20-F 1 zk2431095.htm 20-F CyberArk Software Ltd. - 1598110 - 2024
http://fasb.org/us-gaap/2023#UsefulLifeTermOfLeaseMemberP2YP3YSelf-hosted subscription also includes maintenance associated with self-hosted subscriptions. IL0Represents an amount lower than $1. For the years ended December 31, 2022 and 2023, the Company capitalized $4,929 and $1,686 including $758 and $303 of share-based compensation costs, relating to its internal use software and website development, respectively. 2024-11-15false0001598110FYhttp://fasb.org/us-gaap/2023#OtherAssetshttp://fasb.org/us-gaap/2023#OtherAssetshttp://fasb.org/us-gaap/2023#OtherLiabilitiesCurrenthttp://fasb.org/us-gaap/2023#OtherLiabilitiesCurrenthttp://fasb.org/us-gaap/2023#OtherLiabilitiesNoncurrenthttp://fasb.org/us-gaap/2023#OtherLiabilitiesNoncurrent 0001598110 2021-12-31 0001598110 2022-12-31 0001598110 2022-01-01 2022-12-31 0001598110 2023-01-01 2023-12-31 0001598110 2023-12-31 0001598110us-gaap:TechnologyBasedIntangibleAssetsMember 2022-12-31 0001598110us-gaap:TechnologyBasedIntangibleAssetsMember 2023-12-31 0001598110us-gaap:CustomerRelationshipsMember 2022-12-31 0001598110us-gaap:CustomerRelationshipsMember 2023-12-31 0001598110us-gaap:OtherIntangibleAssetsMember 2022-12-31 0001598110us-gaap:OtherIntangibleAssetsMember 2023-12-31 0001598110 2021-01-01 2021-12-31 0001598110us-gaap:DevelopedTechnologyRightsMember 2023-12-31 0001598110srt:MinimumMemberus-gaap:ComputerEquipmentMember 2023-12-31 0001598110srt:MaximumMemberus-gaap:ComputerEquipmentMember 2023-12-31 0001598110srt:MinimumMemberus-gaap:OfficeEquipmentMember 2023-12-31 0001598110srt:MaximumMemberus-gaap:OfficeEquipmentMember 2023-12-31 0001598110us-gaap:MaintenanceMember 2023-01-01 2023-12-31 0001598110us-gaap:MaintenanceMember 2022-01-01 2022-12-31 0001598110us-gaap:MaintenanceMember 2021-01-01 2021-12-31 0001598110cybr:ProfessionalServicesMember 2023-01-01 2023-12-31 0001598110cybr:ProfessionalServicesMember 2022-01-01 2022-12-31 0001598110cybr:ProfessionalServicesMember 2021-01-01 2021-12-31 0001598110cybr:SaasMember 2023-01-01 2023-12-31 0001598110cybr:SaasMember 2022-01-01 2022-12-31 0001598110cybr:SaasMember 2021-01-01 2021-12-31 0001598110cybr:SelfHostedSubscriptionMember 2023-01-01 2023-12-31 0001598110cybr:SelfHostedSubscriptionMember 2022-01-01 2022-12-31 0001598110cybr:SelfHostedSubscriptionMember 2021-01-01 2021-12-31 0001598110cybr:PerpetualLicenseMember 2023-01-01 2023-12-31 0001598110cybr:PerpetualLicenseMember 2022-01-01 2022-12-31 0001598110cybr:PerpetualLicenseMember 2021-01-01 2021-12-31 0001598110us-gaap:OtherLiabilitiesMemberus-gaap:ForeignExchangeForwardMember 2023-12-31 0001598110us-gaap:OtherAssetsMemberus-gaap:ForeignExchangeForwardMember 2022-12-31 0001598110us-gaap:OtherAssetsMemberus-gaap:ForeignExchangeForwardMember 2023-12-31 0001598110us-gaap:ForeignExchangeOptionMember 2023-12-31 0001598110us-gaap:ForeignExchangeOptionMember 2022-12-31 0001598110us-gaap:OtherLiabilitiesMemberus-gaap:ForeignExchangeOptionMember 2022-12-31 0001598110us-gaap:OtherLiabilitiesMemberus-gaap:ForeignExchangeOptionMember 2023-12-31 0001598110us-gaap:ForeignExchangeForwardMember 2021-01-01 2021-12-31 0001598110us-gaap:ForeignExchangeForwardMember 2022-01-01 2022-12-31 0001598110us-gaap:ForeignExchangeForwardMember 2023-01-01 2023-12-31 0001598110 2019-01-01 2019-12-31 0001598110us-gaap:ConvertibleNotesPayableMember 2019-12-31 0001598110us-gaap:DeferredProjectCostsMember 2022-12-31 0001598110us-gaap:DeferredProjectCostsMember 2023-12-31 0001598110us-gaap:LeaseholdImprovementsMember 2023-12-31 0001598110cybr:NISDepositsMember 2022-12-31 0001598110cybr:NISDepositsMember 2023-12-31 0001598110cybr:EmployeesOverFiftyYearsMember 2023-01-01 2023-12-31 0001598110cybr:FirstThreePercentPayContributionMember 2023-01-01 2023-12-31 0001598110cybr:NextTwoPercentContributionMember 2023-01-01 2023-12-31 0001598110us-gaap:DerivativeMember 2021-01-01 2021-12-31 0001598110us-gaap:DerivativeMember 2022-01-01 2022-12-31 0001598110us-gaap:DerivativeMember 2023-01-01 2023-12-31 0001598110cybr:USDDepositsMember 2022-12-31 0001598110cybr:USDDepositsMember 2023-12-31 0001598110us-gaap:TechnologyBasedIntangibleAssetsMember 2023-01-01 2023-12-31 0001598110us-gaap:CustomerRelationshipsMember 2023-01-01 2023-12-31 0001598110us-gaap:OtherIntangibleAssetsMember 2023-01-01 2023-12-31 0001598110us-gaap:AccountingStandardsUpdate202006Member 2022-01-01 0001598110us-gaap:AccountingStandardsUpdate202006Member 2022-01-01 2022-12-31 0001598110us-gaap:AccountingStandardsUpdate202006Member 2023-01-01 2023-12-31 0001598110srt:MinimumMember 2023-01-01 2023-12-31 0001598110srt:MaximumMember 2023-01-01 2023-12-31 0001598110srt:MinimumMemberus-gaap:SoftwareDevelopmentMember 2023-01-01 2023-12-31 0001598110srt:MaximumMemberus-gaap:SoftwareDevelopmentMember 2023-01-01 2023-12-31 0001598110 2020-12-31 0001598110us-gaap:ForeignCountryMember 2023-12-31 0001598110us-gaap:DomesticCountryMember 2023-01-01 2023-12-31 0001598110us-gaap:MoneyMarketFundsMemberus-gaap:FairValueInputsLevel1Member 2022-12-31 0001598110us-gaap:MoneyMarketFundsMemberus-gaap:FairValueInputsLevel2Member 2022-12-31 0001598110us-gaap:MoneyMarketFundsMember 2022-12-31 0001598110us-gaap:MoneyMarketFundsMemberus-gaap:FairValueInputsLevel1Member 2023-12-31 0001598110us-gaap:MoneyMarketFundsMemberus-gaap:FairValueInputsLevel2Member 2023-12-31 0001598110us-gaap:MoneyMarketFundsMember 2023-12-31 0001598110us-gaap:FairValueInputsLevel1Membercybr:CorporateDebenturesAndCommercialPaperMember 2022-12-31 0001598110us-gaap:FairValueInputsLevel2Membercybr:CorporateDebenturesAndCommercialPaperMember 2022-12-31 0001598110cybr:CorporateDebenturesAndCommercialPaperMember 2022-12-31 0001598110us-gaap:FairValueInputsLevel1Membercybr:CorporateDebenturesAndCommercialPaperMember 2023-12-31 0001598110us-gaap:FairValueInputsLevel2Membercybr:CorporateDebenturesAndCommercialPaperMember 2023-12-31 0001598110cybr:CorporateDebenturesAndCommercialPaperMember 2023-12-31 0001598110us-gaap:FairValueInputsLevel1Memberus-gaap:USGovernmentDebtSecuritiesMember 2022-12-31 0001598110us-gaap:FairValueInputsLevel2Memberus-gaap:USGovernmentDebtSecuritiesMember 2022-12-31 0001598110us-gaap:USGovernmentDebtSecuritiesMember 2022-12-31 0001598110us-gaap:FairValueInputsLevel1Memberus-gaap:USGovernmentDebtSecuritiesMember 2023-12-31 0001598110us-gaap:FairValueInputsLevel2Memberus-gaap:USGovernmentDebtSecuritiesMember 2023-12-31 0001598110us-gaap:USGovernmentDebtSecuritiesMember 2023-12-31 0001598110us-gaap:FairValueInputsLevel1Member 2022-12-31 0001598110us-gaap:FairValueInputsLevel2Member 2022-12-31 0001598110us-gaap:FairValueInputsLevel1Member 2023-12-31 0001598110us-gaap:FairValueInputsLevel2Member 2023-12-31 0001598110us-gaap:SeniorNotesMember 2023-12-31 0001598110dei:BusinessContactMember 2023-01-01 2023-12-31 0001598110country:US 2021-01-01 2021-12-31 0001598110country:US 2022-01-01 2022-12-31 0001598110country:US 2023-01-01 2023-12-31 0001598110country:IL 2021-01-01 2021-12-31 0001598110country:IL 2022-01-01 2022-12-31 0001598110country:IL 2023-01-01 2023-12-31 0001598110country:GB 2021-01-01 2021-12-31 0001598110country:GB 2022-01-01 2022-12-31 0001598110country:GB 2023-01-01 2023-12-31 0001598110us-gaap:EMEAMember 2021-01-01 2021-12-31 0001598110us-gaap:EMEAMember 2022-01-01 2022-12-31 0001598110us-gaap:EMEAMember 2023-01-01 2023-12-31 0001598110cybr:OtherCountryMember 2021-01-01 2021-12-31 0001598110cybr:OtherCountryMember 2022-01-01 2022-12-31 0001598110cybr:OtherCountryMember 2023-01-01 2023-12-31 0001598110country:US 2022-12-31 0001598110country:US 2023-12-31 0001598110country:IL 2022-12-31 0001598110country:IL 2023-12-31 0001598110country:GB 2022-12-31 0001598110country:GB 2023-12-31 0001598110us-gaap:EMEAMember 2022-12-31 0001598110us-gaap:EMEAMember 2023-12-31 0001598110cybr:OtherCountryMember 2022-12-31 0001598110cybr:OtherCountryMember 2023-12-31 0001598110cybr:SingleCustomerMemberus-gaap:SalesRevenueNetMemberus-gaap:CustomerConcentrationRiskMember 2023-01-01 2023-12-31 0001598110cybr:SingleCustomerMemberus-gaap:SalesRevenueNetMemberus-gaap:CustomerConcentrationRiskMember 2022-01-01 2022-12-31 0001598110cybr:SingleCustomerMemberus-gaap:SalesRevenueNetMemberus-gaap:CustomerConcentrationRiskMember 2021-01-01 2021-12-31 0001598110us-gaap:CostOfSalesMember 2021-01-01 2021-12-31 0001598110us-gaap:CostOfSalesMember 2022-01-01 2022-12-31 0001598110us-gaap:CostOfSalesMember 2023-01-01 2023-12-31 0001598110us-gaap:ResearchAndDevelopmentExpenseMember 2021-01-01 2021-12-31 0001598110us-gaap:ResearchAndDevelopmentExpenseMember 2022-01-01 2022-12-31 0001598110us-gaap:ResearchAndDevelopmentExpenseMember 2023-01-01 2023-12-31 0001598110us-gaap:SellingAndMarketingExpenseMember 2021-01-01 2021-12-31 0001598110us-gaap:SellingAndMarketingExpenseMember 2022-01-01 2022-12-31 0001598110us-gaap:SellingAndMarketingExpenseMember 2023-01-01 2023-12-31 0001598110us-gaap:GeneralAndAdministrativeExpenseMember 2021-01-01 2021-12-31 0001598110us-gaap:GeneralAndAdministrativeExpenseMember 2022-01-01 2022-12-31 0001598110us-gaap:GeneralAndAdministrativeExpenseMember 2023-01-01 2023-12-31 0001598110srt:MinimumMemberus-gaap:EmployeeStockOptionMember 2022-01-01 2022-12-31 0001598110srt:MinimumMemberus-gaap:EmployeeStockOptionMember 2023-01-01 2023-12-31 0001598110us-gaap:EmployeeStockOptionMember 2021-01-01 2021-12-31 0001598110us-gaap:EmployeeStockOptionMember 2022-01-01 2022-12-31 0001598110us-gaap:EmployeeStockOptionMember 2023-01-01 2023-12-31 0001598110srt:MinimumMemberus-gaap:EmployeeStockOptionMember 2021-01-01 2021-12-31 0001598110srt:MaximumMemberus-gaap:EmployeeStockOptionMember 2021-01-01 2021-12-31 0001598110srt:MaximumMemberus-gaap:EmployeeStockOptionMember 2022-01-01 2022-12-31 0001598110srt:MaximumMemberus-gaap:EmployeeStockOptionMember 2023-01-01 2023-12-31 0001598110us-gaap:EmployeeStockMember 2021-01-01 2021-12-31 0001598110srt:MinimumMemberus-gaap:EmployeeStockMember 2022-01-01 2022-12-31 0001598110us-gaap:EmployeeStockMember 2022-01-01 2022-12-31 0001598110us-gaap:EmployeeStockMember 2023-01-01 2023-12-31 0001598110srt:MinimumMemberus-gaap:EmployeeStockMember 2023-01-01 2023-12-31 0001598110srt:MaximumMemberus-gaap:EmployeeStockMember 2023-01-01 2023-12-31 0001598110us-gaap:EmployeeStockMember 2023-12-31 0001598110srt:MaximumMemberus-gaap:EmployeeStockMember 2022-01-01 2022-12-31 0001598110us-gaap:PhantomShareUnitsPSUsMember 2023-12-31 0001598110cybr:Aapi1IncMember 2022-03-01 2022-03-31 0001598110cybr:C3MLlcMember 2022-07-01 2022-07-31 0001598110us-gaap:CommonStockMember 2020-12-31 0001598110us-gaap:AdditionalPaidInCapitalMember 2020-12-31 0001598110us-gaap:RetainedEarningsMember 2020-12-31 0001598110us-gaap:RetainedEarningsMember 2021-01-01 2021-12-31 0001598110us-gaap:AccumulatedOtherComprehensiveIncomeMember 2021-01-01 2021-12-31 0001598110us-gaap:AdditionalPaidInCapitalMember 2021-01-01 2021-12-31 0001598110us-gaap:CommonStockMember 2021-01-01 2021-12-31 0001598110us-gaap:RetainedEarningsMember 2022-01-01 2022-12-31 0001598110us-gaap:AccumulatedOtherComprehensiveIncomeMember 2022-01-01 2022-12-31 0001598110us-gaap:AdditionalPaidInCapitalMember 2022-01-01 2022-12-31 0001598110us-gaap:CommonStockMember 2022-01-01 2022-12-31 0001598110us-gaap:RetainedEarningsMember 2022-12-31 0001598110us-gaap:AdditionalPaidInCapitalMember 2022-12-31 0001598110us-gaap:CommonStockMember 2022-12-31 0001598110us-gaap:RetainedEarningsMember 2021-12-31 0001598110us-gaap:AccumulatedOtherComprehensiveIncomeMember 2021-12-31 0001598110us-gaap:AdditionalPaidInCapitalMember 2021-12-31 0001598110us-gaap:CommonStockMember 2021-12-31 0001598110us-gaap:AccumulatedOtherComprehensiveIncomeMember 2020-12-31 0001598110us-gaap:AccumulatedOtherComprehensiveIncomeMember 2022-12-31 0001598110us-gaap:RetainedEarningsMember 2023-12-31 0001598110us-gaap:AccumulatedOtherComprehensiveIncomeMember 2023-12-31 0001598110us-gaap:AdditionalPaidInCapitalMember 2023-12-31 0001598110us-gaap:CommonStockMember 2023-12-31 0001598110us-gaap:RetainedEarningsMember 2023-01-01 2023-12-31 0001598110us-gaap:AccumulatedOtherComprehensiveIncomeMember 2023-01-01 2023-12-31 0001598110us-gaap:AdditionalPaidInCapitalMember 2023-01-01 2023-12-31 0001598110us-gaap:CommonStockMember 2023-01-01 2023-12-31 0001598110cybr:CorporateDebenturesMember 2022-12-31 0001598110cybr:GovernmentDebenturesMember 2022-12-31 0001598110cybr:CorporateDebenturesMember 2023-12-31 0001598110cybr:GovernmentDebenturesMember 2023-12-31 0001598110cybr:C3MLlcMember 2023-12-31 0001598110cybr:Aapi1IncMember 2023-12-31 0001598110us-gaap:ComputerEquipmentMember 2022-12-31 0001598110us-gaap:ComputerEquipmentMember 2023-12-31 0001598110us-gaap:LeaseholdImprovementsMember 2022-12-31 0001598110cybr:OfficeFurnitureAndEquipmentMember 2022-12-31 0001598110cybr:OfficeFurnitureAndEquipmentMember 2023-12-31 0001598110cybr:InternalUseSoftwareAndWebsiteDevelopmentMember 2022-01-01 2022-12-31 0001598110cybr:InternalUseSoftwareAndWebsiteDevelopmentMember 2023-01-01 2023-12-31 0001598110cybr:InternalUseSoftwareAndWebsiteDevelopmentMember 2021-01-01 2021-12-31 0001598110us-gaap:ConvertibleNotesPayableMember 2022-12-31 0001598110us-gaap:ConvertibleNotesPayableMember 2023-12-31 0001598110us-gaap:ConvertibleNotesPayableMember 2019-11-30 0001598110us-gaap:ConvertibleNotesPayableMember 2019-11-01 2019-11-30 0001598110 2019-11-30 0001598110cybr:AccruedExpensesAndOtherCurrentLiabilitiesMember 2022-12-31 0001598110cybr:AccruedExpensesAndOtherCurrentLiabilitiesMember 2023-12-31 0001598110cybr:LiabilitiesMember 2023-12-31 0001598110srt:MaximumMember 2023-12-31 iso4217:ILS iso4217:ILSxbrli:shares xbrli:shares iso4217:USD iso4217:USDxbrli:shares xbrli:pure

 
UNITED STATES
 SECURITIES AND EXCHANGE COMMISSION

WASHINGTON, D.C. 20549
 

FORM 20-F
 

 

REGISTRATION STATEMENT PURSUANT TO SECTION 12(b) OR (g) OF THE SECURITIES EXCHANGE ACT OF 1934
 
OR
 
ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
 
For the fiscal year ended December 31, 2023
 
OR
TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
 
OR
SHELL COMPANY REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
 
Commission file number 001-36625
 

 
 
image00002.jpg
 
CYBERARK SOFTWARE LTD.
(Exact name of Registrant as specified in its charter)
 

 
ISRAEL
(Jurisdiction of incorporation or organization)
 
9 Hapsagot St.
Park Ofer B, P.O. BOX 3143
 Petach-Tikva 4951040, Israel
(Address of principal executive offices)
 
Donna Rahav
Chief Legal Officer
Telephone: +972 (3) 918-0000
 CyberArk Software Ltd.
 9 Hapsagot St.
Park Ofer B, P.O. BOX 3143
 Petach-Tikva 4951040, Israel
(Name, telephone, e-mail and/or facsimile number and address of company contact person)
 
Securities registered or to be registered pursuant to Section 12(b) of the Act:
 
Title of each class
Trading Symbol(s)
Name of each exchange on which registered
Ordinary shares, par value NIS 0.01 per share
CYBR
The Nasdaq Stock Market LLC
 
Securities registered or to be registered pursuant to Section 12(g) of the Act: None.
 
Securities for which there is a reporting obligation pursuant to Section 15(d) of the Act: None.

 
Indicate the number of outstanding shares of each of the issuer’s classes of capital or common stock as of the close of the period covered by the annual report: As of December 31, 2023, the registrant had outstanding 42,255,336 ordinary shares, par value NIS 0.01 per share.
 
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act.
 
Yes     No ☐
 
If this report is an annual or transition report, indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934.
 
Yes ☐     No
 
Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.
 
Yes     No ☐
 
Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files).
 
Yes     No ☐
 
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” and “emerging growth company” in Rule 12b-2 of the Exchange Act.
 
Large accelerated filer ☒
Accelerated filer ☐
Non-accelerated filer ☐
   
Emerging growth company ☐
 
If an emerging growth company that prepares its financial statements in accordance with U.S. GAAP, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐
 
Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report.
 
If securities are registered pursuant to Section 12(b) of the Act, indicate by check mark whether the financial statements of the registrant included in the filing reflect the correction of an error to previously issued financial statements.
 
Indicate by check mark whether any of those error corrections are restatements that required a recovery analysis of incentive-based compensation received by any of the registrant’s executive officers during the relevant recovery period pursuant to § 240.10D-1(b). ☐
 
Indicate by check mark which basis of accounting the registrant has used to prepare the financial statements included in this filing:
 
U.S. GAAP
International Financial Reporting Standards as issued by the International Accounting Standards Board ☐
Other ☐
 
If “Other” has been checked in response to the previous question, indicate by check mark which financial statement item the registrant has elected to follow.
 
☐ Item 17     ☐ Item 18
 
If this is an annual report, indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act).
 
Yes ☐     No
 


CYBERARK SOFTWARE LTD.
 
FORM 20-F
ANNUAL REPORT FOR THE FISCAL YEAR ENDED DECEMBER 31, 2023
 
TABLE OF CONTENTS

1

 
1
 
   
PART I
     
3


 
3


 
3
     
30
     
44


 
44
     
64


 
85
     
87
     
87
     
87


 
95
     
96
     
PART II
 
   
97
     
97


 
97
     
97
     
98


 
98
     
99


 
99


 
99
     
99
     
99
99


 
99

PART III
     
101


 
101


 
101



INTRODUCTION
 
In this annual report, the terms “CyberArk,” “we,” “us,” “our” and “the Company” refer to CyberArk Software Ltd. and its subsidiaries. 
 
This annual report includes statistical, market and industry data and forecasts that we obtained from publicly available information and independent industry publications and reports that we believe to be reliable sources. These publicly available industry publications and reports generally state that they obtain their information from sources that they believe to be reliable, but they do not guarantee the accuracy or completeness of the information. Although we believe that these sources are reliable, we have not independently verified the information contained in such publications. Certain estimates and forecasts involve uncertainties and risks and are subject to change based on various factors, including those discussed under the headings “Special Note Regarding Forward-Looking Statements” and “Item 3.D. Risk Factors” in this annual report. Additionally, website and document references throughout this annual report are provided for convenience only, and the content on the referenced websites or documents is not incorporated by reference into this annual report unless expressly stated.
 
Throughout this annual report, we refer to various trademarks, service marks and trade names that we use in our business. The “CyberArk” design logo is the property of CyberArk Software Ltd. CyberArk® is our registered trademark in the United States and numerous other countries. We have several other trademarks, service marks and pending applications relating to our solutions or marketing slogans. In particular, although we have omitted the “®” and “™” trademark designations in this annual report from each reference to our Privileged Access Security (PAS) solutions, including Privileged Access Manager, Vendor Privileged Access Manager, Privileged Session Manager (PSM), Enterprise Password Vault (EPV), PrivateArk, Privilege Cloud, CyberArk DNA (Discovery and Audit), Privileged Threat Analytics (PTA), Endpoint Privilege Manager (EPM), Sensitive Information Management (SIM), Cloud Entitlements Manager (CEM) and Dynamic Privileged Access (DPA), Secret Management Solutions, including Conjur Enterprise, Conjur Open Source, Conjur Cloud, Credential Providers, Secrets Hub, Secretless and Secretless Broker; Access Management Solutions, including CyberArk Identity, Workforce Identity, Customer Identity, Identity Flows and Secure Web Sessions, and C3 Alliance, all rights to such names and trademarks are nevertheless reserved. Other trademarks and service marks appearing in this annual report are the property of their respective holders. 
 
SPECIAL NOTE REGARDING FORWARD-LOOKING STATEMENTS
 
In addition to historical facts, this annual report contains forward-looking statements within the meaning of Section 27A of the U.S. Securities Act of 1933, as amended, (the “Securities Act”), Section 21E of the U.S. Securities Exchange Act of 1934, as amended, (the “Exchange Act”), and the safe harbor provisions of the U.S. Private Securities Litigation Reform Act of 1995. These forward-looking statements are subject to risks and uncertainties and include information about possible or assumed future results of our business, financial condition, results of operations, liquidity, plans and objectives. In some cases, you can identify forward-looking statements by terminology such as “believe,” “may,” “estimate,” “continue,” “anticipate,” “intend,” “should,” “plan,” “expect,” “predict,” “potential,” or the negative of these terms or other similar expressions. The forward-looking statements are based on our beliefs, assumptions and expectations of future performance. There are important factors that could cause our actual results, levels of activity, performance or achievements to differ materially from the results, levels of activity, performance or achievements expressed or implied by the forward-looking statements, including, but not limited to:


changes to the drivers of our growth and our ability to adapt our solutions to the information security market changes and demands;
 

our ability to acquire new customers and maintain and expand our revenues from existing customers;
 

intense competition within the information security market;
 

real or perceived security vulnerabilities gaps, or cybersecurity breaches of our, or our customers’ or partners’ systems, solutions or services ;
 

risks related to our compliance with privacy, data protection and artificial intelligence (AI) laws and regulations;
 

fluctuation in our quarterly results of operations and our ability to successfully operate our business as a subscription company;
 

our reliance on third-party cloud providers for our operations and software-as-a-service (“SaaS”) solutions;
 

our ability to hire, train, retain and motivate qualified personnel;
 

our ability to effectively execute our sales and marketing strategies;
 
1



our ability to find, complete, fully integrate or achieve the expected benefits of additional strategic acquisitions;
 

our ability to main successful relationships with channel partners, or if our channel partners fail to perform;
 

risks related to sales made to government entities;
 

prolonged economic uncertainties or downturns;
 

our history of incurring net losses, our ability to generate sufficient revenue to achieve and sustain profitability and our ability to generate cash flow from operating activities;
 

regulatory and geopolitical risks associated with our global sales and operations;
 

risks related to intellectual property claims;
 

fluctuations in currency exchange rates;
 

the ability of our products to help customers achieve and maintain compliance with government regulations or industry standards;
 

our ability to protect our proprietary technology and intellectual property rights;
 

risks related to using third-party software, such as open-source software;
 

risks related to stock price volatility or activist shareholders;


any failure to retain our “foreign private issuer” status or the risk that we may be classified, for U.S. federal income tax purposes, as a “passive foreign investment company”;


risks related to our Convertible Notes, including the potential dilution to existing shareholders and our ability to raise the funds necessary to repurchase our Convertible Notes;


changes in tax laws;


our expectation to not pay dividends on our ordinary shares for the foreseeable future; and


risks related to our incorporation and location in Israel, including the ongoing war between Israel and Hamas and conflict in the region.
 
In addition, you should consider the risks provided under “Item 3.D. Risk Factors” in this annual report.
 
You should not rely upon forward-looking statements as predictions of future events. Although we believe that the expectations reflected in the forward-looking statements are reasonable, we cannot guarantee that future results, levels of activity, performance and events and circumstances reflected in the forward-looking statements will be achieved or will occur. Additionally, we may provide information, forward-looking or otherwise, herein or in other locations, such as our corporate website that is not necessarily “material” under the U.S. federal securities laws for Securities Exchange Commission (“SEC”) reporting purposes, but that responds to a range of matters, such as certain environmental, social and governance (“ESG”) standards and frameworks (including standards for the measurement of underlying data), and the interests of various stakeholders. Much of this information is subject to assumptions, estimates or third-party information that is still evolving and subject to change. For example, our disclosures based on any standards may change due to revisions in framework requirements, availability or quality of information, changes in our business or applicable government policies, or other factors, some of which may be beyond our control. Except as required by law, we undertake no obligation to update publicly any forward-looking statements for any reason after the date of this annual report, to conform these statements to actual results or to changes in our expectations.

2

 
PART I
 
ITEM 1.
IDENTITY OF DIRECTORS, SENIOR MANAGEMENT AND ADVISERS
 
Not applicable.
 
ITEM 2.
OFFER STATISTICS AND EXPECTED TIMETABLE 
 
Not applicable. 
 
ITEM 3.
KEY INFORMATION 
 
A.          [Reserved]
 
B.          Capitalization and Indebtedness
 
Not applicable.
 
C.          Reasons for the Offer and Use of Proceeds
 
Not applicable.
 
D.          Risk Factors
 
Risks Related to Our Business and Our Industry
 
The information security market is rapidly evolving within the increasingly challenging cyber threat landscape. If our solutions fail to adapt to market changes and demands, sales may not continue to grow or may decline.

We offer identity security solutions, centered on privileged access, that safeguard privileged accounts’ credentials and secrets, secure access across both human and non-human identities, and manage entitlements and secure access to cloud environments. If customers do not recognize the benefit of our solutions as a critical layer of an effective security strategy, our revenues may decline, which could cause our share price to decrease in value. Security solutions such as ours, which aim to disrupt cyberattacks by insiders and external perpetrators that have penetrated an organization’s IT environment, represent a security layer designed to respond to advanced threats and meet certain compliance standards and audit requirements. However, advanced cyber attackers are skilled at adapting to new technologies and developing new methods of gaining access to organizations’ sensitive data and technology assets. For example, the ability of generative AI systems to autonomously create content, mimic legitimate data, and adapt to changing environments raises the risks for their potential exploitation by malicious actors and enables the creation of tailored and convincing targeted phishing attacks or other deceptive methods that may compromise the security of an organization’s IT infrastructure. We expect that our customers, and thereby our solutions, will face new and increasingly sophisticated methods of attack, particularly given the increasing complexity of IT environments and increased attacks from foreign nation-state actors. We face significant challenges in ensuring that our solutions effectively identify and respond to sophisticated attacks while avoiding disruption to our customers’ businesses. As a result, we must continually modify, improve, and invest in our products and services in response to market and technology trends and evolution, including obtaining interoperability with existing or newly introduced technologies and systems to better meet market needs and continue to provide valuable solutions that can be deployed in a variety of IT environments, including cloud and hybrid, as well as adapting our go-to-market strategy by moving from a product-centric framework to a solution-based framework (see “—If we do not effectively execute our sales and marketing strategies, and expand, train and retain our sales, marketing and customer success personnel, our business may suffer.”).

We cannot guarantee that we will be able to anticipate future market needs and opportunities or be able to develop or acquire product enhancements or new products or services to meet such needs or opportunities in a timely manner or at all. Additionally, we cannot guarantee that we will be able to comply with new regulatory requirements (see “—The dynamic regulatory environment around privacy, data protection, and AI may limit our offering or require modification of our products and services, which could limit our ability to attract new customers and support our current customers and increase our operational expenses. We could also be subject to investigations, litigation, or enforcement actions alleging that we fail to comply with regulatory requirements, which could harm our operating results and adversely affect our business.”). Furthermore, new technologies and solutions that may make our solutions obsolete may be introduced into the market, lowering the demand for our products and reducing our sales. Even if we are able to anticipate, develop and commercially introduce new features and products and ongoing enhancements to our existing products, there can be no assurance that such enhancements or new solutions will achieve widespread market acceptance or that we will be able to meet our customers’ expectations. Implementing machine learning and AI technology-based features in our products to stay abreast of the latest technology advancements may encounter challenges, as some customers may resist these changes, leading to limited acceptance. To fully capitalize on the advantages of these technologies, adjustments to our products and corresponding terms of use may be necessary, potentially resulting in customer dissatisfaction. Delays in developing, completing, or delivering new or enhanced solutions could cause our offerings to be less competitive, impair customer acceptance of our solutions and result in delayed or reduced revenue and share price decline.

3


If we are unable to acquire new customers or sell additional products and services to our existing customers, or if our existing customers do not renew their subscriptions with us, our business, results of operations and financial condition could be negatively impacted, and we may not meet our investors’ expectations.

Our success and continued growth depend, in part, on our ability to acquire a sufficient number of new customers while maintaining and expanding our revenues from existing customers, by selling incremental or new solutions to existing customers, as well as ensuring that our customers renew their subscriptions when their existing contract terms expire.

Our ability to expand our customer base may be affected by a number of factors, for example, competition in the industry (which may also lead us to providing more favorable commercial terms to new or existing customers), an unfavorable macroeconomic environment that extends sales cycles and can make acquiring new customers more difficult, or changes in compliance standards or audit requirements that reduce the demand for our solutions. Additional factors that could negatively impact customer acquisition and expansion include the size or prioritization of our prospective and existing customers’ IT budgets, the proven or perceived utility and efficacy of our existing and new offerings, changes in our pricing or licensing models that may impact the size of new business transactions, and any downgrade of our recognized industry leadership position by industry analysts (see “— We face intense competition from a wide variety of information security vendors operating in different market segments and across diverse IT environments. This may challenge our ability to maintain or improve our competitive position or to meet planned growth rates.”). Furthermore, the introduction of new product offerings and solutions (including in additional segments of cybersecurity) as well as customer transition to SaaS in order to receive certain functionalities, may result in longer sales cycles or lost opportunities if our new or existing customers, prospects, and partners are less receptive to such advancements, or require a longer period to assess and select the solutions appropriate to them. The introduction of more SaaS offerings may similarly lead to extended presale periods due to, among other factors, comprehensive product and security reviews and requirements by customers, extensive contract negotiations, and more stringent compliance and operational obligations (such as those related to data protection or use).

As a recurring revenue company, we are dependent on renewals to meet our performance targets and measures and investors’ expectations, including revenue, operating income, net income and annual recurring revenue (ARR), as well as certain non-GAAP performance measures (see “— If our quarterly results of operations fluctuate due to condensed intra-quarter sales execution, seasonality or other factors, or if we fail to successfully operate as a subscription company, our revenues, ARR, operating results and share price may be adversely affected and we may fail to meet publicly announced financial guidance or other expectations about our business.”) Our customers have no obligation to renew their subscriptions, and they may decide not to renew their subscriptions with a similar contract period, at the same prices and terms, or with the same or a greater number of users. Additionally, our ability to retain our existing customers is also dependent on our customers’ satisfaction with our products and overall user experience in various areas, such as product support, and ease of deployment and implementation. For instance, as part of the natural lifecycle of our solutions, we may determine that certain products will be reaching their end of development or end of life and will no longer be supported or receive updates and security patches. Failure to effectively introduce new solutions, offer easy transition for our customers to such new solutions, or manage our product lifecycles appropriately could lead to customer dissatisfaction and lower renewal rates.

If we are unsuccessful in our efforts to obtain new customers, secure renewals or expand our existing customer penetration, or miss our publicly announced financial guidance or fail to meet our investors’ expectations as a result of the foregoing, our business, results of operations and financial condition could be negatively impacted and the market price of our ordinary shares could be negatively impacted.

We face intense competition from a wide variety of information security vendors operating in different market segments and across diverse IT environments. This may challenge our ability to maintain or improve our competitive position or to meet planned growth rates.

       The information security market in which we operate is characterized by intense competition, constant innovation, rapid adoption of different technological solutions and services, and evolving security threats.

