, combined with the right tone at the top, makes the most impact on our employees
and our culture. We are committed to hiring talented, smart, bold but humble employees who love a challenge. Our Chief Human Resource
Officer, who reports directly to our Chief Executive Officer, oversees our broad and comprehensive initiatives to promote a strong culture,
including employee recognition programs, matching charitable donations, a wide range of community volunteering opportunities, team building
events, regular executive round table discussions and employee engagement surveys.
Our
Culture
Our culture is an important contributing factor to our success
and a key differentiator in our strategy. We value diversity and inclusion which allows for the exchange of ideas, creates a strong community
and helps our employees to feel valued and respected.
Attract:
Recruitment & Wellbeing
As a growing business, we focus on attracting employees that
align to our core values. In 2022, we expanded our recruitment program and increased our focus on hiring and training recent university
graduates including rolling out a “U-Code” program in Israel. We offer a pay-for-performance total rewards approach. Our methodology
includes competitive base salaries, variable pay programs to drive target achievements, long-term incentives such as equity grants and
customized benefits packages across all our regions. We regularly review our total compensation offerings to address constantly changing
trends and developments in the complex global and local markets in which we operate. We have a hybrid
work model to promote our employees’ ability to meet their individual work-environment needs.
We
provide our employees and their families with robust healthcare benefits and a variety of health and wellness programs. From our benefits
and workspaces to our employee engagement and focus on values, we are creating an environment that fosters communication, collaboration
and community. We invest in our employees through various training and wellness programs focused on physical, emotional and financial
wellbeing, including lectures, meditation sessions, physical fitness classes
and challenges, monthly newsletters and team-building activities.
Belong:
Diversity, Equity & Inclusion
Diversity, Equity and Inclusion are critical to the successful
execution of our strategy. Cultivating a diverse, equitable and inclusive culture drives innovation, strengthens decision-making processes,
and creates a strong community that enables employees to be themselves. Given its importance to our overall strategic execution, our diversity,
equity and inclusion program is overseen by the compensation committee and the Board.
We also took important strides in cultivating a more diverse,
equitable and inclusive culture by launching two new Employee Resource Groups (ERGs) – one for women and the other for the LGBTQIA2S+
and ally community.
Communicate:
Employee Engagement, Recognition & Satisfaction
Two-way communication helps drive alignment and higher levels
of employee engagement and satisfaction. We regularly engage with our employees through programs such as our quarterly all-hands meetings
as well as roundtable sessions to increase transparency of strategy and progress through the lens of senior leaders. Providing bi-annual
feedback dialogues between each employee and their manager is another avenue for career planning and assessment to outline achievements,
challenges and growth opportunities.
Using a third party, we regularly conduct comprehensive employee
engagement surveys throughout all regions and departments. In our latest survey we had a participation rate of 81%, up from 74% in 2021,
and our engagement score was well above the industry benchmark, indicating that 84% of our employees were pleased with their overall experience
and would recommend CyberArk to a peer. We utilize this feedback to enhance and improve overall employee experience, our culture and our
strategy. Based on the survey, we executed programs including a series of small roundtable discussions to increase communication, a leadership
conference to increase customer centricity and more flexible work arrangements and training that promote better work-life balance.
Develop:
Learning and Career Development
We encourage all our employees to shape their own learning journey
and take advantage of the learning and development opportunities we provide. Learning and development helps everyone become more impactful
in both their current role as well as in future roles. In addition, we deliver learning solutions using various methodologies including
classroom-based sessions, virtual webinars, coaching and experiential learning to meet the needs of our employees. Some of these learning
efforts include an effective onboarding process for new employees and management training for managers, as well as learning opportunities
aligned with our strategic direction. Likewise, we provide all employees with access to multiple platforms for various self-paced, on-demand
learning opportunities.
Our Chief Executive Officer and our Chief Human Resource Officer
regularly report to the Board and the compensation committee on issues related to human capital management.
E. Share
Ownership
For information regarding the share ownership of our directors
and senior management, please refer to “Item 6.B. Compensation” and “Item 7.A. Major Shareholders.”
| ITEM
7. |
MAJOR SHAREHOLDERS AND RELATED PARTY TRANSACTIONS |
A. Major
Shareholders
The following table sets forth information with respect to the
beneficial ownership of our shares as of January 31, 2023 by:
|
• |
each person or entity known by us to own beneficially 5% or more of our outstanding shares; |
|
• |
each of our directors and senior management individually; and |
|
• |
all of our senior management and directors as a group. |
The beneficial ownership of ordinary shares is determined in
accordance with the rules of the SEC and generally includes any ordinary shares over which a person exercises sole or shared voting or
investment power, or the right to receive the economic benefit of ownership. For purposes of the table below, we deem shares subject to
equity-based awards that are currently exercisable or exercisable within 60 days of January 31, 2023, to be outstanding and to be beneficially
owned by the person holding the equity-based awards for the purposes of computing the percentage ownership of that person but we do not
treat them as outstanding for the purpose of computing the percentage ownership of any other person. The percentage of shares beneficially
owned is based on 41,070,787 ordinary shares outstanding as of January 31, 2023.
As of January 31, 2023, we had 6 holders of record of our ordinary
shares in the United States, including Cede & Co., the nominee of The Depository Trust Company. These shareholders held in the
aggregate 41,067,024 of our outstanding ordinary shares, or 99.9% of our outstanding ordinary shares as of January 31, 2023. The number
of record holders in the United States is not representative of the number of beneficial holders nor is it representative of where such
beneficial holders are resident since many of these ordinary shares were held by brokers or other nominees.
All of our shareholders, including the shareholders listed below,
have the same voting rights attached to their ordinary shares. See “Item 10.B. Memorandum and Articles of Association.” None
of our principal shareholders or our directors and senior management have different or special voting rights with respect to their ordinary
shares. Unless otherwise noted below, each shareholder’s address is CyberArk Software Ltd. 9 Hapsagot St., Park Ofer B, POB 3143,
Petach-Tikva, 4951040, Israel.