We compete with multiple established and emerging companies that offer a broad array of cybersecurity products and employ different approaches, delivery models, and solutions. Specifically, our Identity Security Platform and other solutions compete across a variety of markets for solutions ,or product functionalities offered within certain market segments, including, but not limited to:
 

PAM, including Endpoint Privilege Management, such as Delinea and BeyondTrust;

IAM, such as Okta and Microsoft; and

Secrets Management, such as Hashi Corporation.

       The maturity and growth of the information security market could also make it appealing for new players, such as large or emerging cybersecurity vendors or those in related markets (Endpoint, Cloud Security, DevOps or Infrastructure as a Service (IaaS)), to enter markets where we specialize. Given the importance of identity in the attack chain, which is increasing demand for identity security solutions such as ours, larger vendors, including the cloud hyperscalers and large cybersecurity platform vendors may meaningfully enter the identity security market. These organizations have extensive resources and competition could impact our business.

4


       Additionally, consolidation among cybersecurity vendors may create an opportunity for our competitors and other cybersecurity vendors to provide a greater breadth of offerings, including more integrations and bundled products. If customers trend towards consolidating with a vendor or vendors providing multiple cybersecurity capabilities and we fail to successfully execute our development and sales strategy of delivering our products and services on a solutions-based framework that can compete effectively against such cybersecurity vendors, this may place us at a competitive disadvantage. Furthermore, organizations continuously evaluate their security priorities and investments and may allocate their information security budgets to other solutions and strategies, including solutions offered by our competitors, and may not adopt or expand use of our solutions. Accordingly, we may also compete for budget priority, to a certain extent, with other cybersecurity solutions offered by Microsoft, Palo Alto Networks, and CrowdStrike Holdings.

       In particular, our competitors may enjoy advantages, such as greater name recognition and longer operating history; larger sales, marketing, research and acquisition resources; access to larger channel partner and customer bases; lower labor and development costs; lower product pricing; increased ability to respond and adapt their solutions to market demands, increased effectiveness in protecting, detecting and responding to product vulnerabilities and cyberattacks; superior customer or user experience and support services; greater or localized resources for customer support and provision of services; greater speed at which a solution can be deployed and implemented; broader product and service offerings, including bundling or other cross-selling strategies; stronger ecosystem of technology partners or broader integrations with other solutions and platforms; adoption and development of advanced machine learning and AI capabilities and potential resulting network effects of vast data sources applied by them; greater operational flexibility and less stringent accounting, auditing and legal standards such as those applied to privately held companies; greater financial and technical resources; a larger intellectual property portfolio or broader or localized product regulatory compliance. For example, some of our competitors might have the resources to include competitive features or products for free or at a lower price point as part of their software bundle or their marketed enterprise license agreement, which may lead to commoditization of our solutions, reducing the demand for and price of our products and services. Additionally, while we intend to continue incorporating AI and generative AI capabilities into our products, if we fail to differentiate ourselves from, or otherwise successfully compete against, other information security vendors that have incorporated AI technology into their products and services, or if we fail to continue to release AI capabilities that our customers find useful, our business, operating results, and financial condition may be harmed.

       From time to time, industry analysts may review our products and services either independently or against other cybersecurity solutions offered by our competitors. If we receive unfavorable reviews or a downgrade in our existing accreditation for any reason, including perceived shortcomings in product efficacy, the failure of our products and services to perform at a level expected by such analysts, negative assessments of our competitive positioning, or the failure to address any concerns previously identified by such analysts, this may adversely impact our standing within the industry, market confidence, customer trust, and our ability to attract and retain clients, and could result in diminished market share, impaired customer perception, and a negative impact on our financial performance.

       Our current and potential competitors may also establish collaborations or alliances among themselves or with third parties that may further enhance their resources and capabilities. Our collaborative efforts with our technology partners could also change if they develop and market competitive solutions, thus intensifying the competitive landscape, while adversely affecting our partnership efforts and their resale and marketing of our products. If we are not able to compete effectively under these circumstances, this may result in price reductions, fewer orders, reduced renewals, reduced revenue and gross margins, and loss of market share. Any failure to adequately address these factors could seriously harm our business and operating results and may impact our share price.

Real or perceived security vulnerabilities and gaps in our solutions or services or the failure of our customers or third parties to correctly implement, manage and maintain our solutions, may result in significant reputational, financial, and legal adverse impact.

Security products, solutions and services such as ours are complex in development, design and deployment and are subject to errors, bugs, gaps, design failures, misconfigurations or security vulnerabilities, some of which are potentially incapable of being remediated or detected until after their deployment, if at all. Additionally, our solutions have limitations in functionality and scope and cannot guarantee protection against any and all threats, specifically those outside the product’s boundary. Real or perceived errors, bugs, gaps, design failures, defects, vulnerabilities, limitations, misconfigurations in our solutions or their accompanying documentation, or untimely or insufficient remediation thereof, could cause our solutions not to meet their specifications or security standards. The affected solutions may not fulfill their primary security functions, falsely identify threats or create new security threats, and be vulnerable to security attacks. There is no guarantee that we will identify all vulnerabilities and gaps in our products or that our products will be free of flaws or vulnerabilities, and we may not correct all known vulnerabilities, gaps, or errors promptly, fully, or at all.

5


Further, our solutions serve as mission-critical applications in our customers’ operational environments, allowing them to manage access and privileges in their systems and networks. Any breach, interruption or shutdown of our solutions could significantly damage customers’ internal and external operations, and therefore we may suffer significant reputational, financial and legal adverse impact. Potential vulnerabilities or deficiencies associated with a product developed or obtained through an acquisition could also deteriorate our solutions’ security and expose our customers to additional risk (see “—We may fail to fully execute, integrate, or realize the benefits expected from acquisitions, which may require significant management attention, disrupt our business, dilute shareholder value and adversely affect our results of operations.”).

Several of our solutions are made available to our customers as SaaS and involve our use of third-party cloud and SaaS infrastructure and related services. Providing SaaS solutions involves storage and transmission of customers’ proprietary information, including personal data, related to their assets, employees and users. Security breaches, bugs, vulnerabilities, gaps, defects or improper configuration of our solutions, cloud accounts or production and development environments (including those embedded in third-party technology, such as SaaS solutions, used in our products or by our customers) could result in loss or alteration of, or unauthorized access to this data and compromise of our networks or our customers’ networks secured by our SaaS solutions. Any such incident, whether or not caused by us, could result in significant liability or reputational harm.

Our solutions not only reinforce but also rely on the common security concept of placing multiple layers of security controls throughout an IT environment. The failure of our customers, channel partners, managed service providers, subcontractors or similar entities to correctly implement our solutions in accordance with security best practices, or effectively manage and maintain our solutions and the environments in which they are utilized, or to consistently implement and utilize generally accepted and comprehensive, multi-layered security measures and processes, may lessen the efficacy of our solutions, in whole or in part. These entities may also independently develop or change existing application programming interfaces (APIs) that we provide or other customizable components in an incorrect or insecure manner. Such failures or actions may lead to security breaches and data loss, which could result in a perception that our solutions or services failed and associated negative business implications. In addition, we are expected to provide timely notice and high levels of transparency regarding security vulnerabilities in our products, which, once conveyed, may increase our customers’ exposure to a security breach until they properly implement the relevant fix. Further, our failure to provide our customers and channel partners with adequate services or accurate product documentation and training related to the use, implementation and maintenance of our solutions, could lead to claims against us.

Similarly, a failure by a provider like us to effectively secure and detect threats within our own resources and networks, such as corporate, development or customer-serving production environments, could lead to threat actors compromising our customers’ environments through a breach or exploitation of our various networks and/or our products or services (see “—If our IT network systems, or those of our third-party providers, are compromised by cyberattacks or other security incidents, or by a critical system disruption or failure, then our reputation, financial condition and operating results could be materially adversely affected.”). A similar effect could arise from the use of compromised or vulnerable third-party software, including open-source software, in or in relation to our products or use by our third-party vendors (see “— Our use of open-source software, third-party software, and other intellectual property may negatively affect our ability to offer our solutions and expose us to litigation or other risks.”) or through the use of AI technologies by our workforce, which could expose our solutions, networks and environments – and thereby our customers – to additional vulnerabilities and security incidents.

Additionally, the incorporation of machine learning, AI and generative AI capabilities into our products and services may create content that appears correct but is factually inaccurate or flawed. Our products, customers or others may rely on or use this flawed content to their detriment, which may expose us to brand or reputational harm, competitive harm, and/or legal liability.

As we increase our developers’ workforce globally to meet our business goals, including by engaging external developers or through mergers and acquisitions, the risk of errors, misconfigurations, vulnerabilities or intentional misconduct, may be heightened due to governance difficulties and limited centralized oversight. In addition, difficulties or delays in hiring and retaining personnel may impact the resources available to us for continuous improvement of our product security posture and therefore, increase this risk (see “—The highly competitive cybersecurity labor market has made it a challenge to attract and retain qualified personnel, and if we are unable to hire, retain and motivate qualified personnel, our business will suffer.”).

6


An actual or perceived error, bug, misconfiguration, vulnerability, gap, cyberattack or other security breach, regardless of whether the vulnerability or breach is attributable to the failure of our solutions or the related services we provide, could adversely affect the market’s perception of the efficacy of our solutions and our industry standing. Such circumstances could cause current or potential customers to look to our competitors for alternatives to our solutions and subject us to negative media attention, reputational harm, lawsuits (including class actions), regulatory investigations and other government inquiries, indemnity claims and financial losses, as well as the expenditure of significant financial resources to, among other actions, analyze, correct or eliminate any vulnerabilities. Provisions in our agreements and documentation that attempt to limit our liability towards our customers, channel partners, and relevant third parties may not withstand legal challenges, and certain liabilities may not be limited or capped. Additionally, any insurance coverage we have may not adequately cover all claims asserted against us and may leave a significant portion of such claims to be directly covered by us. In addition, such insurance may not be available to us in the future on economically reasonable terms, or at all.

If our IT network systems, or those of our third-party providers, are compromised by cyberattacks or other security incidents, or by a critical system disruption or failure, then our reputation, financial condition and operating results could be materially adversely affected.

The confidentiality, integrity and availability of our IT network systems and of our third-party providers, and the perception thereof, is critical to our ability to deliver products and services to customers as well as to run internal operations. While we operate certain of these network systems, we also rely on third-party providers across an array of technologies and services that enable us to conduct, monitor and/or protect our business operations. For example, we rely on third parties to host our SaaS products (see “—We increasingly rely on third-party providers of cloud infrastructure services to deliver our SaaS solutions to customers, and any disruption of or interference with our use of these services, including any specifications limitations, could adversely affect our business.”) and support our customer relationship management and financial operation services (provided by our Enterprise Resource Planning system). In addition, in the ordinary course of business, we and our third-party providers generate, collect, process and store sensitive information and data, including proprietary and personal data belonging to us, to customers and to others.

We acknowledge that the threat landscape is broad and that threats are persistent. Being a prominent Israeli security company that provides solutions centered on privileged access security and identity management to leading global enterprises, we are and will remain an attractive target for cyber attackers and malicious actors, including insiders, as well as cyber terrorists, sophisticated criminal groups or nation-state affiliated actors. We and certain of our service providers regularly experience cyberattacks and security incidents and we expect such attacks and incidents to continue in varying degrees. For example, we have experienced incidents that have impacted our IT network systems, physical facilities, our data or our customers’ networks or data. While, to date, no attacks or incidents have had a material impact on our operations or financial results, we cannot guarantee that material incidents will not occur in the future. Further, as we deploy scanning tools in our infrastructure and systems, conduct penetration testing and engage in other threat detection practices, we regularly identify and track security vulnerabilities and security gaps of varying severities. Given the nature of complex systems, software, services and operations like ours and certain of our providers, we are unable to ensure that all vulnerabilities and gaps are mitigated at all times or to guarantee that effective mitigating measures will be applied before the foregoing can be exploited by a threat actor. Accordingly, we can provide no assurances that our or our providers’ cybersecurity risk management programs and processes, including our applicable controls, policies and procedures, will be fully implemented, complied with or effective in protecting our or our customers’ IT network systems, data, products or services.

7


The operation of our solutions relies at times on third-party software, including open-source and other software, services, networks, environments, and generative AI tools, which could also serve as an attack vector. Cyberattacks and security incidents are expected to accelerate in both frequency and impact as the use of cloud-based solutions expands and as the use of AI increases. In particular, the use of AI enables attackers to become increasingly sophisticated and provides them with tools, advanced techniques and new attack-vectors to circumvent controls, avoid detection, and remove or obfuscate forensic evidence. The techniques used to obtain unauthorized access to systems or sabotage systems or disable or degrade services are continuously evolving and can sometimes be unrecognizable until launched against a target and therefore we may be unable to anticipate these techniques and implement preventative measures. Our security measures, controls and processes might prove insufficient to protect us against any and all attacks. We might inadequately evaluate certain risks and threats, leading to a lack of prioritization. Additionally, there could be a lack of oversight and employee awareness. This means that we may be unable to detect, investigate, contain or recover from future attacks or incidents in a timely or effective manner. Disruptive attacks, such as through ransomware and other extortion-based tactics, that can temporarily or permanently disable operations are increasingly prevalent. For example, we face the risk of malicious third parties injecting malicious code into our products’ source code, disrupting our research and development pipelines and production environments and/or using our solutions and network as a point-of-entry to infiltrate our customers’ IT systems. Malicious third parties or insiders may also attempt to fraudulently induce employees or customers into disclosing sensitive information such as usernames, passwords or other information through phishing attempts, or otherwise compromise the security of our or our customers’ networks or data. Individuals who are able to circumvent our security measures may misappropriate proprietary, confidential or personal information held by or on behalf of us, disrupt our operations, damage our computers or otherwise damage our business. Additionally, we face ongoing risks due to the increased frequency of sophisticated cyberattacks coordinated by foreign nation-states and other actors. For example, the ongoing conflicts between Israel and Hamas, as well as other hostile countries, such as Iran, and Ukraine and Russia may result, and in certain cases have resulted, in a heightened threat environment and create unknown cyber risks, including increased risk of actors against Israeli companies, institutions and governmental bodies, or the proliferation of nation-state capabilities to non-state attack groups (see “—Conditions in Israel, including the ongoing war between Israel and Hamas and other conflicts in the region, as well as political and economic instability, may adversely impact our business operations.”)

As many companies continue to provide workers with the ability to operate remotely or in a hybrid environment the attack surface possibilities for cyberattacks against us, our customers, and third-party providers increases due the challenges associated with managing remote computing assets and security vulnerabilities inherent in many non-corporate and home networks. Material cyberattacks against our Company may also be caused by breaches of our contractors, channel partners, supply chain network, vendors, and other third parties associated with us, which could result from, among other causes, the sophistication of the attackers, human error, and insufficient employee training, or lack of security and compliance oversight and prioritization. Our workforce is exposed to and uses AI technologies for certain tasks related to our business which poses potential security risks relating to the protection of data, cybersecurity breaches and exposure of confidential information to unauthorized recipients.

In addition, the risk for a cyberattack on our networks and environments may be heightened if we fail to identify or remediate any deficiencies in the products, procedures, and policies of companies that we acquire (see “—We may fail to fully execute, integrate, or realize the benefits expected from acquisitions, which may require significant management attention, disrupt our business, dilute shareholder value, and adversely affect our results of operations.”).

We and our third-party providers are also vulnerable to information technology system failures or network disruptions caused by a variety of factors, including pandemics, natural disasters (such as increased frequency and severity of storms, earthquakes, flooding, fires, heatwaves or drought), accidents, power disruptions, telecommunications failures, acts of terrorism, wars (including the conflicts between Israel and Hamas and Ukraine and Russia), computer viruses and malware (such as ransomware), or other events or disruptions. System redundancy, data back-ups and other continuity measures may be ineffective or inadequate, and our business continuity and disaster recovery planning may not be sufficient for all eventualities. Cyberattacks, security breaches and other incidents could result in significant damage to our market position and lead to costly remediation requirements, indemnity claims, legal claims (including class action litigation), regulatory investigations and fines or penalties, as well as the loss of proprietary and confidential data, trade secrets and customers (see “—The dynamic regulatory environment around privacy, data protection, and AI may limit our offering or require modification of our products and services, which could limit our ability to attract new customers and support our current customers and increase our operational expenses. We could also be subject to investigations, litigation, or enforcement actions alleging that we fail to comply with regulatory requirements, which could harm our operating results and adversely affect our business.”). An actual or perceived failure, disruption, or breach of our network, our operations or privileged account security in our systems could adversely affect the market perception of our products and services, or of our expertise in this field. Moreover, if critical business functions or services from third-party providers are breached and become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms, our ability to manage our operations could be interrupted, our contractual service level commitments could be breached, and our ability to provide timely and adequate maintenance and support services to our customers could be impacted. Any of the foregoing events could have a material and adverse effect on our operations, reputation, financial condition and operating results and expenses.

8


With the increase in the likelihood and severity of security breaches and the increase in cybersecurity insurance premiums for our customers, negotiations with customers may require us to assume more risk, including higher liabilities with regards to security and data breaches. In addition, we are unable to ensure that any limitations of liability provisions in our customer contracts with respect to our information security operations or our product liability would be enforceable, adequate, or would otherwise protect us from any liabilities or damages with respect to any particular claim (including in cases where existing customers purchase new solutions based on previously agreed contractual terms). We also may not be able to adequately recover damages from third parties associated with us, who were involved in a security incident. Additionally, any insurance coverage we may have may not adequately cover any of these claims asserted against us or any related damage and may leave a significant portion of such claims to be directly covered by us. If any of the foregoing were to occur, our business may suffer materially adverse results due to extensive costs, reduced sales, negative share price impacts and/or a host of other consequences affecting our business.

The dynamic regulatory environment around privacy, data protection, and AI may limit our offering or require modification of our products and services, which could limit our ability to attract new customers and support our current customers and increase our operational expenses. We could also be subject to investigations, litigation, or enforcement actions alleging that we fail to comply with regulatory requirements, which could harm our operating results and adversely affect our business.

Federal, state and international bodies continue to adopt, enact, and enforce new laws and regulations, as well as industry standards and guidelines, addressing cybersecurity, privacy, data protection and the collection, processing, storage, cross-border transfer and use of personal information.

We are subject to diverse laws and regulations relating to data privacy, including but not limited to the EU General Data Protection Regulation 2016/679 (GDPR), the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act as amended by the Health Information Technology for Economic and Clinical Health Act (HIPAA), the U.K. Data Protection Act 2018 (UK DPA) and the UK General Data Protection Regulation (together with the UK DPA, the UK GDPR), and, national privacy laws of EU Member States and other laws relating to privacy, data protection, and cloud computing. These laws impose comprehensive data privacy compliance obligations on us in relation to our collection, processing, sharing, disclosure, transfer and other use of data relating to an identifiable living individual. These laws are also evolving rapidly, as exemplified by the recent adoption by the European Commission of a new set of Standard Contractual Clauses, the U.K.’s adoption of its own international data transfer agreement, and the implementation of the California Privacy Rights Act, which expands upon the CCPA, as well as privacy legislation in several other U.S. states, and the EU’s AI Act and Cyber Resilience Act, which are politically agreed to, and proposed. Compliance with these laws, as well as the efforts required to understand and interpret new legal requirements, require us to expend significant capital and other resources. We could be found to not be in compliance with obligations or suffer from adverse interpretations of such legal requirements either as directly relating to our business or in the context of legal developments impacting our customers or other businesses, which could impact our ability to offer our products or services, impact operating results, or reduce demand for our products or services.

Additionally, any violation of data or security laws, or of our relevant measures and safeguards, by our third-party processors could have a material adverse effect on our business, result in applicable fines and penalties, damage our reputation, and/ or result in civil claims. Due to concerns about data security and integrity, a growing number of legislative and regulatory bodies have adopted breach notification and other requirements in the event that information subject to such laws is accessed by unauthorized persons and additional regulations regarding security of such data are possible. We may need to notify governmental authorities and affected individuals with respect to such incidents. For example, laws in the EU and UK and all 50 U.S. states may require businesses to provide notice to individuals whose personal information has been disclosed as a result of a data security breach. Complying with such numerous and complex regulations in the event of a data security breach would be expensive and difficult, and failure to comply with these regulations could subject us to regulatory scrutiny and additional liability. We may also be contractually required to notify customers or other counterparties of a security incident, including a data security breach.

9


Compliance with privacy and data protection laws and contractual obligations may require changes in services, business practices, or internal systems resulting in increased costs, lower revenue, reduced efficiency, or greater difficulty in competing with firms that are not subject to these laws and regulations. For example, GDPR and the UK GDPR’s compliance regimes impose several stringent requirements for controllers and processors of personal data and increase our obligations such as, requiring robust disclosures to individuals, establishing an individual data rights regime (including the right to be “forgotten”), setting timelines for data breach notifications, imposing conditions for international data transfers, requiring detailed internal policies and procedures to demonstrate compliance through the principle of accountability and limiting retention periods. Ongoing compliance with these and other legal and contractual requirements may necessitate changes in services and business practices, which may lead to the diversion of engineering resources from other projects.

As a company that focuses on identity security with a foundation in Privilege Access Management, our customers may rely on our products and services as part of their own efforts to comply with security control obligations under GDPR, CCPA, HIPAA and other laws and contractual commitments. If our products or services are found insufficient to meet these standards in the context of an investigation into us or our customers, or we are unable to engineer products that meet these standards, we could experience reduced demand for our products or services. There is also increased international scrutiny of cross-border transfers of data, including by the EU for personal data transfers to countries such as the United States, following recent case law and regulatory guidance. This increased scrutiny, as well as evolving legal and other regulatory requirements around the privacy or cross-border transfer of personal data, including the new EU-US Data Privacy Framework or the UK extension to the EU-US Data Privacy Framework, could increase our costs, restrict our ability to store and process data as part of our solutions, or, in some cases, impact our ability to offer our solutions or services in certain jurisdictions.

We are also subject to federal privacy and security standards regarding the protection of individually identifiable health information under HIPAA and these carry significant enforcement penalties for non-compliance. Failure to comply with HIPAA can result in an injunction, regulatory action, civil monetary penalties, or in certain circumstances, criminal penalties with fines and/or imprisonment. We operate as a HIPAA business associate for certain of our customers and, therefore, must comply with applicable administrative, technical, and physical safeguards required by HIPAA. If we are unable to comply with our obligations as a HIPAA business associate, in addition to potential regulatory enforcement actions, we also could face contractual liability under applicable business associate agreements.

Since the CCPA went into effect, comprehensive privacy statutes that share similarities with the CCPA are now in effect and enforceable in Virginia, Colorado, Connecticut, and Utah, and similar laws will soon be enforceable in other states.

Additionally, laws, regulations, and standards covering marketing, advertising, and other activities conducted by telephone, email, mobile devices, and the internet may be applicable to our business. Numerous class-action suits under federal and state laws have been filed in recent years against companies who conduct telemarketing and/or SMS texting programs, with many resulting in significant liability. We send marketing messages via email and are subject to the CAN-SPAM Act and implementing legislation under Directive 2002/58 on Privacy and Electronic Communications which impose certain obligations regarding the content of emails and providing opt-outs (with the corresponding requirement to honor such opt-outs promptly).

Enactment of further privacy laws in the United States, at the state or federal level, or introduction of new services or products that are subject to additional regulations, including services based on machine learning or AI technologies, as well as ensuring compliance of solutions that we obtained through acquisitions, may require us to expend considerable resources to fulfill regulatory obligations, and could carry the potential for significant financial or reputational exposure to our business, delay introduction to the market and affect adoption rates.

The legal landscape pertaining to machine learning and AI technologies, including generative AI, remains undeveloped by competent legal tribunals and existing laws and regulations. Incorporating third-party AI technologies, including the output of generative AI, into our products and services may expose us to claims of copyright infringement or other intellectual property-related actions (see “— Our use of open-source software, third-party software, and other intellectual property may negatively affect our ability to offer our solutions and expose us to litigation or other risks.”). The potential for robust regulation around AI systems may necessitate substantial resources for the design, development, testing, and maintenance of our platform and products, including appropriate protections and safeguards for handling the use of customer data with such technologies. AI-related initiatives may attract heightened governmental and regulatory scrutiny, leading to various complications such as litigation, ethical concerns, and privacy and security risks. The prospect of new laws and regulations may adversely affect our business, reputation, financial results, and our ability to develop and offer AI-driven products and services, while also increasing compliance costs and operational complexities. Further, the uncertain landscape around AI may require us to undertake additional investment in the development and maintenance of proprietary datasets and machine learning models, development of new approaches and processes to provide attribution or remuneration to creators of training data, and development of appropriate protections and safeguards for handling the use of customer data with such technologies, which may be costly and could impact our expenses if we decide to expand AI technologies, including generative AI, into our product and services offerings. If our solutions are found to have incorporated AI-derived features that behaved or performed unethically, or subjected natural persons to bias, or if we are subject to claims that we or our service providers have failed to comply with new AI laws, even if we are not found liable, we may incur substantial expenses in connection with defending such claims, and our reputation and business could be adversely affected.

10


If there are claims against us that we or our service providers have breached our contractual obligations or failed to comply with applicable privacy, and data protection laws, such claims, even if we are not found liable, could be expensive and time-consuming to defend and could result in adverse publicity that could harm our business. As a data processor, we are required to process customer data only on the documented instructions of our customers. If we acted outside of these instructions, we could face regulatory consequences. In addition to litigation, we could face regulatory investigations, negative market perception, potential loss of business, litigation expenses, enforcement notices and/or fines (which, for example, under GDPR / UK GDPR can be up to 4% of global turnover for the preceding financial year or €20 / £17.5 million, whichever is higher).

If our quarterly results of operations fluctuate due to condensed intra-quarter sales execution, seasonality or other factors, or if we fail to successfully operate as a subscription company, our revenues, ARR, operating results and share price may be adversely affected and we may fail to meet publicly announced financial guidance or other expectations about our business.

We offer our customers multiple software and delivery models, including SaaS, self-hosted subscriptions, and perpetual licenses, whose revenues are recognized differently based on the composition of the selected offering. In 2023, the majority of our annualized software sales were subscriptions or recurring revenue and only a declining, single digit, percentage of our annualized bookings were from perpetual licenses. We recently completed our transition to a subscription company, and therefore do not have a long history upon which to base forecasts for adding new customers, contract renewal rates or future operating revenue. The mix of our SaaS and self-hosted subscriptions, the mix of subscription and perpetual bookings and the duration of self-hosted subscriptions in any given quarter may be difficult to predict and may cause trends in revenue recognition to lag those in sales, potentially causing us to fall short of investor expectations for revenue and profitability metrics, even while meeting or exceeding periodic sales targets. In addition, due to our ongoing introduction of new solutions and features to meet market demands, our teams may have difficulty selling, supporting, developing and maintaining multiple license models, product environments and code bases which may negatively impact our operations, such as in sales execution, customer experience, or efficiencies of scale.

A meaningful portion of our quarterly bookings is typically generated through transactions of significant size. In addition, purchases of our solutions and services often occur at the end of each quarter. This sales pattern exposes us to risk, as any delays, slippage of deals, or unforeseen circumstances affecting the timely issuance of such purchase orders by our customers could have a disproportionately adverse impact on our financial performance, in particular, our ARR metric, recognized revenue related to self-hosted subscriptions and our operating results.

In addition, we experience quarterly and annual seasonality in our sales, demonstrated by increased sales in the third month of each quarter relative to the first two months, and increased sales in the fourth quarter of each year. The timing in which SaaS deals close may further exacerbate the seasonality impact on reported revenues due to the impact of ratable revenue recognition. In addition, our sales process can be intensely competitive, and our sales cycle can last several quarters from proof of concept to the actual sale and initial delivery of our solutions to our customers. At times, sales have occurred in a quarter that was either earlier than, or subsequent to, the anticipated quarter, and some sale opportunities that were expected to close did not close at all. A failure to close a large transaction in a particular quarter may adversely impact our revenues in that quarter and, in case of a large subscription transaction pending, may adversely impact our revenues in subsequent quarters. Closing an exceptionally large transaction in a certain quarter may disproportionately increase our revenues in that quarter, which may make it more difficult for us to meet growth rate expectations in subsequent quarters. Even if we close a sale during a given quarter, we may be unable to recognize the revenues derived from such sale during the same period due to revenue recognition accounting standards. Likewise, due to payment terms, net cash provided by operating activities is impacted by the timing of sales within a quarter, and may not be collected in that quarter, which could impact the net cash provided by operating activities for that period. This could result in not meeting the expectations of our investors. Furthermore, our ARR may fluctuate depending on our ability to close transactions and the size of transactions, among other factors. As a result of the foregoing, the timing of closing sales cycles and the associated revenue from such sales can be difficult to predict and may cause us to miss our guidance or fall short of market expectations. This may result in a decline in the price of our ordinary shares.

11


In addition, our financial condition and results of operations may vary and continue to fluctuate as a result of a number of other factors, many of which may be outside of our control or difficult to predict, including the amount and timing of our operating costs and cash collection, which may change also as a result of fluctuations in foreign currency exchange rates or changes in taxes or other applicable regulations (see “—We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations,”) the ability of our support and customer success operations to keep pace with sales to new and existing customers and the expansion of our solution portfolio, our ability to successfully expand our business globally, the introduction of new accounting pronouncements or changes in our accounting policies or practices, and geopolitical, economic, or regional instability, including the ongoing war between Israel and Hamas (see “—Conditions in Israel, including the ongoing war between Israel and Hamas and other conflicts in the region, as well as political and economic instability, may adversely impact our business operations.”). Any of these factors may result in significant fluctuations in our financial condition and operating results, which could result in our failure to meet our operating plan or the expectations of investors or analysts for any given period, causing the market price of our ordinary shares to be negatively impacted.

We increasingly rely on third-party providers of cloud infrastructure services to deliver our SaaS solutions to customers, and any disruption of or interference with our use of these services, including any specifications limitations, could adversely affect our business.

Our SaaS solutions are hosted by and dependent upon third-party providers of cloud infrastructure services (Cloud Service Providers), primarily Amazon Web Services (AWS). We do not have control over the operations or the facilities of the Cloud Service Providers that we use. If any of the services provided by the Cloud Service Providers fail, become unavailable, or experience service degradation due to earthquakes, flooding, fires, heatwaves, power loss, telecommunication failures, natural disasters, extended outages, cyberattacks, or other interruptions or similar events, our ability to operate our platform and deliver our SaaS solutions to customers could be materially negatively impacted, and the quality or perception of the quality, of our products and services could be diminished, which may result in a decrease in revenues, damage to our reputation, contractual liability, including for failure to meet service level agreements, regulatory actions and interruption of our ability to manage our finances and our processes for managing sales of our offerings. If we are unable to rapidly and cost-effectively substitute one Cloud Service Provider with another in circumstances of a failure or unavailability, or maintain or renew our agreements with our Cloud Service Providers on commercially reasonable terms, or we need to add new Cloud Service Providers to increase capacity and uptime, we could experience interruptions, downtime, delays, and additional expenses related to transferring to and providing support for these new platforms. Any of the above circumstances or events may harm our reputation and brand, expose us to liability, reduce the availability or usage of our platform or services, and impair our ability to attract new users, any of which could adversely affect our business, financial condition and results of operations.

Delivery of our SaaS solutions to our customers and operation of our platform depends on the ability of data centers and cloud infrastructure to allow for our customers’ configuration, architecture, features and interconnection requirements and other specifications. Any limitation on the capability of these data centers or cloud infrastructure to meet or maintain such specification requirements could impede our ability to onboard new customers or expand the usage of our existing customers, host our platform and services, or serve our customers, any of which could adversely affect our business, financial condition and results of operations.

12


The highly competitive cybersecurity labor market has made it a challenge to attract and retain qualified personnel, and if we are unable to hire, retain and motivate qualified personnel, our business will suffer.

Our future success, productivity, revenue growth, profitability and cash flow from operating activities depend, in part, on our ability to continue to timely attract and retain highly skilled personnel. The highly competitive cybersecurity labor market has created an intense hiring environment, resulting in us experiencing increased difficulty and enhanced costs in attracting and retaining qualified personnel. For example, the increased demand for AI or other cutting-edge technology expertise may result in increased competition for qualified personnel, making it challenging for us to secure top-tier talent; additionally, hiring and retaining qualified personnel to maintain our legacy products may also be challenging. Since we require a highly skilled workforce in order to successfully compete in an increasingly competitive cybersecurity market, we have experienced and may continue to experience difficulty in hiring, high employee turnover, and considerable costs and productivity as well as time to market losses, which, over time, may impact our productivity, ability to meet customers’ expectation and overall profitability levels. Many corporations and startup companies may have greater resources and compensation tools at their disposal for talent acquisition, which may not be available at our Company. Our compensation relies partially on different equity vehicles (such as RSUs (defined below) or our ESPP (defined below)). Volatility within the stock market, including fluctuations in the stock prices of technology companies, or poor stock performance may affect our employee attrition and ability to attract new talent. Our inability to attract or retain qualified personnel or delays in hiring such personnel may seriously harm our performance, business and financial condition and results of operations. Furthermore, if we hire employees who previously worked for our competitors, we may be subject to allegations that such employees have been improperly solicited or divulged proprietary or other confidential information, which could subject us to potential liability and litigation.

In order to meet our business goals and address the challenges of the labor market, we expanded our workforce, including by engaging external service providers, some of which are involved in our core product development activities. If we are unable to retain these personnel at a sufficient rate, or if our relationship with such service providers deteriorates or the engagement with them is otherwise terminated prematurely, our ability to reach our product goals and meet customer expectations may be materially adversely affected.

Additionally, we believe that our corporate culture has been, and will continue to be, a key contributor to our success and our ability to retain highly skilled personnel. As we grow and evolve, we may find it difficult to maintain our corporate culture. If we fail to continue to manage our expansion in a manner that preserves the key aspects of our corporate culture, this could negatively affect our brand and reputation and harm our ability to retain and attract customers and employees.

If we do not effectively execute our sales and marketing strategies, and expand, train and retain our sales, marketing and customer success personnel, our business may suffer.

We depend significantly on our sales force and go-to-market organization to execute our sales and marketing strategies, attract new customers, provide a positive customer experience, deliver a high level of customer service and support and expand sales to existing customers. Factors such as increased competition, shifts in market dynamics, or unforeseen challenges in customer engagement could impede the successful execution of these strategies (see “— The information security market is rapidly evolving within the increasingly challenging cyber threat landscape. If our solutions fail to adapt to market changes and demands, sales may not continue to grow or may decline.”).

We are dependent on our ability to train and enable our sales force to adapt to changes to our go-to-market strategy and evolving market trends, effectively position our products and services, differentiate ourselves from competitors or meet our customers’ expectations in terms of product performance, ease of use, customer support, and overall user experience. Failure to do so may result in decreased market share, reduced revenue, and hindered business growth. In 2024, we began transitioning our go-to-market strategy from traditional, siloed, product-specific licensing to a solutions-based framework to provide our customers with a unified user experience. Failure to adequately train our sales personnel on the new go-to-market approach may result in inability to execute or effectively communicate and implement this shift while adapting to evolving market dynamics and customer preferences.

Our ability to grow our revenues also depends, in part, on our success in recruiting, training, and retaining enough sales, customer success and marketing personnel to support our growth. The number of our sales, customer success and marketing personnel increased from 1,157 as of December 31, 2022, to 1,321 as of December 31, 2023. We expect to continue to expand our sales, customer success, and marketing personnel and to do so, we may face a number of challenges in achieving our hiring, retention, and integration goals (see “—The highly competitive cybersecurity labor market has made it a challenge to attract and retain qualified personnel, and if we are unable to hire, retain and motivate qualified personnel, our business will suffer.”).

13


Additionally, the training and integration of a large number of sales, customer success, and marketing personnel in a short time requires the allocation of significant internal resources. Based on our experience, it takes an average of approximately six to nine months before a new sales force member operates at target performance levels. We may not be able to recruit at our anticipated rate or achieve or maintain our target performance levels with large numbers of new sales personnel as quickly as we have done in the past, which may materially and adversely impact our business and results of operations. In addition, significant turnover in our sales, customer success, or marketing organizations, may impact our ability to retain and expand our customers, obtain new customers, or deliver on our revenue, profitability, or cash flow generation goals.

Changes within the executive team may be disruptive to the Company’s business operations and impact its ability to attract and retain top talent and execute its sales and marketing strategies. If we are unable to successfully manage and integrate changes within our executive team, our business, financial conditions and results of operations may be adversely affected.

We may fail to fully execute, integrate, or realize the benefits expected from acquisitions, which may require significant management attention, disrupt our business, dilute shareholder value, and adversely affect our results of operations.

As part of our business strategy and to remain competitive, we continue to evaluate acquiring or making investments in complementary companies, products, or technologies. We may not be able to find suitable acquisition candidates or complete such acquisitions on favorable terms. We may incur significant expenses, divert employee and management time and attention from other business-related tasks and our organic strategy, and incur other unanticipated complications while engaging with potential target companies where no transaction is eventually completed. If we do complete acquisitions, we may not ultimately strengthen our competitive position or achieve our goals or expected growth, profitability or cash flow generation, and any acquisitions we complete could be viewed negatively by our customers, analysts, and investors, or create unexpected competition from market participants. Any integration process may require significant time and resources. We may not be able to manage the process successfully and may experience a decline in our profitability as we incur expenses prior to fully realizing the benefits of the acquisition. We could expend significant cash and incur acquisition-related costs and other unanticipated liabilities associated with the acquisition, the product, or the technology, such as contractual obligations, potential security vulnerabilities of the acquired company and its products and services and potential intellectual property infringement. In addition, any acquired technology or product may not comply with legal or regulatory requirements and may expose us to regulatory risk and require us to make additional investments to make them compliant. Further, we may not be able to provide the same support service levels to the acquired technology or product that we generally offer with our other products.

We may not successfully evaluate or utilize the acquired technology or personnel, or accurately forecast the financial impact of an acquisition transaction, including accounting charges and tax liabilities. Further, the issuance of equity or securities convertible to equity to finance any such acquisitions could result in dilution to our shareholders and the issuance of debt could subject us to covenants or other restrictions that would impede our ability to manage our operations. We could become subject to legal claims following an acquisition or fail to accurately forecast the potential impact of any claims. The price and cost of an acquisition and its expected return, including in terms of revenue growth, profitability, cash flow generation, market expansion or technology enhancements, may not meet the expectations of our investors. Any of these issues could have a material adverse impact on our business and results of operations and may result in a decline in our stock price.

If we fail to maintain successful relationships with our channel partners, or if our channel partners fail to perform, our ability to market, sell, and distribute our solutions will be limited, and our business, financial condition, and results of operations will be harmed.

We rely on our channel partners to market, sell, support, and implement our solutions. We expect that indirect sales through our channel partners will continue to account for a significant percentage of our revenue. In the year ended December 31, 2023, we generated approximately 80% of our revenues from sales to channel partners, such as distributors, systems integrators, value-added resellers, managed security service providers, and marketplaces, and we expect that channel partners will represent a substantial portion of our revenues for the foreseeable future. Further, we cooperate with advisory firms in marketing our solutions and providing implementation services to our customers, in both direct and indirect sales. Our agreements with channel partners are non-exclusive, meaning our partners may offer customers information security products from other companies, including products that compete with our solutions.

14


If our channel partners do not effectively market and sell our solutions or choose to use greater efforts to market and sell their own products and services or the products and services of our competitors or adjacent security solutions, our ability to grow our business will be adversely affected. Further, new channel partners require training and may take several months or more to achieve productivity. The loss of key channel partners, the inability to replace them, or the failure to recruit additional channel partners due to a variety of factors, including introduction of new partner program terms, could materially and adversely affect our results of operations. Our reliance on channel partners could also subject us to lawsuits or reputational harm if, for example, a channel partner misrepresents the functionality of our solutions to customers, fails to appropriately implement our solutions, or violates applicable laws, and, in addition, this may result in termination of such partner’s agreement and potentially curb future revenues associated with this channel partner. If we are unable to maintain our relationships with channel partners or otherwise develop and expand our indirect sales channel, or if we are unable to train our channel partners to independently sell, install and support our solutions, or if our channel partners fail to perform, our business, financial condition and results of operations could be adversely affected.

A portion of our revenues is generated by sales to government entities, which are subject to a number of challenges and risks, such as increased competitive pressures, administrative delays and additional approval requirements.

A portion of our revenues is generated by sales to U.S. and foreign federal, state, and local governmental agency customers, and we may increase sales to government entities in the future. Selling to government entities can be highly competitive, expensive and time consuming, often requiring significant upfront time and expense without any assurance that we will complete a sale, or imposing terms of sale which are less favorable than the prevailing market terms. Government demand and payment for our products and services may be impacted by public sector budgetary cycles and funding authorizations, funding reductions, government shutdowns or delays, adversely affecting public sector demand for our products. The foregoing may be intensified due to macroeconomic impacts (see “—Prolonged economic uncertainties or downturns, globally or in certain regions or industries, could materially adversely affect our business.”) Additionally, for purchases by the U.S. government, the government may require certain products to be manufactured, maintained or developed in the United States and other high-cost locations, and we may not manufacture, maintain or develop all products in locations that meet the requirements of the U.S. government. Finally, some government entities require products such as ours to comply with certain technical or security requirements or standards or be certified by industry-approved security agencies as a pre-condition of purchasing them. We cannot guarantee we will be successful in meeting or attaining such requirements, standards or certifications. Even if achieved, the process (including maintenance thereof) may be expensive and time-consuming. We are in the process of, and are incurring costs, to obtain authorization from the Federal Risk and Authorization Management Program (“FedRAMP”) for certain of our SaaS products. The grant and maintenance of such certifications depend on the then-current requirements of the certifying agency and our ability to meet them. We cannot be certain that any certificate will be granted, remain in effect or renewed, or that we will be able to satisfy the technological and other requirements to maintain certifications. The loss of any of our current product certificates, or the failure to obtain new ones, could result in the imposition of various penalties, reputational harm, loss of existing customers, or could deter new and existing customers from purchasing our solutions, additional products or our services, any of which could adversely affect our business, operating results or financial condition.

Prolonged economic uncertainties or downturns, globally or in certain regions or industries, could materially adversely affect our business.

Our business depends on our current and prospective customers’ ability and willingness to invest money in information security, which in turn is dependent upon their overall economic health and the strength of the broader macroeconomic environment. Uncertain economic conditions in the global economy or certain regions, including conditions resulting from financial and credit market fluctuations (including rising interest rates), exchange rate fluctuations, or inflation, and the potential for regional or global recessions, could cause a decrease in corporate spending on cybersecurity software. Other matters that influence customer confidence and spending, such as political unrest, public health crises, terrorist attacks, armed conflicts, rising energy costs, and natural disasters, could also negatively affect our customers’ spending on our products and services. Since a significant portion of our operations are based in Israel, hostilities within the region, including due to the war between Israel and Hamas, as well as any political uncertainty or reform, or a significant downturn in the economic or financial condition of Israel, could materially adversely affect our operations (see “— Conditions in Israel, including the ongoing war between Israel and Hamas and other conflicts in the region, as well as political and economic instability, may adversely impact our business operations.”). In addition, economic instability within areas experiencing armed conflicts can and has resulted in sanctions that restrict the selling or importing of goods, services, or technology in or from certain regions. Political instability could further exacerbate macroeconomic uncertainty on a global scale, including within specific revenue-generating industry verticals. Our international operations also involve risks that could increase our expenses, adversely affect our operating results, and require increased time and attention from our management. A significant portion of our business operations are concentrated in core geographic areas, and economic downturns in these areas could severely affect our business operations. In addition, some of our business operations depend on emerging markets that are less resilient to fluctuations in the global economy. In 2023, we generated 52.3% of our revenues from the United States, 30.0% of our revenues from Europe, the Middle East and Africa and 17.7% from the rest of the world, which includes countries from the Asia Pacific, Japan region, the Latin America region and Canada.

15


Negative economic conditions may cause key customers, or specific revenue-generating verticals, to reduce their IT spending. Customers may delay or cancel IT projects, choose to focus on in-house development efforts or seek to lower their costs by renegotiating subscription renewals or maintenance and support agreements, thus making it difficult to adequately forecast and plan future business activities accurately, or prolonging our sales cycles. Further, customers or channel partners may be more likely to make late payments in worsening economic conditions, which could lead to increased collection efforts and require us to incur additional associated costs to collect expected revenues. If the economic conditions of the general economy or industries in which we operate deteriorate from present levels, our business, results of operation and financial condition could be adversely affected.

We have incurred net losses and may not be able to generate sufficient revenue to achieve and sustain profitability, and may also impact our ability to expand our cash flow generated by operating activities.

We have incurred net losses of $130.4 million and $66.5 million in each of the years ended December 31, 2022 and 2023, respectively, and anticipate our cash flow from operating activities could fluctuate. Our ability to generate cash flow from operating activities as a subscription company will depend on the combination of our success in retaining high renewal rates with our customers, expanding sales with our existing customers, generating sales from new customers and executing and collecting annual or multi-year contracts which are paid for up front. We cannot be certain we will achieve the required renewal rates, increase sales from existing and new customers nor generate or collect based on the contract terms for the sales, which will improve our cash flow from operating activities. In addition, due to our continued investment in the growth of our business, we expect our operating expenses to increase over the next several years as we hire additional personnel, retain existing personnel in a competitive market and continue to enhance our solutions and identity security platform and deliver new services to market. Any failure to increase our revenue could prevent us from achieving profitability or maintaining or increasing cash flow from operating activities on a consistent basis. In addition, we may have difficulty achieving profitability under U.S. GAAP due to share-based compensation expense and other non-cash charges. If we are unable to navigate these challenges as we encounter them, our business, financial condition, and operating results may suffer.

We are subject to a number of regulatory and geopolitical risks associated with global sales and operations, which could materially affect our business.

We are a global company subject to varied and complex laws, regulations, and customs. The application of these laws and regulations to our business is often unclear, subject to interpretation and may, at times, conflict. Compliance with these laws and regulations may involve significant costs or require changes in our business practices or products, resulting in reduced revenue and profitability. Furthermore, business practices in the global markets that we serve may differ from those in the United States and may require us to include non-standard terms in customer contracts, such as extended payment or warranty terms. Further, there may be higher costs of doing business globally, including costs incurred by maintaining office space, securing adequate staffing, and localizing our contracts.

Additionally, our global sales and operations are subject to a number of risks, including the following:


failure to fully comply with various global data privacy and data protection laws (see “—The dynamic regulatory environment around privacy, data protection, and AI may limit our offering or require modification of our products and services, which could limit our ability to attract new customers and support our current customers and increase our operational expenses. We could also be subject to investigations, litigation, or enforcement actions alleging that we fail to comply with regulatory requirements, which could harm our operating results and adversely affect our business.”);

16



fluctuations in exchange rates between the U.S. dollar and foreign currencies in markets where we do business (see “—We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.”);


social, economic and political instability, war, civil disturbance or acts of terrorism, conflicts (including the ongoing conflicts between Israel and Hamas and Ukraine and Russia), security concerns, and any pandemics or epidemics;


greater difficulty in enforcing contracts and managing collections, as well as longer collection periods;


noncompliance with specific anti-bribery laws, without limitation, the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act of 2010 and the heightened risk of unfair or corrupt business practices in certain geographies, which may include the improper or fraudulent sales arrangements by us, or by our channel partners or service providers that may impact financial results and result in restatements of, or irregularities in, financial statements;


certain of our activities and products are subject to U.S., European Union, Israeli, and possibly other export and trade control and economic sanctions laws and regulations, which have and may additionally prohibit or restrict our ability to engage in business with certain countries and customers. If the applicable requirements related to export and trade controls change or expand, if we change the encryption functionality in our products, or if we develop other products, or export products from/to certain jurisdictions, we may fail to comply with such regulations or may need to satisfy additional requirements or obtain specific licenses to continue to export our products in the same global scope. Various countries also regulate the import or export of certain encryption products and other technologies and services and have enacted laws that could limit our ability to distribute or implement our products in those countries. In addition, applicable export control and sanctions laws and regulations may impact our ability to sell our products, directly or indirectly, to countries or territories that are the target of comprehensive sanctions or to prohibited parties;


unexpected changes in regulatory practices and foreign legal requirements may adversely affect our business. The introduction of new cybersecurity laws and regulations and changes in existing ones or their enforcement, may impair our ability to sell our solutions in certain jurisdictions if we are not able to adapt our products and offerings to conform with such regulations. In addition, changes in tax regulations and uncertain tax obligations and effective tax rates, may result in recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher than anticipated earnings in jurisdictions where we have higher statutory rates, or changes in the valuation of our deferred tax assets and liabilities;


new and developing laws and regulations, and compliance with, and the uncertainty of, laws and regulations that apply or may in future apply to our areas of business, including cybersecurity, corporate governance, anti-trust and competition, local and regional employment (including cross-border travel), employee and third-party complaints, supply chain regulation, limitation of liability, conflicts of interest, AI, securities regulations and other regulatory requirements affecting trade, local tariffs, product localization and investment;


reduced or uncertain protection of intellectual property rights in some countries; and


management communication and integration problems resulting from cultural and geographic dispersion.

17


These and other factors could harm our ability to generate future global revenues and, consequently, materially impact our business, results of operations and financial condition. Non-compliance could also result in government investigations, fines, damages, or criminal sanctions against us, our officers or our employees, prohibitions on the conduct of our business, and damage to our reputation.

Intellectual property claims may increase our costs or require us to cease selling certain products, which could adversely affect our financial condition and results of operations.

The information security industry is characterized by the existence of a large number of relevant patents and frequent claims and litigations regarding patents and other intellectual property rights. Leading companies in the information security industry have extensive patent portfolios. In addition, the scope of copyright protection and other legal protections for intellectual property generated by certain new technologies, such as generative AI, is uncertain. The use of generative AI and other forms of AI, whether incorporated into our products and services or used by our workforce, may expose us to risks because the intellectual property ownership and license rights, including copyright, of generative and other AI output has not been fully interpreted by courts in the United States or been fully addressed by federal or state regulation in the United States or foreign jurisdictions. From time to time, third parties have asserted, and in the future may assert, their patent, copyright, trademark, and other intellectual property rights against us, our channel partners, or our customers. Furthermore, we may be subject to indemnification obligations with respect to third-party intellectual property rights pursuant to our agreements with our customers and channel partners. Such indemnification provisions are customary in our industry. We cannot ensure that we will have the resources to defend against such claims. Successful claims of infringement or misappropriation by a third party against us or a third party that we indemnify, could prevent us from distributing certain products or performing certain services or could require us to pay substantial damages (including, for example, treble damages if we are found to have willfully infringed patents and increased statutory damages if we are found to have willfully infringed copyrights), royalties or other fees. Such claims also could require us to cease making, licensing, or using solutions that are alleged to infringe or misappropriate the intellectual property of others, to expend additional development resources to attempt to redesign our products or services or otherwise to develop non-infringing technology, to enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual property rights, and to indemnify our customers and channel partners (and parties associated with them). The failure to obtain a license or the costs associated with any license could cause our business, results of operations, or financial condition to be materially and adversely affected. Defending against claims of infringement, regardless of their validity, or being deemed to be infringing the intellectual property rights of others could be very expensive and time-consuming to defend, harm our reputation, and impair our ability to innovate, develop, distribute, and sell our current and planned products and services.

We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.

Our functional and reporting currency is the U.S. dollar. In 2023, most of our revenues were denominated in U.S. dollars and the remainder was primarily in Euros and British pounds. In 2023, most of our cost of revenues and operating expenses were denominated in U.S. dollars and New Israeli Shekels (NIS) and the remainder primarily in Euros and British pounds. Our foreign currency-denominated expenses consist primarily of personnel, facilities, consulting and travel costs. Since the portion of our expenses generated in NIS and British pounds is greater than our revenues in NIS and British pounds, respectively, any appreciation of the NIS or the British pounds relative to the U.S. dollar could adversely impact our operating loss. In addition, if the portion of our revenues generated in Euros is greater than our expenses incurred in Euros, any depreciation of the Euro relative to the U.S. dollar would create exposure to our reported revenue and operating results . We estimate that a 10% strengthening or weakening in the value of the NIS against the U.S. dollar would have increased or decreased, respectively, our operating loss by approximately $17.7 million in 2023. We estimate that a 10% strengthening or weakening in the value of the Euro against the U.S. dollar would not change our operating loss in 2023. We estimate that a 10% strengthening or weakening in the value of the British pounds against the U.S. dollar would have increased or decreased, respectively, our operating loss by approximately $2.0 million in 2023. These estimates of the impact of fluctuations in currency exchange rates on our historical results of operations may be different from the impact of fluctuations in exchange rates on our future results of operations since the mix of currencies comprising our revenues and expenses may change. For example, fluctuations in the different currencies in 2023, as compared to 2022 exchange rates, decreased total operating loss by approximately $14.7 million. We periodically evaluate the various currencies to which we are exposed and, as appropriate, may enter into hedging transactions designed to reduce or eliminate certain currency exchange rate impacts. We expect that most of our revenues will continue to be generated in U.S. dollars with the balance primarily in Euros and British pounds for the foreseeable future, and that a significant portion of our expenses will continue to be denominated in NIS, U.S. dollars, British pounds and in Euros. We cannot provide any assurances that our hedging activities will be successful in protecting us from adverse impacts from currency exchange rate fluctuations. In addition, we have monetary assets and liabilities that are denominated in non-U.S. dollar currencies. For example, we have a significant NIS linked liability related to our operational leases in Israel. As a result, significant exchange rate fluctuations could have a negative effect on our net income (see “Item 11— Quantitative and Qualitative Disclosures About Market Risk—Foreign Currency Risk.”).

18


If our products fail to help our customers achieve and maintain compliance with certain government regulations and industry standards, our business and results of operations could be materially and adversely affected.

We generate a substantial portion of our revenues from our products and services that enable our customers to achieve and maintain compliance with certain government regulations and industry standards, and we expect that to continue for the foreseeable future. Governments and other customers may require our products to comply with certain privacy, security or other certifications and standards with respect to those solutions utilized by them as a control demonstrating compliance with government regulations and industry standards. We have maintained a SOC 2 accreditation for multiple products since 2019. Additionally, we have maintained the ISO 27001 annual certification since April 2017 and attained ISO 27018 certification in 2023. We are pursuing the evaluation of having our Privilege Access Management solution for international Common Criteria certification. We are also in the process of seeking authorization from the Federal Risk and Authorization Management Program (FedRAMP), for certain SaaS products. However, we are unable to guarantee that we will achieve the foregoing authorizations in a timely manner, or at all, or maintain compliance with them once they have been achieved. If our products are late in achieving or failing to achieve or maintain compliance with these certifications and standards, or our competitors achieve compliance with these certifications and standards, we may be disqualified from selling our products to such customers, or may otherwise be at a competitive disadvantage, either of which would harm our business, results of operations, and financial condition.

Additionally, industry standards may change with little or no notice, including changes that could make them more or less onerous for businesses, including in connection with AI. If we are unable to adapt our solutions to changing government regulations and industry standards in a timely manner, or if our solutions fail to expedite our customers’ compliance initiatives, our customers may lose confidence in our products and could switch to products offered by our competitors. In addition, if government regulations and industry standards related to information security are changed in a manner that makes them less onerous, our customers may view compliance as less critical to their businesses and may be less willing to purchase our products and services. In either case, our sales and financial results would suffer (see also “—The dynamic regulatory environment around privacy, data protection, and AI may limit our offering or require modification of our products and services, which could limit our ability to attract new customers and support our current customers and increase our operational expenses. We could also be subject to investigations, litigation, or enforcement actions alleging that we fail to comply with regulatory requirements, which could harm our operating results and adversely affect our business.”).

If we are unable to adequately protect our proprietary technology and intellectual property rights, our business could suffer substantial harm.

The success of our business depends on our ability to protect our proprietary technology, brands and other intellectual property and to enforce our rights in that intellectual property. We attempt to protect our intellectual property under patent, copyright, trademark and trade secret laws, and through a combination of confidentiality procedures, contractual provisions and other methods, all of which offer only limited protection.

As of December 31, 2023, we had 147 issued patents in the United States and 48 pending U.S. patent applications. We also had 62 issued patents and 18 applications pending for examination in non-U.S. jurisdictions, all of which are counterparts of our U.S. patent applications. We expect to file additional patent applications in the future.

19


The process of obtaining patent protection is expensive and time-consuming, and we may not be able to complete all necessary or desirable patent applications at a reasonable cost or in a timely manner all the way to the successful issuance of a patent. We may choose not to seek patent protection for certain innovations and may choose not to pursue patent protection in certain jurisdictions. Furthermore, it is possible that our patent applications may not be approved, that the scope of our issued patents will be insufficient or not have the coverage originally sought, that our issued patents will not provide us with any competitive advantages, and that our patents and other intellectual property rights may be challenged by others or invalidated through administrative processes or litigation. Finally, issuance of a patent does not guarantee that we have an absolute right to practice the patented invention. Our policy is to require our employees (and our consultants and service providers that develop intellectual property included in our products) to execute written agreements in which they assign to us their rights, if such exist, in potential inventions and other intellectual property created within the scope of their employment (or, with respect to consultants and service providers, their engagement to develop such intellectual property. We cannot be certain that we have adequately protected our rights in every such agreement or that we have executed an agreement with every such party. Finally, in order to benefit from the protection of patents and other intellectual property rights, we must monitor and detect infringement and pursue infringement claims under certain circumstances in relevant jurisdictions. Litigating claims related to the enforcement of intellectual property rights is very expensive and can be burdensome in terms of management time and resources. Any litigation related to intellectual property rights or claims against us could result in loss or compromise of our intellectual property rights or could subject us to significant liabilities. As a result, we may not be able to obtain adequate protection or to effectively enforce our issued patents or other intellectual property rights.

In addition to patents, we rely on trade secret rights, copyrights and other rights to protect our unpatented proprietary intellectual property and technology. Unauthorized parties, including our employees, consultants, service providers or customers, may attempt to copy aspects of our products or obtain and use our trade secrets or other confidential information. We generally enter into confidentiality agreements with our employees, consultants, service providers, vendors, channel partners, subcontractors and customers, and generally limit access to and distribution of our proprietary information and proprietary technology through certain procedural safeguards. These agreements may not effectively prevent unauthorized use or disclosure of our intellectual property or technology and may not provide an adequate remedy in the event of unauthorized use or disclosure of our intellectual property or technology. We cannot be certain that the steps taken by us will prevent misappropriation of our intellectual property or technology or infringement of our intellectual property rights. In addition, the laws of some foreign countries where we sell our products do not protect intellectual property rights and technology to the same extent as the laws of the United States, and these countries may not enforce these laws as diligently as government agencies and private parties in the United States. If we are unable to protect our intellectual property, we may find ourselves at a competitive disadvantage to others who do not incur the additional expense, time and effort to create the innovative products nevertheless benefiting from such innovation due to misappropriation.

Our use of open-source software, third-party software, and other intellectual property may negatively affect our ability to offer our solutions and expose us to litigation or other risks.

We integrate certain open-source software components from third parties into our software, and we expect to continue to use open-source software in the future. Some open-source software licenses require, among other things, that users who distribute or make available as a service, open-source software with their own software products, add appropriate copyright notices and disclaimers, publicly disclose all or part of the source code of the users’ developed software or make available any derivative works of the open-source code under open-source license terms or at no cost. Our efforts to use the open-source software in a manner consistent with the relevant license terms that would not require us to disclose our proprietary code or license our proprietary software at no cost may not be successful. We may face claims by third parties seeking to enforce the license terms applicable to such open-source software, including by demanding the release of our proprietary source code, or we may face termination of such licenses if the owner of the open-source software asserts that we are in breach of its license terms. In addition, if the license terms for the open-source code change or the license is terminated, we may be forced to re-engineer our software or incur additional costs. In addition, open-source software typically comes without warranties or indemnities from the owner, whereas we are expected to offer our customers both. Accordingly, if there were technical problems with open-source software that we used in our products, or if such open-source software infringed third-party intellectual property rights, we could have a warranty obligation or infringement indemnity obligation to our customer without a corresponding warranty or indemnification obligation from the owner of the open-source software. In addition, regardless of the validity of claims against us, our business, financial condition, and results of operations could be harmed by litigation and defense costs, payment of damages, the disclosure of our source code, additional expenditure to enter into royalty or licensing agreements, and additional expenses and research and development time to render existing products non-infringing.

20


Moreover, some open-source software that we use may include generative AI software or other software that incorporates or relies on generative AI or other AI technologies. The use of such open-source software may expose us to risks in connection with claims of intellectual property infringement by other third parties (see “—If we are unable to adequately protect our proprietary technology and intellectual property rights, our business could suffer substantial harm.”).

We have no assurance that any open-source software that we use in our products and may patch will be free from vulnerabilities or malicious code. While customary in the industry, our use of open-source software and third-party software in our solutions may expose us, and our customers using our solutions, to additional vulnerabilities and security breaches, which may result in significant adverse impacts to us and our customers, especially if such open-source software or third-party software is not maintained by its authors (see “—Real or perceived security vulnerabilities and gaps in our solutions or services or the failure of our customers or third parties to correctly implement, manage and maintain our solutions, may result in significant reputational, financial, and legal adverse impact.”).

Further, some of our products and services include other software or intellectual property licensed from third parties, and we also use software and other intellectual property licensed from third parties for our own business operations. This exposes us to risks over which we may have little or no control. For example, a licensor may have difficulties keeping up with technological changes or may stop supporting the software or other intellectual property that it licenses to us. There can be no assurance that the licenses we use will be available on acceptable terms, if at all. In addition, a third party may assert that we or our customers are in breach of the terms of a license, which could, among other things, give such third party the right to terminate a license or seek damages from us, or both. Our inability to obtain or maintain certain licenses or other rights or to obtain or maintain such licenses or rights on favorable terms, or the need to engage in litigation regarding these matters, could result in delays in releases of new products, and could otherwise disrupt our business, until equivalent technology can be identified, licensed, or developed.

Risks Related to Our Ordinary Shares

Our share price may be volatile, and our shareholders may lose all or part of their investment.

From January 2021 through January 2024, our ordinary shares have traded on the Nasdaq Global Select Market (“Nasdaq”) at a price per share between a range of $107.33 and $237.87. In addition, the market price of our ordinary shares could be highly volatile and may fluctuate substantially as a result of many factors, some of which are beyond our control, including, but not limited to:


actual or anticipated fluctuations in our results of operations and the results of other similar companies;


variance in our financial performance from the expectations of market analysts;


announcements by us or our competitors of significant business developments, changes in service provider relationships, acquisitions or expansion plans;


changes in the prices of our products and services or in our pricing models;


our involvement in litigation;


our sale of ordinary shares or other securities in the future;


market conditions in our industry;


speculation in the press or the investment community;


the trading volume of our ordinary shares;


changes in the estimation of the future size and growth rate of our markets;


any merger and acquisition activities; and


general economic and market conditions.

21


The price of our ordinary shares could also be affected by possible sales of our ordinary shares by investors who view our Convertible Notes as a more attractive means of equity participation in our Company, and by hedging and arbitrage trading activity that such investors may engage in.

In addition, the stock markets have experienced price and volume fluctuations. Broad market and industry factors may materially harm the market price of our ordinary shares, regardless of our operating performance, and may affect our ability to access new capital, which may materially harm our liquidity, and limit our ability to grow our business. In the past, following periods of volatility in the market price of a company’s securities, securities class action litigation has often been instituted against that company. If we are involved in any similar litigation, we could incur substantial costs and our management’s attention and resources could be diverted, which could materially adversely affect our business.

Our business could be negatively affected as a result of the actions of activist shareholders, and such activism could impact the trading value of our securities.

In recent years, U.S. and non-U.S. companies listed on securities exchanges in the United States have been faced with governance-related demands from activist shareholders, unsolicited tender offers and proxy contests. Although as a foreign private issuer we are not subject to U.S. proxy rules, responding to any action of this type by activist shareholders could be costly and time-consuming, disrupting our operations and diverting the attention of management and our employees. Such activities could interfere with our ability to execute our strategic plans. In addition, a proxy contest for the election of directors at our annual meeting would require us to incur significant legal fees and proxy solicitation expenses and require significant time and attention by management and our board of directors. The perceived uncertainties due to such actions of activist shareholders could also affect the market price of our securities.

As a foreign private issuer whose ordinary shares are listed on Nasdaq, we may follow certain home country corporate governance practices instead of otherwise applicable SEC and Nasdaq requirements and are exempt from a number of requirements under U.S. securities laws. This may result in less protection for, or limit the information available to, our shareholders.

As a foreign private issuer whose ordinary shares are listed on Nasdaq, we are permitted to follow certain home country corporate governance practices instead of certain rules of Nasdaq. We currently follow Israeli home country practices with regard to the quorum requirement for shareholder meetings and the requirements relating to distribution of our annual report to shareholders. As permitted under the Israeli Companies Law, 5759-1999 (the “Companies Law”), our amended and restated articles of association provide that the quorum for a meeting of shareholders convened pursuant to a resolution adopted by the board of directors shall be at least two shareholders present in person or by proxy who hold at least 25% of the voting power of our shares instead of 33 1/3% of our issued share capital (as prescribed by Nasdaq’s rules). Further, as permitted by the Companies Law and in accordance with the generally accepted business practice in Israel, we do not distribute our annual report to shareholders but make it available through our public website. We may in the future elect to follow Israeli home country practices with regard to other matters such as director nomination procedures, separate executive sessions of independent directors and the requirement to obtain shareholder approval for certain dilutive events (such as for the establishment or amendment of certain equity-based compensation plans, issuances that will result in a change of control of the Company, certain transactions other than a public offering involving issuances of a 20% or more interest in the Company and certain acquisitions of the stock or assets of another company). Accordingly, our shareholders may not be afforded the same protection as provided under Nasdaq corporate governance rules. Following our home country governance practices as opposed to the requirements that would otherwise apply to a U.S. company listed on Nasdaq may provide less protection than is accorded to shareholders of domestic issuers. See “Item 16G. Corporate Governance.”

As a foreign private issuer, we are exempt from a number of requirements under U.S. securities laws that apply to public companies that are not foreign private issuers. In particular, we are exempt from the rules and regulations under the Exchange Act related to the furnishing and content of proxy statements, and our officers, directors and principal shareholders are exempt from the reporting and short-swing profit recovery provisions contained in Section 16 of the Exchange Act. In addition, we are not required under the Exchange Act to file annual, quarterly, and current reports and financial statements with the SEC, as frequently or as promptly as domestic companies whose securities are registered under the Exchange Act. We are also exempt from the provisions of Regulation FD, which prohibits issuers from making selective disclosure of material nonpublic information. Even though we intend to comply voluntarily with Regulation FD, these exemptions and leniencies will reduce the frequency and scope of information and protections to which our shareholders are entitled as investors. For so long as we qualify as a foreign private issuer, we are not required to comply with the proxy rules applicable to U.S. domestic companies. Because of these exemptions for foreign private issuers, our shareholders do not have the same information generally available to investors holding shares in public companies that are not foreign private issuers.

22


Our Convertible Notes may impact our financial results, result in the dilution of existing shareholders, create downward pressure on the price of our ordinary shares, and restrict our ability to take advantage of future opportunities.

In November 2019, we issued $575.0 million aggregate principal amount of 0.00% Convertible Senior Notes due 2024 (the “Convertible Notes”). The Convertible Notes may affect our earnings per share figures, as accounting procedures may require that we include in our calculation of earnings per share the number of ordinary shares into which the Convertible Notes are convertible. The Convertible Notes will mature on November 15, 2024, unless earlier converted, repurchased, or redeemed. Prior to the close of business on the business day immediately preceding May 15, 2024, the Convertible Notes will be convertible at the option of the holders thereof only upon the satisfaction of the specified conditions and during certain periods. On or after May 15, 2024 until the close of business on the third scheduled trading day preceding the maturity date, the Convertible Notes will be convertible at the option of the holders at any time. The current conversion rate on the Convertible Notes is 6.3478 ordinary shares of ours per each $1,000 principal amount of the Convertible Notes, which is equivalent to the current conversion price of approximately $157.53 (in each case, subject to applicable adjustments). Assuming that the prevailing market price of our ordinary shares remains in excess of the conversion price of the Convertible Notes prior to their maturity date, we expect the Convertible Notes to be converted by the holders thereof, on the terms specified in the Convertible Notes. Such conversions may be settled, at our election, in cash, ordinary shares or a combination thereof, and all conversions on or after May 2024 until the close of business on the third scheduled trading day preceding the maturity date are required to be settled using a single settlement method. At present, the default settlement method for any such conversions is physical settlement. If our ordinary shares are issued to the holders of the Convertible Notes in settlement upon conversion, there will be dilution to our shareholders’ equity above the cap price of the Capped Call Transactions described below, and the market price of our ordinary shares may decrease due to the additional selling pressure in the market. Any downward pressure on the price of our ordinary shares caused by the sale or potential sale of ordinary shares issuable upon conversion of the Convertible Notes could also encourage short sales by third parties, creating additional downward pressure on our share price.

In addition, in connection with the pricing of the Convertible Notes, we entered into privately negotiated capped call transactions (the “Capped Call Transactions”) with certain of the initial purchasers of the Convertible Notes. The Capped Call Transactions cover, collectively, the number of our ordinary shares underlying the Convertible Notes, subject to anti-dilution adjustments substantially similar to those applicable to the Convertible Notes. The Capped Call Transactions are expected generally to reduce the potential dilution to the ordinary shares upon any conversion of the Convertible Notes (including in the form of us receiving the cash value of such ordinary shares determined pursuant to the terms of the Capped Call Transactions) and/or offset any cash payments we are required to make in excess of the principal amount upon conversion of the Convertible Notes under certain events described in the Capped Call Transactions, in the event that the market price of our ordinary shares is greater than the strike price of the Capped Call Transactions, with such reduction of potential dilution and/or offset subject to a cap (currently equal to $229.14 per share, subject to adjustments as set forth in the terms of the Capped Call Transactions). We are subject to the risk that one or more of the counterparties to the Capped Call Transactions may default, or otherwise fail to perform, or may exercise certain rights to terminate, their obligations under the Capped Call Transactions. Our exposure to the Capped Call Transactions will depend on many factors but, generally, our exposure will increase if the market price or the volatility of our common stock increases. Upon a default, a failure to perform or a termination of obligations by a counterparty to the Capped Call Transactions, we may suffer adverse tax consequences or experience more dilution than we currently anticipate with respect to our ordinary shares.