A description of any material relationship that our principal
shareholders have had with us or any of our predecessors or affiliates since January 31, 2022 is included under “Item 7.B. Related
Party Transactions.”
| |
|
Shares Beneficially Owned |
|
|
|
Name of Beneficial Owner |
|
Number |
|
% |
|
Principal Shareholders |
|
|
|
|
|
Wasatch Advisors, Inc. (1) |
|
2,368,496 |
|
5.7% |
| |
|
|
|
|
|
Senior
Management and Directors
|
|
|
|
|
|
Ehud (Udi) Mokady (2) |
|
* |
|
* |
|
Matthew Cohen |
|
* |
|
* |
|
Joshua Siegel |
|
* |
|
* |
|
Chen Bitan |
|
* |
|
* |
|
Peretz Regev |
|
* |
|
* |
|
Donna Rahav |
|
* |
|
* |
|
Gadi Tirosh |
|
* |
|
* |
|
Ron Gutler |
|
* |
|
* |
|
Kim Perdikou |
|
* |
|
* |
|
David Schaeffer |
|
* |
|
* |
|
Amnon Shoshani |
|
* |
|
* |
|
François Auque |
|
* |
|
* |
|
Avril England |
|
* |
|
* |
|
All senior management and directors as a group (13 persons) |
|
499,126 |
|
1.2% |
*Less than 1%
|
(1) |
Based on a Schedule 13G/A filed on February 9, 2023, by Wasatch Advisors, Inc. (“Wastach”), shares beneficially owned
consist of 2,368,496 ordinary shares over which Wastach has sole voting and dispositive power. The address of Wasatch is 505 Wakara Way,
Salt Lake City, UT 84108. |
|
(2) |
Mr. Mokady’s shares include 12,600 shares held in trust for family members over which Mr. Mokady is the beneficial
owner. |
Significant Changes
No significant changes have occurred since December 31,
2022, except as otherwise disclosed in this annual report.
B. Related
Party Transactions
Our policy is to enter into transactions with related parties
on terms that, on the whole, are no more favorable, or no less favorable, than those available from unaffiliated third parties. Based
on our experience in the business sectors in which we operate and the terms of our transactions with unaffiliated third parties, we believe
that all of the transactions described below met this policy standard at the time they occurred.
The following is a description of material transactions, or series
of related material transactions, since January 1, 2022, to which we were or will be a party and in which the other parties included or
will include our directors, executive officers, holders of more than 10% of our voting securities or any member of the immediate family
of any of the foregoing persons.
Registration Rights
Our investor rights agreement entitles our shareholders to
certain registration rights. None of our shareholders are currently entitled to registration rights.
Agreements with Directors and Officers
Employment
and Related Agreements. We have entered into written employment agreements
with each of our officers. These agreements provide for notice periods of varying duration for termination of the agreement by us or by
the relevant executive officer, during which time the officer will continue to receive base salary and benefits. These agreements also
contain customary provisions regarding confidentiality of information and ownership of inventions.
Equity
Awards. Since our inception we have granted options to purchase, and restricted
share units underlying, our ordinary shares to our officers and certain of our directors. Such award agreements contain acceleration provisions
upon certain merger, acquisition, or change of control transactions. We describe our equity incentive plans under “Item 6.B. Compensation—Equity
Incentive Plans” and the equity-based compensation received by certain of our senior managers in “Item 6.B. Compensation—Compensation
of Directors and Senior Management.” If the relationship between us and a senior manager, or a director, is terminated, except for
cause (as defined in the various option plan agreements), all options that are vested will remain exercisable for ninety days after such
termination in the case of our executive officers, or one year in the case of our directors.
Exculpation,
Indemnification and Insurance. Our articles of association permit us to
exculpate, indemnify and insure certain of our office holders to the fullest extent permitted by Israeli law. We have entered into agreements
with certain of our office holders, including our directors, exculpating them from a breach of their duty of care to us to the fullest
extent permitted by law and undertaking to indemnify them to the fullest extent permitted by law, subject to certain exceptions. See “Item
6.C. Board Practices—Exculpation, Insurance and Indemnification of Directors and Officers.”
C. Interests
of Experts and Counsel
Not applicable.
ITEM 8.
FINANCIAL INFORMATION
A. Consolidated
Statements and Other Financial Information
Consolidated Financial Statements
We have appended as part of this annual report our consolidated
financial statements starting at page F-1.
Legal Proceedings
From time to time we may be subject to legal proceedings and
claims arising in the ordinary course of business. We are currently not a party to any material litigation, and we are not aware of any
pending or threatened material legal or administrative proceedings against us. Regardless of the outcome, litigation can have an adverse
impact on us because of defense and settlement costs, diversion of management resources and other factors.
Dividend Policy
We have never declared or paid any cash dividends on our ordinary
shares. We do not anticipate paying any cash dividends in the foreseeable future. We currently intend to retain future earnings, if any,
to finance operations and expand our business. Our board of directors has sole discretion whether to pay dividends. If our board of directors
decides to pay dividends, the form, frequency and amount will depend upon our future operations and earnings, capital requirements and
surplus, general financial condition, contractual restrictions and other factors that our directors may deem relevant. The distribution
of dividends may also be limited by Israeli law, which permits the distribution of dividends only out of retained earnings or otherwise
upon the permission of an Israeli court.
B. Significant
Changes
No significant changes have occurred since December 31,
2022, except as otherwise disclosed in this annual report.
ITEM 9.
THE OFFER AND LISTING
A. Offer
and Listing Details
Our ordinary shares are quoted on Nasdaq under the symbol “CYBR.”
B. Plan of Distribution
Not applicable.
C. Markets
See “—Offer and Listing Details” above.
D. Selling
Shareholders
Not applicable.
E. Dilution
Not applicable.
F. Expenses
of the Issue
Not applicable.
ITEM 10. ADDITIONAL
INFORMATION
A. Share
Capital
Not applicable.
B. Memorandum
and Articles of Association
A copy of our amended and restated articles of association is
incorporated by reference as Exhibit 1.1 to this annual report on Form 20-F. The information called for by this Item is set forth in Exhibit
2.3 to this annual report on Form 20-F and is incorporated by reference into this annual report on Form 20-F.
C. Material
Contracts
For a description of the registration rights that we granted
under our Fourth Amended Investor Rights Agreement, please refer to “Item 7.B. Related Party Transactions—Registration Rights.”
For a description of our leases, see “Item 4.B.—Business
Overview—Properties.”
For a description of our issuance of convertible notes, see Note
11 to our consolidated financial statements included within this annual report.
D. Exchange
Controls
In 1998, Israeli currency control regulations were liberalized
significantly, so that Israeli residents generally may freely deal in foreign currency and foreign assets, and non-residents may freely
deal in Israeli currency and Israeli assets. There are currently no Israeli currency control restrictions on remittances of dividends
on the ordinary shares or the proceeds from the sale of the shares provided that all taxes were paid or withheld; however, legislation
remains in effect pursuant to which currency controls can be imposed by administrative action at any time.
Non-residents of Israel may freely hold and trade our securities.
Neither our articles of association nor the laws of the State of Israel restrict in any way the ownership or voting of ordinary shares
by non-residents, except that such restrictions may exist with respect to citizens of countries which are in a state of war with Israel.
Israeli residents are allowed to purchase our ordinary shares.
E. Taxation
Certain Israeli Tax Consequences
The following description is not intended to constitute a complete
analysis of all tax consequences relating to the acquisition, ownership and disposition of our ordinary shares. You should consult your
tax advisor concerning the specific and individual tax consequences of your particular situation, as well as any tax consequences that
may arise under the laws of any state, local, foreign or other taxing jurisdiction. This summary does not discuss all of the aspects of
Israeli tax law that may be relevant to a particular investor in light of his or her personal investment circumstances or to some types
of investors subject to special treatment under Israeli law. Examples of such investors include residents of Israel or traders in securities
who are subject to special tax regimes not covered in this discussion. Some parts of this discussion are based on tax legislation which
has not been subject to judicial or administrative interpretation. The discussion should not be construed as legal or professional tax
advice and does not cover all possible tax considerations.
Capital Gains
Capital gain tax is generally imposed on
the disposal of capital assets by an Israeli resident, and on the disposal of such assets by a non-Israel resident if those assets are
either (i) located in Israel, (ii) are shares or a right to a share in an Israeli resident corporation, or (iii) represent, directly or
indirectly, rights to assets located in Israel, unless a tax treaty in force between Israel and the seller’s country of residence
provides otherwise. The Ordinance distinguishes between “Real Capital Gain” and the “Inflationary Surplus.” Real
Capital Gain is the excess of the total capital gain over Inflationary Surplus computed generally on the basis of the increase in the
Israeli Consumer Price Index (CPI) between the date of purchase and the date of disposal.
The Real Capital Gain accrued by individuals
on the sale of our ordinary shares (that were purchased after January 1, 2012, whether listed on a stock exchange or not) will be taxed
at the rate of 25%. However, if such shareholder is a “Controlling Shareholder” (i.e., a person who holds, directly or indirectly,
alone or together with such person’s relative or another person who collaborates with such person on a permanent basis, 10% or more
of one of the Israeli resident company’s means of control) at the time of sale or at any time during the preceding 12 month period
and/or claims a deduction for interest and linkage differences expenses in connection with the purchase and holding of such shares, such
gain will be taxed at the rate of 30%. “Means of control” generally include the right to vote, receive profits, nominate a
director or an executive officer, receive assets upon liquidation, or order someone who holds any of the aforesaid rights how to act,
regardless of the source of such right.
The Real Capital Gain derived by corporations
will generally be subject to the ordinary corporate tax (23% in 2018 and thereafter).
An individual shareholder dealing in securities, or to whom such
income is otherwise taxable as ordinary business income are taxed in Israel at their marginal tax rates applicable to business income
(up to 47% in 2022). Certain Israeli institutions who are exempt from tax under section 9(2) or section 129(C)(a)(1) of the Ordinance
(such as exempt trust fund, pension fund) may be exempt from capital gains tax from the sale of our ordinary shares.
Capital Gains Taxes Applicable
to Non-Israeli Resident Shareholders
A non-Israeli resident who derives capital gains from the sale
of shares in an Israeli resident company that were purchased after the company was listed for trading on a stock exchange outside of Israel
should generally be exempt from Israeli capital gains tax so long as the capital gains derived from the sale of the shares was not attributed
to a permanent establishment that the non-resident maintains in Israel and that such shareholders are not subject to the Israeli Income
Tax Law (Inflationary Adjustments) 5745-1985. However, non-Israeli corporations will not be entitled to the foregoing exemption if Israeli
residents: (i) have a controlling interest of more than 25% in such non-Israeli corporation or (ii) are the beneficiaries of,
or are entitled to, 25% or more of the revenues or profits of such non-Israeli corporation, whether directly or indirectly. Such exemption
is not applicable to a person whose gains from selling or otherwise disposing of the shares are deemed to be a business income.