Furthermore, the indenture for the Convertible Notes will prohibit us from engaging in certain mergers or acquisitions unless, among other things, the surviving entity assumes our obligations under the Convertible Notes. These and other provisions in the indenture could deter or prevent a third party from acquiring us even when the acquisition may be favorable.

23


We currently anticipate that we will be able to rely on and to implement certain clarifications from the Israeli Tax Authorities, with respect to the administration of our Israeli withholding tax obligations in relation to considerations to be paid to the holders of the Convertible Notes (if any) upon their future conversion and settlement. Unexpected failure to ultimately obtain such anticipated clarifications from the Israeli Tax Authorities could under certain conditions potentially result in increased Israeli withholding tax gross-up costs and implications.

We may not have the ability to raise the funds necessary to repurchase the Convertible Notes upon a fundamental change, and our future debt may contain limitations on our ability to repurchase the Convertible Notes.

Holders of the Convertible Notes will have the right under the indenture governing the Convertible Notes to require us to repurchase all or a portion of their Convertible Notes upon the occurrence of a fundamental change before the maturity date, at a repurchase price equal to 100% of the principal amount of such Convertible Notes to be repurchased, plus accrued and unpaid special interest, excluding the applicable fundamental change repurchase date, if any. We may not have enough available cash or be able to obtain financing, or obtain financing on favorable terms, at the time we are required to make such repurchases of the Convertible Notes.

Our ability to repurchase the Convertible Notes may be limited by law, regulatory authority or agreements governing our future indebtedness. Our failure to repurchase the Convertible Notes at a time when the repurchase is required by the indenture would constitute a default under the indenture. A default under the indenture or the fundamental change itself could also lead to a default under agreements governing our future indebtedness. If the payment of the related indebtedness were to be accelerated after any applicable notice or grace periods, we may not have sufficient funds to repay the indebtedness and repurchase the Convertible Notes.

We may lose our foreign private issuer status, which would then require us to comply with the rules and regulations applicable to U.S. domestic issuers and cause us to incur significant legal, accounting and other expenses.

Since a majority of our voting securities are either directly or indirectly owned by residents of the United States, we would lose our foreign private issuer status if any of the following were to occur: (i) the majority of our executive officers or directors were U.S. citizens or residents, (ii) more than 50 percent of our assets were located in the United States, or (iii) our business was administered principally in the United States. Similarly, if we were to acquire a U.S. company in the future, it could put us at heighted risk of losing our foreign private issuer status. Although we have elected to comply with certain U.S. regulatory provisions, our loss of foreign private issuer status would make such provisions mandatory. In addition, we would lose our ability to rely on Nasdaq exemptions from certain corporate governance requirements that are available to foreign private issuers. If we were to lose our foreign private issuer status, the regulatory and compliance costs to us under U.S. securities laws as a U.S. domestic issuer may be significantly higher.

If we are unable to satisfy the requirements of Sections 404(a) and 404(b) of the Sarbanes-Oxley Act of 2002 or if our internal control over financial reporting is not effective, investors may lose confidence in the accuracy and the completeness of our financial reports, and the trading price of our ordinary shares may be negatively affected.

Pursuant to Section 404(a) of the Sarbanes-Oxley Act of 2002 (the “Sarbanes-Oxley Act”), we are required to furnish a report by management on the effectiveness of our internal control over financial reporting. Additionally, pursuant to Section 404(b) of the Sarbanes-Oxley Act, we must include an auditor attestation on our internal control over financial reporting.

Our business transition into a subscription model affected our internal control over financial reporting, and requires us to enhance existing, and implement new, financial reporting and management systems, procedures and controls in order to address new risks raised from our business transition to a subscription model and to manage our business effectively and support our growth in the future. If we identify material weaknesses in our internal control over financial reporting, if we are unable to comply with the requirements of Section 404(a) or 404(b) in a timely manner or to assert that our internal control over financial reporting is effective, or if our independent registered public accounting firm is unable to express an opinion or issues an adverse opinion in its attestation as to the effectiveness of our internal control over financial reporting required by Section 404(b), investors may lose confidence in the accuracy and completeness of our financial reports and the trading price of our ordinary shares could be negatively affected. We could also become subject to investigations by Nasdaq, the SEC or other regulatory authorities, which could require additional financial and management resources.

24


Our U.S. shareholders may suffer adverse tax consequences if we are classified as a “passive foreign investment company.”

Generally, if for any taxable year, after the application of certain look-through rules, 75% or more of our gross income is passive income, or at least 50% of the average quarterly value of our assets (which may be measured in part by the market value of our ordinary shares, which is subject to change) are held for the production of, or produce, passive income (as defined in the relevant provisions of the Internal Revenue Code of 1986, as amended (the “Code”)), we would be characterized as a “passive foreign investment company” (“PFIC”), for U.S. federal income tax purposes under the Code. Based on our market capitalization and the nature of our income, assets and business, we believe that we should not be classified as a PFIC for the taxable year that ended December 31, 2023. However, PFIC status is determined annually and requires a factual determination that depends on, among other things, the composition of our income, assets and activities in each taxable year, and can only be made after the close of each taxable year. Furthermore, because the value of our gross assets is likely to be determined in part by reference to our market capitalization, a decline in the value of our ordinary shares may result in our becoming a PFIC. Accordingly, there can be no assurance that we will not be considered a PFIC for any taxable year. If we are a PFIC for any taxable year during which a U.S. Holder (as defined in “Item 10.E. Taxation—Certain United States Federal Income Tax Consequences”) holds our ordinary shares, certain adverse U.S. federal income tax consequences could apply to such U.S. Holder. Prospective U.S. Holders should consult their tax advisors regarding the potential application of the PFIC rules to them. See “Item 10.E. Taxation— Certain United States Federal Income Tax Consequences—Passive Foreign Investment Company Considerations.”

If a U.S. person is treated as owning at least 10% of our ordinary shares, such holder may be subject to adverse U.S. federal income tax consequences.

If a U.S. person is treated as owning (directly, indirectly or constructively) at least 10% of the value or voting power of our ordinary shares, such person may be treated as a “U.S. shareholder” with respect to each controlled foreign corporation (“CFC”), in our group (if any). If our group includes one or more U.S. subsidiaries (as has been the case for 2023), certain of our non-U.S. subsidiaries will be treated as CFCs regardless of whether we are treated as a CFC. A U.S. shareholder of a CFC may be required to report annually and include in its U.S. taxable income its pro rata share of such CFC’s “Subpart F income,” “global intangible low taxed income” and investments in U.S. property by CFCs, regardless of whether we make any distributions. An individual who is a U.S. shareholder with respect to a CFC generally would not be allowed certain tax deductions or foreign tax credits that would be allowed to a U.S. shareholder that is a U.S. corporation. Failure to comply with these reporting obligations may subject a U.S. shareholder to significant monetary penalties and may prevent the statute of limitations with respect to such U.S. shareholder’s U.S. federal income tax return for the year for which reporting was due from starting. We cannot provide any assurances that we will be able to assist holders of ordinary shares in determining whether any of our non-U.S. subsidiaries is treated as a CFC or whether any holder of ordinary shares should be treated as a U.S. shareholder with respect to any such CFC or furnish to any U.S. shareholders information that may be necessary to comply with the aforementioned reporting and tax paying obligations. The United States Internal Revenue Service provided limited guidance on situations in which investors may rely on publicly available alternative information to comply with their reporting and tax paying obligations with respect to foreign controlled CFCs. U.S. investors are strongly advised to consult their own tax advisors regarding the potential application of these rules to their investment in our ordinary shares.

Changes in tax law relating to multinational corporations could adversely affect our tax position.

There can be no assurance that our effective tax rate will not increase over time as a result of changes in corporate income tax rates or other changes in the tax laws in the jurisdictions in which we operate. Any changes in tax laws could have an adverse impact on our financial results. Corporate tax reform, base-erosion efforts and tax transparency continue to be high priorities in many tax jurisdictions where we have business operations. As a result, policies regarding corporate income and other taxes in numerous jurisdictions are under heightened scrutiny, and tax reform legislation is being proposed or enacted in a number of jurisdictions.

25


For example, the recent Inflation Reduction Act enacted in the United States introduced, among other changes, a 15% corporate minimum tax on certain United States corporations and a 1% excise tax on certain stock redemptions by United States corporations (which the U.S. Treasury indicated may also apply to certain stock redemptions by a foreign corporation funded (or deemed funded) by certain United States affiliates). In addition, there is growing pressure in many jurisdictions and from multinational organizations such as the Organization for Economic Cooperation and Development (“OECD”) and the EU to amend existing international taxation rules in order to align the tax regimes with current global business practices. Specifically, in October 2015, the OECD published its final package of measures for reform of the international tax rules as a product of its Base Erosion and Profit Shifting (“BEPS”) initiative, which was endorsed by the G20 finance ministers. Many of the initiatives in the BEPS package required and resulted in specific amendments to the domestic tax legislation of various jurisdictions and to existing tax treaties. We continuously monitor these developments. Although many of the BEPS measures have already been implemented or are currently being implemented globally (including, in certain cases, through adoption of the OECD’s “multilateral convention” (to which Israel is also a party) to effect changes to tax treaties which entered into force on July 1, 2018 and through the European Union’s “Anti-Tax Avoidance” Directives), it is still difficult in some cases to assess to what extent these changes will have on our tax liabilities in the jurisdictions in which we conduct our business or to what extent they may impact the way in which we conduct our business or our effective tax rate due to the unpredictability and interdependency of these potential changes. In January 2019, the OECD announced further work in continuation of the BEPS project, focusing on two “pillars.” In October, 2021, 137 countries approved a statement known as the OECD BEPS Inclusive Framework, which builds upon the OECD’s continuation of the BEPS project. The first pillar is focused on the allocation of taxing rights between countries for in-scope large multinational enterprises (with revenue in excess of €20 billion and profitability of at least 10%) that sell goods and services into countries with little or no local physical presence. We do not expect to be within the scope of the first Pillar. The second pillar is focused on developing a global minimum tax rate of at least 15% applicable to in-scope multinational enterprises (with consecutive revenue in excess of €750 million during a certain prescribed period). The agreement reached by 137 of the 140 members of the OECD BEPS Inclusive Framework targeted law enactment to take effect in 2023 with applicability from fiscal years beginning on or after December 31, 2023. On December 20, 2021, the OECD published model rules to implement the Pillar Two rules with commentary to those rules released in March 2022 and administrative guidance published in February 2023 and July 2023. The model rules commentary and guidance allow the OECD BEPS Inclusive Framework members to begin implementing the Pillar Two rules in accordance with the agreement reached in October 2021. Israel is one of the 137 jurisdictions that has agreed in principle to the adoption of the global minimum tax rate. As the Two Pillar solution is subject to implementation by each member country, the timing and ultimate impact of any such changes on our tax obligations, including the impact on Preferred Technological Enterprises currently eligible for reduced corporate tax rate of 12%, is uncertain. Further, given these developments, it is generally expected that tax authorities in various jurisdictions in which we operate may increase their audit activity and may seek to challenge some of the tax positions we have adopted. It is difficult to assess if and to what extent such challenges, if raised, might impact and potentially increase our future effective tax rate.

We do not intend to pay dividends on our ordinary shares for the foreseeable future, so any returns will be limited to changes in the value of our ordinary shares.

We have never declared or paid any cash dividends on our ordinary shares. We currently anticipate that we will retain future earnings for the development, operation, and expansion of our business and do not anticipate declaring or paying any cash dividends for the foreseeable future. Any return to shareholders will, therefore, be limited to the increase, if any, of our share price, which may or may not occur.

Risks Relating to Our Incorporation and Location in Israel

Conditions in Israel, including the ongoing war between Israel and Hamas and other conflicts in the region, as well as political and economic instability, may adversely impact our business operations.

Our headquarters, certain members of our board of directors and management, most of our research and development activities, and other significant operations are located in Israel and may be impacted by regional instability and extreme security tension. Political, economic and security conditions in Israel and the surrounding region could directly affect our business. Any political instability, terrorism, armed conflicts, reserve mobilization, cyberattacks, boycotts, direct or indirect sanctions and restrictions, or any other hostilities involving Israel or the interruption or curtailment of trade between Israel and its trading partners could adversely affect our operations.

26


In October 2023, Hamas terrorists infiltrated Israel’s southern border from the Gaza Strip and conducted a series of attacks on civilian and military targets. Hamas also launched extensive rocket attacks on Israeli population and industrial centers. These attacks resulted in extensive deaths, injuries, and kidnapping of civilians and soldiers, as well as evacuations of tens of thousands of civilians from their homes. Following the attacks, Israel’s security cabinet declared war against Hamas and commenced a military campaign.

Since the commencement of these events, there have been additional active hostilities, including with Hezbollah located in Lebanon and with the Houthi movement which controls parts of Yemen. It is possible that these hostilities will escalate in the future into a greater regional conflict, and that additional terrorist organizations and, possibly, countries, will actively join the hostilities.

Further, as an Israeli company, there is heightened risk of cyberattacks on our and our supply chain’s IT networks by our adversaries in general, and more so as a result of a war. Although the current war has not materially impacted our business or operations as of the date of this report, any escalation or expansion of the war could have a negative impact on both global and regional conditions and may adversely affect our business, financial condition, and results of operations.

Currently, the war has impacted the availability of a limited number of our workforce in Israel in various ways – a small part of our workforce has been called to active duty, and others have been supporting friends or family members engaged in the war. While many military reservists have been released, some remain obligated to return in the coming months. If the situation escalates, they may be called up for additional reserve duty sooner than expected, additional employees may be called for service, and such persons may be absent for an extended period of time. This may materially and adversely affect our business operations, including product development, and our ability to meet our customers’ expectations, and could impact our competitive position and cause our sales to decrease.

The scope, intensity and duration of the current war are difficult to predict, as are the economic implications on our business and operations and on Israel’s economy in general. For example, these events may be intertwined with wider macroeconomic factors relating to a deterioration of Israel’s economic standing that may involve, for instance, a downgrade in Israel’s credit rating by rating agencies (such as the recent downgrade by Moody’s of its credit rating of Israel from A1 to A2, as well as the downgrade of its outlook rating from “stable” to “negative”). Any of these implications on Israel’s economy or financial conditions may have an adverse effect on our ability to effectively conduct our operations.

Moreover, the perception of Israel and Israeli companies by the global community (including, for example, in light of the interim ruling rendered by the International Court of Justice (ICJ) in a case filed by South Africa against Israel in January 2024) may cause an increase in sanctions and other adverse measures against Israel, Israeli companies and their products and services. Additionally, there have been increased efforts by countries, activists and organizations to cause companies and consumers to boycott Israeli goods and services or otherwise restrict business with Israel and with Israeli companies, which may impact our ability to do business with our existing and potential customers. Such efforts, particularly if they become widespread, as well as the ICJ ruling and possible future rulings and orders of other tribunals against Israel, could materially and adversely impact our business operations.

The hostilities with Hamas, Hezbollah and other organizations and countries have included and may include various methods of armed attacks that have already caused and may cause further damage to private and public facilities, infrastructure, utilities, and telecommunication networks. This may require the temporary closure of our offices or facilities or affect our employees’ ability to work, negatively impacting our operational capacity and disrupting supply chains that impact our ability to conduct business efficiently, thereby leading to increased costs associated with alternative solutions or contingency measures. Such attacks may also pose risks to the safety and effectiveness of our workforce and impair our ability to maintain business continuity, which would likely result in substantial direct and indirect costs that may not be recoverable from our commercial insurance. Although the Israeli government currently covers the reinstatement value of direct damages that are caused by terrorist attacks or acts of war, we cannot be assured that such government coverage will be maintained or that it will sufficiently cover our potential damages. Any losses or damages incurred by us could have a material adverse effect on our business.

27


Further, Israel has held five general elections between 2019 and 2022, and prior to the Hamas attack in October 2023, the Israeli government had been pursuing legislative changes, which, if adopted, will alter the current state of separation of powers among the three branches of government and, as a result, have sparked a considerable political debate. Many individuals, organizations, and institutions, within and outside of Israel, voiced concerns over the potential negative impacts of such changes and the controversy surrounding them on the business and financial environment in Israel. Such negative impacts may include, among others, increased interest rates, currency fluctuations, inflation, civil unrest and volatility in securities markets, which could adversely affect the conditions in which we operate and potentially deter foreign investors and organizations from investing or transacting business with Israeli-based companies. To date, these initiatives have been substantially put on hold, but if such changes to Israel’s judicial system are again pursued by the government and approved by the parliament, or if any of the foregoing negative impacts were to materialize, it may have an adverse effect on our business, our results of operations and our ability to raise additional funds.

The tax benefits that are available to us require us to continue to meet various conditions and may be terminated or reduced in the future, which could increase our costs and taxes.

We were granted an Approved Enterprise status under the Israeli Law for the Encouragement of Capital Investments, 5719-1959 (the “Investment Law”). In the past, we elected the alternative benefits program, pursuant to which income derived from the Approved Enterprise program was tax-exempt for two years and enjoyed a reduced tax rate of 10.0% to 25.0% for up to a total of eight years, depending on the percentage of foreign investors’ ownership. We were also eligible for certain tax benefits provided to Benefited Enterprises under the Investment Law. In March 2013, we notified the Israel Tax Authority that we applied the new tax Preferred Enterprise regime under the Investment Law instead of our Approved Enterprise and Benefited Enterprise. Accordingly, we were eligible for certain tax benefits provided to Preferred Enterprises under the Investment Law. If we do not meet the conditions stipulated in the Investment Law and the regulations promulgated thereunder, as amended, for the Preferred Enterprise, any of the associated tax benefits may be canceled, and we would be required to repay the amount of such benefits, in whole or in part, including interest and CPI linkage (or other monetary penalties). Starting from 2017, we were recognized as eligible for the Technological Preferred Enterprise regime, a sub-category of the Preferred Enterprise regime, which grants enhanced tax benefits to enterprises with significant research and development activities. In the future these tax benefits may be reduced or discontinued. If these tax benefits are reduced, cancelled or discontinued, our Israeli taxable income could be subject to regular Israeli corporate tax rates, which could negatively affect our financial condition and results of operation. Additionally, if we increase our activities outside of Israel through acquisitions, for example, our expanded activities may not be eligible for inclusion under future Israeli tax benefit regimes. See “Item 5. Operating and Financial Review and Prospects—Critical Accounting Estimates—Law for the Encouragement of Capital Investments, 5719-1959.” 

We may become subject to claims for remuneration or royalties for assigned service invention rights by our employees.

We enter into assignment-of-invention agreements with our employees pursuant to which such individuals agree to assign to us all rights to any inventions created in the scope of their employment or engagement with us. A significant portion of our intellectual property has been developed by our employees during the course of their employment by us. Under the Israeli Patent Law, 5727-1967, inventions conceived by an employee during the scope of his or her employment with a company are regarded as “service inventions” which belong to the employer, absent a specific agreement between the employee and employer giving the employee service invention rights. Although our employees have agreed to assign to us service invention rights, as a result of uncertainty under Israeli law with respect to service invention rights and the efficacy of related waivers, including with respect to remuneration and its extent, we may face claims demanding remuneration in consideration for assigned inventions. As a consequence of such claims, we could be required to pay additional remuneration or royalties to our current and/or former employees, or be forced to litigate such claims, which could negatively affect our business.

As a public company incorporated in Israel, we may become subject to further compliance obligations and market trends or restrictions, which may strain our resources and divert management’s attention.

Being an Israeli publicly traded company in the United States and being subject to both U.S. and Israeli rules and regulations may make it more expensive for us to obtain and maintain directors and officers liability insurance. These factors could also make it more difficult for us to attract and retain qualified members of our board of directors, particularly to serve on our audit committee, and qualified executive officers. In accordance with the provisions of the Companies Law, approval of our directors’ and officers’ insurance is limited to the terms of our duly approved compensation policy, unless otherwise approved by our shareholders.

28


Provisions of Israeli law and our articles of association may delay, prevent, or otherwise impede a merger with or an acquisition of us, even when the terms of such a transaction are favorable to us and our shareholders.

Our articles of association contain certain provisions that may delay or prevent a change of control. These provisions include that our directors (other than external directors, if applicable) are elected on a staggered basis, and therefore a potential acquirer cannot readily replace our entire board of directors at a single annual general shareholder meeting. In addition, Israeli corporate law regulates acquisitions of shares through tender offers and mergers, requires special approvals for transactions involving directors, officers or significant shareholders and regulates other matters that may be relevant to such types of transactions.

Furthermore, Israeli tax considerations may make potential transactions unappealing to us or to our shareholders whose country of residence does not have a tax treaty with Israel exempting such shareholders from Israeli tax. For example, Israeli tax law does not recognize tax-free share exchanges to the same extent as U.S. tax law. With respect to mergers involving an exchange of shares, Israeli tax law allows for tax deferral in certain circumstances but makes the deferral contingent on the fulfillment of a number of conditions, including, in some cases, a holding period of two years from the date of the transaction during which sales and dispositions of shares of the participating companies are subject to certain restrictions. Moreover, with respect to certain share swap transactions, the tax deferral is limited in time, and when such time expires, the tax becomes payable even if no disposition of the shares has occurred. These provisions of Israeli law and our articles of association could have the effect of delaying or preventing a change in control in us and may make it more difficult for a third party to acquire us, even if doing so would be beneficial to our shareholders, and may limit the price that investors may be willing to pay in the future for our ordinary shares.

It may be difficult to enforce a judgment of a U.S. court against us, our officers and directors or the Israeli auditors named in this annual report in Israel or the United States, to assert U.S. securities laws claims in Israel or to serve process on our officers and directors and these auditors.

We are incorporated in Israel and our Israeli auditors named in this annual report reside outside of the United States. Further, a majority of our directors and executive officers, and most of our assets and most of the assets of these persons are located outside of the United States. Therefore, a judgment obtained against us, or any of these persons, including a judgment based on the civil liability provisions of the U.S. federal securities laws, may not be collectible in the United States and may not be enforced by an Israeli court. It also may be difficult for our shareholders to effect service of process on these persons in the United States or to assert U.S. securities law claims in original actions instituted in Israel. Israeli courts may refuse to hear a claim based on an alleged violation of U.S. securities laws reasoning that Israel is not the most appropriate forum in which to bring such a claim. In addition, even if an Israeli court agrees to hear a claim, it may determine that Israeli law and not U.S. law is applicable to the claim. If U.S. law is found to be applicable, the content of applicable U.S. law must be proven as a fact by expert witnesses, which can be a time consuming and costly process. Certain matters of the procedure will also be governed by Israeli law. There is little binding case law in Israel that addresses the matters described above. As a result of the difficulty associated with enforcing a judgment against us in Israel, our shareholders may not be able to collect any damages awarded by either a U.S. or foreign court.

The rights and responsibilities of our shareholders are, and will continue to be, governed by Israeli law which differs in some material respects from the rights and responsibilities of shareholders of U.S. corporations.

The rights and responsibilities of the holders of our ordinary shares are governed by our articles of association and by Israeli law. These rights and responsibilities differ in some material respects from the rights and responsibilities of shareholders in U.S. corporations. In particular, a shareholder of an Israeli company has a duty to act in good faith and in a customary manner in exercising its rights and performing its obligations towards the company and other shareholders, and to refrain from abusing its power in the company, including, among other things, in voting at a general meeting of shareholders on matters such as amendments to a company’s articles of association, increases in a company’s authorized share capital, mergers and acquisitions and related party transactions requiring shareholder approval. In addition, shareholders have a general duty to refrain from discriminating against other shareholders and a shareholder who is aware that it possesses the power to determine the outcome of a shareholder vote or to appoint or prevent the appointment of a director or chief executive officer in the company has a duty of fairness toward the company with regard to such vote or appointment. There is limited case law available to assist us in understanding the nature of this duty or the implications of these provisions. These provisions may be interpreted to impose additional obligations and liabilities on holders of our ordinary shares that are not typically imposed on shareholders of U.S. corporations. See “Item 6.C. Board Practices — Approval of Related Party Transactions under Israeli Law—Fiduciary Duties of Directors and Office Holders.”

29


ITEM 4.              INFORMATION ON THE COMPANY
 

A.
History and Development of the Company
 
Our History
 
CyberArk Software Ltd. was founded in 1999 with the vision of protecting high-value business data and pioneering our Digital Vault technology. That same year, we began offering our first product, the Sensitive Information Management Solution (previously called the Sensitive Document Vault), which provided a secure platform for our customers’ employees to share sensitive files. We began with our early vaulting technology, which has enabled us to evolve into a company that provides a comprehensive solution to secure identities anchored on Privileged Access Management. In 2005, we introduced our Privileged Access Management Solution, upon which we built our leadership position in the Privileged Access Management market, providing a layer of security that protects high-level and high-value access across an organization. In September 2014, we listed our ordinary shares on the Nasdaq Stock Market LLC (Nasdaq). In addition to investing in organic research and development, in 2015 we began to execute a merger and acquisition strategy and acquired Viewfinity, Inc., a provider of Windows least privilege management and application control software, as well as Cybertinel Ltd., a cybersecurity company specializing in cyber threat detection technology. In May 2017, we acquired Conjur Inc., a provider of DevOps security software. In May 2020, we acquired IDaptive Holdings, Inc., an Identity as a Service (IDaaS) provider. In March 2022, we acquired Aapi.io, a provider of no-code application integration and workflow automation solutions, and in July 2022, we acquired C3M, LLC, a provider of multi-cloud security and compliance solutions. With our organic investment in research and development to drive new product releases and innovation, coupled with the incremental acquisitions of selected technologies and the execution of our go-to-market (GTM) strategy, today CyberArk is the global leader in Identity Security, centered on intelligent privilege controls. We enable secure access for all human and machine identities to help organizations secure critical business assets and applications, protect their distributed workforce and customers, and accelerate business across cloud, hybrid and self-hosted environments. Our solutions enable Zero Trust by enforcing least privilege with continuous identity threat detection and protection.
 
We are a company limited by shares organized under the laws of the State of Israel. We are registered with the Israeli Registrar of Companies. Our registration number is 51-229164-2. Our principal executive offices are located at 9 Hapsagot St., Park Ofer B, POB 3143, Petach-Tikva, 4951040, Israel, and our telephone number is +972 (3) 918-0000. Our website address is www.cyberark.com. Information contained on, or that can be accessed through, our website is not part of this annual report and is not incorporated by reference herein. We have included our website address in this annual report solely for informational purposes. Our SEC filings are available to you on the SEC’s website at http://www.sec.gov. This site contains reports, proxy and information statements, and other information regarding issuers that file electronically with the SEC. Our agent for service of process in the United States is CyberArk Software, Inc., located at 60 Wells Avenue, Newton, MA 02459, and our telephone number is (617) 965-1544.
 
Principal Capital Expenditures
 
Our cash capital expenditures for fiscal years 2021, 2022 and 2023 amounted to $8.9 million, $12.5 million, and $4.9 million, respectively. Capital expenditures consist primarily of investments in leasehold improvements for our office space, purchases of furniture, computers and related equipment and internal use software capitalization. We anticipate our capital expenditures in fiscal year 2024 to be less than 1.5% of revenues. We anticipate our capital expenditures in 2024 will be financed with cash on hand and cash provided by operating activities.

30

 

B.
Business Overview

CyberArk is the global leader in Identity Security, centered on intelligent privilege controls, with a focus on protecting organizations against identity-based cyberattacks. We apply intelligent privilege controls to all identities – human and machine – with continuous threat detection and prevention across the entire identity lifecycle. With CyberArk, organizations can enable Zero Trust and least privilege with complete visibility, ensuring that every identity can securely access any approved resource, located anywhere, from everywhere – with a single Identity Security Platform. 

As the category-defining leader in Privileged Access Management, we are uniquely positioned to deliver on Identity Security because our core competency is securing the “keys to the kingdom.” These “keys to the kingdom” enable our customers to control access to sensitive infrastructure and applications; keeping them out of the hands of malicious or careless insiders or external attackers and preventing disruption to the business.

With the rapid rise in mobile workers, hybrid and multi-cloud adoption, and digitalization of the enterprise, physical and network security barriers are less relevant for securing data and assets than ever before. Compromised identities and their associated privileges now represent the fastest attack path to an organization’s most valuable assets. As a result, identity controls are now becoming the new security perimeter and are a critical foundation for implementing Zero Trust strategies. Our approach is unique as CyberArk recognizes that every identity can become privileged under certain conditions, and we offer the broadest range of security controls to reduce that risk while delivering a high-quality experience to the end user. This includes securing our customers’ workforce, information technology (IT), developers, and machine identities by replacing complex, patchworked and siloed legacy access and privileged access management solutions to improve security and operational efficiencies.

With the increase in identity-related incidents over the past year, it is imperative for organizations to secure every identity with the right level of privilege controls. In the Identity and Access Management (IAM) market, the silos of Access Management (AM), Privileged Access Management (PAM) and Identity Governance and Administration (IGA) overlap and thus there may be inefficiencies if they are provided by separate vendors, or from vendors who bundle discreet solutions without the benefit of a unified platform. Standalone, legacy Access Management is focused on managing identities, not securing them. Legacy PAM vendors focus on a narrow scope around IT administrators and ignore other personas, and legacy IGA solutions are sprawling and complex. We believe that a siloed approach is inefficient and does not provide adequate security.

We believe an Identity Security Platform must do far more than manage one group of identities; it must provide solutions to secure all identities, across all environments. Our goal is to reinvent and modernize capabilities across the established silos while inventing new ways to secure modern identities.

When we look at all identities that need to be secured across a typical organization, we see that there is a spectrum in four key groups: workforce, IT, developers and machines. Each of these secured identity groups have a different level of risk and complexity associated with their access based on their target resources and typical activities. All of these identities can become privileged or high risk, and they all need to be secured differently than they have been in the past.

By reinventing the standalone IAM markets into a comprehensive Identity Security Platform, which provides solutions to secure all identities with the right level of privilege controls and appropriate type of access, we help organizations to stay a step ahead of attackers.

Recently, CyberArk has taken steps to focus its GTM strategy on a solution-based framework that will enable CyberArk to evolve from product-focused sales to solution selling, which is expected to better align with our customers’ problems. We expect that this change will move us from a more fragmented market positioning to messaging our core differentiators holistically to stand out in the market and continue to drive our Identity Security leadership. Our new secured identity framework and solutions are expected to help our GTM teams to take full advantage of the market opportunity while delivering value-based solutions for customers.

In order to facilitate this new framework, we have identified and designed eight solutions taken from our platform capabilities. These solutions, derived from across our existing platform, focus on the capabilities that are needed to secure each identity. The solutions will be presented through a simplified packaging and pricing model, which is expected to facilitate a more efficient buying process and enhance our ability to secure a broader range of identities within our customers' employee base. These solutions are expected to make it easier for our customers to buy the capabilities they need to secure every identity across their organization.

CyberArk has reimagined what it means to secure workforce users by recognizing that privilege access is not limited to IT users but that the workforce must be able to do their job without security getting in their way. We have modernized and extended our PAM capabilities beyond traditional IT users to cloud operations and third parties who need flexible access controls to all their target resources. We have invented new, secure technologies based on our foundation of privilege controls to enable developers to securely work at the speed of their developments.

31


During 2023, we continued to add new customers and cross-sell to existing customers directly and through channels. As of December 31, 2023, we had more than 8,800 customers. Our customers include leading organizations in a diverse set of industries, including financial services, manufacturing, insurance, healthcare, energy and utilities, transportation, retail, technology, and telecommunications, as well as federal and local government agencies in multiple countries. We sell our solutions through a high-touch hybrid model that includes direct sales, channel sales, managed security service providers, and advisory firm partners.

As we continue to sell more subscription licenses and services, we expect perpetual licenses to continue to decline as a percentage of overall sales. Throughout 2024, we will continue to build on this momentum and operate as a subscription company.
 
Our Growth Strategy
 
The key elements of our long-term growth strategy include:
 

Strengthening our Identity Security leadership position by delivering ongoing innovation. We intend to extend our leadership position by enhancing our solutions, including utilization of AI, introducing new functionality and developing new offerings to address additional use cases. Our strategy includes both internal development and an active mergers and acquisition program in which we acquire or invest in complementary businesses or technologies.


Extending our global go-to-market reach. We market and sell our solutions through a high-touch hybrid model that includes direct and indirect sales. We leverage our sophisticated marketing capabilities, such as account-based and inbound marketing, GTM plays, and our CyberArk IMPACT and IMPACT World Tour conferences, to drive demand and generate pipeline. We plan to expand our sales reach by adding new direct sales capacity, expanding our indirect channels by deepening our relationships with existing partners and by adding new partners, including value-added resellers, system integrators, managed security service providers, distributors, and C3 Alliance partners. We are also expanding our routes to market to include cloud provider marketplaces.
 

Growing our customer base. The global threat landscape, digitalization of the enterprise, cloud migration and the broad security skills shortage are contributing to the need for Identity Security solutions. We believe that every organization, regardless of size or vertical, needs Identity Security. We plan to pursue new customers in the enterprise and corporate segments of the market with our sales and partner teams, as well as through our brand awareness and lead generation campaigns.
 

Expanding our relationships with existing customers. As of December 31, 2023, we had more than 8,800 customers. We have worked hard to develop strong relationships with our customers. Our Customer Success team will focus on expanding these relationships by growing the number of users who access our solutions and cross-selling additional products and services.
 

Driving strong adoption of our solutions and retaining our customer base. An important part of our overall strategy, particularly for our SaaS and self-hosted subscription customers, is delivering fast time to value from our solutions. We will continue to deliver high levels of customer service and support and invest in our Customer Success team to help ensure that our customers are up and running quickly and derive benefit from our software, which we believe will result in higher customer retention rates.
 

Attracting, developing and retaining a diverse and inclusive employee base. A key pillar of our growth strategy is attracting, developing and retaining our employees. Our people are one of our most valuable assets, and our culture is a key business differentiator for CyberArk. We value diversity and inclusion, which allows for the exchange of ideas, creates a strong community, and helps ensure our employees feel valued and respected.
 
Industry Background
 
Securing identities and their associated privileges are a main focus of product investment due to the growth of our market and several key drivers that we have identified based on multi-year trends.
 
Digital Transformation and Shift Left: The digitalization of business creates a larger digital landscape full of opportunities for improved engagement with customers, vendors and employees, but also greater exposure to cyber threats. New digital technologies require expanded privileged access for both humans and machines that must be properly secured. Companies are adopting DevOps methodologies to speed up the pace of innovation. Hybrid and multi-cloud adoption drive the need for centralized solutions that help secure access of all types enterprise-wide. This trend has continued as companies provide hybrid and remote capabilities for the workforce and look for additional online options to stay viable.

32

 
Cloud Migration and SaaS Applications: Broad acceptance and adoption of hybrid and cloud-based infrastructure, the level of speed and automation across IT environments, and an increasing reliance on SaaS applications, significantly impact how organizations approach security. Until a few years ago, organizations would typically prioritize protection of their most critical systems and data, with a particular focus on protecting privileged access. “Privileged users” were understood at the time to be mostly IT administrators accessing shared administrative accounts in systems and applications. However, in today’s cloud and SaaS environment, every identity can become privileged under certain conditions.
 