Additionally, a sale of shares by a non-Israeli resident (either
an individual or a corporation) may be exempt from Israeli capital gains tax under the eligibility to enjoy the provisions of an applicable
tax treaty benefits which should generally supersede Israeli domestic legislation. For example, under the Convention between the United
States and the Government of the State of Israel with respect to income taxes (the “United States-Israel Tax Treaty”),
the disposition of shares by a shareholder who (i) is a U.S. resident (for purposes of the treaty), (ii) holds the shares
as a capital asset, and (iii) is entitled to claim the benefits afforded to such person by the treaty, is generally exempt from Israeli
capital gains tax. Such exemption will not apply if: (i) the capital gain arising from the disposition can be attributed to royalties;
(ii) the shareholder holds, directly or indirectly, shares representing 10% or more of the voting capital during any part of the
12-month period preceding such sale, exchange or disposition, subject to certain conditions; (iii) such U.S. resident is an
individual and was present in Israel for a period or periods aggregating to 183 days or more during the relevant taxable year; (iv)
the capital gain arising from such sale, exchange or disposition is attributed to real estate located in Israel; or (v) the shareholder
is a U.S. resident (for purposes of the U.S.-Israel Treaty) and deemed a dealer or otherwise is deemed to have business income from such
sale, exchange or disposition of the shares attributed to a permanent establishment in Israel. In such case, the sale, exchange or disposition
of our ordinary shares would be subject to Israeli tax, to the extent applicable; however, under the United States-Israel Tax Treaty,
a U.S. resident would be permitted to claim a credit for such taxes against the U.S. federal income tax imposed with respect to such
sale, exchange or disposition, subject to the limitations under U.S. law applicable to foreign tax credits. The United States-Israel
Tax Treaty does not relate to tax credits against U.S. state or local taxes.
In some instances where our shareholders may be liable for Israeli
tax on the sale of their ordinary shares, the payment of the consideration may be subject to the withholding of Israeli tax at source.
Shareholders may be required to demonstrate that they are exempt from tax on their capital gains in order to avoid withholding at source
at the time of sale. Specifically, in transactions involving a sale of all of the shares of an Israeli resident company, in the form of
a merger or otherwise, the Israel Tax Authority may require from shareholders who are not liable for Israeli tax to sign declarations
in forms specified by this authority or to apply for and obtain a specific withholding tax certificate of exemption from the Israel Tax
Authority to confirm their particular status as non-Israeli resident, and, in the absence of such declarations or exemptions, may require
the purchaser of the shares to withhold taxes at source.
Taxation of Non-Israeli
Shareholders on Receipt of Dividends
Non-Israeli residents (either an individual or a corporation)
are generally subject to Israeli income tax on the receipt of dividends paid on our ordinary shares at the rate of 25%, unless an applicable
relief is provided in a treaty between Israel and the shareholder’s country of residence. With respect to a person who is a “Controlling
Shareholder” at the time of receiving the dividend or on any time during the preceding 12 months, the applicable tax rate is 30%.
Such dividends paid to non-Israeli residents are generally subject to Israeli withholding tax at a rate of 25% so long as the shares are
registered with a Nominee Company (whether the recipient is a Controlling Shareholder or not), unless a reduced tax rate is provided under
an applicable tax treaty, provided that a certificate from the Israel Tax Authority allowing for a reduced withholding tax rate is obtained
in advance. However, subject to the receipt in advance of a valid certificate from the Israel
Tax Authority allowing for a reduced tax rate, a distribution of dividends to non-Israeli residents
is subject to withholding tax at source at a rate of 15% if the dividend is distributed from income attributed to an Approved Enterprise
or generally 20% if the dividend is distributed from income attributed to a Preferred Enterprise (including Preferred Technological Enterprise
based on which the Company is taxed as from 2017 onwards), unless a reduced tax rate is provided under an applicable tax treaty (subject
to the receipt in advance of a valid certificate from the Israel Tax Authority allowing for a reduced tax rate). Under the United States-Israel
Tax Treaty, the maximum rate of tax withheld at source in Israel on dividends paid to a holder of our ordinary shares who is a U.S. resident
(for purposes of the United States-Israel Tax Treaty) is 25%. However, the maximum rate of withholding tax on dividends, not generated
from an Approved Enterprise or Benefited Enterprise, that are paid to a United States corporation holding 10% or more of the outstanding
voting capital throughout the tax year in which the dividend is distributed as well as during the previous tax year, is 12.5%, provided
that no more than 25% of the gross income for such preceding year consists of certain types of dividends and interest. Notwithstanding
the foregoing, a distribution of dividends to non-Israeli residents is subject to withholding tax at source at a rate of 15% if the dividend
is distributed from income attributed to an Approved Enterprise or for such U.S. corporation shareholder, provided that the condition
related to our gross income for the previous year (as set forth in the previous sentence) is met. The aforementioned rates under the United
States-Israel Tax Treaty will not apply if the dividend income was attributed to a permanent establishment that the U.S. resident maintains
in Israel. U.S. residents who are subject to Israeli withholding tax on a dividend may be entitled to a credit or deduction for United
States federal income tax purposes in the amount of the taxes withheld, subject to detailed rules contained in U.S. tax legislation. We
cannot assure you that in the event we declare a dividend we will designate the income out of which the dividend is paid in a manner that
will reduce shareholders’ tax liability.
If the dividend is attributable partly to
income derived from an Approved Enterprise, Benefited Enterprise or Preferred Enterprise, and partly to other sources of income, the withholding
rate will be a blended rate reflecting the relative portions of the two types of income. U.S. residents who are subject to Israeli
withholding tax on a dividend may be entitled to a credit or deduction for United States federal income tax purposes in the amount
of the taxes withheld, subject to detailed rules contained in U.S. tax legislation. As indicated above, application for this reduced
tax rate requires appropriate documentation presented to and specific instruction received from the Israel Tax Authority.
A non-Israeli resident who receives dividends from which tax
was duly withheld is generally exempt from the obligation to file tax returns in Israel with respect to such income, provided that (i)
such income was not generated from business conducted in Israel by the taxpayer; (ii) the taxpayer has no other taxable sources of income
in Israel with respect to which a tax return is required to be filed, and (iii) the taxpayer is not liable to Excess Tax (as further explained
below).
Payers of dividends on our ordinary shares, including the Israeli
stockbroker effectuating the transaction, or the financial institution through which the securities are held, are generally required,
subject to any of the foregoing exemptions, reduced tax rates and the demonstration of foreign residence of the shareholder, to withhold
tax upon the distribution of dividend at the rate of 25%, so long as the shares are registered with a nominee company.
Excess Tax
Individuals who are subject to tax in Israel (whether any such
individual is an Israeli resident or non-Israeli resident) are also subject to an additional tax at a rate of 3% on annual income exceeding
a certain threshold (NIS 663,240 for 2022) which amount is linked to the annual change in the Israeli consumer price index, including,
but not limited to, dividends, interest and capital gain.
Estate and Gift Tax
Israeli law presently does not impose estate or gift taxes.
Certain United States Federal Income Tax Consequences
The following is a description of certain United States federal
income tax consequences relating to the acquisition, ownership and disposition of our ordinary shares by a U.S. Holder (as defined below).
This description addresses only the United States federal income tax consequences to U.S. Holders that hold such ordinary shares as capital
assets within the meaning of Section 1221 of the Internal Revenue Code of 1986, as amended (the “Code”). This description
does not address tax considerations applicable to U.S. Holders that may be subject to special tax rules, including, without limitation:
|
• |
banks, financial institutions or insurance companies; |
|
• |
real estate investment trusts, regulated investment companies or grantor trusts; |
|
• |
brokers, dealers or traders in securities, commodities or currencies; |
|
• |
tax-exempt entities, accounts or organizations, including an “individual retirement account” or “Roth IRA”
as defined in Section 408 or 408A of the Code, respectively; |
|
• |
certain former citizens or long-term residents of the United States; |
|
• |
persons that receive our ordinary shares as compensation for the performance of services; |
|
• |
persons that hold our ordinary shares as part of a “hedging,” “integrated” or “conversion” transaction
or as a position in a “straddle” for United States federal income tax purposes; |
|
• |
persons subject to special tax accounting rules as a result of any item of gross income with respect to the ordinary shares being
taken into account in an applicable financial statement; |
|
• |
partnerships (including entities or arrangements classified as partnerships for United States federal income tax purposes) or other
pass-through entities or arrangements, or indirect holders that hold our ordinary shares through such an entity or arrangement;
|
|
• |
holders whose “functional currency” is not the U.S. dollar; or |
|
• |
holders that own directly, indirectly or through attribution 10.0% or more of the voting power or value of our shares. |
Moreover, this description does not address the United States
federal estate, gift or alternative minimum tax consequences, or any state, local or non-U.S. tax consequences, of the acquisition, ownership
and disposition of our ordinary shares.
This description is based on the Code, existing, proposed and
temporary United States Treasury Regulations and judicial and administrative interpretations thereof, in each case as in effect and available
on the date hereof. All of the foregoing is subject to change, which change could apply retroactively and could affect the tax consequences
described below. There can be no assurances that the U.S. Internal Revenue Service (IRS), will not take a different position concerning
the tax consequences of the ownership and disposition of our ordinary shares or that such a position would not be sustained. Holders should
consult their tax advisors concerning the U.S. federal, state, local and foreign tax consequences of acquiring, owning and disposing of
our ordinary shares in their particular circumstances.
For purposes of this description, a “U.S. Holder”
is a beneficial owner of our ordinary shares that, for United States federal income tax purposes, is:
|
• |
a citizen or individual resident of the United States; |
|
• |
a corporation (or other entity treated as a corporation for United States federal income tax purposes) created or organized in or
under the laws of the United States or any state thereof, including the District of Columbia; |
|
• |
an estate the income of which is subject to United States federal income taxation regardless of its source; or |
|
• |
a trust if such trust has validly elected to be treated as a United States person for United States federal income tax purposes or
if (1) a court within the United States is able to exercise primary supervision over its administration and (2) one or more
United States persons have the authority to control all of the substantial decisions of such trust. |
If a partnership (or any other entity or arrangement treated
as a partnership for United States federal income tax purposes) holds our ordinary shares, the tax treatment of a partner in such partnership
will generally depend on the status of the partner and the activities of the partnership. Such a partner or partnership should consult
its tax advisor as to the particular United States federal income tax consequences of acquiring, owning and disposing of our ordinary
shares in its particular circumstance.
You should consult your tax advisor with respect
to the United States federal, state, local and foreign tax consequences of acquiring, owning and disposing of our ordinary shares.
Distributions
Subject to the discussion below under “Passive Foreign
Investment Company Considerations,” the gross amount of any distribution made to you with respect to our ordinary shares before
reduction for any Israeli taxes withheld therefrom, other than certain distributions, if any, of our ordinary shares distributed pro rata
to all our shareholders, generally will be includible in your income as dividend income on the date on which the dividends are actually
or constructively received, to the extent such distribution is paid out of our current or accumulated earnings and profits as determined
under United States federal income tax principles. To the extent that the amount of any distribution by us exceeds our current and accumulated
earnings and profits as determined under United States federal income tax principles, it will be treated first as a tax‑free return
of your adjusted tax basis in our ordinary shares and thereafter as capital gain. However, we do not expect to maintain calculations of
our earnings and profits under United States federal income tax principles. Therefore, you should expect that the entire amount of any
distribution generally will be reported as dividend income to you. Subject to applicable limitations, dividends paid to certain non-corporate
U.S. Holders may qualify for the preferential rates of taxation with respect to dividends on ordinary shares if certain requirements,
including stock holding period requirements, are satisfied by the recipient and we are eligible for the benefits of the United States-Israel
Tax Treaty. However, such dividends will not be eligible for the dividends received deduction generally allowed to corporate U.S. Holders.