All identities operating in a modern environment (such as employees, partners, IT administrators, DevOps team members and developers, applications and robots, vendors and customers) might have some level of privilege that, if improperly secured, can provide an attack path into an organization’s most valuable assets. This trend is coupled with the rapid expansion and adoption of hybrid and cloud infrastructure, applications and APIs, mobile and remote workers, and use of third parties. We now live in a world where the number, types and interrelationships of identities have exploded, creating new dimensions to the threat landscape.
 
In addition, the underlying environments are highly dynamic with much more ephemeral infrastructure where compute capacity is easily scaled up or scaled down. The rates of change in these modern environments are exponentially faster, which requires organizations to implement more automation into their identity security controls for both traditional and cloud native applications built using DevOps methodologies.
 
Zero Trust Security: A conventional security approach that relies on perimeter-based security is relatively less effective and applicable in a modern environment, as organizations adopt cloud and SaaS applications and as more of the workforce continues to work remotely. In parallel, it has become increasingly difficult to keep attackers out of an organization’s network altogether. The expansion of the attack surface and prevalence of threats has led to a growing application of a Zero Trust approach to security.

While traditional, perimeter-based security relies on a strategy of trying to separate legitimate users from threat actors and assumes that systems and traffic within the corporate networks and datacenters can be trusted, Zero Trust assumes that the threat actors have already established a network presence and have access to an organization’s applications and systems. In a Zero Trust security model, organizations aim to have every identity continuously authenticated and authorized before granting it access.
 
Zero Trust is not a single technology, but an approach that ensures every user’s identity is verified, their device is validated, and their access is intelligently limited to just what they need – and taken away when they no longer need it. CyberArk’s Identity Security solutions deliver capabilities that are foundational to adopting a Zero Trust approach.
 
Skills Gap: The skills gap in cybersecurity creates meaningful challenges, not only for Chief Information Security Officers (CISOs), but also for implementing mission-critical strategic initiatives. As cloud adoption accelerates the speed of business, companies are relying more heavily on applications, technology and automation to compete. CISOs are evaluating staffing requirements for adding new security tools and implementing new projects and business initiatives. To address the staffing shortage and skills gap, organizations are looking at opportunities to consolidate vendors and increase the implementation of automation to free up security and IT teams to focus on more value-added initiatives.
 
Governance and Compliance: Industry regulations such as Sarbanes Oxley, Payment Card Industry Data Security Standard, SWIFT Customer Security Controls Framework, HIPAA, GDPR, U.K. Data Protection Act 2018 (UK DPA) and the UK General Data Protection Regulation, California Privacy Rights Act, and industry frameworks, such as U.S. National Institute of Standards and Technology (NIST) and the Center for Internet Security, for example, require and/or reflect strong Identity Security controls as an important part of safeguarding data privacy and data sovereignty. Interest in CyberArk’s Identity Security solutions is also being fueled by customers who are purchasing cyber insurance policies, engaging in diligence as part of a corporate transaction, or recovering from a major cybersecurity incident; and in each of these cases, customers need to demonstrate a sound plan to implement and manage Identity Security controls to obtain insurance coverage and lower their premiums.
 
33


Our Products
 
Our Identity Security Platform provides a complete and flexible set of Identity Security capabilities across six main product areas: Workforce and Customer Access, Endpoint Privilege Security, Privileged Access Management, Secrets Management, Cloud Security, and Identity Management.  
 
 
Privileged Access Management
 
CyberArk’s Privileged Access Management products can be used to secure, manage, and monitor privileged access. Privileged accounts can be found on endpoints, in applications, and from hybrid to multi-cloud environments.
 

o
Privileged Access Manager. CyberArk Privileged Access Manager and CyberArk Privilege Cloud include risk-based credential security and session management to protect against attacks involving privileged access. CyberArk’s self-hosted Privileged Access Manager solution can be deployed in a self-hosted data center or in a hybrid cloud or a public cloud environment. CyberArk Privileged Cloud is a SaaS solution.
 

o
Vendor Privileged Access Manager. CyberArk Vendor Privileged Access Manager combines Privileged Access Manager or Privilege Cloud and Remote Access, a SaaS solution, to provide fast, easy and secure privileged access to third-party vendors who need access to critical internal systems via CyberArk, without the need to use passwords. By not requiring VPNs or agents, Vendor Privileged Access Manager removes operational overhead for administrators, makes it easier and quicker to deploy and improves organizational security.
 

o
Dynamic Privileged Access. CyberArk Dynamic Privileged Access is a SaaS solution that provisions just-in-time (JIT), privileged access to Linux Virtual Machines (VMs hosted in AWS and Azure and on-premises windows servers). The solution leverages attribute-based access control and full session isolation to drive measurable risk reduction. Dynamic Privileged Access allows organizations to unify controls for JIT and standing privileged access across public cloud and on-premises systems, enabling operational efficiencies while progressing towards Zero Standing Privileges and Zero Trust initiatives.
 
34

Endpoint Privilege Security
 

o
Endpoint Privilege Manager. CyberArk Endpoint Privilege Manager is a SaaS solution that secures privileges on the endpoint (Windows servers, Windows desktops and Mac desktops) and helps contain attacks early in their lifecycle. It enables revocation of local administrator rights, while minimizing impact on user productivity, by seamlessly elevating privileges for authorized applications or tasks. Application control, with automatic policy creation, allows organizations to prevent malicious applications from executing, and runs unknown applications in a restricted mode. This, combined with credential theft protection, helps prevent malware such as ransomware from gaining a foothold and contains attacks on the endpoint.
 

o
Secure Desktop. CyberArk Secure Desktop solution lets businesses protect access to endpoints and enforce the principle of least privilege without complicating IT operations or hindering user productivity. The unified endpoint multifactor authentication and privilege management solution helps organizations strengthen access security, optimize user experiences, and eliminate the manually intensive, error-prone administrative processes that can lead to over provisioning and privilege abuse.
 
Workforce & Customer Access
 
We deliver robust IDaaS which provides a comprehensive AI-based and security-first approach to managing identities that is both adaptive and context-aware. CyberArk Identity includes capabilities to secure both workforce and customer identities.
 
Workforce Identity offers:
 

o
Adaptive Multi-factor Authentication (MFA). Adaptive MFA enables an enterprise to enforce risk-aware and strong identity assurance controls within the organization.
 

o
Single Sign-On (SSO). SSO is the ability to use a single secure identity to access all applications and resources within an organization. CyberArk Identity enables SSO for all types of users (workforce, partners, and consumers) to all types of workstations, systems, VPNs, and applications both in the cloud and on-premises.
 

o
Secure Web Sessions. Secure Web Sessions records, audits and protects end-user activity within designated web applications. The solution uses a browser extension on an end-user’s endpoint to monitor and segregate web apps that are accessed through SSO and deemed sensitive by business application owners, enterprise IT and security administrators.
 

o
Workforce Password Management. CyberArk Workforce Password Management is an enterprise-focused password manager providing a user-friendly solution to store data from business applications -like website URLs, usernames, passwords and notes – in a centralized vault and securely share it with other users in the organization.
 

o
Application Gateway. With the CyberArk Identity Application Gateway service, customers can enable secure remote access and expand SSO benefits to on-premises web apps — like SharePoint and SAP — without the complexity of installing and maintaining VPNs.
 

o
Identity Lifecycle Management. This module enables CyberArk Identity customers to automate the joiner, mover, and leaver processes within the organization. This automation is critical to ensure that privileges don’t accumulate, and a user’s access is turned off as soon as the individual changes roles or leaves the organization.
 

o
Directory Services. Allows customers to use identity where they control it. In other words, we do not force our customers to synchronize their on-premises Active Directory implementation with our cloud. Our cloud architecture can work seamlessly with any existing directory, such as Active Directory, LDAP-based directories, and other federated directories. CyberArk Identity also provides its own highly scalable and flexible directory for customers who choose to use it.

Customer Identity offers authentication and authorization services, MFA, directory, and user management to enable organizations to provide customers and partners with easy and secure access to websites and applications.

In alignment with our Identity Security strategy, we sell packaged offerings that align with the requirements of workforce users, privileged users, and external vendors. The workforce user offering includes credential vaulting and sharing, Adaptive MFA, and SSO. The privileged users offering includes full credential management, session management, and Remote Access. The external vendor offering aligns to the capabilities detailed above for Vendor Privileged Access Manager.
 
35


Secrets Management
 
Our capabilities in the area of Secrets Management are focused on securing secrets used by machine identities such as applications, scripts, containers, DevOps tools, and third-party security solutions. Secrets Manager enables organizations to avoid the need to store secrets within applications and instead allows them to easily and securely access the required credentials from the CyberArk Vault. Secrets Manager supports traditional applications with its Credential Providers and dynamic applications with Conjur.
 

o
Secrets Manager Credential Providers. Credential Providers can be used to provide and manage the credentials used by third-party solutions such as security tools, RPA, and IT management software, and also supports internally developed applications built on traditional monolithic application architectures. Credential Providers works with CyberArk’s on-premises and SaaS based solutions.
 

o
Conjur Enterprise and Conjur Cloud. For cloud-native applications built using DevOps methodologies, Conjur Enterprise and Conjur Cloud provide a secrets management solution tailored specifically to the unique requirements of these environments delivered either on-premises or in the cloud. We also provide an open-source version to better meet the needs of the developer community.
 

o
Secrets Hub. CyberArk Secrets Hub enables security teams to have centralized visibility and management across secrets in native vaults, such as AWS Secrets Manager and Azure Key Vault, without impacting developer workflows.
 
Cloud Security
 

o
Secure Cloud Access. Secure Cloud Access is a service provided from the Identity Security Platform, offering secure, native access to cloud consoles, native services and workloads with zero standing privileges. This service addresses the needs of developers, site reliability engineers and administrators accessing services in their cloud environments via the console or command line interface (CLI). Secure Cloud Access greatly reduces the risk of compromised access in the public cloud, while providing native user experiences for the Cloud Engineering and DevOps teams leading digital transformation.
 
Identity Management
 
Our capabilities in Identity Management include Lifecycle Management, Identity Flows, Identity Compliance and directory services. Our Identity Management solutions are designed to provide a single view of who has access to what, ensuring that the right access is granted for the right amount of time to the right people. CyberArk Lifecycle Management streamlines provisioning and management of entitlements throughout a user’s employment, including approval workflows, access certifications and providing and revoking access. CyberArk Identity Flows is a no-code identity management workflow solution that reduces complexity and manual tasks to easily create workflows and automate business processes. CyberArk Identity Compliance enables customers to discover, certify, remediate and audit access, ensuring that an organization can implement Zero Trust across the enterprise.
 
Secure Browser

The CyberArk Secure Browser is a hardened and purpose-built technology that further extends the CyberArk Identity Security Platform to the web browser. It provides enhanced security, privacy and productivity across the enterprise, while delivering a familiar and customized user experience. The CyberArk Secure Browser minimizes the risk of unauthorized access by helping to prevent the malicious use of compromised identities, endpoints, and credentials both at and beyond the login stage. It provides secure access to sensitive data for the complete workforce across the complete identity journey. By providing a centralized, consistent and secure launchpad to every resource and application across the enterprise, it can help safeguard the most sensitive and valuable resources while increasing productivity and privacy.
 
Our Technology
 
Our portfolio provides a complete and flexible set of Identity Security capabilities that leverage the following core technologies:
 
Identity Security Platform Shared Services. Our Shared Services enable operational efficiencies, leveraging a single admin portal with unified audit, consistent authentication and authorization for all identities and Identity Security intelligence. The platform allows for secure role-based access to CyberArk SaaS through a single user interface to improve operational efficiencies for CyberArk solutions.

36

 
Artificial Intelligence. Our Identity Security Platform leverages AI to both improve identity security threat detection and response and provide productivity and ease of use to administrators. By building multidimensional risk profiles for identities based on activities from multiple products and use cases, our use of AI in this context is designed to detect irregular activities. The platform uses these insights for automatic remediation either by step-up MFA or PAM correction activities (such as rotation, or account onboarding). The platform also uses AI to automate the creation of EPM policies. By “wisdom of the crowd,” the system can deduce usage patterns and recommend relevant privilege elevation and application control to a customer’s environment based on industry peers or similar organizations.
 
Secure Digital Vault Technology. Our proprietary Digital Vault technology provides a highly secure, isolated environment, independent of other software, and is engineered with multiple layers of security. Our on-premises and SaaS PAM solutions use the highly secured Digital Vault to safely store, audit and manage passwords, privileged credentials, policy information and privileged access session data.
 
Privileged Session Recording and Controls. Our innovative privileged session recording and control mechanisms provide the ability to isolate an organization’s IT systems from end-user desktops, while monitoring and auditing privileged session activities. The architecture blocks direct communication between an end-user’s desktop and a target system, thus preventing potential malware on the desktop from infiltrating the target system. This architecture further ensures that privileged credentials will remain protected and will not be exposed to the end-user or reach the desktop. CyberArk session monitoring solutions support native connectivity, whether from browser, native RDP or SSH tools, and via the CLI. Risk scoring can be applied to each recorded session, automating the review of all privileged sessions and enabling auditors to prioritize and deprioritize workloads based on risk.
 
Secure Remote Access. The cloud-based, multifactor authentication provided with Remote Access leverages the biometric capabilities from smartphones which in turn allows authorized remote vendors simple just-in-time secure privileged access. Once authenticated, all privileged sessions are automatically recorded for full audit and monitored in real-time.
 
Strong Application Authentication and Credential Management. The Secrets Manager architecture allows an organization to eliminate hard-coded application credentials, such as passwords and encryption keys, from applications and scripts. Our secure, proprietary technology permits authentication of an application during run-time, based on any combination of the application’s signature, executable path or IP address, and operating system user. Following application authentication, the authenticated application uses a secure API, to request privileged account credentials during run-time and, based on the application permissions in Privileged Access Manager, up-to-date credentials are provided to the application.
 
Strong Endpoint Security. Our endpoint agent technology provides policy-based privilege management, application control and credential theft protection capabilities. The agent detects privileged commands, and application installation or invocation on the endpoint to validate whether it is permissible in accordance with the organization’s security policy, otherwise blocking the operation or allowing it to run in a restricted mode. Having users operate in a least privilege mode together with our agent-based technology effectively reduces the attack surface that attackers or malware can exploit. The solution leverages third-party threat and reputation information to further strengthen controls and block bad or malicious applications based on such security intelligence.
 
Adaptive Multi-factor Authentication. Our Adaptive MFA enforces risk-aware and strong identity assurance controls within an organization. These controls include a broad range of built-in authentication factors such as passwordless authenticators like Windows Hello and Apple TouchID, high assurance authenticators like USB security keys, and our patented Zero Sign-on certificate-based authentication.
 
Single Sign-on. Our Single Sign-on (SSO) solution facilitates the secure access to many different applications, systems, and resources while only requiring a single authentication. Our SSO solution offers a modern identity provider supporting popular SSO protocols to any system or app that supports SAML, WS-Fed, OIDC and OAuth2, as well as an extensive application catalog with out-of-the-box integration for thousands of applications.
 
37


Our Solutions
 
Our solutions are comprised of:
 
Workforce
 
The CyberArk Identity Security platform ensures a security-first approach to giving users seamless access to the right resources at the right time. Our workforce solutions not only reimagine what it means to protect users beyond legacy access management capabilities like MFA & SSO, but also add additional, modern access management capabilities like secure browsing and workforce password management. We also layer in the right level of privilege controls, like endpoint privilege security and secure web sessions, because privileged users are no longer just IT administrators. While performing their duties, members of the workforce travel the risk spectrum, moving between typical and high-risk access throughout the day depending on the tools they access and the tasks they are performing.
 
IT
 
The CyberArk Identity Security Platform provides end-to-end security for IT administrators, third-party vendors and cloud operations teams across hybrid environments with our privileged access management capabilities. The platform secures high-risk access used to migrate, scale and operate applications on-premises or in the cloud. It supports shared or federated access for customer-facing or internal applications. It layers the needed access management capabilities with the right level of privileged access management and governance across all identities. Additionally, the Platform offers role-specific least privilege, just-in-time and Zero Standing Privilege workflows. By providing the right level of privilege control with the right type of access, organizations can protect the working environment of the most targeted users in the organization.
 
Developers
 
The CyberArk Identity Security Platform provides extensive controls to secure native access to every layer of a cloud environment – from Cloud Native services to dynamic workloads running on the cloud, to lift-and-shift workloads and SaaS applications. The solution helps organizations to better control and secure multi-cloud environments, using elevating just-in-time access with Zero Standing Privileges. By taking this approach, developers receive the permissions they need to do their job, while reducing risks of credential theft by removing excessive access and unnecessary entitlements. Developers retain their native user experience without impacting their productivity.
 
Machine Identities
 
Credentials in application code and across the software supply chain are increasingly being targeted for cyberattacks. With CyberArk, organizations can establish strong machine authentication, provide secure standing access or just-in-time access, and centrally rotate and manage credentials. By replacing hardcoded and static secrets with rotated and dynamic secrets, the platform dramatically increases security while avoiding any change to developer workflows.
 
For organizations looking to combine secure access for developers, cloud teams and the secrets that they use, our developer solution can be combined with our machine solutions to secure access to all layers of the cloud environment and provide a centralized secrets management capability to ensure developers can continue to move at the speed of the business while remaining secure.
 
Our Customers
 
As of December 31, 2023, we had more than 8,800 customers. Our customers include leading organizations in a diverse set of industries, including financial services, manufacturing, insurance, healthcare, energy and utilities, transportation, retail, technology and telecommunications, as well as government agencies.
 
Our business is not dependent on any particular customer. No customer or channel partner accounted for more than 10% of our revenues in the last three years. Our diverse global footprint is evidenced by the fact that in 2023, we generated 52.3% of our revenues from customers in the United States, 30.0% from the EMEA region and 17.7% from the rest of the world, including countries in North and South America other than the United States, and countries in the Asia Pacific and Japan region.
 
38


Go-to-Market
 
Marketing
 
Our marketing strategy is focused on further strengthening our brand, communicating the benefits of our solutions to our target audiences, driving market engagement, and creating a pipeline with prospects, resulting in an increase in sales to existing and new customers. We are uniquely positioned as the global leader in Identity Security. Centered on intelligent privilege controls, we provide comprehensive security solutions for human and machine identities across business applications, distributed workforces, hybrid cloud workloads, and throughout DevOps pipelines. The world’s leading organizations trust CyberArk to help secure their most critical assets.
 
We execute our strategy by leveraging a combination of internal marketing professionals and a network of channel partners to communicate our value proposition and differentiation for our products, generating qualified leads for our sales force and channel partners. Our marketing efforts include global inbound and outbound demand generation campaigns, account-based marketing, highly targeted brand awareness campaigns, public relations in multiple geographies and the publication of a broad array of content made available through our website. We also participate in key industry events around the world, engaging with audiences through exhibits and demonstrations, speaking sessions and executive meetings.
 
In May 2023, we hosted our 17th annual CyberArk IMPACT Conference for customers, partners and prospects in Boston, MA, with more than 1,100 attendees. The event included a hybrid/virtual component for those who could not travel to attend in person, with an additional 1,000 people joining virtually. Building on the success of our 2022 series, in 2023, we extended IMPACT to a global series, branded CyberArk IMPACT World Tour and hosted similar events in 19 other cities around the globe, with hundreds of customers, partners and prospects attending at each location. With more than 3,000 attendees in-person, IMPACT and IMPACT World Tour represent the largest Identity Security conference worldwide.
 
Sales
 
We believe that our hybrid sales model, which combines the leverage of high-touch, channel sales with the account control of direct sales, has played an important role in the growth of our customer base to date. We maintain a highly trained sales force that is responsible for developing and closing new business, the management of relationships with our channel partners and the support and expansion of relationships with existing customers. Our sales organization is organized by geographic regions, consisting of the Americas, EMEA, Asia Pacific and Japan. As of December 31, 2023, our global network of channel partners consisted of more than 1,300 global system integrators, managed service providers, solution providers, strategic outsourcers, advisories and distributors, as well as global and regional marketplaces. Our channel partners generally complement our sales efforts by helping identify potential sales targets, maintaining relationships with certain customers, introducing new products to existing customers, and offering post-sale professional services and technical support. In 2023, we generated approximately 20% of our revenues from direct sales from our field offices located throughout the world. We work with many global systems integration partners and several leading regional security value added resellers, such as Optiv Security Inc., Merlin International, Computacenter United States Inc., Netpoleon, SHI, M.Tech and GuidePoint Security. These companies were each among our top 15 channel partners in 2022 and 2023 by revenues, and we have derived a meaningful amount of revenues from sales to each of them during the last two years. Further, we work with advisory firms such as Deloitte, PricewaterhouseCoopers LLP, and KPMG in co-marketing and co-delivery of our solutions and providing implementation services to our customers.
 
Through CyberArk’s C3 Alliance, our global technology partner program, we bring together enterprise software, IT, Security, and cloud providers to build on the power of Identity Security to better protect customers from cyber threats. Our CyberArk Marketplace provides a trusted platform for customers to easily find and deploy integrations from the C3 Alliance, partners, and community members.
 
In 2024, we plan to make our Managed Service Provider Console generally available to respond to our managed services providers’ requirements to operationalize Privilege Cloud deployments across multiple customers and infrastructures efficiently and cost effectively, with the goal of reducing operational overhead and accelerating new customer registrations.
 
Our sales cycle varies by customer size, the number of products purchased and the complexity of the customer’s IT infrastructure, ranging from several weeks for incremental sales to existing customers to several months for large deployments. We also typically experience seasonality in our sales, particularly demonstrated by increased sales in the last month of a quarter and the last quarter of the year. To support our broadly dispersed global channel partners and customer base in our hybrid model, we had sales personnel in 42 countries as of December 31, 2023. We plan to continue investing in our sales organization to support both the growth of our channel partners and our direct sales organization.

39

 
Professional and Support Services
 
Maintenance and Support
 
Our maintenance and support program provides all customers who purchase maintenance and support in conjunction with their perpetual licenses, and customers who purchase self-hosted and SaaS subscriptions, the right to software bug repairs, the latest software enhancements, and updates on an if-and-when available basis during the maintenance period or subscription term, and access to our technical support services. Customers who purchase maintenance and support in conjunction with their initial perpetual license purchase typically buy for one year or three years and can subsequently continue to renew maintenance and support for additional one- or three-year periods. These two alternative maintenance and support periods are common in the software industry. Customers typically pay for each alternative in full at the beginning of their terms. However, in select situations, customers can opt for annual payments.
 
Our technical support services are provided to perpetual and subscription customers via our online support center, which enables customers to submit new support queries and monitor the status of open and past queries. Our online support system also provides customers with access to our CyberArk Knowledge Base, an online user-driven information repository that provides customers with the ability to address their own queries. Additionally, we offer email and telephone support during business hours to customers that purchase a standard support package and 24/7 availability to customers that purchase our 24/7 support or subscription package.
 
Our global customer support organization has expertise in our software and how it interacts with complex IT environments. We typically provide all levels of support directly to our customers. However, when sales are made through channels, the channel partner may provide the first and second level support, and we typically provide third level support if the issue cannot be resolved by the channel partner.
 
Professional Services
 
Our products are designed to allow for online trials, or to allow customers to download, install and deploy them on their own or with training and professional assistance. Our solutions are highly configurable, and many customers will select either one of our many trained channel partners or our CyberArk Security Services team to provide expert professional services. Our Security Services team can be contracted to assist customers in planning, installing, and configuring our solution to meet the needs of their security and IT environment, and provide technical account management services. Our Security Services team provides ongoing consulting services regarding best practices for achieving Identity Security, and recommends ways to implement our solutions to meet specific customer requirements. Additionally, they share best practices associated with Identity Security to educate customers and partners on such best practices through virtual classroom, live face-to-face, or self-paced classes. We also have Red Team services, which specialize in adversary simulations to test customers’ and prospects’ cloud and hybrid environments, DevOps pipelines and processes to help make their environment more secure.
 
In 2021, we introduced new professional services solutions aimed at delivering faster time to value and helping customers streamline the deployment of certain CyberArk SaaS products, while providing a resource to help to implement a phased approach to a Privileged Access Management program, from planning, to pilot, to production. In addition, in 2022, we expanded our professional services packages by offering outcome-based services that corresponded with each of our SaaS solutions.
 
The most comprehensive program of its kind, CyberArk Blueprint is designed to help customers take a future-proof, phased and measurable approach to reducing Identity Security risks. The experience of the CyberArk Labs and Red Team (CyberArk teams involved in cybersecurity research) and incident response engagements shows that nearly every targeted attack follows a similar pattern of identity and privileged credential compromise. These patterns influenced CyberArk Blueprint’s three guiding principles, which are foundational to the program: prevent credential theft; stop lateral and vertical movement; and limit privilege escalation and abuse. The CyberArk Blueprint uses a simple, prescriptive approach based on these guiding principles to reduce risk across five stages of Identity Security maturity. Customers benefit from being able to prioritize quick wins, progressively address advanced Identity Security use cases, and align security controls to digital transformation efforts across hybrid environments.
 
40


Research and Development
 
Continued investment in research and development is critical to our business. Our research and development efforts are focused primarily on improving and continuing to enhance existing products and services, as well as developing new solutions, services, products, features and functionality to meet market needs. We believe the timely development of new products and capabilities is essential to maintaining our competitive position. The majority of our newly released products are delivered as SaaS, but we continue to invest in both our self-hosted and SaaS solutions, in which we regularly incorporate new features and enhancements to existing features. We also maintain a dedicated CyberArk Labs team that research reported cyberattacks, emerging attack techniques and post-exploit methods that lead to new security development initiatives for our products, and provides thought-leadership on new product capabilities and targeted attack mitigation. As part of the expansion of our research and development and product development resources, we also established an Artificial Intelligence Center of Excellence to advance the use of AI and machine learning to improve security and productivity for our customers, by exploring opportunities to embed AI into our existing products, as well as researching the impact of generative AI on attacker innovation to help evolve AI-powered defenses. Our CyberArk Labs research team is also taking part in certain AI-related research, supported and funded by the Israeli Innovation Agency.
 
As of December 31, 2023, we had 922 employees focused on research and development. We conduct our research and development activities primarily in Israel, as well as other locations such as the United States and India. We believe this provides access to world class engineering talent. Our research and development expenses were $142.1 million, $190.3 million, and $211.4 million in 2021, 2022, and 2023, respectively.
 
Intellectual Property
 
We rely on a combination of patent, trademark, copyright and trade secret laws, confidentiality procedures and contractual provisions to protect our technology and the related intellectual property.
 
As of December 31, 2023, we had 147 issued patents in the U.S., and 48 pending U.S. patent applications. We also had 62 issued patents and 18 applications pending for examination in non-U.S. jurisdictions, all of which are counterparts of our U.S. patent applications. We expect to file additional patent applications in the future.
 
The inventions for which we have sought patent protection relate to current and future elements of our products and technology. The following list of products identifies some of those with patent-protected features, but other products may also be the subject matter of one or more patents: Privileged Access Security (PAS) solutions, including Privileged Access Manager, Vendor Privileged Access Manager, Privileged Session Manager (PSM), Enterprise Password Vault (EPV), Privilege Cloud, Dynamic Privilege Access (DPA), CyberArk DNA (Discovery and Audit), Privileged Threat Analytics (PTA), Endpoint Privilege Manager (EPM), Sensitive Information Management (SIM) and Cloud Entitlements Manager (CEM); Secret Management Solutions, including Conjur Enterprise, Conjur Open Source, Conjur Cloud, Credential Providers, Secretless and Secretless Broker; and Access Management Solutions, including CyberArk Identity, Workforce Identity, Customer Identity and Secure Web Sessions.
 
We generally enter into confidentiality agreements with our employees, consultants, service providers, resellers and customers and generally limit internal and external access to, and distribution of, our proprietary information and proprietary technology through certain procedural safeguards. These agreements and measures may not effectively prevent unauthorized use or disclosure of our intellectual property or technology, and may not provide an adequate remedy in the event of unauthorized use or disclosure of our intellectual property or technology.
 
Our industry is characterized by the existence of many relevant patents and frequent claims and related litigation regarding patent and other intellectual property rights. Leading companies in the security industry have extensive patent portfolios. As our market position continues to grow, we believe that competitors will be more likely to try to develop products that are like ours and that may infringe our proprietary rights. It may also be more likely that competitors or third parties will claim that our products infringe their proprietary rights. From time to time, third parties have asserted and may assert their patent, copyright, trademark and other intellectual property rights against us, our channel partners, users, or customers, whom our standard license and other agreements may obligate us to indemnify against such claims under certain circumstances. Successful claims of infringement or misappropriation by a third party could prevent us from developing, distributing, licensing, using certain products, performing certain services or could require us to pay substantial damages (including, for example, treble damages if we are found to have willfully infringed patents and increased statutory damages if we are found to have willfully infringed copyrights), royalties or other fees. Such claims also could require us to expend additional development resources to attempt to redesign our products or services or otherwise to develop non-infringing technology; enter into potentially unfavorable royalty or license agreements to obtain the right to use necessary technologies or intellectual property rights; and to indemnify our customers and partners (and parties associated with them). Even if third parties may offer a license to their technology, the terms of any offered license may not be acceptable, and the failure to obtain a license or the costs associated with any license could cause our business, results of operations or financial condition to be materially and adversely affected.
 
41


Competition
 
The information security market in which we operate is characterized by intense competition, constant innovation, rapid adoption of different technological solutions and services, and evolving security threats. We compete with multiple established and emerging companies that offer a broad array of information security products that employ different approaches and delivery models.
 
Specifically, our Identity Security Platform competes across a variety of markets and competitors, including, but not limited to:
 

PAM, including Endpoint Privilege Management, such as Delinea and BeyondTrust;
 

IAM, such as Okta and Microsoft; and
 

Secrets Management, including broad DevOps solutions, such as Hashi Corporation.
 
The maturity and growth of the information security market could also make it appealing for new players, such as large or emerging cybersecurity vendors or those in related markets (Endpoint, Cloud Security, DevOps or IaaS), to enter markets where we specialize. Given the critical importance of identity in the attack chain, which increases demand for our solutions, larger vendors, including cloud hyperscalers, and large cybersecurity platform vendors may meaningfully enter the identity security market. These organizations have extensive resources and competing with them could impact our business.
 
Additionally, potential consolidation among cybersecurity vendors may create an opportunity for our competitors to provide a greater breadth of offerings, including more integrations and bundled products. Accordingly, if customers prefer to utilize one vendor for multiple cybersecurity capabilities and if we fail to successfully execute our sales strategy of delivering our products and services on a solutions-based framework that can compete effectively against such cybersecurity vendors, this may place us at a competitive disadvantage. Furthermore, organizations continuously evaluate their security priorities and investments, and may allocate their information security budgets to other solutions and strategies, including solutions offered by our competitors, and may not adopt or expand use of our solutions. Accordingly, we may also compete for budget priority, to a certain extent, with other cybersecurity solutions offered by Microsoft, Palo Alto Networks, and CrowdStrike Holdings. The principal competitive factors in our market include:
 

o
the breadth and completeness of a security solution;
 

o
reliability and effectiveness in protecting, detecting and responding to cyberattacks;
 

o
analytics and accountability at an individual user level;
 

o
the ability of customers to achieve and maintain compliance with compliance standards and audit requirements;
 

o
strength of sale and marketing efforts, including advisory firms and channel partner relationships;
 

o
global reach and customer base;
 

o
scalability and ease of integration with an organization’s existing IT infrastructure and security investments;
 

o
brand awareness and reputation;
 

o
innovation, including AI and generative AI capabilities, and thought leadership;
 

o
quality of customer support and professional services;
 

o
the speed at which a solution can be deployed and implemented; and
 

o
the price of a solution, including bundled or free offerings, and cost of maintenance and professional services.
 
We believe we compete favorably with our competitors based on these factors. However, some of our current competitors may enjoy one or some combination of potential competitive advantages, such as greater name recognition, longer operating history, larger market share, larger existing user base and greater financial, technical, and operational capabilities.
 
In addition, industry analysts may review our products and services either independently or against other cybersecurity solutions offered by our competitors. If we receive unfavorable reviews or a downgrade in our existing accreditation for any reason, including perceived shortcomings in product efficacy, the failure of our products and services to perform at a level expected by such analysts, negative assessments of our competitive positioning, or the failure to address any concerns previously identified by such analysts, this may adversely impact our standing within the industry, market confidence, customer trust, or our ability to attract and retain clients, and could result in diminished market share, impaired customer perception, and a negative impact on our financial performance.
 
42


Properties
 
Our corporate headquarters are in Petach-Tikva, Israel, in an office consisting of approximately 139,100 square feet to which we moved in September 2017. The current lease expires in September 2027 with an extension option for one successive 24-month period. Our U.S. headquarters are in Newton, Massachusetts in an office consisting of approximately 32,463 square feet. The lease expires in February 2025 with an extension option for the entire premises through December 2025. We maintain additional offices in Israel, the U.S., the U.K., Singapore, France, Germany, Spain, Italy, Turkey, Australia, Japan, India, and the Netherlands. We believe that our facilities are sufficient to meet our current needs and that we will be able to obtain additional facilities on commercially reasonable terms if we require additional space to accommodate our growth.
 
Internal Cybersecurity
 
As we offer Identity Security solutions and services, we are sensitive to potential cyberattacks that may result in unauthorized access to our information, and potentially that of our customers. We are also aware that, as an Israeli company, we are likely to be targeted by cyber terrorists, cyber criminals, nation-state actors, or nation-state affiliated actors. Any actual or perceived breach of our networks, systems or data could adversely impact the market perception of our solutions and services and expose us to potential liability.
 
For more information regarding the risks involved with cybersecurity, see “Item 3.D. Risk Factors— Real or perceived security vulnerabilities and gaps in our solutions or services or the failure of our customers or third parties to correctly implement, manage and maintain our solutions, may result in significant reputational, financial, and legal adverse impact” and “—If our IT network systems, or those of our third-party providers, are compromised by cyberattacks or other security incidents, or by a critical system disruption or failure, then our reputation, financial condition and operating results could be materially adversely affected.”
 
By staying informed on the latest cybersecurity threats and trends, we continuously focus on implementing and maintaining technologies and solutions to assist in the prevention of potential cyberattacks, as well as protective measures and contingency plans in the event of an actual attack. We maintain cybersecurity risk management policies and procedures, including internal controls, audits and disclosure protocols for handling and responding to cybersecurity events. These policies and procedures include conducting regular penetration testing and security assessments to identify and address vulnerabilities, internal notifications and engagements and, as necessary, cooperation with law enforcement. Our controls are designed to limit and monitor access to our systems, networks, and data, prevent inappropriate or unauthorized access or modification, and monitor for threats or vulnerabilities. We periodically review and modify our cybersecurity risk management policies and procedures to reflect changes in technology, the regulatory environment, industry and security practices and other business needs. For example, we assess the impact of emerging technologies such as AI on our cybersecurity posture and adjust our security policies and security measures accordingly, including through the incorporation of advanced AI technologies into our products and systems like AI-powered threat detection and behavioral analytics. We conduct periodic trainings for our employees, including on phishing, malware and other cybersecurity risks, and we have mechanisms in place designed to promote rapid internal reporting of potential or actual cybersecurity breaches.
 
We continue to make significant investments in technical and organizational measures to establish and manage compliance with laws and regulations governing our activities regarding protected data (such as GDPR), which enhance our data protection and cybersecurity. Furthermore, we monitor cybersecurity risks, certifications or assessments at our third-party cloud infrastructure providers and other IT service providers, and reevaluate those contractual relationships as appropriate.
 