Subject to certain conditions and limitations, Israeli tax withheld
on dividends may be, at your election, either deducted from your taxable income or credited against your United States federal income
tax liability. Dividends paid to you with respect to our ordinary shares will generally be treated as foreign source income, which may
be relevant in calculating your foreign tax credit limitation. However, for periods in which we are a “United Stated-owned foreign
corporation,” a portion of dividends (generally attributable to earnings and profits from sources within the United States) paid
by us may be treated as U.S. source solely for purposes of the foreign tax credit. A United States-owned foreign corporation is any foreign
corporation if 50% or more of the total value or total voting power of its stock is owned, directly, indirectly or by attribution, by
United States persons. We believe that we may be treated as a United States-owned foreign corporation. As a result, if 10% or more of
our earnings and profits are attributable to sources within the United States, a portion of the dividends paid on our ordinary shares
allocable to United States source earnings and profits may be treated as United States source, and, as such a U.S. Holder may not offset
any Israeli withholding taxes withheld as a credit against United States federal income tax imposed on that portion of dividends. A U.S.
Holder entitled to benefits under the United States-Israel Tax Treaty may, however, elect to treat any dividends as foreign source income
for foreign tax credit purposes if the dividend income is separated from other income items for purposes of calculating the U.S. Holder’s
foreign tax credit. The rules governing the treatment of foreign taxes imposed on a U.S. Holder and foreign tax credits are very complex,
and U.S. Holders should consult their tax advisors about the impact of, and any exception available to, the special sourcing rule described
in this paragraph, and the desirability of making, and the method of making, such an election.
Sale, Exchange or Other
Taxable Disposition of Ordinary Shares
Subject to the discussion below under “Passive Foreign
Investment Company Considerations,” you generally will recognize gain or loss on the sale, exchange or other taxable disposition
of our ordinary shares equal to the difference between the amount realized on such sale, exchange or other taxable disposition and your
adjusted tax basis in our ordinary shares, and such gain or loss will be capital gain or loss. The adjusted tax basis in an ordinary share
generally will be equal to the cost of such ordinary share. If you are a non-corporate U.S. Holder, capital gain from the sale, exchange
or other taxable disposition of ordinary shares is generally eligible for a preferential rate of taxation applicable to capital gains,
if your holding period for such ordinary shares exceeds one year (i.e., such gain is long-term capital gain). The deductibility of capital
losses for United States federal income tax purposes is subject to limitations under the Code. Any such gain or loss that a U.S. Holder
recognizes generally will be treated as U.S. source income or loss for foreign tax credit limitation purposes.
Passive Foreign Investment
Company Considerations
If we were to be classified as a “passive foreign investment
company” (PFIC), in any taxable year, a U.S. Holder would be subject to special rules generally intended to reduce or eliminate
any benefits from the deferral of U.S. federal income tax that a U.S. Holder could derive from investing in a non-U.S. company that does
not distribute all of its earnings on a current basis.
A non-U.S. corporation will be classified as a PFIC for federal
income tax purposes in any taxable year in which, after applying certain look-through rules with respect to the income and assets of subsidiaries,
either:
|
• |
at least 75% of its gross income is “passive income”; or |
|
• |
at least 50% of the average quarterly value of its total gross assets (which may be measured in part by the market value of our ordinary
shares, which is subject to change) is attributable to assets that produce “passive income” or are held for the production
of passive income. |
Passive income for this purpose generally includes dividends,
interest, royalties, rents, gains from commodities and securities transactions and the excess of gains over losses from the disposition
of assets which produce passive income. There are several exceptions, however. For example, certain royalties that are considered active
under the relevant Treasury regulations are not treated as passive income. If a non-U.S. corporation owns directly or indirectly at least
25% by value of the stock of another corporation, the non-U.S. corporation is treated for purposes of the PFIC tests as owning its proportionate
share of the assets of the other corporation and as receiving directly its proportionate share of the other corporation’s income.
If we are classified as a PFIC in any year with respect to which a U.S. Holder owns our ordinary shares, we will continue to be treated
as a PFIC with respect to such U.S. Holder in all succeeding years during which the U.S. Holder owns our ordinary shares, regardless of
whether we continue to meet the tests described above.
Based on our market capitalization and the nature of our income,
assets and business, we believe that we should not be classified as a PFIC for the taxable year that ended December 31, 2022. However,
PFIC status is determined annually and requires a factual determination that depends on, among other things, the composition of our income,
assets and activities in each taxable year, and can only be made annually after the close of each taxable year. Furthermore, because the
value of our gross assets is likely to be determined in part by reference to our market capitalization, a decline in the value of our
ordinary shares may result in our becoming a PFIC. Accordingly, there can be no assurance that we will not be considered a PFIC for any
taxable year.
Under certain attribution rules, if we are considered a PFIC,
U.S. Holders may be deemed to own their proportionate share of equity in any PFIC owned by us (if any), such entities referred to as “lower-tier
PFICs,” and will be subject to U.S. federal income tax in the manner discussed below on (1) a distribution to us on the shares
of a “lower-tier PFIC” and (2) a disposition by us of shares of a “lower-tier PFIC,” both as if the holder
directly held the shares of such “lower-tier PFIC.”
If we are considered a PFIC for any taxable year during which
a U.S. Holder holds (or, as discussed in the previous paragraph, is deemed to hold) its ordinary shares, such holder will be subject
to adverse U.S. federal income tax rules. In general, if a U.S. Holder disposes of shares of a PFIC (including an indirect disposition
or a constructive disposition of shares of a “lower-tier PFIC”), gain recognized or deemed recognized by such holder would
be allocated ratably over such holder’s holding period for the shares. The amounts allocated to the taxable year of disposition
and to years before the entity became a PFIC, if any, would be treated as ordinary income.
The amount allocated to each other taxable year would be subject
to tax at the highest rate in effect for such taxable year for individuals or corporations, as appropriate, and an interest charge would
be imposed on the tax attributable to such allocated amounts. Further, any distribution in respect of shares of a PFIC (or a distribution
by a lower-tier PFIC to its shareholders that is deemed to be received by a U.S. Holder) in excess of 125% of the average of the
annual distributions on such shares received or deemed to be received during the preceding three years or the U.S. Holder’s
holding period, whichever is shorter, would be subject to taxation in the manner described above. In addition, dividend distributions
made to you will not qualify for the preferential rates of taxation applicable to long-term capital gains discussed above under “Distributions.”
Where a company that is a PFIC meets certain reporting requirements,
a U.S. Holder can avoid certain adverse PFIC consequences described above by making a “qualified electing fund” (QEF), election
to be taxed currently on its proportionate share of the PFIC’s ordinary income and net capital gains. However, we do not intend
to prepare or provide the information that would enable U.S. Holders to make a qualified electing fund election.
If we are a PFIC and our ordinary shares are “regularly
traded” on a “qualified exchange,” a U.S. Holder may make a mark-to-market election with respect to our ordinary shares
(but generally, not the shares of any lower-tier PFICs), which may help mitigate the adverse tax consequences resulting from our PFIC
status (but generally, not that of any lower-tier PFICs). Shares will be treated as “regularly traded” in any calendar year
in which more than a de minimis quantity of the ordinary shares are traded on a qualified exchange on at least 15 days during each calendar
quarter (subject to the rule that trades that have as one of their principal purposes the meeting of the trading requirement are disregarded).
Nasdaq is a qualified exchange for this purpose and, consequently, if our ordinary shares are regularly traded, the mark-to-market election
will be available to a U.S. Holder; however, there can be no assurance that trading volumes will be sufficient to permit a mark-to-market
election. In addition, because a mark-to-market election with respect to us generally does not apply to any equity interests in “lower-tier
PFICs” that we own, a U.S. Holder generally will continue to be subject to the PFIC rules with respect to its indirect interest
in any investments held by us that are treated as equity interests in a PFIC for U.S. federal income tax purposes.
If a U.S. Holder makes the mark-to-market election, for each
year in which we are a PFIC, the holder will generally include as ordinary income the excess, if any, of the fair market value of ordinary
shares at the end of the taxable year over their adjusted tax basis, and will be permitted an ordinary loss in respect of the excess,
if any, of the adjusted tax basis of our ordinary shares over their fair market value at the end of the taxable year (but only to the
extent of the net amount of previously included income as a result of the mark-to-market election). A U.S. Holder that makes a valid mark-to-market
election will not include mark-to-market gain or loss in income for any taxable year that we are not classified as a PFIC (although cessation
of our status as a PFIC will not terminate the mark-to-market election). Thus, if we are classified as a PFIC in a taxable year after
a year in which we are not classified as a PFIC, the U.S. Holder’s original election (unless revoked or terminated) continues to
apply and the U.S. Holder must include any mark-to-market gain or loss in such year. If a U.S. Holder makes the election, the holder’s
tax basis in our ordinary shares will be adjusted to reflect any such income or loss amounts. Any gain recognized on a sale or other disposition
of our ordinary shares will be treated as ordinary income. Any losses recognized on a sale or other disposition of our ordinary shares
will be treated as ordinary loss to the extent of any net mark-to-market gains for prior years. U.S. Holders should consult their tax
advisors regarding the availability and consequences of making a mark-to-market election in their particular circumstances. In particular,
U.S. Holders should consider carefully the impact of a mark-to-market election with respect to our ordinary shares if we have “lower-tier
PFICs” for which such election is not available. Once made, the mark-to-market election cannot be revoked without the consent of
the IRS unless our ordinary shares cease to be “regularly traded.”
If a U.S. Holder owns ordinary shares during any year in which
we are a PFIC, the U.S. Holder generally will be required to file an IRS Form 8621 (Information Return by a Shareholder of a Passive Foreign
Investment Company or Qualified Electing Fund) with respect to the Company (regardless of whether a QEF or mark-to-market election is
made), generally with the U.S. Holder’s U.S. federal income tax return for that year. If our Company were a PFIC for a given taxable
year, then you should consult your tax advisor concerning your annual filing requirements.
U.S. Holders should consult their tax advisors regarding whether
we are a PFIC and the potential application of the PFIC rules.
Medicare Tax
Certain U.S. Holders that are individuals, estates or trusts
are subject to a 3.8% tax on all or a portion of their “net investment income,” which may include all or a portion of their
dividend income and net gains from the disposition of ordinary shares. Each U.S. Holder that is an individual, estate or trust is urged
to consult its tax advisors regarding the applicability of the Medicare tax to its income and gains in respect of its investment in our
ordinary shares.
Backup Withholding Tax
and Information Reporting Requirements
United States backup withholding tax and information reporting
requirements may apply to certain payments to certain holders of stock. Information reporting generally will apply to payments of dividends
on, and to proceeds from the sale or redemption of, our ordinary shares made within the United States, or by a United States payor or
United States middleman, to a holder of our ordinary shares, other than an exempt recipient (including a payee that is not a United States
person that provides an appropriate certification and certain other persons). A payor will be required to withhold backup withholding
tax from any payments of dividends on, or the proceeds from the sale or redemption of, ordinary shares within the United States, or by
a United States payor or United States middleman, to a holder, other than an exempt recipient, if such holder fails to furnish its correct
taxpayer identification number or otherwise fails to comply with, or establish an exemption from, such backup withholding tax requirements.
Backup withholding is not an additional tax. Any amounts withheld under the backup withholding rules may be allowed as a credit against
the beneficial owner’s United States federal income tax liability, if any, and any excess amounts withheld under the backup withholding
rules may be refunded, provided that the required information is timely furnished to the IRS.
Foreign Asset Reporting
Certain U.S. Holders who are individuals or certain other non-corporate
entities may be required to report information relating to an interest in our ordinary shares, subject to certain exceptions (including
an exception for shares held in accounts maintained by U.S. financial institutions) by filing IRS Form 8938 (Statement of Specified Foreign
Financial Assets) with their federal income tax return. U.S. Holders are urged to consult their tax advisors regarding their information
reporting obligations, if any, with respect to their ownership and disposition of our ordinary shares.
The above description is not intended to constitute
a complete analysis of all tax consequences relating to acquisition, ownership and disposition of our ordinary shares. You should consult
your tax advisor concerning the tax consequences of your particular situation.