The audit committee of our board periodically reviews our cybersecurity risks and controls with senior management, keeping our board informed of key issues.
 
Government Regulations
 
For information regarding the material effects of government regulations, see “—Industry Background” above, “Item 3.D. Risk Factors— The dynamic regulatory environment around privacy, data protection, and AI may limit our offering or require modification of our products and services, which could limit our ability to attract new customers and support our current customers and increase our operational expenses. We could also be subject to investigations, litigation, or enforcement actions alleging that we fail to comply with regulatory requirements, which could harm our operating results and adversely affect our business,” “—We are subject to a number of regulatory and geopolitical risks associated with global sales and operations, which could materially affect our business,” “The tax benefits that are available to us require us to continue to meet various conditions and may be terminated or reduced in the future, which could increase our costs and taxes,” and “Item 5. Operating and Financial Review and Prospects—Operating Results—Israeli Tax Considerations and Government Programs.”

43

 
Legal Proceedings
 
See “Item 8.A. Consolidated Statements and Other Financial Information—Legal Proceedings.”
 

C.
Organizational Structure
 
The legal name of our Company is CyberArk Software Ltd., and we are organized under the laws of the State of Israel.
 
The following table sets forth our key subsidiaries, all of which are 100% owned directly or indirectly by CyberArk Software Ltd.:
 
Name of Subsidiary
Place of Incorporation
CyberArk Software, Inc.
Delaware, United States
Cyber-Ark Software (UK) Limited
United Kingdom
CyberArk Software (Singapore) Pte. Ltd.
Singapore
CyberArk Software (DACH) GmbH
Germany
CyberArk Software Italy S.r.l.
Italy
CyberArk Software (France) SARL
France
CyberArk Software (Netherlands) B.V.
Netherlands
CyberArk Software (Australia) Pty Ltd.
CyberArk Software (Japan) K.K.
CyberArk Software Canada Inc.
CyberArk USA Engineering, GP, LLC
Australia
Japan
Canada
Delaware, United States
CyberArk Software (Spain), S.L.
Spain
CyberArk Software (India) Private Limited
C3M India Private Limited
CyberArk Turkey Siber Güvenlik Yazılımı Anonim Şirketi
India
India
Turkey
 

D.
Property, Plant and Equipment
 
See “Item 4.B.—Business Overview—Properties” for a discussion of property, plant and equipment, as applicable.
 
ITEM 4A.          UNRESOLVED STAFF COMMENTS
 
Not applicable.

ITEM 5.             OPERATING AND FINANCIAL REVIEW AND PROSPECTS
 
The following discussion and analysis should be read in conjunction with our consolidated financial statements and the related notes contained elsewhere in this annual report. This discussion and analysis may contain forward-looking statements based upon current expectations that involve risks and uncertainties. Our actual results may differ materially from those anticipated in these forward-looking statements as a result of various factors, including those set forth in “Item 3.D. Risk Factors” of this annual report. Our financial statements have been prepared in accordance with U.S. GAAP.
 
Company Overview

CyberArk is a global leader in Identity Security, centered on intelligent privilege controls, with a focus on protecting organizations against identity-based cyberattacks. CyberArk applies intelligent privilege controls to all identities – human and machine – with continuous threat detection and prevention across the entire identity lifecycle. With CyberArk, organizations can enable Zero Trust and least privilege with complete visibility, ensuring that every identity can securely access any approved resource, located anywhere, from everywhere – with a single Identity Security Platform. 

44


We secure access for human or machine identities to help organizations secure critical business assets, protect their distributed workforce and customers, and accelerate business in the cloud. CyberArk’s vision is to deliver an Identity Security Platform that contextually authenticates each identity, dynamically authorizes the least amount of privilege required, secures credentials, and thoroughly audits the entire cycle – giving organizations peace of mind to drive their businesses fearlessly forward.

As the category-defining leader in Privileged Access Management, we are uniquely positioned to deliver on Identity Security because our core competency is securing the “keys to the kingdom.” These “keys to the kingdom” enable our customers to control access to sensitive infrastructure and applications, keeping them out of the hands of malicious or careless insiders or external attackers and preventing disruption to the business.

Securing these human and machine identities is now more important than ever. With the rapid rise in mobile workers, hybrid and multi-cloud adoption, AI and, in particular, generative AI, and digitalization of the enterprise, physical and network security barriers are less relevant at securing data and assets than ever before. Compromised identities and their associated privileges represent an attack path to an organization’s most valuable assets. We believe that identity has become the new security perimeter and is at the foundation of Zero Trust security models. Our approach is unique since CyberArk recognizes that every identity can become privileged under certain conditions, and we offer the broadest range of security controls to reduce risk while delivering a high-quality experience to the end user. This includes securing workforce, IT, developer, partner, customer and machine identities by replacing complex, patchworked, and siloed legacy access management solutions to improve security and operational efficiencies.

Prior to 2020, we primarily derived our revenues by licensing our cybersecurity software, selling maintenance and support contracts, and providing professional services. We began executing our transition to a subscription business model in early 2021, and, in 2023, we reached our transition goals of selling primarily through subscriptions, including both SaaS and self-hosted subscriptions. We believe that annual recurring revenue (ARR), subscription portion of ARR, recurring revenues, Remaining Performance Obligations (RPO), deferred revenue and Net cash provided by operating activities are indicators of the overall health of the business. For the full year 2023, we increased our ARR by 36% to $774 million as of December 31, 2023. The growth in ARR was driven by an increase in bookings from self-hosted and SaaS subscriptions. Our subscription revenues increased by 68% to $472.0 million in 2023, and recurring revenues increased by 36% to $679.6 million in 2023.
 
We plan to continue to invest in research and development in order to continue to develop technology to protect modern enterprises from Identity Security risk from hybrid to cloud-native environments. During the years ended December 31, 2021, 2022 and 2023, our revenues were $502.9 million, $591.7 million and $751.9 million, respectively, representing year-over-year growth of 17.7% and 27.1% in 2022 and 2023, respectively. Our net loss for the years ended December 31, 2021, 2022 and 2023 was $(83.9) million, $(130.4) million and $(66.5) million, respectively.

We have also increased our number of employees and subcontractors from 2,768 as of December 31, 2022 to 3,018 as of December 31, 2023. We intend to continue to execute our strategy of growing our business to meet the needs of our customers and to pursue opportunities in new and existing verticals, geographies, and products. We intend to continue to invest in our sales and marketing teams, with a particular focus on expanding our channel partnerships including managed service providers, targeting new customers, expanding our relationships with existing customers, creating technology partnerships and further building out our customer success operations for existing customers.
 
Key Performance Indicators and Recent Business Developments
 
We transitioned our business to a subscription model by incentivizing our team to shift our sales from perpetual licenses to recurring subscriptions, including SaaS and self-hosted subscriptions during 2021 and the first part of 2022. In 2023, more than 90% of our revenue was recurring, generated from SaaS and self-hosted subscriptions and maintenance contracts. Over the medium term, we expect maintenance revenues associated with perpetual license contracts to decline annually as more customers embrace our SaaS and self-hosted subscription solutions. In addition, the shift toward a recurring revenue business is resulting in an increase in single year payment terms for our customer contracts, which is customary in a subscription business model, in contrast to upfront payments for multi-year maintenance contracts and upfront payments for perpetual licenses, as we experienced in the perpetual license model. Lastly, the duration of our contract length for our self-hosted subscriptions also impacts the amount of recognized revenue in a period. These dynamics may impact our profitability and net cash provided by operating activities in the near term. Over the long term, we expect the subscription model to result in higher visibility, stronger durability of our business and the return to profitability and strong cash flow. The subscription business model is directly aligned with the broad market trends related to digital transformation and cloud migration as well as our Identity Security strategy.
 
45

 
We are focusing on the following metrics to evaluate the health of our business:

   
Year ended December 31,
 
   
2021
   
2022
   
2023
 
   
($ in millions)
 
Total ARR (as of period-end)
 
$
393
   
$
570
   
$
774
 
Subscription Portion of ARR (as of period-end)
 
$
183
   
$
364
   
$
582
 
Recurring revenues          
 
$
349
   
$
498
   
$
680
 
Deferred revenue (as of period-end)          
 
$
317
   
$
408
   
$
481
 
RPO (as of period-end)          
 
$
516
   
$
713
   
$
972
 
Net cash provided by operating activities          
 
$
75
    $ 50    
$
56
 

ARR. ARR is a performance indicator that provides more visibility into the growth of our recurring business in the upcoming year. ARR is defined as the annualized value of active SaaS, self-hosted subscriptions and their associated maintenance and support services, and maintenance contracts related to the perpetual licenses in effect at the end of the reported period. ARR should be viewed independently of revenues and total deferred revenue as it is an operating measure and is not intended to be combined with or to replace either of those measures. ARR is not a forecast of future revenues and can be impacted by contract start and end dates and renewal rates. This visibility allows us to make informed decisions about our capital allocation and level of investment.

Subscription Portion of Annual Recurring Revenue. The subscription portion of ARR is a performance indicator that provides more visibility into the area of the business that will drive the long-term growth of our recurring business. The subscription portion of ARR is defined as the annualized value of active SaaS and self-hosted subscription contracts in effect at the end of the reported period. The subscription portion of ARR excludes maintenance contracts related to perpetual licenses. The subscription portion of ARR should be viewed independently of revenues and total deferred revenue as it is an operating measure and is not intended to be combined with or to replace either of those measures. The subscription portion of ARR provides management with more visibility into our revenue stream for the upcoming year. This visibility allows us to make informed decisions about our capital allocation and level of investment.
 
Recurring Revenue. Recurring revenue is defined as revenue derived from SaaS and self-hosted subscription contracts, and maintenance contracts related to perpetual licenses during the reported period. Management monitors the growth of our recurring revenue to evaluate the health of our business. Recurring revenue also provides enhanced visibility and predictability of future revenues.
 
Total Deferred Revenue. Our total deferred revenue consists of maintenance and support and professional services that have been invoiced and collected but that have not yet been recognized as revenues because they do not meet the applicable criteria, and of self-hosted and SaaS subscription contracts, where there are unconditional rights for a consideration, that have been invoiced but have not yet been recognized. In 2023, an increasing percentage of our total deferred revenue and the substantial portion of our total deferred revenue growth was related to SaaS contracts that have not been recognized. Management monitors our total deferred revenue because it represents a significant portion of revenues to be recognized in future periods. The material factors driving changes in our license revenues are discussed under “—Comparison of Period to Period Results of Operations.”

46

 
Remaining Performance Obligations. RPOs represent non-cancelable contracts that have not yet been recognized, which include deferred revenues and amounts not yet received that will be recognized as revenue in future periods. Management monitors the value of RPO to provide visibility into near term and multi-year revenue streams. This visibility allows us to make informed decisions about our capital allocations and level of investment.
 
Net cash provided by operating activities. We monitor Net cash provided by operating activities as a measure of the amount of cash generated by the business and our overall business performance. Our cash provided by operating activities is driven in part by up-front payments for subscription, maintenance and professional services offerings. Monitoring cash provided by operating activities enables us to assess our financial performance, excluding non-cash effects of certain items such as share-based compensation costs or depreciation and amortization, which allows us to better understand and manage the cash needs of our business.
 

A.
Operating Results
 
For a discussion of our results of operations for the year ended December 31, 2021, including a year-to-year comparison between 2022 and 2021, refer to Item 5. “Operating and Financial Review and Prospects” in our annual report on Form 20-F for the fiscal year ended December 31, 2022, filed with the SEC on March 2, 2023.
 
Components of Statements of Operations
 
Revenues
 
Our revenues consist of the following:
 
o          Subscription Revenues. Subscription revenues include SaaS and self-hosted subscription revenues, as well as maintenance and support services associated with self-hosted subscriptions. Subscription revenues are generated primarily from sales of our Privileged Access Manager (Privilege Cloud and self-hosted), Endpoint Privilege Manager, Conjur Enterprise and Credential Providers, Vendor Privileged Access Manager, Workforce and Customer Access, Secure Cloud Access and Identity Management. We are seeing an increasing percentage of our business coming from our SaaS solutions, which have ratable revenue recognition, increasing our total deferred revenue that will be recognized over time. Our SaaS and self-hosted subscriptions represented over 60% of our total revenues in 2023, and we expect our subscription revenues to continue to grow in the near and long term. Privileged Access Manager, Workforce Identity and Secure Cloud Access are licensed per user. Endpoint Privilege Manager is licensed by target system (workstations and servers). Conjur Enterprise and Credential Providers have two different licensing approaches based on the types of applications being secured. The first is licensed by agent for mission-critical and static applications, and the second is licensed by site/region and number of clusters for more dynamic cloud native applications and DevOps pipelines.
 
o          Perpetual License Revenues. Perpetual license revenues are generated primarily from sales of our Privileged Access Manager. We are seeing a single digit percentage of our business coming from perpetual licenses, which have upfront revenue recognition. We expect revenues from perpetual licenses to continue to decrease as a percentage of total revenue as we continue to operate as a subscription company.
 
 o          Maintenance and Professional Services Revenues. Maintenance revenues are generated from maintenance and support contracts purchased by our customers who bought perpetual licenses in order to gain access to the latest software enhancements and updates on an if-and-when available basis and to telephone and email technical support. With the continued decline of new perpetual licenses and related new maintenance contracts, we are expecting our total maintenance revenues to decline in the near and long term in absolute dollars. We also offer advanced services, including professional services and technical account management, for consulting, deployment and training of our customers to fully leverage the use of our products. We increasingly leverage partners to provide services around implementation and ongoing management of our solutions and we are shifting our service delivery team toward higher value services that are often recurring in nature, like technical account management.
 
47

 
Geographic Breakdown of Revenues
 
The United States is our biggest market, with the balance of our revenues generated from the EMEA region and the rest of the world, which includes Canada, Central and South America, and the Asia Pacific and Japan region. The following table sets forth the geographic breakdown of our revenues by region for the periods indicated:
 
     
Year ended December 31,
 
      2021    
      2022    
      2023    
 
      Amount
      % of Revenues
      Amount
      % of Revenues
      Amount
      % of Revenues
 
     
($ in thousands)
 
United States
 
$
253,811
     
50.5
%
 
$
312,816
     
52.9
%
 
$
393,355
     
52.3
%
EMEA
   
163,328
     
32.5
     
178,344
     
30.1
     
225,738
     
30.0
 
Rest of World
   
85,778
     
17.0
     
100,550
     
17.0
     
132,795
     
17.7
 
Total revenues
 
$
502,917
     
100.0
%
 
$
591,710
     
100.0
%
 
$
751,888
     
100.0
%

Cost of Revenues
 
Our total cost of revenues consists of the following:
 
o
Cost of Subscription Revenues. The cost of subscription revenues consists primarily of personnel costs related to our customer support and cloud operations. Personnel costs consist primarily of salaries, benefits, bonuses and share-based compensation. The cost of subscription revenues also includes cloud infrastructure costs, amortization of intangible assets and depreciation of internal use software capitalization. As we shift more of our sales to SaaS and self-hosted subscription offerings, we expect the absolute cost of subscription revenues to increase.
 
  o   Cost of Perpetual License Revenues. The cost of perpetual license revenues consists primarily of appliance expenses and allocated personnel costs to support delivery and operations related to perpetual licenses. Personnel costs consist primarily of salaries, benefits, bonuses and share-based compensation. As we shift more of our sales to SaaS and self-hosted subscription contracts, we expect the absolute cost of perpetual license revenues and the cost of perpetual license revenues as a percentage of total revenues to decrease.
 
o
Cost of Maintenance and Professional Services Revenues. The cost of maintenance related to perpetual license contracts and professional services revenues primarily consists of allocated personnel costs for our global customer support and professional services organization. Such costs consist primarily of salaries, benefits, bonuses, share-based compensation and subcontractors’ fees. As new perpetual licenses and their associated maintenance contracts continue to decrease, we are expecting our total cost of maintenance revenues to decline. Concurrently, we anticipate cost of professional services revenues to increase due to our expanding customer base and ongoing investment in our services teams, aimed at delivering exceptional customer experiences.
 
Gross Profit and Gross Margin
 
Gross profit is total revenues less total cost of revenues. Gross margin is gross profit expressed as a percentage of total revenues. Our gross margin has historically fluctuated from period to period as a result of changes in the mix of revenues between SaaS, self-hosted Subscriptions and Perpetual Licenses, as well as maintenance and professional services revenues, cloud infrastructure costs and personnel costs. We expect our gross margin to be relatively consistent in the near term. As our subscription revenue mix continues to increase, we continue to streamline our cloud cost management, which is partially offset by ongoing investments in our services team, which focuses on our customer experience.

48

 
Operating Expenses
 
Our operating expenses are classified into three categories: research and development, sales and marketing and general and administrative. For each category, the largest component is personnel costs, which consist primarily of salaries, employee benefits (including commissions and bonuses) and share-based compensation expense. Operating expenses also include allocated overhead costs for IT, facilities and office expenses, as well as depreciation and amortization. Allocated costs for facilities and office expenses primarily consist of rent, office maintenance, utilities and office supplies. We expect personnel and all allocated costs to continue to increase in absolute dollars as we hire new employees and add facilities to continue to grow our business.
 
Research and Development. Research and development expenses consist primarily of personnel costs attributable to our research and development personnel, consultants and contractors, cloud infrastructure and software expenses, and allocated overhead costs. We expect that our research and development expenses will continue to increase in absolute dollars as we continue to grow our research and development headcount to further strengthen our technology platform and invest in the development of both existing and new solutions, products and services. At the same time, we expect our research and development expenses as a percentage of revenue to decline as we recognize the benefits of being a recurring revenue company and as we scale the organization.
 
Sales and Marketing. Sales and marketing expenses are the largest component of our operating expenses and consist primarily of personnel costs, including commissions, as well as marketing programs and general sales costs, software and related expenses, travel expenses and allocated overhead costs. We continue to invest to extend the reach of our sales organization, which means we continue to invest in both direct and indirect sales channels and related marketing expenses. We expect that sales and marketing expenses will continue to increase in absolute dollars, as we plan to expand our GTM efforts globally. At the same time, we expect our sales and marketing expenses as a percentage of revenue to decline, as we recognize the benefits of being a recurring revenue company and as we scale the organization. We continue to expect sales and marketing expenses will remain our largest category of operating expenses.
 
General and Administrative. General and administrative expenses consist primarily of personnel costs for our executive, finance, human resources, legal and administrative personnel. General and administrative expenses also include external legal, audit, accounting and other professional service fees and insurance premium. We continue to expect that general and administrative expenses will increase in dollars as we grow and expand our operations.
 
Financial Income (Expense), Net
 
Financial income (expense), net consists of mainly interest income, gain from investments in privately held companies, amortization of debt discount and issuance costs, foreign currency exchange gains or losses and foreign exchange forward transactions expenses. Interest income consists of interest earned on our cash, cash equivalents, short and long-term bank deposits, marketable securities and money market funds. We expect interest income to vary depending on our average investment balances and market interest rates during each reporting period. Foreign currency exchange changes reflect gains or losses related to transactions denominated in currencies other than the U.S. dollar.
 
Tax benefit (taxes on income)
 
Tax benefit (taxes on income) consists of taxes related to our activity in Israel, the United States, and numerous other foreign jurisdictions in which we conduct business.
 
The ordinary corporate tax rate in Israel is 23.0%.
 
As discussed in greater detail below under “Israeli Tax Considerations and Government Programs,” we have been entitled to various tax benefits under the Investment Law. Under the Investment Law, our tax rate to be paid with respect to our eligible Israeli taxable income under these benefits programs is generally 12.0%.
 
Under the Investment Law and other Israeli legislation, we are entitled to certain additional tax benefits, including accelerated deduction of research and development expenses, accelerated depreciation and amortization rates for tax purposes on certain intangible assets and deduction of public offering expenses in three equal annual installments. 
 
Our non-Israeli subsidiaries are taxed according to the tax laws in their respective jurisdictions of tax residency. Due to our multi-jurisdictional operations, we apply significant judgment to determine our consolidated income tax position.
 
For a reconciliation of our Tax benefit (taxes on income) to the theoretical income tax benefit according to Israeli statutory rate of 23% and for further explanation of our provision for income taxes, refer to Note 13 to our consolidated financial statements included in Item 18 of this annual report.
 
49


Comparison of Period to Period Results of Operations
 
The following table sets forth our results of operations in dollars and as a percentage of revenues for the periods indicated:

   
Year ended December 31,
 
   
2021
   
2022
   
2023
 
   
Amount
   
% of
Revenues
   
Amount
   
% of
Revenues
   
Amount
   
% of
Revenues
 
   
($ in thousands)
 
Revenues:
                                   
Subscription          
 
$
134,628
     
26.8
%
 
$
280,649
     
47.4
%
 
$
472,023
     
62.8
%
Perpetual license          
   
115,738
     
23.0
     
49,964
     
8.5
     
21,037
     
2.8
 
Maintenance and professional services
   
252,551
     
50.2
     
261,097
     
44.1
     
258,828
     
34.4
 
                                                 
Total revenues          
   
502,917
     
100.0
     
591,710
     
100.0
     
751,888
     
100.0
 
                                                 
Cost of revenues:
                                               
Subscription          
   
25,837
     
5.2
     
46,249
     
7.8
     
74,623
     
9.9
 
Perpetual license          
   
3,904
     
0.8
     
2,893
     
0.5
     
1,873
     
0.2
 
Maintenance and professional services
   
63,566
     
12.6
     
76,904
     
13.0
     
79,635
     
10.6
 
                             
                 
Total cost of revenues          
   
93,307
     
18.6
     
126,046
     
21.3
     
156,131
     
20.7
 
                                                 
Gross profit          
   
409,610
     
81.4
     
465,664
     
78.7
     
595,757
     
79.3
 
                                                 
Operating expenses:
                                               
Research and development          
   
142,121
     
28.2
     
190,321
     
32.2
     
211,445
     
28.1
 
Sales and marketing          
   
274,401
     
54.6
     
345,273
     
58.4
     
405,983
     
54.0
 
General and administrative          
   
71,425
     
14. 2
     
82,520
     
13.9
     
94,801
     
12.6
 
                                                 
Total operating expenses          
   
487,947
     
97. 0
     
618,114
     
104.5
     
712,229
     
94.7
 
                                                 
Operating loss          
   
(78,337
)
   
(15.6
)
   
(152,450
)
   
(25.8
)
   
(116,472
)
   
(15.5
)
Financial income (expense), net          
   
(12,992
)
   
(2.6
)
   
15,432
     
2.6
     
53,214
     
7.1
 
                                                 
Loss before taxes on income          
   
(91,329
)
   
(18.2
)
   
(137,018
)
   
(23.2
)
   
(63,258
)
   
(8.4
)
Tax benefit (taxes on income)          
   
7,383
     
1.5
     
6,650
     
1.1
     
(3,246
)
   
(0.4
)
                                                 
Net loss          
 
$
(83,946
)
   
(16.7
)%
 
$
(130,368
)
   
(22.0
)%
 
$
(66,504
)
   
(8.8
)%

50

 
Year Ended December 31, 2022 Compared to Year Ended December 31, 2023
 
Revenues

   
Year ended December 31,
 
   
2022
   
2023
   
Change
 
   
Amount
   
% of
Revenues
   
Amount
   
% of
Revenues
   
Amount
   
%
 
   
($ in thousands)
 
Revenues:
                                   
 Subscription
  $
280,649
     
47.4
%
 
$
472,023
     
62.8
%
 
$
191,374
     
68.2
%
Perpetual license          
   
49,964
     
8.5
     
21,037
     
2.8
     
(28,927
)
   
(57.9
)
Maintenance and professional services
   
261,097
     
44.1
     
258,828
     
34.4
     
(2,269
)
   
(0.9
)
                                                 
Total revenues          
  $
591,710
     
100.0
%
 
$
751,888
     
100.0
%
 
$
160,178
     
27.1
%
 
Revenues increased by $160.2 million, or 27.1%, from $591.7 million in 2022 to $751.9 million in 2023. This increase was primarily due to the growth of SaaS sales in 2022 and 2023 as well as the increase in self-hosted subscription sales, offset in part by the decline in perpetual license sales due to the Company’s transition away from the perpetual to subscription model. In addition, our strong SaaS and self-hosted subscription renewals further contributed to these results and allowed CyberArk to maintain its base of recurring business and build the foundation for growth. The largest increase in revenue occurred in United States, where revenues increased by $80.5 million, while the increase in EMEA and the rest of the world was $47.4 million and $32.2 million, respectively. We increased our number of customers from over 8,000 as of December 31, 2022, to more than 8,800 as of December 31, 2023.
 
Subscription revenues increased by $191.4 million, or 68.2%, from $280.6 million in 2022 to $472.0 million in 2023 as we increased the mix of our subscription sales.
 
Perpetual license revenues declined by $28.9 million, or 57.9%, from $50.0 million in 2022 to $21.0 million in 2023. The decline in perpetual license revenue is consistent with our transition from selling perpetual licenses to selling SaaS and self-hosted subscription licenses.
 
Maintenance and professional services revenues declined by $2.3 million, or 0.9%, from $261.1 million in 2022 to $258.8 million in 2023. Maintenance revenues declined by $10.1 million from $217.7 million in 2022 to $207.6 million in 2023. Despite our strong renewal rates, we did not add enough maintenance associated with new perpetual license sales to offset the customers who converted from maintenance to SaaS and self-hosted subscription contracts as well as churn.
 
Professional services revenues increased by $7.8 million from $43.4 million in 2022 to $51.2 million in 2023. The increase in professional services was also driven by the expansion of our professional services packages, which often include recurring services.

51

 
Cost of Revenues and Gross Profit

   
Year ended December 31,
 
   
2022
   
2023
   
Change
 
   
Amount
   
% of
Revenues
   
Amount
   
% of
Revenues
   
Amount
   
%
 
   
($ in thousands)
 
Cost of revenues:
                                   
Subscription          
 
$
46,249
     
7.8
%
 
$
74,623
     
9.9
%
 
$
28,374
     
61.4
%
Perpetual license          
   
2,893
     
0.5
     
1,873
     
0.2
     
(1,020
)
   
(35.3
)
Maintenance and professional services
   
76,904
     
13.0
     
79,635
     
10.6
     
2,731
     
3.6
 
                                                 
Total cost of revenues          
 
$
126,046
     
21.3
%
 
$
156,131
     
20.7
%
 
$
30,085
     
23.9
%
                                                 
Gross profit          
 
$
465,664
     
78.7
%
 
$
595,757
     
79.3
%
 
$
130,093
     
27.9
%
 
Cost of subscription revenues increased by $28.4 million, or 61.4%, from $46.2 million in 2022 to $74.6 million in 2023. The increase in cost of subscription revenues was primarily driven by a $13.9 million increase in personnel costs and related expenses, an $8.7 million increase in cloud infrastructure costs to support the growth in our SaaS and subscription revenues, a $2.1 million impairment of capitalized software development costs, a $1.1 million increase in the use of third-party consultants for services rendered, a $0.9 million increase in amortization of intangible assets, and a $0.4 million increase in amortization of capitalized software costs.
 
Cost of perpetual license revenues decreased by $1.0 million, or 35.3%, from $2.9 million in 2022 to $1.9 million in 2023. The decrease in cost of perpetual license revenues was primarily driven by a $0.7 million decrease in personnel costs and related expenses as we continue to shift our business towards SaaS and subscription.
 
Cost of maintenance and professional services revenues increased by $2.7 million, or 3.6%, from $76.9 million in 2022 to $79.6 million in 2023, as we increase investments in our service teams while cost of maintenance continue to decrease due to decline in new perpetual licenses. The increase in cost of maintenance and professional services revenues was primarily driven by a $2.0 million increase in personnel costs and related expenses, a $1.0 million increase in the use of third-party consultants for services rendered, and a $0.5 million increase in software and cloud infrastructure costs, partially offset by a decrease of $0.3 million in travel expenses.
 
Our headcount related to cost of revenues grew from 493 at the end of 2022 to 533 at the end of 2023.
 
Gross profit increased by $130.1 million, or 27.9%, from $465.7 million in 2022 to $595.8 million in 2023. Gross margins increased from 78.7% in 2022 to 79.3% in 2023. This was primarily driven by management of our cloud costs.
 
52


Operating Expenses

   
Year ended December 31,
 
   
2022
   
2023
   
Change
 
   
Amount
   
% of
Revenues
   
Amount
   
% of
Revenues
   
Amount
   
%
 
   
($ in thousands)
 
Operating expenses:
                                   
Research and development          
 
$
190,321
     
32.2
%
 
$
211,445
     
28.1
%
 
$
21,124
     
11.1
%
Sales and marketing          
   
345,273
     
58.4
     
405,983
     
54.0
     
60,710
     
17.6
 
General and administrative          
   
82,520
     
13.9
     
94,801
     
12.6
     
12,281
     
14.9
 
                                                 
Total operating expenses          
 
$
618,114
     
104.5
%
 
$
712,229
     
94.7
%
 
$
94,115
     
15.2
%

Research and Development. Research and development expenses increased by $21.1 million, or 11.1%, from $190.3 million in 2022 to $211.4 million in 2023. This increase was primarily attributable to an $18.3 million increase in personnel costs and related expenses, attributable in part to significant hiring of R&D headcount late in 2022 leading to an uptick in expenses for 2023. Additionally, there was a $2.9 million increase in cloud and software costs and a $1.7 million increase in expenses related to consultants and contractors.

Our research and development team headcount grew from 901 at the end of 2022 to 922 at the end of 2023.
 
Sales and Marketing. Sales and marketing expenses increased by $60.7 million, or 17.6%, from $345.3 million in 2022 to $406.0 million in 2023. This increase was primarily attributable to a $55.5 million increase in personnel costs and related expenses due to increased headcount in all regions to expand our GTM teams. The increase was also attributable to a $2.4 million increase in cloud and software costs, a $2.3 million increase in marketing expenses and sales events and a $1.3 million increase in travel expenses.
 
Our sales and marketing headcount grew from 1,157 at the end of 2022 to 1,321 at the end of 2023.
 
General and Administrative. General and administrative expenses increased by $12.3 million, or 14.9%, from $82.5 million in 2022 to $94.8 million in 2023. This increase was primarily attributable to an increase of $11.8 million in personnel costs and related expenses due to increased headcount and a $1.1 million increase in software expenses, partially offset by a decrease of $0.7 million in services fees for external legal counsel, accounting advisors and patent administration.
 
Our general and administrative headcount grew from 217 at the end of 2022 to 242 at the end of 2023.
 
Financial Income, Net. Financial income, net increased by $37.8 million, or 245%, from $15.4 million in 2022 to $53.2 million in 2023. This increase resulted primarily from an increase of $35.5 million in interest income, mainly due to higher market interest rates and increased investment balances in marketable securities, short-term and long-term bank deposits, and money market funds.
 
Tax benefit (taxes on income). Tax benefit (taxes on income) changed from a tax benefit of $6.7 million in 2022 to taxes on incomes of $3.2 million in 2023. This change was mainly attributed to a decrease in our loss before taxes on income.
 

B.
Liquidity and Capital Resources
 
We fund our operations with cash generated from operating activities. We have also raised capital through issuing convertible senior notes, the sale of equity securities in public offerings and, to a lesser extent, through exercised options. Our primary current uses of our cash are ongoing operating expenses and capital expenditures.
 
As of December 31, 2022 and 2023, our principal sources of liquidity were cash, cash equivalents, bank deposits and marketable securities of $1.2 billion and $1.3 billion, respectively. We believe that our cash generated from operating activities, along with existing cash, cash equivalents, marketable securities and bank deposits will be sufficient to fund our working capital and capital expenditures for at least the next 12 months and for the foreseeable future. Our future capital requirements will depend on many factors, including our revenue growth rate, renewal rates and timing of renewals, the expansion of our sales and marketing activities, the timing and extent of spending to support product development efforts and expansion into new geographic locations, the timing of introductions of new products and enhancements to existing products, the timing and extent of additional expenditures to invest in scaling our operations and the continuing market acceptance of our offerings. We have, and may in the future, acquire or invest in complementary businesses and technologies.

53

 
The following table presents the major components of net cash flows for the periods presented:



Year Ended December 31,
 


2022
   
2023
 


($ in thousands)
 
Net cash provided by operating activities          

$
49,708


$
56,204

Net cash used in investing activities          

 
(68,392
)

 
(85,828
)
Net cash provided by financing activities          


12,225


 
38,084

 
A substantial source of our net cash provided by operating activities is our deferred revenue, which is included on our consolidated balance sheet as a liability. Our deferred revenue consists of SaaS contracts and self-hosted subscriptions that have been invoiced but not yet recognized and maintenance and support and professional services that have been invoiced and collected but that have not yet been recognized as revenues. We assess our liquidity, in part, through an analysis of our short-term and long-term deferred revenue that has not yet been recognized as revenues together with our other sources of liquidity. Revenues from SaaS contracts and maintenance and support contracts are recognized ratably on a straight-line basis over the term of the related contract, which is typically one year or three years, and revenues from professional services are recognized as services are performed. Thus, upfront payments add to the liquidity of our operations since we frequently recognize self-hosted subscription, SaaS, maintenance and support and professional services revenues and expenses in subsequent periods to when the payments may be received. The duration of our contracts also impacts our deferred revenue.
 
Net Cash Provided by Operating Activities
 
Our cash flow reflects our net loss coupled with changes in our non-cash working capital.
 
During the year ended December 31, 2023, operating activities provided $56.2 million in cash as a result of $66.5 million of net loss, adjusted by $140.1 million of non-cash charges related to share-based compensation expense, $19.3 million related to depreciation and amortization expenses, $3.0 million in non-cash interest expense related to the amortization of debt discount and issuance costs and a net change of $9.2 million in non-cash working capital, partially offset by a $41.0 million net change from other long-term assets and liabilities and a $7.9 million increase in deferred tax assets.
 
The change of $9.2 million in non-cash working capital was due to an $81.3 million increase in short-term deferred revenue, an increase of $7.0 million in employees and payroll accruals, and an increase of $6.6 million in other current liabilities, partially offset by an increase of $65.7 million in trade receivables, a $17.3 million net change from other current assets and a decrease of $2.7 million in trade payables.
 
During the year ended December 31, 2022, operating activities provided $49.7 million in cash as a result of $130.4 million of net loss, adjusted by $120.8 million of non-cash charges related to share-based compensation expense, $16.2 million related to depreciation and amortization expenses, $3.0 million in non-cash interest expense related to the amortization of debt discount and issuance costs and a net change of $109.1 million in non-cash working capital, partially offset by a $53.4 million net change from other long-term assets and liabilities and a $15.6 million increase in deferred tax assets.
 
The change of $109.1 million in non-cash working capital was due to a $97.0 million increase in short-term deferred revenue, an increase of $0.7 million in employees and payroll accruals, an increase of $4.1 million in trade payables, an $8.8 million net change from other current assets and a decrease of $6.1 million in other current liabilities, partially offset by an increase of $7.6 million in trade receivables.
 
During the years ended December 31, 2022 and 2023, our days’ sales outstanding (“DSO”) were 75 days and 91 days, respectively. The increase in DSO was mainly due to the increase in open Account Receivable and unbilled Account Receivable as a result of an increase in sales.
 
Net Cash Used in Investing Activities
 
Investing activities have consisted of investment in, and proceeds from, short-term and long-term deposits, investment in, and proceeds from sales and maturities of marketable securities, payments for business acquisitions and purchases of property and equipment.
 