F. Dividends
and Paying Agents
Not applicable.
G. Statement
by Experts
Not applicable.
H. Documents
on Display
We are subject to the informational requirements of the Exchange
Act that are applicable to foreign private issuers, and under those requirements file reports with the SEC. Those other reports or other
information may be inspected without charge at the locations described above. As a foreign private issuer, we are exempt from the rules
under the Exchange Act related to the furnishing and content of proxy statements, and our officers, directors and principal shareholders
will be exempt from reporting under short-swing profit recovery provisions contained in Section 16 of the Exchange Act. In addition,
we are not required under the Exchange Act to file annual, quarterly and current reports and financial statements with the SEC as frequently
or as promptly as United States companies whose securities are registered under the Exchange Act. However, we will file with the
SEC, within 120 days after the end of each subsequent fiscal year, or such applicable time as required by the SEC, an annual report on
Form 20-F containing financial statements audited by an independent registered public accounting firm, and will submit to the SEC
reports on Form 6-K containing unaudited quarterly financial information.
Our filings with the SEC are also available to the public through
the SEC’s website at http://www.sec.gov. This site contains reports, proxy and information statements and other information regarding
issuers that file electronically with the SEC. The information on that website is not part of this annual report and is not incorporated
by reference herein.
I. Subsidiary
Information
Not applicable.
J. Annual
Report to Security Holders
Not applicable.
ITEM 11.
QUANTITATIVE AND QUALITATIVE DISCLOSURES ABOUT MARKET RISK
We are exposed to a variety of risks, including foreign currency
exchange fluctuations, changes in interest rates and inflation. We regularly assess currency, interest rate and inflation risks to minimize
any adverse effects on our business as a result of those factors.
Foreign Currency Risk
Our results of operations and cash flows are affected by fluctuations
due to changes in foreign currency exchange rates. In 2022, the majority of our revenues were denominated in U.S. dollars and the
remainder in other currencies, primarily Euros and British pounds sterling. In 2022, the majority of our cost of revenues and operating
expenses were denominated in U.S. dollars and NIS and the remainder in other currencies, primarily euros and British pounds sterling.
Our foreign currency-denominated expenses consist primarily of personnel, travel, marketing programs and other overhead costs. Since the
portion of our expenses generated in NIS and British pounds sterling is greater than our revenues in NIS and British pounds sterling,
respectively, any appreciation of the NIS or the British pounds sterling relative to the U.S. dollar could adversely impact
our operating loss. In addition, since the portion of our revenues generated in Euros is greater than our expenses incurred in euros,
any depreciation of the Euro relative to the U.S. dollar would adversely impact our operating loss.
The following table presents information about the changes in
the exchange rates of the NIS against the U.S. dollar:
|
Period |
|
Change in Average Exchange
Rate of the NIS
Against the
U.S. dollar (%) |
| |
|
|
|
2022
|
|
4.0 |
| |
|
|
|
2021
|
|
(6.2) |
| |
|
|
|
2020
|
|
(3.6) |
The figures above represent the change in the average exchange
rate in the given period compared to the average exchange rate in the immediately preceding period. Negative figures represent depreciation
of the U.S. dollar compared to the NIS. A 10% strengthening or weakening in the value of the NIS against the U.S. dollar would
have increased or decreased, respectively, our operating loss by approximately $16.0 million in 2022. We estimate that a 10% strengthening
or weakening in the value of the Euro against the U.S. dollar would have decreased or increased, respectively, our operating loss by approximately
$2.3 million in 2022. We estimate that a 10% strengthening or weakening in the value of the British pounds sterling against the U.S. dollar
would have increased or decreased, respectively, our operating loss by approximately $1.0 million in 2022. These estimates of the impact
of fluctuations in currency exchange rates on our historic results of operations may be different from the impact of fluctuations in exchange
rates on our future results of operations since the mix of currencies comprising our revenues and expenses may change.
For purposes of our consolidated financial statements, monetary
assets and liabilities in local currency are translated at the rate of exchange to the U.S. dollar on the balance sheet date and
local currency revenues and expenses are translated at the exchange rate at the date of the transaction or the average exchange rate during
the reporting period.
In addition, we have a significant NIS linked liability related
to our operational leases in Israel.
To protect against the increase in value of forecasted foreign
currency cash flow resulting from expenses paid in NIS during the year, we have instituted a foreign currency cash flow hedging program.
We hedge portions of the anticipated payroll of our Israeli employees in NIS for a period of one to 12 months with forward contracts and
other derivative instruments. In addition, from time to time we enter into foreign exchange forward transactions to economically hedge
certain net asset balances in Euros, British pounds sterling and Canadian dollars. We do not use derivative financial instruments for
speculative or trading purposes.
Interest Rate Risk
The primary objectives of our investment activities are to preserve
principal, support liquidity requirements, and maximize income without significantly increasing risk. Our investments are subject to market
risk due to changes in interest rates, which may affect our interest income and fair market value of our investments.
To minimize this risk, we maintain our portfolio of cash, cash
equivalents and short and long-term investments in a variety of securities, including money market funds, U.S. government and agency securities,
and corporate debt securities. We do not believe that a 10% increase or decrease in interest rates would have a material impact on our
operating results or cash flows.
Other Market Risks
We do not believe that we have any material exposure to inflationary
risks.
In November 2019, we issued $575.0 million aggregate principal
amount of 0.00% Convertible Senior Notes due 2024. We carry these instruments at face value less unamortized discount and unamortized
issuance costs on our consolidated balance sheets. As these instruments have no interest rate, we have no financial or economic interest
exposure associated with changes in interest rates. However, the fair value of these instruments fluctuates when interest rates change,
and additionally when the market price of our common stock fluctuates. The change in fair value does not impact our financial position,
cash flows or result of operation due to the fixed nature of the debt obligation.
ITEM 12.
DESCRIPTION OF
SECURITIES OTHER THAN EQUITY SECURITIES
Not applicable.