54


Net cash used in investing activities was $68.4 million and $85.8 million for the years ended December 31, 2022 and 2023, respectively.
 
The increase of $17.4 million in net cash used in investing activities in 2023 was due to a net increase of $66.3 million in investments in short- and long-term deposits, marketable securities and others, partially offset by a decrease of $41.3 million in payments for business acquisitions, net of cash acquired, and a decrease of $7.6 million in capital expenditures.
 
The decrease of $159.8 million in net cash used in investing activities in 2022 was due to a net decrease of $204.7 million in investments in short and long-term deposits, marketable securities and other, partially offset by an increase of $41.3 million in payments for business acquisitions, net of cash acquired, and an increase of $3.6 million in capital expenditures.
 
Net Cash Provided by Financing Activities
 
Our financing activities have consisted of proceeds from shares issued in connection with our ESPP (defined below), proceeds from the exercise of share options, payments of contingent consideration related to acquisitions and proceeds from (payments of) withholding tax related to employee stock plans.
 
Net cash provided by financing activities was $12.2 million and $38.1 million for the years ended December 31, 2022 and 2023, respectively.
 
The increase of $25.9 million in net cash provided by financing activities in 2023 was due to an increase of $11.4 million in proceeds from withholding tax related to employee stock plans, an increase of $9.1 million in proceeds from the exercise of stock options, a decrease of $4.7 million in payments of contingent consideration related to acquisitions, and an increase of $0.7 million in proceeds from shares issued in connection with employee stock purchase plan.
 
Our Material Contractual Obligations
 
The following table summarizes our contractual obligations as of December 31, 2023:
 
   
Total
   
Less than 1 year
   
1 – 3 years
   
3 – 5 years
   
More than 5 years
 
($ in thousands)
           
             
Operating lease obligations(1)
 
$
32,546
   
$
8,304
   
$
12,798
   
$
8,795
   
$
2,649
 
Uncertain tax obligations(2)
   
5,960
     
     
     
     
 
Severance pay(3)
   
8,337
     
     
     
     
 
0.00% Convertible Senior Notes due 2024(4)
   
575,000
     
575,000
     
     
     
 
 Non-cancelable material purchase obligations(5)
   
214,244
     
50,487
     
115,007
     
48,750
     
 
                                         
Total
 
$
836,087
   
$
633,791
   
$
127,805
   
$
57,545
   
$
2,649
 
 
(1) Operating lease obligations consist of our contractual rental expenses under operating leases of facilities and certain motor vehicles.
 
(2) Consists of accruals for certain income tax positions under ASC 740 that are paid upon settlement, and for which we are unable to reasonably estimate the ultimate amount and timing of settlement. See Note 13(j) to our consolidated financial statements included elsewhere in this annual report for further information regarding our liability under ASC 740. Payment of these obligations would result from settlements with tax authorities. Due to the difficulty in determining the timing of resolution of audits, these obligations are only presented in their total amount.
 
(3) Severance pay relates to accrued severance obligations mainly to our Israeli employees as required under Israeli labor laws. These obligations are payable only upon the termination, retirement or death of the respective employee and may be reduced if the employee’s termination is voluntary. These obligations are partially funded through accounts maintained with financial institutions and recognized as an asset on our balance sheet. As of December 31, 2023, $3.2 million is unfunded. See Note 2(l) to our consolidated financial statements included elsewhere in this annual report for further information.
 
(4) For additional information, see Note 11 to our consolidated financial statements included elsewhere in this annual report.
 
(5) Consists of agreements related to the receipt of cloud infrastructure services and subscription-based cloud services.

55

 

C.
Research and Development, Patents and Licenses, etc.
 
We conduct our research and development activities primarily in Israel as well as other locations such as India and the United States. As of December 31, 2023, our research and development department included 922 employees and contractors. In 2023, research and development costs accounted for 28.1% of our total revenues.
 
For a description of our research and development policies, see “Item 4.B. Business Overview—Research and Development.”
 
For information regarding our patents, see “Item 4.B. Business Overview—Intellectual Property.”
 

D.
Trend Information
 
Other than as disclosed elsewhere in this annual report, we are not aware of any trends, uncertainties, demands, commitments or events since December 31, 2023, that are reasonably likely to have a material adverse effect on our net revenue, income, profitability, liquidity or capital resources, or that caused the disclosed financial information to be not necessarily indicative of future operating results or financial condition.
 
E.           Critical Accounting Estimates
 
Our accounting policies and their effect on our financial condition and results of operations are more fully described in our consolidated financial statements included elsewhere in this annual report. We have prepared our financial statements in conformity with U.S. GAAP, which requires management to make estimates and assumptions that in certain circumstances affect the reported amounts of assets and liabilities, revenues and expenses and disclosure of contingent assets and liabilities. These estimates are prepared using our best judgment, after considering past and current events and economic conditions. While management believes the factors evaluated provide a meaningful basis for establishing and applying sound accounting policies, management cannot guarantee that the estimates will always be consistent with actual results. In addition, certain information relied upon by us in preparing such estimates includes internally generated financial and operating information, external market information, when available, and when necessary, information obtained from consultations with third parties. Actual results could differ from these estimates and could have a material adverse effect on our reported results. See “Item 3.D. Risk Factors” for a discussion of the possible risks which may affect these estimates.
 
We believe that the accounting policies discussed below are critical to our financial results and to the understanding of our past and future performance. These accounting policies involve estimates that have been made in accordance with generally accepted accounting principles that involve a significant level of estimation uncertainty and have had or are reasonably likely to have a material impact on our financial condition or results of operations.
 
Revenue Recognition
 
We substantially generate revenues from providing the right to access SaaS solutions and licensing the rights to use software products, as well as from maintenance and professional services. Subscription revenues include SaaS offerings and on-premises subscription (“Self-hosted subscription”). We sell products through our direct sales force and indirectly through resellers. Payment is typically due within 30 to 90 calendar days of the invoice date.

56

 
We recognize revenues in accordance with ASC No. 606 “Revenue from Contracts with Customers.” As such, we identify a contract with a customer, identify the performance obligations in the contract, determine the transaction price, allocate the transaction price to each performance obligation in the contract and recognize revenues when (or as) we satisfy a performance obligation.
 
We enter into contracts that can include combinations of products and services, which are generally capable of being distinct and accounted for as separate performance obligations and may include an option to provide services. Perpetual license and self-hosted subscription are distinct as the customer can derive the economic benefit of the software without any professional services, updates or technical support.
 
The transaction price is determined based on the consideration to which we will be entitled in exchange for transferring goods or services to the customer. We do not grant a right of return to our customers.
 
In instances of contracts where revenue recognition differs from the timing of invoicing, we generally determined that those contracts do not include a significant financing component. The primary purpose of the invoicing terms is to provide customers with simplified and predictable ways of purchasing our products and services, not to receive or provide financing. We use the practical expedient and do not assess the existence of a significant financing component when the difference between payment and revenue recognition is a year or less.
 
We allocate the transaction price to each performance obligation based on its relative standalone selling price. For maintenance, we determine the standalone selling price based on the price at which we separately sell a renewal contract. For professional services, we determine the standalone selling prices based on the prices at which we separately sell those services. For SaaS, self-hosted subscriptions and perpetual licenses, we determine the standalone selling prices by taking into account available information such as historical selling prices, contract value, geographic location, and our price list and discount policy.
 
The license portion of self-hosted subscriptions and perpetual licenses are recognized at the point of time when the license is made available for download by the customer. Maintenance revenue related to perpetual license contracts and the maintenance component of the self-hosted subscription offering as well as SaaS revenues are recognized ratably, on a straight-line basis over the term of the related contract, which is generally one to three years. Professional services revenues are substantially recognized as the services are performed.
 
Contract liabilities consist of deferred revenue and include unearned amounts received under maintenance and support contracts and professional services that do not meet the revenue recognition criteria as of the balance sheet date. Contract liabilities also include unearned, invoiced amounts in respect of SaaS and self-hosted subscription contracts whereby there is an unconditional right for the consideration. Deferred revenues are recognized as (or when) the Company performs under the contract.
 
The transaction price allocated to remaining performance obligations represents non-cancelable contracts that have not yet been recognized, which includes deferred revenues and amounts not yet received that will be recognized as revenue in future periods.
 
Deferred Contract Costs
 
We pay sales commissions primarily to sales and certain management personnel based on their attainment of certain predetermined sales goals. Sales commissions are considered incremental and recoverable costs of obtaining a contract with a customer. Sales commissions paid for initial contracts, which are not commensurate with sales commissions paid for renewal contracts, are capitalized and amortized over an expected period of benefit. We estimate the expected period of benefit based on assumptions related to our technology, customer contracts and other factors. We have determined the expected period of benefit to be approximately five years. Sales commissions for initial contracts, which are commensurate with sales commissions paid for renewal contracts, are capitalized and amortized correspondingly to the recognized revenue of the related initial contracts. Sales commissions for renewal contracts are capitalized and amortized over the related contractual renewal period and aligned with the revenue recognized from these contracts. Amortization expense of these costs is substantially included in sales and marketing expenses.
 
Share-Based Compensation
 
We account for share-based compensation in accordance with ASC No. 718, “Compensation - Stock Compensation” (ASC No. 718). ASC No. 718 requires companies to estimate the fair value of equity-based payment awards on the date of grant using an option-pricing model. The value of the award is recognized as an expense over the requisite service periods, which is generally the vesting period of the respective award, on a straight-line basis when the only condition to vesting is continued service. If vesting is subject to a performance condition, recognition is based on the implicit service period of the award. Expense for awards with performance conditions is estimated and adjusted on a quarterly basis based upon the assessment of the probability that the performance condition will be met.

57

 
We selected the Black-Scholes-Merton option-pricing model as the most appropriate fair value method for our option awards and Employee Share Purchase Plan (ESPP). The fair value of restricted share units (RSUs) and performance share units (PSUs) without market conditions, is based on the closing market value of the underlying shares at the date of grant. For PSUs subject to market conditions, we use a Monte Carlo simulation model, which utilizes multiple inputs to estimate payout level and the probability that market conditions will be achieved.
 
The Black-Scholes-Merton and Monte Carlo models require a number of assumptions, of which the most significant are the expected share price volatility and the expected option term. We recognize forfeitures of equity-based awards as they occur. For graded vesting awards subject to service conditions, the Company recognizes compensation cost using the straight-line attribution method.
 
These estimates involve uncertainties and the application of judgment. If circumstances are changed and different estimates are used, our expenses could materially differ in the future.
 
Business combination
 
We account for our business combinations in accordance with ASC No. 805, “Business Combinations” using the acquisition method of accounting, which requires, among other things, allocation of the fair value of purchase consideration to the tangible and intangible assets acquired and liabilities assumed at their estimated fair values on the acquisition date. The excess of the fair value of purchase consideration over the values of these identifiable assets and liabilities is recorded as goodwill. When determining the fair value of assets acquired and liabilities assumed, we make estimates and assumptions, especially with respect to intangible assets. Our estimates of fair value are based upon assumptions believed to be reasonable, but which are inherently uncertain and unpredictable, and, as a result, actual results may differ from estimates. During the measurement period, not to exceed one year from the date of acquisition, we may record adjustments to the assets acquired and liabilities assumed, with a corresponding offset to goodwill if new information is obtained related to facts and circumstances that existed as of the acquisition date. Acquisition costs, such as legal and consulting fees, are expensed as incurred.
 
Goodwill and Other Intangible Assets
 
Goodwill and certain other purchased intangible assets have been recorded in our financial statements as a result of acquisitions.
 
ASC No. 350, “Intangible—Goodwill and Other” requires goodwill to be tested for impairment at least annually and, in certain circumstances, between annual tests. The accounting guidance gives the option to perform a qualitative assessment to determine whether further impairment testing is necessary. The qualitative assessment includes judgement and considers events and circumstances that might indicate that a reporting unit’s fair value is less than its carrying amount.
 
For the years ended December 31, 2021, 2022 and 2023, no impairment losses were identified.
 
Convertible Senior Notes
 
For the year ended December 31, 2021, prior to the adoption of ASU 2020-06, we accounted for our convertible senior notes in accordance with ASC No. 470-20, “Debt with Conversion and Other Options.” We allocated the principal amount of the convertible senior notes between its liability and equity component. The liability component at issuance is recognized at fair value, which is based on estimations. The calculation is based on the fair value of a similar instrument of similar credit rating and maturity that does not have a conversion feature. The equity component is based on the excess of the principal amount of the convertible senior notes over the fair value of the liability component and is recorded in additional paid-in capital. We allocated the total issuance costs incurred to the liability and equity components of the convertible senior notes based on the same proportions as the proceeds from the notes.
 
Issuance costs attributable to the liability are netted against the principal balance and are amortized to interest expense using the effective interest method over the contractual term of the notes. The effective interest rate of the liability component of the notes is 3.50%. The effective interest rate calculation was based on estimations and assumptions related to economic and market factors.

58

 
Issuance costs attributable to the equity component are netted with the equity component in additional paid-in capital.
 
On January 1, 2022, we adopted ASU 2020-06, “Debt - Debt with Conversion and Other Options (subtopic 470-20) and Derivatives and Hedging - Contracts in Entity’s Own Equity (subtopic 815-40)," using the modified retrospective method. As a result, the convertible notes' previously recognized equity component was combined with the liability component, and the convertible notes were accounted for as a single unit of account.
 
Legal Contingencies
 
From time to time, we may be subject to legal proceedings and claims arising in the ordinary course of our business. Such matters are subject to many uncertainties and outcomes are not predictable with assurance. We accrue for contingencies when the loss is probable and we can reasonably estimate the amount of any such loss. In determining the probability of a loss and consequently determining a reasonable estimate, we are required to use significant judgment. We are currently not a party to any material litigation and are not aware of any pending or threatened material legal or administrative proceedings against us. Regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management resources and other factors.
 
Income Taxes
 
We calculate income tax provisions based on our results in each jurisdiction in which we operate. The calculation is based on estimated tax consequences and on assumptions as to our entitlement to various benefits under the applicable local tax laws.
 
Significant judgment is required in evaluating our uncertain tax positions. We establish reserves for uncertain tax positions based on the evaluation of whether or not our uncertain tax position is “more likely than not” to be sustained upon examination based on our technical merits. We record estimated interest and penalties pertaining to our uncertain tax positions in the financial statements as income tax expense.
 
Deferred tax assets are recognized for unused tax losses, unused tax credits, and deductible temporary differences to the extent that it is probable that future taxable profits will be available, against which they can be used. Deferred taxes for each jurisdiction are presented as a net asset or liability, net of any valuation allowances. We estimate the need for any valuation allowance by applying significant judgment and considering all available evidence including past results and future projections. We reassess our estimates periodically and record a partial or full valuation allowance release if needed.
 
We cannot assure that future final tax outcomes will not be different than our tax provisions and reserves for uncertain tax positions. To the extent that the final tax outcome of these matters is different than the amounts recorded, such differences will impact the provision for income taxes in the period in which such determination is made.
 
Israeli Tax Considerations and Government Programs
 
The following is a summary of the material Israeli tax laws applicable to us, and certain Israeli Government programs that benefit us. To the extent that the discussion is based on new tax legislation that has not yet been subject to substantive judicial or administrative interpretation, we cannot provide assurance that the appropriate tax authorities or the courts will accept the views expressed in this discussion. The discussion below is subject to change, including due to amendments under Israeli law or changes to the applicable judicial or administrative interpretations of Israeli law, which could affect the tax consequences described below.
 
General Corporate Tax Structure in Israel
 
Ordinary taxable income is subject to a corporate tax rate of 23% as of 2018. However, the effective tax rate payable by a company that derives income from an Approved Enterprise, a Benefited Enterprise, a Preferred Enterprise or a Preferred Technology Enterprise (as discussed below) may be considerably lower. Capital gains derived by an Israeli company are generally subject to tax at the prevailing ordinary corporate tax rate.

59

 
Tax Benefits for Research and Development
 
Israeli tax law allows, under certain conditions, a tax deduction for research and development expenditures, including capital expenditures, for the year in which they are incurred. Expenditures are deemed related to scientific research and development projects if:
 

o
the expenditures are approved by the relevant Israeli government ministry, determined by the field of research;
 

o
the research and development is for the promotion or development of the company; and
 

o
the research and development is carried out by or on behalf of the company seeking the deduction.
 
However, the amount of such deductible expenses shall be reduced by the sum of any funds received through government grants for the finance of such scientific research and development projects. No deduction under these research and development deduction rules is allowed if such deduction is related to an expense invested in an asset depreciable under the general depreciation rules of the Ordinance (defined below). Expenditures not so approved are deductible over a three-year period from the first year that the expenditures were made if the research or development is for the promotion or development of the company.
 
Law for the Encouragement of Industry (Taxes), 5729-1969
 
The Law for the Encouragement of Industry (Taxes), 5729-1969, generally referred to as the Industry Encouragement Law, provides several tax benefits for “Industrial Companies.”
 
The Industry Encouragement Law defines an “Industrial Company” as an Israeli resident company which was incorporated in Israel, of which 90% or more of its income in any tax year, other than income from certain government loans, is derived from an “Industrial Enterprise” owned by it and located in Israel or in the “Area,” in accordance with the definition in the section 3A of the Israeli Income Tax Ordinance (New Version) 1961 (the “Ordinance”). An “Industrial Enterprise” is defined as an enterprise, which is held by an Industrial Company, whose principal activity in a given tax year is industrial production.
 
The following tax benefits, among others, are available to Industrial Companies:
 

o
amortization of the cost of purchased know-how, patents and rights to use a patent and know-how which are used for the development or promotion of the Industrial Enterprise, over an eight-year period commencing on the year in which such rights were first exercised;
 

o
under limited conditions, an election to file consolidated tax returns together with Israeli Industrial Companies controlled by it; and
 

o
expenses related to a public offering of shares in a stock exchange are deductible in equal amounts over three years commencing on the year of offering.
 
Eligibility for benefits under the Industry Encouragement Law is not contingent upon the approval of any governmental authority. We believe that we generally qualify as an Industrial Company within the meaning of the Industry Encouragement Law. The Israel Tax Authority may determine that we do not qualify as an Industrial Company, which could entail our loss of the benefits that relate to this status. There can be no assurance that we will continue to qualify as an Industrial Company or that the benefits described above will be available in the future.
 
Law for the Encouragement of Capital Investments, 5719-1959
 
The Law for the Encouragement of Capital Investments, 5719-1959, generally referred to as the Investment Law, provides certain incentives for capital investments in production facilities (or other eligible assets) by “Industrial Enterprises” (as defined under the Investment Law).
 
The Investment Law was significantly amended effective April 1, 2005 (the “2005 Amendment”), further amended as of January 1, 2011 (the “2011 Amendment”), and further amended as of January 1, 2017 (the “2017 Amendment”). Pursuant to the 2005 Amendment, tax benefits granted in accordance with the provisions of the Investment Law prior to its revision by the 2005 Amendment remain in force, but any benefits granted subsequently are subject to the provisions of the 2005 Amendment. Similarly, the 2011 Amendment introduced new benefits to replace those granted in accordance with the provisions of the Investment Law in effect prior to the 2011 Amendment. However, companies entitled to benefits under the Investment Law as in effect prior to January 1, 2011 were entitled to choose to continue to enjoy such benefits, provided that certain conditions are met, or elect instead, irrevocably, to forego such benefits and have the benefits of the 2011 Amendment apply. The 2017 Amendment introduced new benefits for Technological Enterprises that meet certain conditions, alongside the existing tax benefits.

60


Tax Benefits Prior to the 2005 Amendment
 
An investment program that is implemented in accordance with the provisions of the Investment Law prior to the 2005 Amendment, referred to as an “Approved Enterprise,” is entitled to certain benefits. A company that wished to receive benefits as an Approved Enterprise must have received approval from the Israeli Authority for Investments and Development of the Industry and Economy (the “Investment Center”). Each certificate of approval for an Approved Enterprise relates to a specific investment program, delineated both by the financial scope of the investment, including sources of funds, and by the physical characteristics of the facility or other assets.
 
The tax benefits available under any certificate of approval relate only to taxable income attributable to the specific program and are contingent upon meeting the criteria set out in such certificate. Income derived from activity that is not integral to the activity of the Approved Enterprise will not enjoy tax benefits.
 
The tax benefits under the alternative benefits track include an exemption from corporate tax on undistributed income which was generated from an Approved Enterprise for between two and 10 years from the first year of taxable income, depending on the geographic location of the Approved Enterprise facility within Israel, and the taxation of income generated from an Approved Enterprise at a reduced corporate tax rate of between 10% to 25% for the remainder of the benefits period, depending on the level of foreign investment in the company in each year, as detailed below.
 
In addition, a company that has an Approved Enterprise program is eligible for further tax benefits if it qualifies as a Foreign Investors’ Company (FIC), which is a company with a level of foreign investment, as defined in the Investment Law, of more than 25%.
 
If a company elects the alternative benefits track and subsequently distributes a dividend out of income derived by its Approved Enterprise during the tax exemption period it will be subject to corporate tax in respect of the amount of the distributed dividend (grossed-up to reflect the pre-tax income that it would have had to earn in order to distribute the dividend) at the corporate tax rate which would have been otherwise applicable if such income had not been tax-exempted under the alternative benefits track. This rate generally ranges from 10% to 25%, depending on the level of foreign investment in the company in each year, as mentioned above. In addition, dividends paid out to Israeli shareholders of income attributed to an Approved Enterprise (or out of dividends received from a company whose income is attributed to an Approved Enterprise) are generally subject to withholding tax at source at the rate of 15% (in the case of non-Israeli shareholders, subject to the receipt in advance of a valid certificate from the Israel Tax Authority allowing for a reduced tax rate, 15% or at a lower rate as provided under an applicable tax treaty). The 15% tax rate is limited to dividends and distributions out of income derived during the benefits period and actually paid at any time up to 12 years thereafter. After this period, the withholding tax is applied at a rate of up to 30%, or at the lower rate under an applicable tax treaty (subject to the receipt in advance of a valid certificate from the Israel Tax Authority allowing for a reduced tax rate). In the case of a FIC, the 12-year limitation on reduced withholding tax on dividends does not apply.
 
The benefits available to an Approved Enterprise are subject to the continued fulfillment of conditions stipulated in the Investment Law and its regulations and the criteria in the specific certificate of approval, as described above. If a company does not meet these conditions, it would be required to refund the amount of tax benefits, adjusted to the Israeli consumer price index, and interest, or other monetary penalties.
 
Tax Benefits Subsequent to the 2005 Amendment
 
The 2005 Amendment applies to new investment programs commencing after 2004, but does not apply to investment programs approved prior to April 1, 2005. The 2005 Amendment provides that terms and benefits included in any certificate of approval that was granted before the 2005 Amendment became effective (April 1, 2005) will remain subject to the provisions of the Investment Law as in effect on the date of such approval. Pursuant to the 2005 Amendment, the Investment Center will continue to grant Approved Enterprise status to qualifying investments. The 2005 Amendment, however, limits the scope of enterprises that may be approved by the Investment Center by setting criteria for the approval of a facility as an Approved Enterprise, such as provisions generally requiring that at least 25% of the Approved Enterprise’s income be derived from exports.
 
Tax benefits are available under the 2005 Amendment to production facilities (or other eligible facilities) which are generally required to derive more than 25% of their business income from export to specific markets with a population of at least 14 million in 2012 (such export criteria will further be increased in the future by 1.4% per annum).
 
A company qualifying for tax benefits under the 2005 Amendment which pays a dividend out of income derived by its Benefited Enterprise during the tax exemption period will be subject to corporate tax in respect of the amount of the dividend distributed (grossed-up to reflect the pre-tax income that it would have had to earn in order to distribute the dividend) at the corporate tax rate which would have otherwise been applicable. Dividends paid out of income attributed to a Benefited Enterprise (or out of dividends received from a company whose income is attributed to a Benefited Enterprise) are generally subject to withholding tax at source at the rate of 15% or at a lower rate as may be provided in an applicable tax treaty (subject to the receipt in advance of a valid certificate from the Israel Tax Authority allowing for a reduced tax rate). The reduced rate of 15% is limited to dividends and distributions out of income attributed to a Beneficiary Enterprise during the benefits period and actually paid at any time up to 12 years thereafter except with respect to a FIC, in which case the 12-year limit does not apply.

61

 
The benefits available to a Benefited Enterprise are subject to the continued fulfillment of conditions stipulated in the Investment Law and its regulations. If a company does not meet these conditions, it would be required to refund the amount of tax benefits, adjusted to the Israeli consumer price index, and interest, or other monetary penalties.
 
On November 15, 2021, the Investment Law was amended to provide, on a temporary basis, a reduced corporate income tax upon the distribution or release, within a year from such amendment, of tax-exempt profits derived by Approved or Benefited Enterprises. The reduced tax rate was determined based on a formula, providing for an up to 60% reduction, as long as the corporate income tax rate was not less than 6%. In order to qualify for the reduction, the taxpayer would also have to invest certain amounts in productive assets and research and development in Israel. The Company did not elect to apply for the aforementioned temporary order.
 
In addition to the temporary amendment, the Investment Law was also amended to reduce the ability of companies to retain the tax-exempt profits while distributing dividends from previously taxed profits. Accordingly, effective August 15, 2021, dividend distributions are deemed made on a pro-rata basis from all types of earnings, including exempt profits, thus triggering additional corporate income tax. As of August 15, 2021, the Company did not distribute any dividends and does not intend to do so in the near future.
 
As of December 31, 2023, approximately $14.0 million was derived from tax exempt profits earned under the "Approved Enterprises" and "Beneficiary Enterprise." If the retained tax-exempt income is distributed, the income would be taxed at the applicable corporate tax rate as if it had not elected the alternative tax benefits under the Investment Law and an income tax liability of up to $3.4 million would be incurred as of December 31, 2023.
 
Tax Benefits under the 2011 Amendment
 
The 2011 Amendment introduced new benefits for income generated by a “Preferred Company” through its “Preferred Enterprise” (as such terms are defined in the Investment Law) as of January 1, 2011. The definition of a Preferred Company includes a company incorporated in Israel that is not wholly owned by a governmental entity, and that has, among other things, Preferred Enterprise status and is controlled and managed from Israel. Pursuant to the 2011 Amendment, a Preferred Company was entitled to a reduced corporate tax rate of 15% with respect to its preferred income derived by its Preferred Enterprise in 2011 and 2012, unless the Preferred Enterprise is located in a development zone A, in which case the rate was 10%. Such corporate tax rate was reduced from 15% and 10%, respectively, to 12.5% and 7%, respectively, in 2013, and then increased to 16% and 9%, respectively, in 2014 until 2016. Pursuant to the 2017 Amendment, in 2017 and thereafter, the corporate tax rate for Preferred Enterprise which is located in development zone A was decreased to 7.5%, while the reduced corporate tax rate for other development zones remains 16%. Income derived by a Preferred Company from a ‘Special Preferred Enterprise’ (as such term is defined in the Investment Law) could be entitled, under certain conditions and limitations, to further reduced tax rates.
 
Dividends paid to Israeli shareholders out of preferred income attributed to a Preferred Enterprise are generally subject to withholding tax at the rate of 20%, and in case of non-Israeli shareholders, such lower rate as may be provided in an applicable tax treaty (each subject to the receipt in advance of a valid certificate from the Israel Tax Authority allowing for a reduced tax rate). However, if such dividends are paid to an Israeli company, no tax is required to be withheld (although, if such dividends are subsequently distributed to individuals or a non-Israeli company, withholding tax at a rate of 20% or such lower rate as may be provided in an applicable tax treaty will apply).
 
The 2011 Amendment also provided transitional provisions to address companies already enjoying existing tax benefits under the Investment Law. These transitional provisions provide, among other things, that unless an irrevocable request is made to apply the provisions of the Investment Law as amended in 2011 with respect to income to be derived as of January 1, 2011: (i) the terms and benefits included in any certificate of approval that was granted to an Approved Enterprise which chose to receive grants before the 2011 Amendment became effective will remain subject to the provisions of the Investment Law as in effect on the date of such approval, and subject to certain other conditions; (ii) the terms and benefits included in any certificate of approval that was granted to an Approved Enterprise which had participated in an alternative benefits track before the 2011 Amendment became effective will remain subject to the provisions of the Investment Law as in effect on the date of such approval, provided that certain conditions are met; and (iii) a Benefited Enterprise can elect to continue to benefit from the benefits provided to it before the 2011 Amendment became effective, provided that certain conditions are met.

62

 
From time to time, the Israeli Government has discussed reducing the benefits available to companies under the Investment Law. The termination or substantial reduction of any of the benefits available under the Investment Law could materially increase our tax liabilities.
 
We applied the new benefits under the 2011 Amendment instead of the benefits provided to our Approved Enterprise and Benefited Enterprise as of 2013 tax year onwards through 2016 tax year.
 
Tax Benefits under the 2017 Amendment
 
The 2017 Amendment was enacted as part of the Economic Efficiency Law that was published on December 29, 2016, and is effective as of January 1, 2017. The 2017 Amendment provides new tax benefits for two types of “Technology Enterprises,” as described below, and is in addition to the other existing tax beneficial programs under the Investment Law.
 
The 2017 Amendment provides that a technology company satisfying certain conditions will qualify as a “Preferred Technology Enterprise” (PTE) and will thereby enjoy a reduced corporate tax rate of 12% on income that qualifies as PTE which is generally generated by “Benefited Intangible Assets,” as defined in the Investment Law. The tax rate is further reduced to 7.5% for a PTE and/or for its segment located in development Zone A. In addition, a PTE will enjoy a reduced corporate tax rate of 12% on capital gain derived from the sale of certain “Benefitted Intangible Assets” (as defined in the Investment Law) to a related foreign company if the Benefitted Intangible Assets were acquired from a foreign company on or after January 1, 2017 for at least NIS 200 million, and the sale receives prior approval from the National Authority for Technological Innovation (NATI).
 
The 2017 Amendment further provides that a technology company satisfying certain conditions will qualify as a “Special Preferred Technology Enterprise” and will thereby enjoy a reduced corporate tax rate of 6% on “Preferred Technology Income” regardless of the company’s geographic location within Israel. In addition, a Special Preferred Technology Enterprise will enjoy a reduced corporate tax rate of 6% on capital gain derived from the sale of certain “Benefitted Intangible Assets” to a related foreign company if the Benefitted Intangible Assets were either developed by the Special Preferred Technology Enterprise or acquired from a foreign company on or after January 1, 2017, and the sale received prior approval from NATI. A Special Preferred Technology Enterprise that acquires Benefitted Intangible Assets from a foreign company for more than NIS 500 million will be eligible for these benefits for at least 10 years, subject to certain approvals as specified in the Investment Law.
 
Dividends distributed to Israeli shareholders by a PTE or a Special Preferred Technology Enterprise, paid out of Preferred Technology Income, are generally subject to withholding tax at source at the rate of 20%, and in the case of non-Israeli shareholders, such lower rate as may be provided in an applicable tax treaty (each subject to the receipt in advance of a valid certificate from the Israel Tax Authority allowing for such reduced tax rate). However, if such dividends are paid to an Israeli company, no tax is required to be withheld. If such dividends are distributed to a foreign company that holds alone or together with other foreign companies 90% or more in the Israeli company and other conditions are met, the withholding tax rate will be 4%.
 
We have obtained a comprehensive tax ruling confirming, among others, that we generally qualify as a PTE since 2017 onwards and this status was acknowledged by the Israeli Tax Authority in corporate tax audit assessment agreements reached in 2021 and in 2022.
 
Recently Adopted and Issued Accounting Pronouncements
See Note 2(ac) and Note 2(ad) to our consolidated financial statements included elsewhere in this annual report for information regarding recent accounting standards adopted and issued.
 
63

 
ITEM 6.               DIRECTORS, SENIOR MANAGEMENT AND EMPLOYEES
 

A.
Directors and Senior Management
 
The following table sets forth the name, age and position of each member of our senior management as of March 13, 2024:
                                                                    
Name       Age
Position
Senior Management
   
Ehud (Udi) Mokady (4)          
55
Executive Chairman of the Board and Founder
Matthew Cohen          
48
Chief Executive Officer and Director
Joshua Siegel          
60
Chief Financial Officer
Eduarda Camacho
52
Chief Operating Officer
Donna Rahav          
45
Chief Legal Officer
Omer Grossman          
44
Chief Information Officer
Peretz Regev          
45
Chief Product Officer
     
Directors
   
Gadi Tirosh (1)(3)(4)(5)          
57
Lead Independent Director
Ron Gutler (1)(2)(4)(5)          
66
Director
Kim Perdikou (1)(2)(3)(4)(5)
66
Director
Amnon Shoshani (3)(5)          
60
Director
François Auque (2)(5)          
67
Director
Avril England (4)(5)
55
Director
Mary Yang (5)
55
Director
 
(1)
Member of our compensation committee.
 
(2)
Member of our audit committee.
 
(3)
Member of our nominating, environmental, sustainability and governance committee.
 
(4)
Member of our strategy committee.
 
(5)
Independent director under the rules of Nasdaq.
 
64


Senior Management
 
Ehud (Udi) Mokady is one of our founders and has served as our chairman of the board since June 2016 and became Executive Chairman of the board in April 2023. He has also served as a member of our board since November 2004. Mr. Mokady previously served as our Chief Executive Officer from 2005 to April 2023, President from 2005 to 2016 and as our Chief Operating Officer from 1999 to 2005. Mr. Mokady has served as a member of the Board of Directors of SQream Technologies Ltd since April 2023 and of Cheq AI Technologies since December 2023. He has served as a member of the Board of Advisors of Brandeis International Business School since September 2019. Mr. Mokady served as a member of the board of directors of Demisto, Inc. commencing in January 2018 until its acquisition by Palo Alto Networks, Inc. in March 2019. From 1997 to 1999, Mr. Mokady served as general counsel at Tadiran Spectralink Ltd., a producer of secure wireless communication systems. From 1986 to 1989, Mr. Mokady served in a military intelligence unit in the Israel Defense Forces. Mr. Mokady was honored by a panel of independent judges with the New England EY Entrepreneur of The Year™ 2014 Award in the Technology Security category. Mr. Mokady holds a Bachelor of Laws (LL.B.) from Hebrew University in Jerusalem, Israel and a Master of Science Management (MSM) from Boston University in Massachusetts.
 
Matthew Cohen has served as our Chief Executive Officer since April 2023. He previously served as our Chief Operating Officer since December 2020 after he served as our Chief Revenue Officer since December 2019. Prior to joining CyberArk, Mr. Cohen held several leadership positions in PTC Inc. (Nasdaq: PTC). His most recent position was Executive Vice President of Field Operations, from February 2018 to November 2019, where he led the GTM strategy and all Sales, Commercial Marketing, Customer Success, Services, and Partner functions. Prior to that he was Executive Vice President, Customer Success and Partners from July 2016 to February 2018, Executive Vice President, Global Services from April 2014 through July 2016, and Divisional Vice President, Global Services from October 2013 to March 2014. Before that, Mr. Cohen held various positions in the company’s Global Services group. Mr. Cohen holds a Bachelor of Arts in Psychology from Harvard University.
 
Joshua Siegel has served as our Chief Financial Officer since May 2011. Prior to joining CyberArk, Mr. Siegel served as Chief Financial Officer for Voltaire Ltd., a provider of InfiniBand and Ethernet connectivity solutions, from December 2005 to February 2011, and as Director of Finance and then Vice President of Finance from April 2002 to December 2005. Voltaire completed an initial public offering and listing on Nasdaq in 2007 and was acquired by Mellanox Technologies, Ltd. in 2011. From 2000 to 2002, he was Vice President of Finance at KereniX Networks Ltd., a terabit routing and transport system company. From 1995 to 2000, Mr. Siegel served in various positions at Lucent Technologies Networks Ltd. (formerly Lannet Ltd.). From 1990 to 1995, he served in various positions at SLM Corporation (Sallie Mae—Student Loan Marketing Association). Mr. Siegel holds a Bachelor of Arts in economics and an MBA with a concentration in finance from the University of Michigan in Ann Arbor.
 
Donna Rahav has served as our Chief Legal Officer since December 2021. She previously served as our General Counsel and Compliance Officer since March 2014 and as Corporate Secretary from April 2014 until December 2019. Prior to joining CyberArk, Ms. Rahav served as Deputy General Counsel at Allot Communications Ltd. (Nasdaq and TASE: ALLT) from 2011 to 2014 and as legal counsel at Alvarion Ltd. (Nasdaq and TASE: ALVR) 2009 to 2011 and MediaMind Technologies, Inc. (formerly Eyeblaster, Inc.; Nasdaq: MDMD) from 2008 to 2009. Prior to that, from 2005 to 2006 she was an associate at an Israeli law firm specializing in technology transactions. Ms. Rahav holds a Bachelor of Laws (LL.B.) from Tel Aviv University in Israel, and a Master of Laws (LL.M.) from Tel Aviv University in collaboration with University of California, Berkeley, an executive program focused on corporate and commercial law.
 
Peretz Regev has served as our Chief Product Officer since September 2022. Prior to joining CyberArk, Mr. Regev served as Vice President of Global Data Science and Engineering at PayPal Holdings Inc. (Nasdaq: PYPL) from January 2015 to September 2022 and served as the General Manager of PayPal Israel from May 2017 to September 2022. Mr. Regev also held several leadership positions at Hewlett-Packard Company (now HP Inc.) (NYSE: HPQ), from January 2005 to December 2014, guiding the SaaS products and Big Data Analytics teams. Before that, Mr. Regev served in various positions at Mercury Interactive, an Israeli software company that was acquired by Hewlett Packard. Mr. Regev holds a BSc in Computer Sciences from Reichman University in Israel and MBA from the College of Management Academic Studies in Israel.
 
Omer Grossman has served as our Chief Information Officer since December 2022. Prior to joining CyberArk, Mr. Grossman served as the Head of the Israel Defense Forces’ (IDF) Cyber Defense Operations Center between July 2022 and July 2023, and as Head of the Center for Computing and Information Systems (Mamram), the central Cloud Service Provider of the IDF between June 2018 and June 2020. Mr. Grossman holds a Bachelor of Science degree in physics and electrical engineering from Tel Aviv University and a Master of Science in Government Information Leadership from the National Defense University, College of Information and Cyberspace in Washington D.C.
 
Eduarda Camacho has served as our Chief Operating Officer since January 2024. Prior to joining CyberArk, Ms. Camacho served as Chief Customer Officer at BMC Software from August 2021 to January 2024 and as Senior Vice President of Customer Success from August 2021 to December 2023. Before that Ms. Camacho served in various leadership positions in PTC Inc. (Nasdaq: PTC), including Executive Vice President and Chief Customer Officer from December 2019 to July 2021, Divisional Vice President, Customer Success from April 2018 to November 2019, Senior Vice President, Customer Success from December 2017 to March 2018, and Senior Vice President, Global Services from July 2016 to November 2017. Ms. Camacho holds a certificate from Harvard Business School Executive Education and attended Communication Science at Universidade Nova de Lisboa.

65

 
Directors
 
Gadi Tirosh has served as a member of our board of directors since June 2011, as chairman of the board between July 2013 and June 2016 and as lead independent director since June 2016. Since 2020, Mr. Tirosh has served as Venture Partner at DisruptiveAI, an Israeli venture capital firm that focuses on innovative artificial intelligence companies. From 2018 to 2020, Mr. Tirosh served as Venture Partner at Jerusalem Venture Partners, an Israeli venture capital firm that focuses, among other things, on cybersecurity companies and operates the JVP Cyber Labs incubator. From 2005 to 2018, he served as Managing Partner at Jerusalem Venture Partners. From 1999 to 2005, he served as Corporate Vice President of Product Marketing and as a member of the executive committee for NDS Group Ltd. (Nasdaq: NNDS), later acquired by Cisco Systems, Inc. a provider of end-to-end software solutions to the pay-television industry, including content protection and video security. Mr. Tirosh holds a Bachelor of Science in computer science and mathematics and an Executive MBA from the Hebrew University in Jerusalem, Israel.
 
Ron Gutler has served as a member of our board of directors since July 2014 and served as an external director under the Companies Law between July 2014 and May 2016. Mr. Gutler is currently a director of Wix.com Ltd. (Nasdaq: WIX), Fiverr International Ltd. (NYSE: FVRR) and WalkMe Ltd. (Nasdaq: WKME). Between November 2009 and December 2020. Mr. Gutler served as a director of Psagot Investment House and between November 2007 and December 2020, he served as a director of Psagot Securities. Between June 2018 and November 2019, Mr. Gutler served as the Chairman of the Board of Psagot Market Making. Between 2014 and 2019 Mr. Gutler served as a director of Hapoalim Securities USA (HSU). Between August 2012 and January 2018, Mr. Gutler served as chairman of the board of the College of Management Academic Studies in Israel. Between May 2002 and February 2013, Mr. Gutler served as the Chairman of NICE Systems Ltd., a public company specializing in voice recording, data security, and surveillance. Between 2000 and 2011, Mr. Gutler served as the Chairman of G.J.E. 121 Promoting Investments Ltd., a real estate company. Between 2000 and 2002, Mr. Gutler managed the Blue Border Horizon Fund, a global macro fund. Mr. Gutler is a former Managing Director and a Partner of Bankers Trust Company, which is currently part of Deutsche Bank. He also established and headed the Israeli office of Bankers Trust Company. Mr. Gutler holds a Bachelor of Arts in economics and international relations and an MBA, both from the Hebrew University in Jerusalem, Israel.
 
Kim Perdikou has served as a member of our board of directors since July 2014 and served as an external director under the Companies Law between July 2014 and May 2016. Ms. Perdikou has served as Chairman of The AtSignCompany, a private startup Internet Protocol company, from December 2019. Ms. Perdikou serves on the Supervisory Board of Alter Domus, a Financial Services Company based in Luxembourg, since January 2021. Ms. Perdikou serves on the board of directors, of Nasuni Corporation, a private hybrid cloud file storage company since December 2022. From 2010 to August 2013, Ms. Perdikou served as the Executive Vice President for the Office of the Chief Executive Officer at Juniper Networks, Inc. Before that she served as the Executive Vice President and General Manager of Infrastructure Products Group and as Chief Information Officer at Juniper Networks, Inc. from 2006 to 2010 and from August 2000 to January 2006, respectively. Ms. Perdikou served in leadership positions at Women.com, Readers Digest, Knight Ridder, and Dun & Bradstreet. Ms. Perdikou holds a Bachelor of Science degree in computing science with operational research from Paisley University (now the West of Scotland University) in Paisley, Scotland, a Post-Graduate degree in education from Jordanhill College in Glasgow, Scotland and a Master of Science in information systems from Pace University in New York, United States.
 
66


Amnon Shoshani has served as a member of our board of directors since November 2009. Since February 1995, Mr. Shoshani has served as the Founder and Managing Partner of Cabaret Holdings Ltd. and, since March 1999, he has also served as Managing Partner of Cabaret Security Ltd., CyberArk’s founding investor and Cabaret and ArbaOne Inc. ventures activities where he had a lead role in managing the group’s portfolio companies. Since 2018, Mr. Shoshani has served as the President and Chairman of the Board of Smartech, a portfolio company of Cabaret and ArbaOne, that provides game changing technologies to the industrial world. Between 2005 and 2018, he served as CEO and Chairman of the Board of Smartech. From 1994 to April 2005, Mr. Shoshani owned a Tel Aviv boutique law firm engaged in entrepreneurship, traditional industries and high tech, which he founded. Mr. Shoshani holds a Bachelor of Law (LL.B.) from Tel Aviv University in Israel.
 
François Auque has served as a member of our board of directors since February 2019. Mr. Auque serves as the deputy chairman of the board of directors and chairman of the Audit and Risk Committee of Rexel SA from May 2019, after being an observer on the board from October 2018. Mr. Auque is a partner at InfraVia Capital Partners, a Private Equity firm based in Paris. Mr. Auque served as the General Partner and Chairman of the Investment Committee of Airbus Ventures, the venture capital arm of Airbus between 2016 and 2018. From 2000 to 2016, Mr. Auque headed the Airbus space division as a member of Airbus Group’s Executive Committee. Between 1991 and 2000, Mr. Auque served as Chief Financial Officer of Aerospatiale (then Aerospatiale-Matra), one of the three founding firms of the European Aeronautic Defense and Space Company (EADS), Europe’s largest aerospace company (currently Airbus). Mr. Auque holds a Master’s in Finance from Ecole des Hautes Etudes Commercials in Paris, France, a Bachelor of Arts in Public Administration from the Paris Institute of Political Studies in Paris, France, and is a graduate in economics from Ecole Nationale d’Administration in Paris, France.
 
Avril England has served as a member of our board of directors since March 2021. Since September 2013, Ms. England has served as part of the product leadership of Veeva Systems Inc. (NYSE: VEEV), as the General Manager of Veeva Vault, a fast-growing cloud software platform and suite of applications. Ms. England holds a Bachelor of Commerce degree from Queen’s University in Ontario, Canada, and has received numerous professional and academic awards.
 
Mary Yang has served as a member of our board of directors since November 2023. Ms. Yang serves as a director and audit committee member of Sunnova Energy International Inc. (NYSE:NOVA) since October 2021. Ms. Yang served as Senior Vice President and Chief Strategy Officer of Ciena Corporation (NYSE:CIEN) between 2020 and 2022. Between 2016 and 2020, she served as Vice President, Business and Corporate Development for NIO Inc. (NYSE: NIO). She served as Vice President, Corporate Development and Strategic Alliances for Fortinet Inc. (Nasdaq: FTNT) between 2014 and 2016, and as Global Head of Security Corporate Development for Cisco Systems Inc. (Nasdaq: CSCO) between 2011 and 2014 and as Global Business Development between 2008-2011. Ms. Yang holds a Juris Doctorate from Stanford Law School and several academic degrees from Stanford University, including a Master of Business Administration, a Master of Science in Management Science and Engineering and a Bachelor of Arts in Quantitative Economics.
 

B.
Compensation
 
Compensation of Directors and Senior Management
 
The aggregate compensation expensed, including share-based compensation and other compensation expensed by us and our subsidiaries, with respect to the year ended December 31, 2023, to our directors and senior management that served at any time during the year ended December 31, 2023 was $31.8 million. This amount includes approximately $0.9 million set aside or accrued to provide pension, severance, retirement, or similar benefits.

67

 
During the year ended December 31, 2023, our directors and senior management were granted 184,500 restricted share units, some of which were subject to performance criteria, under our 2014 Share Incentive Plan.
 
The table below sets forth the compensation earned by our five most highly compensated office holders (as defined in the Companies Law and described under “Board Practices— Disclosure of Compensation of Senior Management” below) during or with respect to the year ended December 31, 2023. We refer to the five individuals for whom disclosure is provided herein as our “Covered Executives.” For purposes of the table and the summary below, “compensation” includes base salary, bonuses, equity-based compensation, retirement or termination payments, and any benefits or perquisites such as car, phone and social benefits, as well as any undertaking to provide such compensation in the future.
 
Summary Compensation Table

   
Information Regarding the Covered Executive (1)
 
Name and Principal Position (2)
 
Base
Salary
   
Benefits and
Perquisites
(3)
   
Variable
Compensation
(4)
   
Equity-Based
Compensation
(5)
 
       
Ehud (Udi) Mokady, Executive Chairman of the Board and Founder          
 
$
311,500
   
$
373,322
   
$
271,005
   
$
8,656,640
 
Matthew Cohen, Chief Executive Officer          
   
445,000
     
127,702
     
387,150
     
6,954,122
 
Joshua Siegel, Chief Financial Officer          
   
380,933
     
84,635
     
261,000
     
5,261,586
 
Chen Bitan, Chief Cyber Transformation Officer and General Manager Israel          
   
333,086
     
-
     
121,800
     
2,406,501
 
Clarence Hinton, Chief Strategy Officer          
   
355,000
     
71,416
     
165,300
     
2,106,166
 
 
(1)
In accordance with Israeli law, all amounts reported in the table are in terms of cost to our Company, as recorded in our financial statements for the year ended December 31, 2023.
 
(2)
Other than our Executive Chairman of the Board, all current officers listed in the table are full-time employees. Cash compensation amounts denominated in currencies other than the U.S. dollar were converted into U.S. dollars at the average conversion rate for the year ended December 31, 2023.
 
(3)
Amounts reported in this column include benefits and perquisites, including those mandated by applicable law. Such benefits and perquisites may include, to the extent applicable to each executive, payments, contributions and/or allocations for savings funds, pension, severance, vacation, car or car allowance, medical insurances and benefits, risk insurances (such as life, disability and accident insurances), convalescence pay, payments for Medicare and social security, tax gross-up payments and other benefits and perquisites consistent with our guidelines, regardless of whether such amounts have actually been paid to the executive.
 
(4)
Amounts reported in this column refer to Variable Compensation, such as incentives and earned or paid bonuses as recorded in our financial statements for the year ended December 31, 2023.
 
(5)
Amounts reported in this column represent the expense recorded in our financial statements for the year ended December 31, 2023 with respect to equity-based compensation, reflecting also equity awards made in previous years which have vested during the current year. Assumptions and key variables used in the calculation of such amounts are described in Note 12 to our audited consolidated financial statements, which are included in this annual report.
 
68


CEO Equity Plan
 
In June 2023, the Company’s shareholders approved a multi-year CEO Equity Plan, which included an equity grant to the CEO in respect of 2023 and authorized the compensation committee and Board to approve CEO equity grants between 2024 and 2027 under the terms of such plan.

Accordingly, the CEO was awarded the following equity grants:

   
RSUs
Business PSUs
Relative TSR PSUs
2023
Percentage
50%
30%
20%
Amount
29,100
17,460
11,640
2024
Percentage
50%
30%
20%
Amount
24,000
14,400
9,600
 
The performance targets for the 2024 business PSUs are annual recurring revenue and non-GAAP operating income margin, both of which are viewed as key factors in our long-term success.
 
2023 Executive Chairman Equity Grant
 
In June 2023, the Company’s shareholders approved an equity grant to the Executive Chairman of the Board in respect of 2023. Accordingly, he was awarded the following equity grants:

 
RSUs
Business PSUs
Relative TSR PSUs
Percentage
50%
30%
20%
Amount
21,300
12,780
8,520
 
Executive Chairman of the Board and CEO PSU performance
 
In February 2024, the compensation committee certified the Company’s performance of our 2023 business PSUs performance criteria and the applicable number of PSUs earned, demonstrating our track record of paying for performance and linking the executives’ achievement rate of the performance criteria as follows:
 
Year of Grant
Performance Targets
Performance Criteria Achievement Rate (Weighted Average)
Earning Rate
2023 Business PSUs
•    Annual recurring revenue
•    Operating Margin
181.3%
159%
 
Business PSUs are earned based on a one-year performance period and are subject to further time-based vesting.
 
In 2021, the Executive Chairman of the Board and the CEO (in their capacity as CEO and Chief Operating Officer (“COO”), respectively), were awarded relative total shareholder return PSUs (“rTSR PSUs”) that are earned based on our total shareholder return relative to the S&P Software & Services Select Industry index over a three-year period. In February 2024, the compensation committee certified the Company’s performance of the 2021 rTSR PSUs performance criteria, as follows:
 
Year of Grant
Percentile Rate
Earning Rate
2021
89.74%
200.0%
 
The compensation committee have further certified the earning of the underlying 2023 and 2021 PSUs, as follows:
 
   
Number of PSUs Granted
(on Target)
Number of PSUs Earned
2023 Business PSUs
Executive Chairman
12,780
20,370
CEO
17,460
27,820
2021 rTSR PSUs
Executive Chairman
12,650
25,300
CEO
2,540
5,080
 
The Executive Chairman of the Board and the CEO were also awarded rTSR PSUs in 2022 and 2023 in their previous capacity as the CEO and COO, respectively, that have not been earned to date, as their performance periods have not yet been completed.

69

 
Employment Agreements with Executive Officers
 
We have entered into written employment agreements with all our executive officers. Most of these agreements contain provisions regarding non-competition and all these agreements contain provisions regarding confidentiality of information and ownership of inventions. The non-competition provision applies for a period that is generally 12 months following termination of employment, subject to applicable law. The enforceability of covenants not to compete in Israel and the United States is subject to limitations. In addition, we are required to provide two to six months’ notice prior to terminating the employment of our executive officers, other than in the case of a termination for cause.
 
Directors’ Service Contracts
 
Other than with respect to Ehud (Udi) Mokady, our Executive Chairman of the Board and Matthew Cohen, our Chief Executive Officer, there are no arrangements or understandings between us, on the one hand, and any of our directors, on the other hand, providing for benefits upon termination of their service as directors of our Company, except that directors are permitted to exercise vested options for one year following the termination of their service. Each of our non-executive directors is entitled to a fixed annual fee and predetermined dollar values of initial and recurring annual equity grants of RSUs.

Equity Incentive Plans
 
2014 Share Incentive Plan
The 2014 Share Incentive Plan (the “2014 SIP”) was adopted by our board of directors and became effective on June 10, 2014. The 2014 SIP was approved by our shareholders on July 10, 2014. The 2014 SIP provides for the grant of options, restricted shares, restricted share units and other share-based awards to our employees, directors, officers, consultants, advisors and any other person providing services to us or our affiliates, under varying tax regimes. The maximum aggregate number of shares that may be issued pursuant to awards under this 2014 SIP is the sum of (a) 422,000 shares plus (b) an increase of 1,220,054 shares as of January 1, 2015 plus (c) on January 1 of each calendar year commencing in 2016, a number of shares equal to the lesser of: (i) an amount determined by our board of directors, if so determined prior to the January 1 of the calendar year in which the increase will occur, (ii) 4% of the total number of shares outstanding on December 31 of the immediately preceding calendar year, and (iii) 4,000,000 shares. Additionally, any share underlying an award that is cancelled or terminated or forfeited for any reason without having been exercised will automatically be available for grant under the 2014 SIP. As of December 31, 2023, 2,884,124 ordinary shares underlying share-based awards were outstanding under the 2014 SIP and 1,261,627 ordinary shares were reserved for future grant under the 2014 SIP. On January 1, 2024, the aggregate number of ordinary shares reserved for issuance under the 2014 SIP was increased by 1,480,000 shares. Either our board, or a committee established by our board, administers the 2014 SIP, and the board may, at any time, suspend, terminate, modify, or amend the 2014 SIP retroactively or prospectively.

The board or the committee may grant awards intended to qualify as an incentive stock option, non-qualified stock option, Israeli Income Tax Ordinance Section 102 award, Section 3(9) award, or other designations under other regimes. Other than with respect to incentive stock options, governed by the specific exercise price provisions of the 2014 SIP, the exercise price of any award will be determined by the committee or the board (as applicable). Unless otherwise stated in the applicable award agreement, option awards under the 2014 SIP expire 10 years after their grant date. Upon termination of the employment or service of a grantee, any unvested awards will be forfeited on the termination date. Upon termination by reason of death, disability, or retirement, all of the grantee’s vested awards may be exercised at any time within one year after such death or disability or within three months following retirement. Upon termination for “cause” (as defined in the 2014 SIP), all awards granted to such grantee (whether vested or not) will be forfeited on the termination date. Upon termination for any other reason all vested and exercisable awards at the time of termination may, unless earlier terminated in accordance with their terms, be exercised within up to three months after the termination date (or such different period as the committee will prescribe).
 
The committee and the board may grant restricted shares under the 2014 SIP. If a grantee’s employment or service to the Company or any affiliate thereof terminates for any reason prior to the vesting of such grantee’s restricted shares, any unvested shares will be forfeited by such grantee. The committee and the board may also grant restricted share units, performance share units, and other awards under the 2014 SIP, including shares, cash, cash and shares, other share units, and share appreciation rights.

70

 
In order to comply with the provisions of Section 102, all awards to Israeli grantees must be held in trust for the benefit of the relevant grantee for the requisite period prescribed by the Ordinance.
 
Upon a “Change in Control” event (as defined in the 2014 SIP), any award then outstanding will be assumed or substituted by us or the successor corporation or by any affiliate thereof, as determined by the committee. Regardless of whether or not awards are assumed or substituted, the committee may: (1) provide for grantees to have the right to exercise their awards or otherwise for the accelerated vesting of the unvested underlying shares, under such terms as the committee will determine, including the cancellation of all unexercised awards (whether vested or unvested) upon or immediately prior to the closing of the Change in Control; and/or (2) provide for the cancellation of each outstanding and unexercised award at or immediately prior to the closing of the Change in Control, and payment to the grantees of an amount in cash or in shares of the acquirer or of a corporation or other business entity which is a party to the Change in Control, or in other property, as determined by the committee to be fair in the circumstances, and subject to such terms and conditions as determined by the committee.

Awards under the 2014 SIP are not transferable other than by will or by the laws of descent and distribution or to a grantee’s designated beneficiary, unless, in the case of awards other than incentive stock options, otherwise determined by our committee or under the 2014 SIP. Awards may be granted from time to time pursuant to the 2014 SIP, within a period of 10 years from the effective date of the 2014 SIP, which period may be extended by our board.

2011 Share Incentive Plan
 
The 2011 Share Incentive Plan (the “2011 SIP”), was adopted by our board of directors and became effective on July 14, 2011. The 2011 SIP was approved by our shareholders on December 20, 2011. Any share underlying an award that is cancelled or terminated or forfeited for any reason without having been exercised will automatically be available for grant under the 2014 SIP. As of December 31, 2023, 650 options to purchase ordinary shares remained outstanding under the 2011 SIP. No new awards may be granted under the 2011 SIP.
 
The 2011 SIP is administered by our board or a committee established by our board. Option awards to purchase our ordinary shares that were granted under the 2011 SIP are designated in the applicable award agreement as an incentive stock option, non-qualified stock option, Section 102 award (with such designation to include the relevant tax track), Section 3(i) award, or other designations under other regimes. All awards granted under the 2011 SIP have vested. Upon termination by reason of death, disability or retirement, all of the grantee’s vested options may be exercised at any time within one year after such death or disability or within three months following retirement. Upon termination for cause (as defined in the 2011 SIP), all options granted to such grantee are forfeited on the termination date. Upon termination for any other reason all vested and exercisable options at the time of termination may, unless earlier terminated in accordance with their terms, be exercised within up to 90 days after the termination date.
 
In the event of certain merger or sale events (as specified in the 2011 SIP), any award then outstanding will be assumed or an equivalent award will be substituted by such successor corporation under substantially the same terms as such award. If such awards are not assumed or substituted by an equivalent award, then the committee may (i) provide for grantees to have the right to exercise their awards under such terms and conditions as the committee will determine; and/or (ii) provide for the cancellation of each outstanding award at the closing of such transaction, and payment to the grantees of an amount in cash as determined by the committee to be fair in the circumstances, and subject to such terms and conditions as determined by the committee.
 
Awards under the 2011 SIP are not transferable other than by will or by the laws of descent and distribution, unless otherwise determined by the board or under the 2011 SIP, and generally expire 10 years following the grant date. The 2011 SIP will terminate on the tenth anniversary of the effective date, other than with respect to those awards outstanding under the 2011 SIP at the time of termination.
 
2020 Employee Share Purchase Plan
 
On January 1, 2021, our ESPP, became effective. The ESPP enables our eligible employees and eligible employees of our designated subsidiaries to elect to have payroll deductions made during the offering period in an amount not exceeding 15% of the gross base compensation which the employees receive. The aggregate number of ordinary shares reserved for issuance under the ESPP, as of January 1, was 125,000 shares (the “ESPP Share Pool”). On January 1 of each year between 2022 and 2026 the ESPP Share Pool will be increased by a number of ordinary shares equal to the lowest of (i) 1,000,000 shares, (ii) 1% of our outstanding shares on December 31 of the immediately preceding calendar year, and (iii) a lesser number of shares determined by our board of directors. As of December 31, 2023, 88,002 ordinary shares were reserved for issuance under the ESPP. On January 1, 2024, the aggregate number of ordinary shares reserved for issuance under the ESPP was increased by 150,000 shares.

71

 
The ESPP is administered by our board of directors or by a committee designated by the board of directors. Subject to those rights which are reserved to the board of directors, or which require shareholder approval under Israeli law, our board of directors has designated the compensation committee to administer the ESPP. Eligible employees become participants in the ESPP by enrolling and authorizing payroll deductions by the deadline established by the plan administrator prior to the relevant enrollment date. We expect that on the first trading day of each purchase period, each participant will automatically be granted an option to purchase our ordinary shares on the exercise date of such purchase period. The applicable purchase price will be no less than 85% of the lesser of the fair market value of our ordinary shares on the first day or the last day of the purchase period. The maximum number of ordinary shares that may be purchased under the ESPP in any offer period, per participant, is 10,000. Participant payroll deductions will be used to purchase shares on the last day of each purchase period. The plan administrator may amend, suspend or terminate the ESPP at any time. However, shareholder approval must be obtained for any amendment to the ESPP that increases the aggregate number of shares, changes the type of shares that may be sold pursuant to rights under the ESPP or changes the corporations or classes of corporations whose employees are eligible to participate in the ESPP.
 

C.
Board Practices
 
Board of Directors
 
Under the Companies Law, our business and affairs are managed under the direction of our board of directors. Our board of directors may exercise all powers and may take all actions that are not specifically granted to our shareholders or to management. Our executive officers are responsible for our day-to-day management and have individual responsibilities established by our board of directors. Our Chief Executive Officer is appointed by, and serves at the discretion of, our board of directors, subject to the employment agreement that we have entered into with him. All other executive officers are also appointed by our board of directors and are subject to the terms of any applicable employment agreements that we may enter into with them.
 
We comply with the Nasdaq rule that requires a majority of our directors to be independent as defined under Nasdaq corporate governance rules. Our board of directors has determined that all of our directors, other than our Executive Chairman of the Board and our Chief Executive Officer, are independent under such rules. Under our articles of association, our directors serve for a period of three years pursuant to the staggered board provisions of our articles of association. Under our articles of association, our board of directors must consist of at least four and not more than nine directors. Our board of directors currently consists of nine directors.
 
Pursuant to our articles of association, our directors are divided into three classes with staggered three-year terms. Each class of directors consists, as nearly as possible, of one-third of the total number of directors constituting the entire board of directors. At each annual general meeting of our shareholders, the election or re-election of directors following the expiration of the term of office of the directors of that class of directors is for a term of office that expires on the third annual general meeting following such election or re-election, such that at each annual general meeting, the term of office of only one class of directors will expire. Each director will hold office until the annual general meeting of our shareholders in which his or her term expires, unless he or she is removed by a vote of 65% of the total voting power of our shareholders at a general meeting of our shareholders or upon the occurrence of certain events, in accordance with the Companies Law and our articles of association.
 
As of the date hereof, our directors are divided among the three classes as follows:
 
(i) the Class I directors are Matthew Cohen, Mary Yang and François Auque, and their term expires at the annual general meeting of shareholders to be held in 2024 at the time their successors are elected and qualified;
 
(ii) the Class II directors are Gadi Tirosh, Amnon Shoshani and Avril England, and their term expires at the annual general meeting of shareholders to be held in 2025 at the time their successors are elected and qualified; and
 
(iii) the Class III directors are Ehud (Udi) Mokady, Ron Gutler and Kim Perdikou, and their term expires at the annual general meeting of shareholders to be held in 2026 at the time their successors are elected and qualified.

72

 
In addition, our articles of association allow our board of directors to appoint directors, create new directorships, or fill vacancies on our board of directors up to the maximum number of directors permitted under our articles of association. In case of an appointment by our board of directors to fill a vacancy on our board of directors due to a director no longer serving, the term of office shall be equal to the remaining period of the term of office of the director(s) whose office(s) have been vacated, and in the case of a new appointment where the number of directors serving is less than the maximum number stated in our articles of association, our board of directors shall determine at the time of appointment the class to which the new director shall be assigned.
 
Under the Companies Law and our articles of association, nominations for directors may be made by any shareholder(s) holding together at least 1% of our outstanding voting power. However, any such shareholder may make such a nomination only if a written notice of such shareholder’s intent to make such nomination has been timely and duly given to our Secretary (or, if we have no Secretary, our Chief Executive Officer), as set forth in our articles of association. Any such notice must include certain information regarding the proposing shareholder and the proposed director nominee, the consent of the proposed director nominee(s) to serve as our director(s) if elected, and a declaration signed by the proposed director nominee(s) as required by the Companies Law and that all of the information that is required to be provided to us in connection with such election under the Companies Law and under our articles of association has been provided.
 
Under the Companies Law, our board of directors must determine the minimum number of directors who are required to have accounting and financial expertise. A director with accounting and financial expertise is a director who, due to education, experience and skills, possesses an expertise in, and an understanding of, financial and accounting matters and financial statements, such that he or she is able to understand the financial statements of the company and initiate a discussion about the presentation of financial data.
 
In determining the number of directors required to have such expertise, a board of directors must consider, among other things, the type and size of the company and the scope and complexity of its operations. Our board of directors has determined that the minimum number of directors of our Company who are required to have accounting and financial expertise is one.
 
External Directors
 
Under the Companies Law, companies incorporated under the laws of the State of Israel that are public companies, including companies with shares listed on Nasdaq, are required to appoint at least two external directors.
 
Pursuant to regulations enacted under the Companies Law, the board of directors of a public company whose shares are listed on certain non-Israeli stock exchanges, including Nasdaq, that do not have a controlling shareholder (as such term is defined in the Companies Law), may, subject to certain conditions, elect to “opt-out” of the requirements of the Companies Law regarding the election of external directors and to the composition of the audit committee and compensation committee, provided that the company complies with the requirements as to director independence and audit committee and compensation committee composition applicable to companies that are incorporated in the jurisdiction in which its stock exchange is located. In May 2016, our board of directors elected to opt-out of the Companies Law requirements to appoint external directors and related Companies Law rules concerning the composition of the audit committee and compensation committee.
 
The foregoing exemptions will continue to be available to us so long as: (i) we do not have a “controlling shareholder” (as such term is defined under the Companies Law), (ii) our shares are traded on a U.S. stock exchange, including Nasdaq, and (iii) we comply with Nasdaq listing rules applicable to domestic U.S. companies. If, in the future, we were to have a controlling shareholder, we would again be required to comply with the requirements relating to external directors and composition of the audit committee and compensation committee.
 
Under the Securities Law 1968-5728 (the “Securities Law”) and the Companies Law, the term “controlling shareholder” means a shareholder with the ability to direct the activities of the company, other than by virtue of being an office holder. A shareholder is presumed to be a controlling shareholder if the shareholder holds 50% or more of the voting rights in a company or has the right to appoint the majority of the directors of the company or its general manager. For the purpose of approving transactions with controlling shareholders, the term “controlling shareholder” also includes any shareholder that holds 25% or more of the voting rights of the company if no other shareholder holds more than 50% of the voting rights in the company.

73

 
Lead Independent Director
 
Mr. Mokady, our founder, who served as our CEO from 2005 until April 2023, has been on the Board since the Company’s inception and has served as chairman of our Board since June 2016. When the roles of CEO and chairman of the Board were combined, our Board appointed a lead independent director. In April 2023, we separated the roles of CEO and chairman of the Board. Mr. Mokady assumed the role of Executive Chairman of the Board, and Matthew Cohen was appointed as CEO and joined the Board. Even though the roles of CEO and chairman of the Board are not currently combined, Mr. Mokady continues to be employed by the Company and, as such, he does not qualify as “independent.” Accordingly, in order to facilitate strong, independent Board leadership and ensure effective independent oversight, the Board believes it is in the Company’s best interest to maintain the Lead Independent Director role.
 
Our Lead Independent Director is selected by our non-executive board members from among the independent directors of the Board, who has served a minimum of one year as a director. If, at any meeting of the Board the Lead Independent Director is not present, for the purpose and duration of such meeting, the Chairman of the Audit Committee, Chairman of the Compensation Committee, or an independent member of the Board appointed by a majority of the independent members of the Board present will act as the Lead Independent Director, in the order listed above. Mr. Tirosh has been our Lead Independent Director since June 2016.
 
The authorities and responsibilities of the Lead Independent Director include, but are not limited to, the following:
 

providing leadership to the Board if circumstances arise in which the role of the Executive Chairman of the Board may be, or may be perceived to be, in conflict with the interests of the Company, and responding to any reported conflicts of interest, or potential conflicts of interest, arising for any director;
 

presiding as chairman of meetings of the Board at which the Executive Chairman of the Board is not present, including executive sessions of the independent members of the Board;
 

serving as a liaison between the CEO and the independent members of the Board;
 

providing feedback on Board meeting agendas, information and ongoing training provided to the Board, and requiring changes to the same;
 

approving meeting schedules to ensure there is sufficient time for discussion of all agenda items;
 

having the authority to call meetings of the independent members of the Board;
 

being available for consultation and direct communication with shareholders, as appropriate;
 

recommending that the Board retain consultants or advisers that report directly to the Board;
 

conferring with the Executive Chairman of the Board or CEO on important Board matters and key issues and tasks facing the Company, and ensuring the Board focuses on the same;
 

presiding over the Board’s annual self-assessment process and the independent directors’ evaluation of the effectiveness of the Executive Chairman of the Board, CEO, and management; and
 

performing such other duties as the Board may, from time to time, delegate to assist the Board in the fulfillment of its duties.
 
Audit Committee
 
Under the Companies Law, the board of directors of a public company must appoint an audit committee. Our audit committee consists of three independent directors, Ron Gutler (Chairperson), Kim Perdikou, and François Auque.

74

 
Audit Committee Composition
 
Under Nasdaq corporate governance rules, we are required to maintain an audit committee consisting of at least three independent directors, each of whom is financially literate and one of whom has accounting or related financial management expertise.
 
All members of our audit committee meet the requirements for financial literacy under the applicable rules and regulations of the SEC and Nasdaq corporate governance rules. Our board of directors has determined that each of Ron Gutler, Kim Perdikou, and François Auque is an audit committee financial expert, as defined by SEC rules, and each has the requisite financial experience as defined by Nasdaq corporate governance rules.
 
Each of the members of the audit committee is “independent” as such term is defined in Rule 10A-3(b)(1) under the Exchange Act, which is different from the general test for independence of board members and members of other committees.
 
Audit Committee Role
 
Our board of directors has an audit committee charter that sets forth the responsibilities of the audit committee consistent with the rules of the SEC and the listing requirements of Nasdaq, as well as the requirements for such committee under the Companies Law. The responsibilities of the audit committee under the audit committee charter include, among others, the following: