Company Quick10K Filing
CyberArk Software
20-F 2020-12-31 Filed 2021-03-11
20-F 2019-12-31 Filed 2020-03-05
20-F 2018-12-31 Filed 2019-03-14
20-F 2017-12-31 Filed 2018-03-15
20-F 2016-12-31 Filed 2017-03-16
20-F 2015-12-31 Filed 2016-03-10
20-F 2014-12-31 Filed 2015-02-27

CYBR 20F Annual Report

Item 17 ☐ Item 18 ☐
Part I
Item 1.Identity of Directors, Senior Management and Advisers
Item 2.Offer Statistics and Expected Timetable
Item 3.Key Information
Item 4.Information on The Company
Item 4A.Unresolved Staff Comments
Item 5.Operating and Financial Review and Prospects
Item 6.Directors, Senior Management and Employees
Item 7.Major Shareholders and Related Party Transactions
Item 8.Financial Information
Item 9.The Offer and Listing
Item 10.Additional Information
Item 11.Quantitative and Qualitative Disclosures About Market Risk
Item 12.Description of Securities Other Than Equity Securities
Part II
Item 13.Defaults, Dividend Arrearages and Delinquencies
Item 14.Material Modifications To The Rights of Security Holders and Use of Proceeds
Item 15.Controls and Procedures
Item 16A.Audit Committee Financial Expert
Item 16B.Code of Ethics
Item 16C.Principal Accountant Fees and Services
Item 16D.Exemptions From The Listing Standards for Audit Committees
Item 16E.Purchases of Equity Securities By The Issuer and Affiliated Purchasers
Item 16F.Change in Registrant’S Certifying Accountant
Item 16G.Corporate Governance
Item 16H.Mine Safety Disclosure
Part III
Item 17.Financial Statements
Item 18.Financial Statements
Item 19.Exhibits
Note 1: - General
Note 2: - Significant Accounting Policies
Note 3: - Marketable Securities
Note 4: - Prepaid Expenses and Other Current Assets
Note 5: - Property and Equipment, Net
Note 6: - Goodwill and Other Intangible Assets, Net
Note 7: - Accrued Expenses and Other Current Liabilities
Note 8: - Commitments and Contingent Liabilities
Note 9: - Leases
Note 10: - Fair Value Measurements
Note 11: - Convertible Senior Notes, Net
Note 12: - Shareholders&Apos; Equity
Note 13: - Income Taxes
Note 14: - Financial Income (Expense), Net
Note 15: - Basic and Diluted Net Income (Loss) per Share
Note 16: - Segments, Customers and Geographic Information
EX-8 exhibit_8-1.htm
EX-12.1 exhibit_12-1.htm
EX-12.2 exhibit_12-2.htm
EX-13.1 exhibit_13-1.htm
EX-13.2 exhibit_13-2.htm
EX-15.1 exhibit_15-1.htm

CyberArk Software Earnings 2020-12-31

Balance SheetIncome StatementCash Flow

CYBERARK SOFTWARE LTD.
IL 0001598110 --12-31 2020 FY false P2Y P1Y P3Y P3Y P5Y 0001598110 2019-01-01 2019-12-31 iso4217:USD 0001598110 2018-01-01 2018-12-31 0001598110 us-gaap:RetainedEarningsMember 2018-01-01 2018-12-31 0001598110 us-gaap:RetainedEarningsMember 2019-01-01 2019-12-31 0001598110 2020-01-01 2020-12-31 0001598110 us-gaap:RetainedEarningsMember 2020-01-01 2020-12-31 0001598110 us-gaap:AccumulatedOtherComprehensiveIncomeMember 2018-01-01 2018-12-31 0001598110 us-gaap:AccumulatedOtherComprehensiveIncomeMember 2019-01-01 2019-12-31 0001598110 us-gaap:AccumulatedOtherComprehensiveIncomeMember 2020-01-01 2020-12-31 0001598110 us-gaap:CommonStockMember 2017-12-31 i:shares 0001598110 us-gaap:CommonStockMember 2018-12-31 0001598110 us-gaap:CommonStockMember 2019-12-31 0001598110 us-gaap:CommonStockMember 2020-12-31 0001598110 2017-12-31 0001598110 us-gaap:AdditionalPaidInCapitalMember 2017-12-31 0001598110 us-gaap:AccumulatedOtherComprehensiveIncomeMember 2017-12-31 0001598110 us-gaap:RetainedEarningsMember 2017-12-31 0001598110 2018-12-31 0001598110 us-gaap:AdditionalPaidInCapitalMember 2018-12-31 0001598110 us-gaap:AccumulatedOtherComprehensiveIncomeMember 2018-12-31 0001598110 us-gaap:RetainedEarningsMember 2018-12-31 0001598110 2019-12-31 0001598110 us-gaap:AdditionalPaidInCapitalMember 2019-12-31 0001598110 us-gaap:AccumulatedOtherComprehensiveIncomeMember 2019-12-31 0001598110 us-gaap:RetainedEarningsMember 2019-12-31 0001598110 2020-12-31 0001598110 us-gaap:AdditionalPaidInCapitalMember 2020-12-31 0001598110 us-gaap:AccumulatedOtherComprehensiveIncomeMember 2020-12-31 0001598110 us-gaap:RetainedEarningsMember 2020-12-31 0001598110 us-gaap:CommonStockMember 2018-01-01 2018-12-31 0001598110 us-gaap:CommonStockMember 2019-01-01 2019-12-31 0001598110 us-gaap:CommonStockMember 2020-01-01 2020-12-31 0001598110 us-gaap:AdditionalPaidInCapitalMember 2018-01-01 2018-12-31 0001598110 us-gaap:AdditionalPaidInCapitalMember 2019-01-01 2019-12-31 0001598110 us-gaap:AdditionalPaidInCapitalMember 2020-01-01 2020-12-31 0001598110 us-gaap:CostOfSalesMember 2020-01-01 2020-12-31 0001598110 us-gaap:ResearchAndDevelopmentExpenseMember 2020-01-01 2020-12-31 0001598110 us-gaap:SellingAndMarketingExpenseMember 2020-01-01 2020-12-31 0001598110 us-gaap:GeneralAndAdministrativeExpenseMember 2020-01-01 2020-12-31 0001598110 us-gaap:CostOfSalesMember 2018-01-01 2018-12-31 0001598110 us-gaap:ResearchAndDevelopmentExpenseMember 2018-01-01 2018-12-31 0001598110 us-gaap:SellingAndMarketingExpenseMember 2018-01-01 2018-12-31 0001598110 us-gaap:GeneralAndAdministrativeExpenseMember 2018-01-01 2018-12-31 0001598110 us-gaap:CostOfSalesMember 2019-01-01 2019-12-31 0001598110 us-gaap:ResearchAndDevelopmentExpenseMember 2019-01-01 2019-12-31 0001598110 us-gaap:SellingAndMarketingExpenseMember 2019-01-01 2019-12-31 0001598110 us-gaap:GeneralAndAdministrativeExpenseMember 2019-01-01 2019-12-31 iso4217:ILS i:shares 0001598110 us-gaap:ConvertibleNotesPayableMember 2019-11-30 0001598110 cybr:VaultiveMember 2018-12-31 0001598110 cybr:IdaptiveMember 2020-12-31 0001598110 cybr:VaultiveMember 2018-01-01 2018-03-31 0001598110 cybr:IdaptiveMember 2020-05-01 2020-05-31 0001598110 srt:MinimumMember us-gaap:ComputerEquipmentMember 2020-01-01 2020-12-31 i:pure 0001598110 srt:MaximumMember us-gaap:ComputerEquipmentMember 2020-01-01 2020-12-31 0001598110 srt:MinimumMember cybr:OfficeFurnitureAndEquipmentMember 2020-01-01 2020-12-31 0001598110 srt:MaximumMember cybr:OfficeFurnitureAndEquipmentMember 2020-01-01 2020-12-31 0001598110 us-gaap:TechnologyBasedIntangibleAssetsMember 2020-12-31 0001598110 us-gaap:CustomerRelationshipsMember 2020-12-31 0001598110 us-gaap:OtherIntangibleAssetsMember 2020-12-31 0001598110 us-gaap:TechnologyBasedIntangibleAssetsMember 2019-12-31 0001598110 us-gaap:CustomerRelationshipsMember 2019-12-31 0001598110 us-gaap:OtherIntangibleAssetsMember 2019-12-31 0001598110 us-gaap:MoneyMarketFundsMember us-gaap:FairValueInputsLevel1Member 2019-12-31 0001598110 us-gaap:MoneyMarketFundsMember 2019-12-31 0001598110 us-gaap:USGovernmentDebtSecuritiesMember us-gaap:FairValueInputsLevel2Member 2019-12-31 0001598110 us-gaap:MoneyMarketFundsMember us-gaap:FairValueInputsLevel2Member 2019-12-31 0001598110 us-gaap:USGovernmentAgenciesDebtSecuritiesMember us-gaap:FairValueInputsLevel1Member 2019-12-31 0001598110 us-gaap:MoneyMarketFundsMember us-gaap:FairValueInputsLevel1Member 2020-12-31 0001598110 us-gaap:MoneyMarketFundsMember us-gaap:FairValueInputsLevel2Member 2020-12-31 0001598110 us-gaap:MoneyMarketFundsMember 2020-12-31 0001598110 us-gaap:USGovernmentAgenciesDebtSecuritiesMember us-gaap:FairValueInputsLevel1Member 2020-12-31 0001598110 us-gaap:USGovernmentAgenciesDebtSecuritiesMember 2019-12-31 0001598110 us-gaap:USGovernmentAgenciesDebtSecuritiesMember 2020-12-31 0001598110 us-gaap:CommercialPaperMember us-gaap:FairValueInputsLevel1Member 2020-12-31 0001598110 us-gaap:CommercialPaperMember us-gaap:FairValueInputsLevel1Member 2019-12-31 0001598110 us-gaap:CommercialPaperMember us-gaap:FairValueInputsLevel2Member 2020-12-31 0001598110 us-gaap:CommercialPaperMember 2020-12-31 0001598110 us-gaap:CommercialPaperMember 2019-12-31 0001598110 us-gaap:CommercialPaperMember us-gaap:FairValueInputsLevel2Member 2019-12-31 0001598110 us-gaap:USGovernmentAgenciesDebtSecuritiesMember us-gaap:FairValueInputsLevel2Member 2020-12-31 0001598110 cybr:CorporateDebtSecuritiesAndCommercialPaperMember 2019-12-31 0001598110 cybr:CorporateDebtSecuritiesAndCommercialPaperMember 2020-12-31 0001598110 cybr:GovernmentDebenturesMember 2020-12-31 0001598110 us-gaap:FairValueInputsLevel1Member 2019-12-31 0001598110 us-gaap:FairValueInputsLevel2Member 2019-12-31 0001598110 us-gaap:FairValueInputsLevel1Member 2020-12-31 0001598110 us-gaap:FairValueInputsLevel2Member 2020-12-31 0001598110 cybr:CorporateDebtSecuritiesAndCommercialPaperMember us-gaap:FairValueInputsLevel2Member 2019-12-31 0001598110 cybr:CorporateDebtSecuritiesAndCommercialPaperMember us-gaap:FairValueInputsLevel1Member 2019-12-31 0001598110 cybr:CorporateDebtSecuritiesAndCommercialPaperMember us-gaap:FairValueInputsLevel1Member 2020-12-31 0001598110 cybr:CorporateDebtSecuritiesAndCommercialPaperMember us-gaap:FairValueInputsLevel2Member 2020-12-31 0001598110 us-gaap:USGovernmentDebtSecuritiesMember us-gaap:FairValueInputsLevel2Member 2020-12-31 0001598110 us-gaap:USGovernmentDebtSecuritiesMember 2019-12-31 0001598110 us-gaap:USGovernmentDebtSecuritiesMember 2020-12-31 0001598110 us-gaap:USGovernmentDebtSecuritiesMember us-gaap:FairValueInputsLevel1Member 2020-12-31 0001598110 country:US 2020-01-01 2020-12-31 0001598110 country:IL 2020-01-01 2020-12-31 0001598110 country:GB 2020-01-01 2020-12-31 0001598110 us-gaap:EMEAMember 2020-01-01 2020-12-31 0001598110 cybr:OtherCountryMember 2020-01-01 2020-12-31 0001598110 country:US 2018-01-01 2018-12-31 0001598110 country:IL 2018-01-01 2018-12-31 0001598110 country:GB 2018-01-01 2018-12-31 0001598110 us-gaap:EMEAMember 2018-01-01 2018-12-31 0001598110 cybr:OtherCountryMember 2018-01-01 2018-12-31 0001598110 country:US 2019-01-01 2019-12-31 0001598110 country:IL 2019-01-01 2019-12-31 0001598110 country:GB 2019-01-01 2019-12-31 0001598110 us-gaap:EMEAMember 2019-01-01 2019-12-31 0001598110 cybr:OtherCountryMember 2019-01-01 2019-12-31 0001598110 us-gaap:LicenseMember 2020-01-01 2020-12-31 0001598110 us-gaap:LicenseMember 2019-01-01 2019-12-31 0001598110 us-gaap:MaintenanceMember 2020-01-01 2020-12-31 0001598110 us-gaap:MaintenanceMember 2019-01-01 2019-12-31 0001598110 cybr:ProfessionalServicesMember 2020-01-01 2020-12-31 0001598110 cybr:ProfessionalServicesMember 2019-01-01 2019-12-31 0001598110 us-gaap:LicenseMember 2018-01-01 2018-12-31 0001598110 us-gaap:MaintenanceMember 2018-01-01 2018-12-31 0001598110 cybr:ProfessionalServicesMember 2018-01-01 2018-12-31 0001598110 us-gaap:DeferredProjectCostsMember 2020-12-31 0001598110 us-gaap:DeferredProjectCostsMember 2019-12-31 iso4217:USD i:shares 0001598110 dei:BusinessContactMember 2020-01-01 2020-12-31 0001598110 cybr:AccruedExpensesAndOtherCurrentLiabilitiesMember 2020-12-31 0001598110 cybr:AccruedExpensesAndOtherCurrentLiabilitiesMember 2019-12-31 0001598110 us-gaap:ConvertibleNotesPayableMember 2019-11-01 2019-11-30 0001598110 us-gaap:OtherNoncurrentLiabilitiesMember 2020-12-31 0001598110 us-gaap:OtherNoncurrentLiabilitiesMember 2019-12-31 0001598110 us-gaap:ConvertibleNotesPayableMember 2019-12-31 0001598110 us-gaap:ConvertibleNotesPayableMember 2020-12-31 0001598110 us-gaap:ComputerEquipmentMember 2020-12-31 0001598110 us-gaap:LeaseholdImprovementsMember 2020-12-31 0001598110 cybr:OfficeFurnitureAndEquipmentMember 2020-12-31 0001598110 us-gaap:ComputerEquipmentMember 2019-12-31 0001598110 us-gaap:LeaseholdImprovementsMember 2019-12-31 0001598110 cybr:OfficeFurnitureAndEquipmentMember 2019-12-31 0001598110 us-gaap:ComputerEquipmentMember 2020-01-01 2020-12-31 0001598110 us-gaap:ComputerEquipmentMember 2019-01-01 2019-12-31 0001598110 us-gaap:SeniorNotesMember 2020-12-31 0001598110 srt:MinimumMember 2020-01-01 2020-12-31 0001598110 srt:MaximumMember 2020-01-01 2020-12-31 0001598110 us-gaap:ForeignExchangeOptionMember 2019-12-31 0001598110 us-gaap:ForeignExchangeOptionMember 2020-12-31 0001598110 us-gaap:ForeignExchangeOptionMember 2020-01-01 2020-12-31 0001598110 us-gaap:ForeignExchangeOptionMember 2019-01-01 2019-12-31 0001598110 us-gaap:ForeignExchangeForwardMember us-gaap:OtherLiabilitiesMember 2020-12-31 0001598110 us-gaap:ForeignExchangeForwardMember us-gaap:OtherAssetsMember 2020-12-31 0001598110 us-gaap:ForeignExchangeForwardMember us-gaap:OtherAssetsMember 2019-12-31 0001598110 us-gaap:ForeignExchangeOptionMember us-gaap:OtherLiabilitiesMember 2020-12-31 0001598110 us-gaap:ForeignExchangeOptionMember us-gaap:OtherLiabilitiesMember 2019-12-31 0001598110 us-gaap:ForeignExchangeForwardMember 2020-01-01 2020-12-31 0001598110 us-gaap:ForeignExchangeForwardMember 2018-01-01 2018-12-31 0001598110 us-gaap:ForeignExchangeForwardMember 2019-01-01 2019-12-31 0001598110 cybr:NextTwoPercentContributionMember 2020-01-01 2020-12-31 0001598110 cybr:EmployeesOverFiftyYearsMember 2020-01-01 2020-12-31 0001598110 cybr:FirstThreePercentPayContributionMember 2020-01-01 2020-12-31 0001598110 cybr:RangeOneMember 2020-12-31 0001598110 cybr:RangeTwoMember 2020-12-31 0001598110 cybr:RangeThreeMember 2020-12-31 0001598110 cybr:RangeFourMember 2020-12-31 0001598110 cybr:RangeFiveMember 2020-12-31 0001598110 cybr:RangeOneMember 2020-01-01 2020-12-31 0001598110 cybr:RangeTwoMember 2020-01-01 2020-12-31 0001598110 cybr:RangeThreeMember 2020-01-01 2020-12-31 0001598110 cybr:RangeFourMember 2020-01-01 2020-12-31 0001598110 cybr:RangeFiveMember 2020-01-01 2020-12-31 0001598110 srt:MinimumMember 2018-01-01 2018-12-31 0001598110 srt:MaximumMember 2018-01-01 2018-12-31 0001598110 srt:MinimumMember 2019-01-01 2019-12-31 0001598110 srt:MaximumMember 2019-01-01 2019-12-31 0001598110 us-gaap:DomesticCountryMember 2020-01-01 2020-12-31 0001598110 cybr:TCJAMember srt:MaximumMember 2020-01-01 2020-12-31 0001598110 cybr:TCJAMember srt:MinimumMember 2020-01-01 2020-12-31 0001598110 us-gaap:ForeignCountryMember 2020-12-31 0001598110 cybr:ForeignCountrySubsidiaryMember 2020-12-31 0001598110 us-gaap:ForeignCountryMember 2020-01-01 2020-12-31 iso4217:ILS 0001598110 2017-01-01 2017-12-31 0001598110 us-gaap:SalesRevenueNetMember cybr:SingleCustomerMember 2018-01-01 2018-12-31 0001598110 us-gaap:SalesRevenueNetMember cybr:SingleCustomerMember 2019-01-01 2019-12-31 0001598110 us-gaap:SalesRevenueNetMember cybr:SingleCustomerMember 2020-01-01 2020-12-31 0001598110 us-gaap:DevelopedTechnologyRightsMember 2020-01-01 2020-12-31 0001598110 us-gaap:CustomerRelationshipsMember 2020-01-01 2020-12-31 0001598110 cybr:LiabilitiesMember 2020-12-31 0001598110 country:US 2020-12-31 0001598110 country:IL 2020-12-31 0001598110 country:GB 2020-12-31 0001598110 us-gaap:EMEAMember 2020-12-31 0001598110 cybr:OtherCountryMember 2020-12-31 0001598110 country:US 2019-12-31 0001598110 country:IL 2019-12-31 0001598110 country:GB 2019-12-31 0001598110 us-gaap:EMEAMember 2019-12-31 0001598110 cybr:OtherCountryMember 2019-12-31


UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

WASHINGTON, D.C. 20549

FORM 20-F

REGISTRATION STATEMENT PURSUANT TO SECTION 12(b) OR (g) OF THE SECURITIES EXCHANGE ACT OF 1934

 

OR

 

ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934

 

For the fiscal year ended December 31, 2020

 

OR

 

TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934

 

OR

 

SHELL COMPANY REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934

 

Commission file number 001-36625

image provided by client

CYBERARK SOFTWARE LTD.

(Exact name of Registrant as specified in its charter)

ISRAEL

(Jurisdiction of incorporation or organization)

9 Hapsagot St.

Park Ofer B, P.O. BOX 3143

Petach-Tikva 4951040, Israel

(Address of principal executive offices)

Donna Rahav

General Counsel and Compliance Officer

Telephone: +972 (3)918-0000

CyberArk Software Ltd.

9 Hapsagot St.

Park Ofer B, P.O. BOX 3143

Petach-Tikva  4951040, Israel

(Name, telephone, e-mail and/or facsimile number and address of company contact person)

Securities registered or to be registered pursuant to Section 12(b) of the Act:

Title of each class

Trading Symbol(s)

Name of each exchange on which registered

Ordinary shares, par value NIS 0.01 per share

CYBR

The Nasdaq Stock Market LLC

Securities registered or to be registered pursuant to Section 12(g) of the Act: None.

Securities for which there is a reporting obligation pursuant to Section 15(d) of the Act: None.


Indicate the number of outstanding shares of each of the issuer’s classes of capital or common stock as of the close of the period covered by the annual report: As of December 31, 2020, the registrant had outstanding 39,034,759 ordinary shares, par value NIS 0.01 per share.

Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act.

Yes ☒  No ☐

If this report is an annual or transition report, indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934.

Yes ☐  No

Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.

Yes ☒  No ☐

Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files).

Yes ☒  No ☐

Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” and “emerging growth company” in Rule 12b-2 of the Exchange Act.

Large accelerated filer

Accelerated filer ☐

Non-accelerated filer ☐

Emerging growth company

If an emerging growth company that prepares its financial statements in accordance with U.S. GAAP, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐

Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report.

Indicate by check mark which basis of accounting the registrant has used to prepare the financial statements included in this filing:

U.S. GAAP

International Financial Reporting Standards as issued by the

Other ☐

International Accounting Standards Board ☐

If “Other” has been checked in response to the previous question, indicate by check mark which financial statement item the registrant has elected to follow.

Item 17 ☐ Item 18 ☐

If this is an annual report, indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act).

Yes   No ☒


CYBERARK SOFTWARE LTD.

FORM 20-F

ANNUAL REPORT FOR THE FISCAL YEAR ENDED DECEMBER 31, 2020

TABLE OF CONTENTS

Introduction

1

Special Note Regarding Forward-Looking Statements

1

PART I

Item 1.Identity of Directors, Senior Management and Advisers

2

Item 2.Offer Statistics and Expected Timetable

2

Item 3.Key Information

2

Item 4.Information on the Company

27

Item 4A.Unresolved Staff Comments

38

Item 5.Operating and Financial Review and Prospects

38

Item 6.Directors, Senior Management and Employees

59

Item 7.Major Shareholders and Related Party Transactions

78

Item 8.Financial Information

80

Item 9.The Offer and Listing

81

Item 10.Additional Information

81

Item 11.Quantitative and Qualitative Disclosures About Market Risk

89

Item 12.Description of Securities Other Than Equity Securities

90

PART II

Item 13.Defaults, Dividend Arrearages and Delinquencies

91

Item 14.Material Modifications to the Rights of Security Holders and Use of Proceeds

91

Item 15.Controls and Procedures

91

Item 16A.Audit Committee Financial Expert

92

Item 16B.Code of Ethics

92

Item 16C.Principal Accountant Fees and Services

92

Item 16D.Exemptions from the Listing Standards for Audit Committees

93

Item 16E.Purchases of Equity Securities by the Issuer and Affiliated Purchasers

93

Item 16F.Change in Registrant’s Certifying Accountant

93

Item 16G.Corporate Governance

93

Item 16H.Mine Safety Disclosure

93

PART III

Item 17.Financial Statements

93

Item 18.Financial Statements

93

Item 19.Exhibits

94


INTRODUCTION

In this annual report, the terms “CyberArk,” “we,” “us,” “our” and “the company” refer to CyberArk Software Ltd. and its subsidiaries.

This annual report includes statistical, market and industry data and forecasts, that we obtained from publicly available information and independent industry publications and reports that we believe to be reliable sources. These publicly available industry publications and reports generally state that they obtain their information from sources that they believe to be reliable, but they do not guarantee the accuracy or completeness of the information. Although we believe that these sources are reliable, we have not independently verified the information contained in such publications. Certain estimates and forecasts involve uncertainties and risks and are subject to change based on various factors, including those discussed under the headings “Special Note Regarding Forward-Looking Statements” and “Item 3.D. Risk Factors” in this annual report.

Throughout this annual report, we refer to various trademarks, service marks and trade names that we use in our business. The “CyberArk” design logo is the property of CyberArk Software Ltd. CyberArk® is our registered trademark in the United States and many other countries. We have several other trademarks, service marks and pending applications relating to our solutions. In particular, although we have omitted the “®” and “™” trademark designations in this annual report from each reference to our Privileged Access Security Solution, Enterprise Password Vault, Privileged Session Manager, Privileged Threat Analytics, CyberArk Privilege Cloud, Application Access Manager, Conjur, Endpoint Privilege Manager, On-Demand Privileges Manager, Secure Digital Vault, Web Management Interface, Master Policy Engine and Discovery Engine, CyberArk DNA, Alero, Idaptive, Cloud Entitlements Manager and C3 Alliance, all rights to such names and trademarks are nevertheless reserved. Other trademarks and service marks appearing in this annual report are the property of their respective holders.

SPECIAL NOTE REGARDING FORWARD-LOOKING STATEMENTS

In addition to historical facts, this annual report contains forward-looking statements within the meaning of Section 27A of the U.S. Securities Act of 1933, as amended, or the Securities Act, Section 21E of the U.S. Securities Exchange Act of 1934, as amended, or the Exchange Act, and the safe harbor provisions of the U.S. Private Securities Litigation Reform Act of 1995. These forward-looking statements are subject to risks and uncertainties, and include information about possible or assumed future results of our business, financial condition, results of operations, liquidity, plans and objectives. In some cases, you can identify forward-looking statements by terminology such as “believe,” “may,” “estimate,” “continue,” “anticipate,” “intend,” “should,” “plan,” “expect,” “predict,” “potential,” or the negative of these terms or other similar expressions. The forward-looking statements are based on our beliefs, assumptions and expectations of future performance. There are important factors that could cause our actual results, levels of activity, performance or achievements to differ materially from the results, levels of activity, performance or achievements expressed or implied by the forward-looking statements, including, but not limited to:

changes to the drivers of our growth and our ability to adapt our solutions to IT security market demands;

our plan to begin actively transitioning our business to a recurring revenue model in 2021 and our ability to complete the transition in the time frame expected;

our sales cycles and multiple pricing and delivery models may cause results to fluctuate;

difficulties predicting future financial results, including due to impacts from the COVID-19 pandemic;

unanticipated product vulnerabilities or cybersecurity breaches of our or our customers’ systems;

our ability to sell into existing and new customers and industry verticals;

the ability of our research and development efforts to successfully enhance and develop existing and new products and services;

the duration and scope of the COVID-19 pandemic and its impact on global and regional economies and the resulting effect on the demand for our solutions and on our expected revenue growth rates and costs;

our ability to hire, retain and motivate qualified personnel;

our ability to find, complete, fully integrate or achieve the expected benefits of additional strategic acquisitions;

our ability to expand our sales and marketing efforts and expand our channel partnerships across existing and new geographies;

1


risks associated with our global sales and operations, such as changes in regulatory requirements or fluctuations in currency exchange rates;

our ability to adjust our operations in response to impacts from the COVID-19 pandemic;

additional capital expenditures beyond what we currently expect; and

any failure to retain our “foreign private issuer” status or the risk that we may be classified, for U.S. federal income tax purposes, as a “passive foreign investment company.”

In addition, you should consider the risks provided under “Item 3.D. Risk Factors” in this annual report.

You should not rely upon forward-looking statements as predictions of future events. Although we believe that the expectations reflected in the forward-looking statements are reasonable, we cannot guarantee that future results, levels of activity, performance and events and circumstances reflected in the forward-looking statements will be achieved or will occur. Except as required by law, we undertake no obligation to update publicly any forward-looking statements for any reason after the date of this annual report, to conform these statements to actual results or to changes in our expectations.

PART I

ITEM 1.IDENTITY OF DIRECTORS, SENIOR MANAGEMENT AND ADVISERS

Not applicable.

ITEM 2.OFFER STATISTICS AND EXPECTED TIMETABLE

Not applicable.

ITEM 3.KEY INFORMATION

A.Selected Financial Data

Not applicable.

B.Capitalization and Indebtedness

Not applicable.

C.Reasons for the Offer and Use of Proceeds

Not applicable.

D.Risk Factors

Risks Related to Our Business and Our Industry

The IT security market is rapidly evolving within the increasingly challenging cyber threat landscape. If our solutions fail to adapt to market changes and demands, sales may not continue to grow or may decline.

We offer identity security solutions that safeguard privileged accounts’ credentials and secrets, secure access across both human and non-human identities, and manage entitlements to cloud environments. We operate in a rapidly evolving industry, focused on securing and providing access to organizations’ IT systems and sensitive data.

Accelerated adoption of cloud and Software-as-a-Service (SaaS) and the expansion of remote workforce has led to a proliferation of privileged access in recent years. Breaches of privileged accounts and access have become ubiquitous, yet overall IT security spending is spread across a wide variety of solutions and strategies, including, for example, endpoint, network and cloud security, vulnerability management and identity and access management. Organizations continually evaluate their security priorities and investments and may allocate their IT security budgets to other solutions and strategies and may not adopt or expand use of our solutions. Organizations are also moving portions of their IT systems to be managed by third parties, primarily infrastructure, platform and application service providers, and may rely on such providers’ internal security measures. If customers do not recognize the benefit of our solutions as a critical layer of an effective security strategy, our revenues may decline, which could cause our share price to decrease in value.

2


Security solutions such as ours, which aim to disrupt cyberattacks by insiders and external perpetrators that have penetrated an organization’s IT environment, represent a security layer designed to respond to advanced threats and more rigorous compliance standards and audit requirements. However, advanced cyber attackers are skilled at adapting to new technologies and developing new methods of gaining access to organizations’ sensitive data and technology assets, including those of IT and cybersecurity providers, as demonstrated by the 2020 SolarWinds SUNBURST attack. We expect our customers, and thereby our solutions, to face new and increasingly sophisticated methods of attack, particularly given the increasing complexity of IT and the proliferation of privileged access across identities. We face significant challenges in ensuring that our solutions effectively identify and respond to sophisticated attacks while avoiding disruption to our customers’ IT systems ongoing performance. As a result, we must continually modify and improve our products and services in response to market and technology trends to ensure we are meeting market needs and continue providing valuable solutions that can be deployed in a variety of IT environments, including cloud and hybrid.

We cannot guarantee that we will be able to anticipate future market needs and opportunities or be able to develop or acquire product enhancements or new products or services to meet such needs or opportunities in a timely manner or at all. Even if we are able to anticipate, develop and commercially introduce new products, such as our Cloud Entitlements Manager and our Identity Security offerings, and ongoing enhancements to our existing products, there can be no assurance that such enhancements or new solutions will achieve widespread market acceptance. Delays in developing, completing or delivering new or enhanced solutions could cause our offerings to be less competitive, impair customer acceptance of our solutions and result in delayed or reduced revenue and share price decline.

We are actively transitioning our business to a recurring revenue model. If we fail to successfully manage our licensing and business model transition, including not maintaining existing customers or sufficient renewal rates for maintenance and support and subscriptions, our operating results and share price may be adversely affected.

We began actively transitioning our business to a recurring revenue model in January 2021. Our transition strategy addresses and leverages the significant shifts in the global technology market in 2020, as well as recent years’ changes in IT environments such as the acceleration in the adoption of cloud environments, SaaS applications, software automation tools and DevOps methodologies. Our transition aims at shifting our sales from perpetual licenses to subscriptions, for both SaaS and on-premises offerings. Our strategy requires considerable investments in our go to market and research and development organizations and activities as well as in our systems and adjustments in our operations, reporting and financial resources. We have no assurance that our investments and changes to our operations will result in the desired growth in our subscription revenue. As we execute our strategy, we expect our perpetual license revenue and our operating margin to significantly decline in the near term – before we are able to fully transition into a subscription model – and our maintenance service revenue to gradually decline over the coming years. While we expect the majority of our existing customers to expand their deployment leveraging subscription offerings (whether on-premises or SaaS), and new customers to purchase subscriptions at an increased rate, certain customers may still desire perpetual licenses and our transition may not occur within our planned timeline.

With our transition to a recurring revenue model, we will become significantly more dependent on renewals to meet our total revenue and profitability targets. Our renewal rate for maintenance contracts associated with perpetual license sales in each of the years ending December 31, 2019 and 2020 was approximately 90%. We believe that our maintenance contracts related to our perpetual license business will continue to have strong renewal rates; however, customers may choose to change licensing models from perpetual to subscription and while we expect to generate the same if not higher recurring revenue under a subscription there is a risk that the customer lowers their annual contract value.

Customer subscription renewal rates may decline or fluctuate due to a number of factors, including offering pricing, implementation and adoption rate of our solutions, reductions in customer spending levels or customer activity due to economic downturns or other market uncertainty, competitive offerings and customer satisfaction. In addition, we, along with our service providers or channel partners, may not be able provide adequate services that are responsive, satisfy our customers’ expectations and resolve issues that they encounter with our solutions. Even with adequate support, our customers are ultimately responsible for effectively using our solutions and ensuring that their IT staff and other relevant users are properly trained in the use of our products and complementary security products, methodologies and processes. As a result, customers may become dissatisfied with our products and decide not to renew, which may have a material and adverse effect on our business and results of operations.

3


We may face additional complications or risks in connection with our transition to a recurring revenue model, including the following:

our revenues may fluctuate as a result of variations in our booking mix from the different licensing and delivery models and the corresponding timing of revenue recognition – ratably for SaaS subscriptions and the maintenance portion of on-premises subscriptions and upon delivery for perpetual licenses and the license portion of on-premises subscriptions. For example, if our customers prefer to buy our solutions as a subscription at a greater rate than we anticipate, our recognized revenues may lag our expectations and guidance;

our operating profitability, net income and cash flow from operating activities are expected to decline during the transition period as more revenues are recognized ratably and due to an increase in annual invoicing. In addition, we continue to make significant short-term investments in our business and operations to drive long-term growth;

our revenues and earnings may decline if our customers do not renew, or reduce the scope of, their subscriptions;

the introduction of new product offerings and solutions may result in longer sales cycles, lost opportunities or less predictable revenues if our new or existing customers, prospects and partners are less receptive of such advancements (including a transition to SaaS in order to receive certain functionalities) or require a longer period to assess and select the solutions appropriate to them;

the introduction of more SaaS offerings may require extended presale processes due to, among others, comprehensive product and security reviews and requirements by customers, extensive contract negotiations and more stringent compliance and operational obligations (such as those related to data protection);

our research and development teams may find it difficult to deliver functionality and drive innovation across multiple code bases on a timely basis; and

our sales force may struggle with selling multiple pricing, licensing and delivery models to customers, prospects and partners, which may extend sales cycles, reduce the likelihood of sales closing, or lead to increased turnover rates and lower headcount.

Our quarterly results of operations may fluctuate for a variety of reasons. We may, as a result, fail to meet publicly announced financial guidance or other expectations about our business, which could cause our ordinary shares to decline in value.

We offer new and existing customers multiple software pricing and delivery models and have begun actively transitioning our business to a recurring revenue model in January 2021. It may be difficult to predict the mix of the perpetual and subscription bookings in any given quarter, which could impact our financial results and cause us to fail to meet publicly announced financial guidance or other expectations. We recognize revenue differently based on the composition of the selected offering. Specifically, we recognize revenue from perpetual licenses upon their delivery and the license portion of on-premises subscriptions upon the commencement of the subscription period. We recognize revenue from SaaS subscriptions and from maintenance services for perpetual licenses or on-premises subscription ratably over the period of the subscription or maintenance contract. This may cause trends in revenue recognition to lag those in sales, potentially causing us to fall short of investor expectations for revenue even while meeting or exceeding periodic sales targets. Our active transition to a recurring revenue model, starting in 2021, could reduce our overall revenue growth rates, operating margins and cash flow in the short term due to the ratable revenue recognition.

A meaningful portion of our quarterly revenues is generated through transactions of significant size, and purchases of our products and services often occur at the end of each quarter. We also experience quarterly and annual seasonality in our sales, demonstrated by increased sales in the third month of each quarter relative to the first two months and increased sales in the fourth quarter of each year. The timing in which SaaS deals close may further exacerbate the seasonality impact on reported revenues due to the ratable recognition. In addition, our sales cycle can be intensively competitive and last several quarters from proof of concept to the actual sale and initial delivery of our solutions to our customers. This sales cycle can be even longer, less predictable and more resource-intensive for larger sales, or with customers implementing complex digital transformation strategies or facing a complex set of compliance and user requirements. Customers may also require additional internal committee or executive approvals, extensive security reviews, longer product trial periods and prolonged contract negotiation before making a final purchase, all of which may be exacerbated with the increased volume of SaaS transactions. A failure to close a large transaction in a particular quarter may adversely impact our revenues in that quarter. Closing of an exceptionally large transaction in a certain quarter may disproportionately increase our revenues in that quarter, which may make it more difficult for us to meet growth rate expectations of our investors in subsequent quarters. Furthermore, even if we close a sale during a given quarter, we may be unable to recognize the revenues derived from such sale during the same period due to our revenue recognition policy and our transition to a recurring revenue model. As a result of the foregoing factors, the timing of closing sales cycles and the resulting revenue from such sales can be difficult to predict. In some cases, sales have occurred in a quarter that was either earlier than, or subsequent to, the anticipated quarter, and in some cases, sale opportunities expected to close did not close at all.

4


All of these factors impact our quarterly results and our ability to accurately predict them and may result in us missing our guidance or falling short of market expectations regarding our results. If our financial results for a particular period do not meet our guidance or if we reduce our guidance for future periods or refrain from providing guidance, the market price of our ordinary shares may decline.

In addition to fluctuations related to our transition to a recurring revenue model and sales cycles described above, our results of operations may continue to vary as a result of a number of other factors, many of which may be outside of our control or difficult to predict, including:

our ability to attract new customers;

our ability to retain existing customers by and through renewals of maintenance services and subscriptions;

the amount and timing of our operating costs and cash collection, which may vary also as a result of fluctuations in foreign currency exchange rates or changes in taxes or other applicable regulations (see “—We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations”);

the rate our customers fully deploy their purchased licenses or subscriptions, and our ability to sell additional products and services to current customers;

effects from the COVID-19 pandemic or other public health crises, and the global economic changes caused by it (see “—The COVID-19 pandemic, measures globally taken in response to it and the resulting economic environment have adversely affected, and may continue to adversely affect, our business, financial condition, and results of operations”);

the ability of our support, service and customer success operations to keep pace with sales to new and existing customers and the expansion of our solution portfolio and to satisfy customer demands for consultancy and professional services;

our ability to successfully expand our business globally;

the timing and success of new product and service introductions by us or our competitors or any other change in the competitive landscape of the information security market, including consolidation among our competitors;

introduction of new accounting pronouncements or changes in our accounting policies or practices;

changes in our pricing policies or those of our competitors;

changes in the growth rate of the information security market; and

the size and discretionary nature of our prospective and existing customers’ IT budgets.

Any of these factors, individually or in the aggregate, may result in significant fluctuations in our financial and other operating results from period to period. These fluctuations could result in our failure to meet our operating plan or the expectations of investors or analysts for any given period. Such failures may cause the market price of our ordinary shares to substantially decrease.

5


Our reputation and business could be harmed due to real or perceived vulnerabilities in our solutions or services or the failure of our customers or third parties to correctly implement, manage and maintain our solutions, resulting in loss of customers, enforcement actions, lawsuits or financial losses.

Security products, solutions and services such as our own are complex in design and deployment and may contain errors that are potentially incapable of being remediated or detected until after their deployment, if at all. Any errors, defects, or misconfigurations could cause our products or services to not meet specifications, be vulnerable to security attacks or fail to secure networks, which could negatively impact customer operations and harm our business and reputation. In particular, we may suffer significant liability as a result of litigation or regulatory enforcement, indemnity claims, adverse publicity and reputational harm, including a downgrade in our industry leadership position by industry analysts, if our solutions or services are associated, or are believed to be associated with, or fail to reasonably protect against, a significant breach or a breach at a high-profile customer, managed service provider network, or third-party system utilized by us as part of our cloud-based security solution.

Several of our solutions are made available to our customers as SaaS. Delivering software as a service involves storage and transmission of customers’ proprietary information, including personal data, related to their assets, employees and users. Security breaches, improper configuration or product defects in our SaaS solutions, production and development environments (including those embedded in third-party technology used by our customers) could result in loss or alteration of this data, unauthorized access to multiple customers’ data and compromise of our networks or our customers’ networks secured by our SaaS solutions. Any such incident, whether or not caused by us, could result in significant liability for us and negative business repercussions.

False detection of threats (referred to as “false positives”), while typical in our industry, may reduce perception of the reliability of our solutions and may therefore adversely impact market acceptance. Our customers’ businesses could be harmed if our solutions restrict legitimate privileged access by authorized personnel to IT systems and applications by falsely identifying those users as attackers or otherwise unauthorized, resulting in significant liability for us and negative business implications. False positives may also reduce perception of the reliability of our solutions and our company’s reputation and may therefore adversely impact our market acceptance and leadership position.

Our solutions not only reinforce but also rely on the common security concept of placing multiple layers of security controls throughout an IT system. The failure of our customers, channel partners, managed service providers or subcontractors to correctly implement or effectively manage and maintain our solutions and the environments in which they are utilized, or to consistently implement and utilize generally accepted and comprehensive, multi-layered security measures and processes in customer networks, may lessen the efficacy of our solutions. Our customers or our channel partners may also independently develop or change existing application programming interfaces (APIs) that we provide to them for interfacing purposes in an incorrect or insecure manner. Such failures or actions may lead to security breaches and data loss, which could result in a perception that our solutions or services failed and associated negative business implications. Further, our failure to provide our customers and channel partners with adequate services or accurate product documentation related to the use, implementation and maintenance of our solutions, could lead to claims against us.

Similarly, and as demonstrated by the 2020 SolarWinds SUNBURST attack, our failure to effectively deploy and maintain multiple layers of security controls and processes to detect threats within our own resources and networks, such as development or customer-serving production environments, could lead to a breach or exploitation of our products or services by threat actors. As a result, such threat actors may gain access to and breach our customers’ deployments and environments (see “— If our internal IT network system, or those of third party service providers associated with us, is compromised by cyber attacks or other data breaches, or by a critical system failure, our reputation, financial condition and operating results could be materially adversely affected.”).

An actual or perceived cyber attack, other security breach or theft of our customers’ data, regardless of whether the breach or theft is actually attributable to the failure of our products, SaaS solutions or the services we provided in relation thereto, could adversely affect the market’s perception of the efficacy of our solutions and our industry standing. Such circumstances could cause current or potential customers to look to our competitors for alternatives to our solutions and subject us to negative media attention, lawsuits, regulatory investigations and other government inquiries, indemnity claims and financial losses, as well as the expenditure of significant financial resources to, among other actions, analyze, correct or eliminate any vulnerabilities. Provisions in our agreements that attempt to limit our liabilities towards our customers, channel partners and relevant third parties may not withstand legal challenges, and certain liabilities may not be limited or capped. Additionally, any insurance coverage we have may not adequately cover all claims asserted against us or may cover only a portion of such claims. An actual or perceived cyber attack could also cause us to suffer reputational harm, lose existing customers, or deter new and existing customers from purchasing or implementing our products.

6


We face intense competition from a wide variety of IT security vendors operating in different market segments and across diverse IT environments, which may challenge our ability to maintain or improve our competitive position or to meet our planned growth rates.

The IT security market in which we operate is characterized by intense competition, constant innovation, rapid adoption of different technological solutions and services, and evolving security threats. We compete with a multitude of companies that offer a broad array of IT security products that employ different approaches and delivery models to address these evolving threats.

Our current competitors in the Privileged Access Management market include BeyondTrust Corporation, NortonLifeLock, Inc. (acquired by Broadcom Inc.), One Identity LLC and Thycotic Software Ltd., some of which may offer solutions at lower price points. Further, we may face competition due to changes in the manner that organizations utilize IT assets and the security solutions applied to them, such as the provision of Privileged Access Management functionalities as part of public cloud providers’ infrastructure offerings, or cloud-based identity management solutions. With the acquisition of Idaptive and our strategy to provide customers with a comprehensive identity security portfolio, and our DevOps security solution, some of the functionality offered in our products may compete with certain solutions in the market such as solutions from Okta Inc., Microsoft Corporation or HashiCorp, Inc. In addition, Limited IT budgets may also result in competition with providers of other advanced threat protection solutions such as Palo Alto Networks, CrowdStrike Holdings, Inc. and NortonLifeLock, Inc.

We also may compete, to a certain extent, with vendors that offer products or services in adjacent or complementary markets to Privileged Access Management, including identity management vendors and cloud platform providers such as Amazon Web Services, Google Cloud Platform, and Microsoft Azure. As the identity and access and Privileged Access Management markets have matured significantly over recent years the entry barrier is now lower, and it is easier for competitors to compete in the market. Some of our competitors are large companies and have wider technical and financial resources and broader customer bases used to bring competitive solutions to the market. These companies may already have existing relationships as an established vendor for other product offerings, and certain customers may prefer one single IT vendor for product security procurement than purchasing solely based on product performance. Such companies may use these advantages to offer products and services that are perceived to be as effective as ours at a lower price or for free as part of a larger product package or solely in consideration for maintenance and services fees, which could result in increased market pressure to offer our solutions and services at lower prices. They may also develop different products to compete with our current solutions and respond more quickly and effectively than we do to new or changing opportunities, technologies, standards or client requirements or enjoy stronger sales and service capabilities in certain regions. Additionally, niche vendors are developing and marketing lower cost solutions with limited Privileged Access Management functionality that may impact our ability to maintain premium market pricing.

Our competitors may enjoy potential competitive advantages over us, such as:

greater name recognition, a longer operating history and a larger customer base;

larger sales and marketing budgets and resources;

broader distribution and established relationships with channel partners, advisory firms and customers;

increased effectiveness in protecting, detecting and responding to cyber attacks;

greater or localized resources for customer support and provision of services;

7


greater speed at which a solution can be deployed and implemented;

greater resources to make acquisitions;

larger intellectual property portfolios; and

greater financial, technical and other resources.

Our current and potential competitors may also establish cooperative relationships among themselves or with third parties that may further enhance their resources and capabilities. Current or potential competitors have been acquired and consolidated or may be acquired by third parties with greater resources in the future. Similarly, we may also face increased competition following an acquisition of new lines of business that compete with providers of such technologies or from security vendors or other companies in adjacent markets extending their solutions into privilege access management or identity and access management (as relevant). As a result of such acquisitions, our current or potential competitors may be able to adapt more quickly to new technologies and customer needs, devote greater resources to the promotion or sale of their products and services, initiate or withstand substantial price competition, take advantage of other opportunities more readily or develop and expand their product and service offerings more quickly than we do. Larger competitors with more diverse product offerings may reduce the price of products that compete with ours in order to promote the sale of other products or may bundle them with other products, which would lead to increased pricing pressure on our products and could cause the average sales prices for our products to decline. We may be at a competitive disadvantage to our privately held competitors, as they may not face the same accounting, auditing and legal standards we do as a public company. Such privately held competitors may face less public scrutiny than we do and may be less risk-averse than we are, and therefore may have greater operational flexibility.

Furthermore, an increasing number of independent industry analysts and researchers regularly evaluate, compare and publish reviews regarding the functionality of IT security products, including ours. These reviews may significantly influence the market perception of our products, and our reputation and brand could be harmed from negative reviews of our products or increasingly positive reviews of our competitors’ products, or if such reviews do not view us as a market leader. In addition, other IT security technologies exist or could be developed in the future by current or future competitors, and our business could be materially and adversely affected if such technologies are widely adopted. We may not be able to successfully anticipate or adapt to changing technology or customer requirements on a timely basis, or at all. If we fail to keep up with technological changes or convince our customers and potential customers of the value of our solutions, even in light of new technologies, our business, results of operations and financial condition could be materially and adversely affected.

If we are unable to acquire new customers or sell additional products and services to our existing customers, our future revenues and operating results will be harmed.

Our success and continued growth will depend, in part, on our ability to acquire a sufficient number of new customers while maintaining and expanding our revenues from existing customers, by renewing contracts for our solutions and selling incremental or new licenses or subscriptions or solutions to existing customers. If we are unable to succeed in such efforts, we will likely be unable to fully transition into a subscription-based model or generate revenue growth at desired rates. In addition, competition in the marketplace may lead us to acquire fewer new customers or result in us providing more favorable commercial terms to new or existing customers. Macro-economic effects such as those related to COVID-19 may also affect our ability to maintain our customer base and expand it, and the pandemic and its associated global response may also make establishing relationships and new supplier expertise among potential customers more challenging. (see “-- The COVID-19 pandemic, measures globally taken in response to it and the resulting economic environment have adversely affected, and may continue to adversely affect, our business, financial condition, and results of operations). Further, the foregoing circumstances would have an even greater impact on our business and operations in relation to sales of our Privileged Access Management (PAM) solution, which generates a majority of our revenue.

As we expand our market reach to gain new business, including entering the Access Management market and securing DevOps environments, we may experience difficulties in gaining traction and raising awareness among potential customers regarding the critical role that our solutions play in securing their organizations or establishing a market leadership position and industry analyst recognition, or may face more competitive pressure in such markets. As a result, it may be difficult for us to add new customers to our customer base, retain our existing customers and generate increased growth from sales of these solutions.

8


With our transition to a recurring revenue model, our sales, research and development, support and customer success teams may have difficulties selling, supporting and maintaining multiple license models and code bases. These may lead to lower software sales, longer sales cycles, customer dissatisfaction, lower renewal rates and a reduction in our ability to sell add-on business to customers or gain new customers. Further, as part of the natural lifecycle of our solutions, we may determine that certain products will be reaching their end of development or end of life and will no longer be supported or receive updates and security patches. Failure to effectively manage our product lifecycles could lead to existing customer dissatisfaction and contractual liabilities.

Further, any changes in compliance standards or audit requirements that reduce the priority for the types of controls, security, monitoring and analysis that our solutions provide would adversely impact demand for our solutions. Additional factors that impact our ability to acquire new customers or sell additional products and services to our existing customers include the consumption of their past purchases, the perceived need for IT security, the size of our prospective and existing customers’ IT budgets, the utility and efficacy of our existing and new offerings, whether proven or perceived, changes in our pricing or licensing models that may impact the size of new business transactions, a downgrade of our recognized industry leadership position by industry analysts and general economic conditions. These factors may have a material negative impact on future revenues and operating results.

If our internal IT network system, or those of third party service providers associated with us, is compromised by cyber attacks or other data breaches, or by a critical system failure, our reputation, financial condition and operating results could be materially adversely affected.

As we provide privileged account and identity security products, we are likely an attractive target for cyber attackers or other data thieves since a breach of our system could provide information regarding not only us, but potentially regarding the customers that our solutions protect. Given the shift to the remote working environment due to COVID-19, we and our customers are exposed to an expanded attack surface. Further, we may be targeted by cyber terrorists, sophisticated criminal groups, or nation-state affiliated and supported actors because we are an Israeli company as well as a prominent security company.

From time to time we encounter intrusion incidents and attempts against our internal network systems, none of which to date has resulted in any material adverse impact to our business or operations. Any such future attacks could materially adversely affect our business or results of operations. In addition, as our market position continues to grow, specifically in the security industry, an increasing number of cyber attackers may focus on finding ways to penetrate our network systems, which might eventually affect our products and services. For example, third parties may attempt to fraudulently induce employees or customers into disclosing sensitive information such as user names, passwords or other information or otherwise compromise the security of our internal networks, electronic systems and/or physical facilities in order to gain access to our data or our customers’ data. Such attacks could result in significant damage to our market position and lead to costly indemnity claims, litigation or regulatory action.

We may also be subject to information technology system failures or network disruptions caused by natural disasters, accidents, power disruptions, telecommunications failures, acts of terrorism, security breaches, wars, computer viruses, or other events or disruptions. System redundancy and other continuity measures may be ineffective or inadequate, and our business continuity and disaster recovery planning may not be sufficient for all eventualities. These events could adversely affect our operations, reputation, financial condition and operating results.

Additionally, cyber attacks against our company may also be caused by breaches by our contractors, business partners, supply chain network, vendors and other third parties associated with us, or due to human error by those acting on our behalf. We rely on third parties to operate critical functions of our business, including hosting our SaaS products and supporting our customer relationship management and financial operation services (provided by our Enterprise Resource Planning system). If these services are breached or become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms, our ability to manage our operations could be interrupted, our ability to provide maintenance and support services to our customers could be impacted, our expenses could increase and our processes for managing sales of our products and services be impaired until equivalent services, if available, are identified, obtained and integrated; all of which could materially harm our business.

9


Because we are in the information security industry, an actual or perceived vulnerability, failure, disruption, or breach of our network or privileged account security in our systems also could adversely affect the market perception of our products and services, or of our expertise in this field, as well as perception of us among new and existing customers. Additionally, a significant security breach could subject us to potential liability, litigation and regulatory or other government action (see “—The dynamic legal and regulatory environment around privacy, data protection, cross-border data flows, and cloud computing may limit the offering, use and adoption of, or require modification of, our products and services, which could limit our ability to attract new customers and support our current customers, or we could be subject to investigations, litigation, or enforcement actions alleging that we fail to comply with the regulatory requirements thus harming our operating results and adversely affecting our business.”). We are unable to ensure that any limitations of liability provisions in our contracts with respect to our information security operations or our product liability would be enforceable or adequate or would otherwise protect us from any liabilities or damages with respect to any particular claim, or that we would be able to adequately recover damages from third parties associated with us, who were involved in a security incident. Additionally, any insurance coverage we may have may not adequately cover any of these claims asserted against us or any related damage, or may cover only a portion of such damages. If any of the foregoing were to occur, our business may suffer and our share price may be negatively impacted.

Our research and development efforts may not produce successful products or enhancements to our solutions that result in significant revenue or other benefits in the near future, if at all.

We expect to continue to dedicate significant financial and other resources to our research and development efforts in order to maintain our competitive position. For example, in 2020, we increased our dedicated research and development personnel by 33% compared to 2019. However, investing in research and development personnel, developing new products and enhancing existing products is expensive and time consuming. There is no assurance that such activities will successfully result in significant new marketable products or enhancements to our products, including SaaS solutions, design improvements, cost savings, revenues or other expected benefits. If we spend significant time and effort on research and development and are unable to generate an adequate return on our investment, we may not be able to compete effectively, and our business and results of operations may be materially and adversely affected.

Our investment in product enhancements or new products could fail to attain sufficient market acceptance for many reasons, including:

delays in releasing product enhancements or new products;

failure to accurately predict market demand and to supply products that meet this demand in a timely fashion;

inability to interoperate effectively with the existing or newly introduced technologies, systems or applications of our existing and prospective customers;

defects in our products, errors or failures of our solutions to secure and protect privileged accounts against existing and new types of attacks;

negative publicity about the performance or effectiveness of our products;

introduction or anticipated introduction of competing products by our competitors;

installation, configuration or usage errors by our customers; and

easing or changing of regulatory requirements related to security.

If we fail to anticipate market requirements or fail to develop and introduce product enhancements or new products to meet those needs in a timely manner, it could cause us to lose existing customers and prevent us from gaining new customers, which would significantly harm our business, financial condition and results of operations.

10


The dynamic legal and regulatory environment around privacy, data protection, cross-border data flows, and cloud computing may limit the offering, use and adoption of, or require modification of, our products and services, which could limit our ability to attract new customers and support our current customers, or we could be subject to investigations, litigation, or enforcement actions alleging that we fail to comply with the regulatory requirements thus harming our operating results and adversely affecting our business.

The legal and regulatory environment relating to the provision of services on the internet, including services such as ours, is increasing, as federal, state and foreign governments continue to adopt, enact, and enforce new laws and regulations addressing cybersecurity, privacy, data protection and the collection, processing, storage and use of personal information.

We are subject to diverse laws and regulations relating to data privacy, including but not limited to the EU General Data Protection Regulation 2016/679 (“GDPR”), the California Consumer Privacy Act (“CCPA”), the U.K. Data Protection Act 2018, national privacy laws of EU Member States and other laws relating to privacy, data protection, and cloud computing. These laws are evolving rapidly, as exemplified by the recent passage by ballot initiative of the California Privacy Rights Act in November 2020 (“CPRA”) and the prospect of a new European “ePrivacy Regulation” (to replace the existing “ePrivacy Directive,” Directive 2002/58 on Privacy and Electronic Communications). Compliance with these laws, as well as efforts required to understand and interpret new legal requirements, require us to expend significant capital and other resources. We could be found to not be in compliance with obligations, or suffer from adverse interpretations of such legal requirements either as directly relating to our business or in the context of legal developments impacting our customers or other businesses, which could impact our ability to offer our products or services, impact operating results, or reduce demand for our products or services.

Compliance with privacy and data protection laws and contractual obligations may require changes in services, business practices, or internal systems resulting in increased costs, lower revenue, reduced efficiency, or greater difficulty in competing with firms that are not subject these laws and regulations. For example, GDPR imposes several stringent requirements for controllers and processors of personal data and increases our obligations including, for example, requiring robust disclosures to individuals, establishing an individual data rights regime, setting timelines for data breach notifications, requiring detailed internal policies and procedures and limiting retention periods. Ongoing compliance with these and other legal and contractual requirements may necessitate changes in services and business practices, which may lead to the diversion of engineering resources from other projects.

As a company that focuses on identity security with a foundation in privilege access management, our customers may rely on our products and services as part of their efforts comply with obligations under GDPR and other laws to implement and demonstrate their own security controls around access to personal and confidential data. If our products or services are found insufficient to meet these standards in the context of an investigation into us or our customers, or we are unable to engineer products that meet these standards, we could experience reduced demand for our products or services. There is also increased international scrutiny, including by the EU, of cross-border transfers of data, including personal data between the EU and countries like the United States. Our work could be impacted if legal mechanisms that permit such cross-border data transfers are challenged or restricted, or if cross-border data transfers are restricted between jurisdictions entirely.

In addition, following the U.K.’s departure from the EU and the expiry of the Brexit transition period, the U.K. will cease to operate as an EU member state, and data flows from the EU to the U.K. (and vice versa) may need additional safeguards, which could affect our operations in the U.K. and in EU countries. These and other regulatory requirements around the privacy or cross-border transfer of personal data could restrict our ability to store and process data as part of our solutions, or, in some cases, impact our ability to offer our solutions or services in certain jurisdictions.

The passage of the CPRA in November 2020 could result in additional uncertainty and additional measures on our behalf to come into compliance or demonstrate compliance to our customers. Enactment of further privacy laws in the U.S., at the state or federal level, may require us to expend considerable resources to comply, and could carry the potential for significant financial or reputational exposure to our business.

Claims that we or our service providers have breached our contractual obligations or failed to comply with applicable privacy and data protection laws, even if we are not found liable, could be expensive and time-consuming to defend and could result in adverse publicity that could harm our business. In addition to litigation, we could face regulatory investigations, negative market perception, potential loss of business, enforcement notices and/or fines (which, for example, under GDPR can be up to four percent of global turnover for the preceding financial year or €20 million, whichever is higher).

11


The COVID-19 pandemic, measures globally taken in response to it and the resulting economic environment have adversely affected, and may continue to adversely affect, our business, financial condition, and results of operations.

The COVID-19 pandemic, its continuing effects, and the diverse measures taken in response by governments and businesses worldwide to contain its spread, have placed constraints on the operations of businesses, decreased consumer mobility and activity, and caused significant global economic volatility. In light of the uncertain and evolving nature of the pandemic and the economic environment, we have taken precautionary measures intended to reduce the risk of virus infection to our employees and our customers and to address the uncertainty in our ability to execute on our operating plans. Such circumstances and uncertainties have adversely affected and are likely to continue to adversely affect our business, workforce and results of operations, as well as that of our customers, suppliers and partners globally. Our business has been affected in various ways, including our ability to engage with customers, hire new employees, a decrease in the size of our perpetual license deals, lower revenue from new customers, and changes to customer purchase patterns and to our sales and marketing operations.

There is considerable uncertainty regarding the duration, scope and severity of the pandemic or its effects on us and our customers, channel partners, managed service providers or subcontractors, which can result in extended customer sales cycles, reduced demand for our solutions, lower renewal rates, delayed spending on our solutions, smaller deal sizes, lower revenue from new customers, impairment of our ability to collect accounts receivable, reduced payment frequencies, and affect our employee productivity or availability. Any of the foregoing may have a material adverse impact on our business and results of operation.

If we are unable to hire, retain and motivate qualified personnel, our business will suffer.

Our future success depends, in part, on our ability to continue to attract and retain highly skilled personnel. Our inability to attract or retain qualified personnel or delays in hiring required personnel may seriously harm our business, financial condition and results of operations. Any of our employees may terminate their employment at any time. Competition for highly skilled personnel, specifically engineers for research and development positions, is often intense and results in increasing wages, especially in Israel, where we are headquartered and most of our research and development positions are located, and where several large multinational corporations have entered the market. We may struggle to retain employees, and due to our profile and market position, competitors actively seek to hire skilled personnel away from us. Furthermore, from time to time, we have been subject to allegations that employees we have hired from competitors may have been improperly solicited or divulged proprietary or other confidential information which could subject us to potential liability and litigation.

Prolonged economic uncertainties or downturns in certain regions or industries could materially adversely affect our business.

Our business depends on our current and prospective customers’ ability and willingness to invest money in IT security, which in turn is dependent upon their overall economic health. Negative economic conditions in the global economy or certain regions, including conditions resulting from financial and credit market fluctuations, could cause a decrease in corporate spending on information security software. Other matters that influence consumer confidence and spending, including COVID-19 and its reverberating economic consequences, could also negatively affect our customers’ spending on our products and services. In 2020, we generated 53% of our revenues from the United States, 31% of our revenues from Europe, the Middle East and Africa and 16% from the rest of the world, which includes countries from the Asia Pacific and Japan region, the Latin America region and Canada.

In addition, a significant portion of our revenue is generated from customers in the financial services industry, including banking and insurance. Negative economic conditions may cause customers generally, and in that industry in particular, to reduce their IT spending. Customers may delay or cancel IT projects perceived to be discretionary, choose to focus on in-house development efforts or seek to lower their costs by renegotiating subscription renewals or maintenance and support agreements. Additionally, customers or channel partners may be more likely to make late payments in worsening economic conditions, which could lead to increased collection efforts and require us to incur additional associated costs to collect expected revenues. If the economic conditions of the general economy or industries in which we operate worsen from present levels, our results of operation could be adversely affected.

12


We may fail to fully execute, integrate, or realize the benefits expected from acquisitions, which may require significant management attention, disrupt our business, dilute shareholder value and adversely affect our results of operations.

As part of our business strategy and in order to remain competitive, we continue to evaluate acquiring or making investments in complementary companies, products or technologies. We may not be able to find suitable acquisition candidates or complete such acquisitions on favorable terms. We may incur significant expenses, divert employee and management time and attention from other business-related tasks and our organic strategy and incur other unanticipated complications while engaging with potential target companies where no transaction is eventually completed. If we do complete acquisitions, we may not ultimately strengthen our competitive position or achieve our goals or expected growth, and any acquisitions we complete could be viewed negatively by our customers, analysts and investors. In addition, if we are unsuccessful at integrating our acquisitions, for example our May 2020 acquisition of Idaptive, including the technologies associated with such acquisitions, or fail to fully attain the expected benefits of these acquisitions, our revenues and results of operations could be adversely affected. Any integration process may require significant time and resources, and we may not be able to manage the process successfully and may experience a decline in our profitability as we incur expenses prior to fully realizing the benefits of the acquisition. We could expend significant cash and incur acquisition related costs and other unanticipated liabilities associated with the acquisition. We may not successfully evaluate or utilize the acquired technology or personnel, or accurately forecast the financial impact of an acquisition transaction, including accounting charges and tax liabilities. Further, the issuance of equity or securities convertible to equity to finance any such acquisitions could result in dilution to our shareholders and the issuance of debt could subject us to covenants or other restrictions that would impede our ability to manage our operations. We could become subject to legal claims following an acquisition or fail to accurately forecast the potential impact of any claims. Any of these issues could have a material adverse impact on our business and results of operations.

If we do not effectively expand, train and retain our sales and marketing personnel, we may be unable to achieve our transition to subscription model, acquire new customers or sell additional products and services to existing customers, and our business will suffer.

We depend significantly on our sales force to attract new customers and expand sales to existing customers. We generate approximately 35% of our revenues from direct sales and the remaining balance from indirect sales. As a result, our ability to grow our revenues depends in part on our success in recruiting, training and retaining sufficient numbers of sales personnel to support our growth. The number of our sales and marketing personnel increased from 656 as of December 31, 2019 to 772 as of December 31, 2020. We expect to continue to expand our sales and marketing personnel significantly and face a number of challenges in achieving our hiring and integration goals. There is intense competition for individuals with sales training and experience. In addition, the training and integration of a large number of sales and marketing personnel in a short time requires the allocation of significant internal resources. While we have been selling subscriptions for a number of years, as we shift our sales from perpetual licenses to increasingly sell more SaaS and on-premises subscriptions, all of our sales and marketing personnel will need to be extensively trained. We invest significant time and resources in training new sales force personnel to understand our solutions, pricing and delivery models and growth strategy. Based on our past experience, it takes an average of approximately six to nine months before a new sales force member operates at target performance levels. However, we may not be able to recruit at our anticipated rate or achieve or maintain our target performance levels with large numbers of new sales personnel as quickly as we have done in the past. Our failure to timely hire the sufficient number of qualified sales force members and train them to operate at target performance levels may materially and adversely impact our projected growth rate.

13


We rely on channel partners to generate a significant portion of our revenue, market our solutions and provide necessary services to our customers. If we fail to maintain successful relationships with our channel partners, or if our channel partners fail to perform, our ability to market, sell and distribute our solutions will be limited, and our business, financial condition and results of operations will be harmed.

In addition to our direct sales force, we rely on our channel partners to market, sell, support and implement our solutions, particularly in Europe and the Asia Pacific and Japan regions. We expect that sales through our channel partners will continue to account for a significant percentage of our revenue. In the year ended December 31, 2020, we generated approximately 65% of our revenues from sales to channel partners such as distributors, systems integrators, value-added resellers and managed security service providers, and we expect that channel partners will represent a substantial portion of our revenues for the foreseeable future. Further, we cooperate with advisory firms in marketing our solutions and providing implementation services to our customers, in both direct and indirect sales. Our agreements with channel partners are non-exclusive, meaning our partners may offer customers IT security products from other companies, including products that compete with our solutions. If our channel partners do not effectively market and sell our solutions or choose to use greater efforts to market and sell their own products and services or the products and services of our competitors, our ability to grow our business will be adversely affected. Our channel partners may cease or de-emphasize the marketing of our solutions with limited or no notice and with little or no penalty. Further, new channel partners require training and may take several months or more to achieve productivity. The loss of key channel partners, the inability to replace them or the failure to recruit additional channel partners could materially and adversely affect our results of operations. Our reliance on channel partners could also subject us to lawsuits or reputational harm if, for example, a channel partner misrepresents the functionality of our solutions to customers, fails to appropriately implement our solutions or violates applicable laws, and may further result in termination of such partner’s agreement and potentially curb future revenues associated with this channel partner. Our ability to grow revenues in the future will depend in part on our success in maintaining successful relationships with our channel partners and training our channel partners to independently sell and install our solutions. If we are unable to maintain our relationships with channel partners or otherwise develop and expand our indirect sales channel, or if our channel partners fail to perform, our business, financial condition and results of operations could be adversely affected.

A portion of our revenues is generated by sales to government entities, which are subject to a number of challenges and risks, such as increased competitive pressures, administrative delays and additional approval requirements.

A portion of our revenues is generated by sales to U.S. and foreign federal, state and local governmental agency customers, and we may in the future increase sales to government entities. Selling to government entities can be highly competitive, expensive and time consuming, often requiring significant upfront time and expense without any assurance that we will complete a sale, or imposing terms of sale which are less favorable than the prevailing market terms. Government demand and payment for our products and services may be impacted by public sector budgetary cycles and funding authorizations, funding reductions, government shutdowns or delays, adversely affecting public sector demand for our products. The foregoing may be enhanced due to the effects of COVID-19. Additionally, for purchases by the U.S. government, the government may require certain products to be manufactured or developed in the United States and other high cost locations, and we may not manufacture or develop all products in locations that meet the requirements of the U.S. government. Finally, some government entities require products such as ours to be certified by industry-approved security agencies as a pre-condition of purchasing them, such as the international Common Criteria certification by the National Information Association Partnership (NIAP), which we have maintained since 2019. We have also initiated the process, and have begun incurring costs, to obtain authorization from the Federal Risk and Authorization Management Program, or FedRAMP, for certain SaaS products. The grant of such certifications depends on the then-current requirements of the certifying agency. We cannot be certain that any certificate will be granted or renewed or that we will be able to satisfy the technological and other requirements to maintain certifications. The loss of any of our product certificates, or the failure to obtain new ones, could cause us to suffer reputational harm, lose existing customers, or deter new and existing customers from purchasing our solutions, additional products or our services.

We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.

Our functional and reporting currency is the U.S. dollar. In 2020, the majority of our revenues were denominated in U.S. dollars and the remainder primarily in euros and British pounds sterling. In 2020, the majority of our cost of revenues and operating expenses were denominated in U.S. dollars and New Israeli Shekels (NIS) and the remainder primarily in euros and British pounds sterling. Our foreign currency-denominated expenses consist primarily of personnel, marketing programs, rent and other overhead costs. Since the portion of our expenses generated in NIS and British pounds sterling is greater than our revenues in NIS and British pounds sterling, respectively, any appreciation of the NIS or the British pounds sterling relative to the U.S. dollar could adversely impact our operating income. In addition, since the portion of our revenues generated in euros is greater than our expenses incurred in euros, any depreciation of the euro relative to the U.S. dollar would adversely impact our operating income. We estimate that a 10% strengthening or weakening in the value of the NIS against the U.S. dollar would have decreased or increased, respectively, our operating income by approximately $9.2 million in 2020. We estimate that a 10% strengthening or weakening in the value of the euro against the U.S. dollar would have increased or decreased, respectively, our operating income by approximately $3.2 million in 2020. We estimate that a 10% strengthening or weakening in the value of the British pounds sterling against the U.S. dollar would have decreased or increased, respectively, our operating income by approximately $0.4 million in 2020. These estimates of the impact of fluctuations in currency exchange rates on our historic results of operations may be different from the impact of fluctuations in exchange rates on our future results of operations since the mix of currencies comprising our revenues and expenses may change. We evaluate periodically the various currencies to which we are exposed and take hedging measures to reduce the potential adverse impact from the appreciation or the depreciation of our non U.S. dollar-denominated operations, as appropriate. We expect that the majority of our revenues will continue to be generated in U.S. dollars with the balance primarily in euros and British pounds sterling for the foreseeable future and that a significant portion of our expenses will continue to be denominated in NIS, U.S. dollars, British pounds sterling and in euros. We cannot provide any assurances that our hedging activities will be successful in protecting us from adverse impacts from currency exchange rate fluctuations. In addition, we have monetary assets and liabilities that are denominated in non-U.S. dollar currencies. For example, starting January 1, 2019, in accordance with a new lease accounting standard, we are required to present a significant NIS linked liability related to our operational leases in Israel. As a result, significant exchange rate fluctuations could have a negative effect on our net income. See “Item 11—Quantitative and Qualitative Disclosures About Market Risk—Foreign Currency Risk.”

14


If our products fail to help our customers achieve and maintain compliance with certain government regulations and industry standards, our business and results of operations could be materially and adversely affected.

We generate a substantial portion of our revenues from our products and services that enable our customers to achieve and maintain compliance with certain government regulations and industry standards, and we expect that to continue for the foreseeable future. Governments and other customers may require our products to comply with certain privacy, security or other certifications and standards with respect to those solutions utilized by them as a control demonstrating compliance with government regulations and industry standards. We have maintained the international Common Criteria certification by the National Information Association Partnership (NIAP) since 2019, and a SOC 2 certification for multiple products. Additionally, we have maintained the ISO 27001 annual certification since April 2017. We have also initiated the process, and have begun incurring costs, to obtain authorization from the Federal Risk and Authorization Management Program (FedRAMP), for certain SaaS products. However, we are unable to guarantee that we will achieve FedRAMP authorization in a timely manner, or at all, for any of our SaaS products. In the future, if our products are late in achieving or fail to achieve or maintain compliance with these certifications and standards, or our competitors achieve compliance with these certifications and standards, we may be disqualified from selling our products to such customers, or may otherwise be at a competitive disadvantage, either of which would harm our business, results of operations, and financial condition.

Additionally, these industry standards may change with little or no notice, including changes that could make them more or less onerous for businesses, including, without limitation, updates to the Common Criteria for Information Technology Security Evaluation (CC). In addition, governments may also adopt new laws or regulations, or make changes to existing laws or regulations, some of which may conflict with each other. This could impact whether our solutions enable our customers to maintain compliance with such laws or regulations. If we are unable to adapt our solutions to changing government regulations and industry standards in a timely manner, or if our solutions fail to expedite our customers’ compliance initiatives, our customers may lose confidence in our products and could switch to products offered by our competitors. In addition, if government regulations and industry standards related to IT security are changed in a manner that makes them less onerous, our customers may view compliance as less critical to their businesses and may be less willing to purchase our products and services. In either case, our sales and financial results would suffer.

We are subject to a number of regulatory and geopolitical risks, associated with global sales and operations, which could materially affect our business.

We are a global company subject to varied and complex laws, regulations and customs. The application of these laws and regulations to our business is often unclear, subject to interpretation and may at times conflict. Compliance with these laws and regulations may involve significant costs or require changes in our business practices that result in reduced revenue and profitability. Furthermore, business practices in the global markets that we serve may differ from those in the United States and may require us to include non-standard terms in customer contracts, such as extended payment or warranty terms. To the extent that we enter into customer contracts that include non-standard terms related to payment, warranties, or performance obligations, our results of operations may be adversely impacted. Further, there may be higher costs of doing business globally, including costs incurred in maintaining office space, securing adequate staffing and localizing our contracts.

15


Additionally, our global sales and operations are subject to a number of risks, including the following:

failure to fully comply with various, global data privacy laws (see “—The dynamic legal and regulatory environment around privacy, data protection, cross-border data flows, and cloud computing may limit the offering, use and adoption of, or require modification of, our products and services, which could limit our ability to attract new customers and support our current customers, or we could be subject to investigations, litigation, or enforcement actions alleging that we fail to comply with the regulatory requirements thus harming our operating results and adversely affecting our business.”);

uncertainty of the economic, financial, regulatory, trade, tax and legal implications of the withdrawal of the U.K. from the European Union, or Brexit, and how this could affect our business, both globally and specifically in Europe. Our U.K. subsidiary is the main entity for sales into Europe. In 2020, the revenues generated by our U.K. subsidiary from the European Union countries (excluding the U.K.) accounted for 21% of our total global revenue. Our London office is also our European headquarters and third largest office globally. In particular, the withdrawal from the European Union by the U.K. could, among other potential outcomes, disrupt the free movement of goods, services and people between the U.K. and the European Union, create recruiting and retention risks for us, and disrupt trade between the U.K. and the European Union and other countries, including by imposing greater costs, restrictions and regulatory complexities on imports and exports between the U.K. and the European Union. In the event this disruption is particularly severe, we may in the long-term be required to modify our corporate structure for sales into the European Union which may result in increased operational and legal costs;

fluctuations in exchange rates between the U.S. dollar and foreign currencies in markets where we do business (see “—We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations”);

social, economic and political instability, terrorist attacks and security concerns in general, and any wide-spread viruses or epidemics, such as the recent novel coronavirus outbreak;

greater difficulty in enforcing contracts and managing collections, as well as longer collection periods;

compliance with anti-bribery laws, including, without limitation, compliance with the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act 2010;

heightened risk of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements by us or by our channel partners or service providers that may impact financial results and result in restatements of, or irregularities in, financial statements;

Certain of our activities and products are subject to U.S., Israeli, and possibly other export and trade control and economic sanctions laws and regulations, which may prohibit or restrict our ability to engage in business with certain countries and customers. If the applicable requirements related to export and trade controls change or expand, if we change the encryption functionality in our products, or if we develop other products or export products from additional jurisdictions, we may need to satisfy additional requirements or obtain specific licenses in order to continue to export our products in the same global scope. Various countries also regulate the import or export of certain encryption products and other technologies and services and have enacted laws that could limit our ability to distribute or implement our products in those countries. In addition, applicable export control and sanctions laws and regulations may impact our ability to sell our products, directly or indirectly, to countries or territories that are the target of comprehensive sanctions, or to prohibited parties. Despite our diligence and the contractual undertakings contained in our agreement with partners and customers, any prohibited export could result in legal exposure, including penalties and/or government investigations, as well as reputational harm to us;

16


greater risk of unexpected changes in regulatory practices and foreign legal requirements, including uncertain tax obligations and effective tax rates, which may result in recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher than anticipated earnings in jurisdictions where we have higher statutory rates, changes in foreign currency exchange rates, or changes in the valuation of our deferred tax assets and liabilities;

compliance with, and the uncertainty of, laws and regulations that apply to our areas of business, including corporate governance, anti-trust and competition, local and regional employment (including cross-border travel), employee and third-party complaints, limitation of liability, conflicts of interest, securities regulations and other regulatory requirements affecting trade, local tariffs, product localization and investment;

reduced or uncertain protection of intellectual property rights in some countries; and

management communication and integration problems resulting from cultural and geographic dispersion.

These and other factors could harm our ability to generate future global revenues and, consequently, materially impact our business, results of operations and financial condition. Non-compliance could also result in fines, damages, or criminal sanctions against us, our officers or our employees, prohibitions on the conduct of our business, and damage to our reputation.

We increasingly rely on third-party providers of cloud infrastructure services to deliver our SaaS Solutions to customers, and any disruption of or interference with our use of these services could adversely affect our business.

Our SaaS solutions are hosted by third-party providers of cloud infrastructure services, or Cloud Service Providers, primarily Amazon Web Services (AWS). We do not have control over the operations or the facilities of Cloud Service Providers that we use and Cloud Service Providers have also in the past experienced and may in the future experience cyber attacks. If any of the services provided by the Cloud Service Providers fail or become unavailable due to extended outages, cyber attacks interruptions or because they are no longer available on commercially reasonable terms or prices, we may be unable to deliver our committed uptime under our service level agreements, our revenues could be reduced, our reputation could be damaged, we could be exposed to legal liability and incur additional expenses, our ability to manage our finances could be interrupted and our processes for managing sales of our offerings and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and implemented, all of which could adversely affect our business, financial results and the usage of our offerings. If we are unable to renew our agreements with our Cloud Service Providers on commercially reasonable terms, or an agreement is prematurely terminated, or we need to add new Cloud Services Providers to increase capacity and uptime, we could experience interruptions, downtime, delays, and additional expenses related to transferring to and providing support for these new platforms. Any of the above circumstances or events may harm our reputation and brand, reduce the availability or usage of our platform and impair our ability to attract new users, any of which could adversely affect our business, financial condition and results of operations.

Intellectual property claims may increase our costs or require us to cease selling certain products, which could adversely affect our financial condition and results of operations.

The IT security industry is characterized by the existence of a large number of relevant patents and frequent claims and litigations regarding patent and other intellectual property rights. Leading companies in the IT security industry have extensive patent portfolios. From time to time, third parties have asserted, and in the future may assert, their patent, copyright, trademark and other intellectual property rights against us, our channel partners or our customers. Furthermore, we may be subject to indemnification obligations with respect to third-party intellectual property rights pursuant to our agreements with our customers and channel partners. Such indemnification provisions are customary for our industry. Any claims of intellectual property infringement or misappropriation brought against us, our partners or our customers, even those without merit, could be expensive and time-consuming to defend, may affect multiple parties, and divert management’s attention. We cannot ensure that we will have the resources to defend against all such claims. Successful claims of infringement or misappropriation by a third party against us or a third party that we indemnify could prevent us from distributing certain products or performing certain services or could require us to pay substantial damages (including, for example, treble damages if we are found to have willfully infringed patents and increased statutory damages if we are found to have willfully infringed copyrights), royalties or other fees. Such claims also could require us to cease making, licensing or using solutions that are alleged to infringe or misappropriate the intellectual property of others, to expend additional development resources to attempt to redesign our products or services or otherwise to develop non-infringing technology, to enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual property rights, and to indemnify our customers and channel partners (and parties associated with them). The failure to obtain a license or the costs associated with any license could cause our business, results of operations or financial condition to be materially and adversely affected. Defending against claims of infringement or being deemed to be infringing the intellectual property rights of others could harm our reputation, impair our ability to innovate, develop, distribute and sell our current and planned products and services. If we were to violate the intellectual property rights of others, our business, financial condition and results of operations may be adversely affected.

17


If our products do not effectively interoperate with our customers’ existing or future IT infrastructures, implementations could be delayed or cancelled, which could harm our business.

Our products must effectively interoperate with our customers’ existing or future IT infrastructures, which often have different specifications, utilize multiple protocol standards, deploy products from multiple vendors and contain multiple generations of products that have been added over time. If we find errors in the existing software or defects in the hardware used in our customers’ infrastructure or problematic network configurations or settings, we may have to modify our software so that our products will interoperate with our customers’ infrastructure and business processes. In addition, to stay competitive within certain markets, we may be required to make software modifications in future releases to comply with new statutory or regulatory requirements. These issues could result in longer sales cycles for our products and order cancellations, either of which could adversely affect our business, results of operations and financial condition.

If we are unable to adequately protect our proprietary technology and intellectual property rights, our business could suffer substantial harm.

The success of our business depends on our ability to protect our proprietary technology, brands and other intellectual property and to enforce our rights in that intellectual property. We attempt to protect our intellectual property under patent, copyright, trademark and trade secret laws, and through a combination of confidentiality procedures, contractual provisions and other methods, all of which offer only limited protection.

As of December 31, 2020, we had 84 issued patents in the United States, and 59 pending U.S. patent applications. We also had 37 issued patents and 25 applications pending for examination in non-U.S. jurisdictions, all of which are counterparts of our U.S. patent applications. We expect to file additional patent applications in the future.

The process of obtaining patent protection is expensive and time-consuming, and we may not be able to complete all necessary or desirable patent applications at a reasonable cost or in a timely manner all the way to the successful issuance of a patent. We may choose not to seek patent protection for certain innovations and may choose not to pursue patent protection in certain jurisdictions. Furthermore, it is possible that our patent applications may not be approved, that the scope of our issued patents will be insufficient or not have the coverage originally sought, that our issued patents will not provide us with any competitive advantages, and that our patents and other intellectual property rights may be challenged by others or invalidated through administrative processes or litigation. Finally, issuance of a patent does not guarantee that we have an absolute right to practice the patented invention. Our policy is to require our employees (and our consultants and service providers that develop intellectual property included in our products) to execute written agreements in which they assign to us their rights in potential inventions and other intellectual property created within the scope of their employment (or, with respect to consultants and service providers, their engagement to develop such intellectual property), but we cannot be certain that we have adequately protected our rights in every such agreement or that we have executed an agreement with every such party. Finally, in order to benefit from the protection of patents and other intellectual property rights, we must monitor and detect infringement and pursue infringement claims in certain circumstances in relevant jurisdictions. Litigating claims related to the enforcement of intellectual property rights is very expensive and can be burdensome in terms of management time and resources. Any litigation related to intellectual rights or claims against us could result in loss or compromise of our intellectual property rights or could subject us to significant liabilities. As a result, we may not be able to obtain adequate protection or to effectively enforce our issued patents or other intellectual property rights.

18


In addition to patents, we rely on trade secret rights, copyrights and other rights to protect our unpatented proprietary intellectual property and technology. Unauthorized parties, including our employees, consultants, service providers or customers, may attempt to copy aspects of our products or obtain and use our trade secrets or other confidential information. We generally enter into confidentiality agreements with our employees, consultants, service providers, vendors, channel partners, subcontractors and customers, and generally limit access to and distribution of our proprietary information and proprietary technology through certain procedural safeguards. These agreements may not effectively prevent unauthorized use or disclosure of our intellectual property or technology and may not provide an adequate remedy in the event of unauthorized use or disclosure of our intellectual property or technology. We cannot be certain that the steps taken by us will prevent misappropriation of our intellectual property or technology or infringement of our intellectual property rights. In addition, the laws of some foreign countries where we sell our products do not protect intellectual property rights and technology to the same extent as the laws of the United States, and these countries may not enforce these laws as diligently as government agencies and private parties in the United States. If we are unable to protect our intellectual property, we may find ourselves at a competitive disadvantage to others who do not incur the additional expense, time and effort to create the innovative products nevertheless benefiting from such innovation due to misappropriation.

Our use of open source software, third-party software and other intellectual property may expose us to risks.

We integrate certain open source software components from third parties into our software, and we expect to continue to use open source software in the future. Some open source software licenses require, among other things, that users who distribute or make available as a service, open source software with their own software products, add appropriate copyright notices and disclaimers, publicly disclose all or part of the source code of the users’ developed software or make available any derivative works of the open source code under open source license terms or at no cost. Our efforts to use the open source software in a manner consistent with the relevant license terms that would not require us to disclose our proprietary code or license our proprietary software at no cost may not be successful. We may face claims by third parties seeking to enforce the license terms applicable to such open source software, including by demanding the release of our proprietary source code, or we may face termination of such licenses if the owner of the open source software asserts we are in breach of its license terms. In addition, if the license terms for the open source code change or the license is terminated, we may be forced to re-engineer our software or incur additional costs. In addition, open source software typically comes without warranties or indemnities from the owner, whereas we are expected to offer our customers both. Accordingly, if there were technical problems with open source software that we used in our products, or if such open source software infringed third-party intellectual property rights, we could have a warranty obligation or infringement indemnity obligation to our customer without a corresponding warranty or indemnification obligation from the owner of the open source software. While we scan the open source software that we use in our products and patch any discovered vulnerabilities, we have no assurance that they will be free from vulnerabilities or malicious code.

Further, some of our products and services include other software or intellectual property licensed from third parties, and we also use software and other intellectual property licensed from third parties for our own business operations. This exposes us to risks over which we may have little or no control. For example, a licensor may have difficulties keeping up with technological changes or may stop supporting the software or other intellectual property that it licenses to us. There can be no assurance that the licenses we use will be available on acceptable terms, if at all. In addition, a third party may assert that we or our customers are in breach of the terms of a license, which could, among other things, give such third party the right to terminate a license or seek damages from us, or both. Our inability to obtain or maintain certain licenses or other rights or to obtain or maintain such licenses or rights on favorable terms, or the need to engage in litigation regarding these matters, could result in delays in releases of new products, and could otherwise disrupt our business, until equivalent technology can be identified, licensed or developed.

19


Risks Related to Our Ordinary Shares

Our share price may be volatile, and our shareholders may lose all or part of their investment.

From January 2018 through January 2021, our ordinary shares have traded on the Nasdaq Global Select Market, or Nasdaq, at a price per share between a range of $40.63 and $167.34. In addition, the market price of our ordinary shares could be highly volatile and may fluctuate substantially as a result of many factors, some of which are beyond our control, including, but not limited to:

actual or anticipated fluctuations in our results of operations and the results of other similar companies;

variance in our financial performance from the expectations of market analysts;

announcements by us or our competitors of significant business developments, changes in service provider relationships, acquisitions or expansion plans;

changes in the prices of our products and services or in our pricing models;

our involvement in litigation;

our sale of ordinary shares or other securities in the future;

market conditions in our industry;

changes in key personnel;

speculation in the press or the investment community;

the trading volume of our ordinary shares;

changes in the estimation of the future size and growth rate of our markets;

any merger and acquisition activities; and

general economic and market conditions.

The price of our ordinary shares could also be affected by possible sales of our ordinary shares by investors who view our Convertible Notes as a more attractive means of equity participation in our company, and by hedging and arbitrage trading activity that such investors may engage in.

In addition, the stock markets have experienced price and volume fluctuations. Broad market and industry factors may materially harm the market price of our ordinary shares, regardless of our operating performance. In the past, following periods of volatility in the market price of a company’s securities, securities class action litigation has often been instituted against that company. If we were involved in any similar litigation, we could incur substantial costs and our management’s attention and resources could be diverted, which could materially adversely affect our business.

If securities or industry analysts cease to publish research or publish inaccurate or unfavorable research reports about our business, our share price and trading volume could decline.

The trading price for our ordinary shares is affected by any research or reports that securities or industry analysts publish about us, our business or our industry. If any of the analysts who cover us or our business publish inaccurate or unfavorable research reports about us or our business, and in particular, if they downgrade their evaluations of our ordinary shares, the price of our ordinary shares would likely decline. If these analysts cease coverage of our company, we could lose visibility in the market for our ordinary shares, which in turn could cause our share price to decline. In addition, industry analysts often provide reviews of our offerings, as well as those of our competitors, and perception of our offerings in the marketplace may be significantly influenced by these reviews. If these reviews are negative, or less positive as compared to those of our competitors’ products and professional services or compared to prior reviews of our offerings, our brand may be adversely affected.

Our business could be negatively affected as a result of the actions of activist shareholders, and such activism could impact the trading value of our securities.

In recent years, U.S. and non-U.S. companies listed on securities exchanges in the United States have been faced with governance-related demands from activist shareholders, unsolicited tender offers and proxy contests. Although as a foreign private issuer we are not subject to U.S. proxy rules, responding to any action of this type by activist shareholders could be costly and time-consuming, disrupting our operations and diverting the attention of management and our employees. Such activities could interfere with our ability to execute our strategic plans. In addition, a proxy contest for the election of directors at our annual meeting would require us to incur significant legal fees and proxy solicitation expenses and require significant time and attention by management and our board of directors. The perceived uncertainties due to such actions of activist shareholders also could affect the market price of our securities.

20


As a foreign private issuer whose ordinary shares are listed on Nasdaq, we may follow certain home country corporate governance practices instead of otherwise applicable SEC and Nasdaq requirements such as Regulation FD or U.S. proxy rules and exemption from filing certain Exchange Act reports. This may result in less protection than is accorded to investors under rules applicable to domestic U.S. issuers or limit the information available to our shareholders.

As a foreign private issuer whose ordinary shares are listed on Nasdaq, we are permitted to follow certain home country corporate governance practices instead of certain rules of Nasdaq. We currently follow Israeli home country practices with regard to the quorum requirement for shareholder meetings and the requirements relating to distribution of our annual report to shareholders. As permitted under the Israeli Companies Law, 5759-1999, or the Companies Law, our articles of association provide that the quorum for any meeting of shareholders shall be at least two shareholders present in person or by proxy who hold at least 25% of the voting power of our shares instead of 33 1/3% of our issued share capital (as prescribed by Nasdaq’s rules). Further, as permitted by the Companies Law and in accordance with the generally accepted business practice in Israel, we do not distribute our annual report to shareholders but make it available through our public website. We may in the future elect to follow Israeli home country practices with regard to other matters such as director nomination procedures, separate executive sessions of independent directors and the requirement to obtain shareholder approval for certain dilutive events (such as for the establishment or amendment of certain equity-based compensation plans, issuances that will result in a change of control of the company, certain transactions other than a public offering involving issuances of a 20% or more interest in the company and certain acquisitions of the stock or assets of another company). Accordingly, our shareholders may not be afforded the same protection as provided under Nasdaq corporate governance rules. Following our home country governance practices as opposed to the requirements that would otherwise apply to a U.S. company listed on Nasdaq may provide less protection than is accorded to shareholders of domestic issuers. See “Item 16.G. Corporate Governance.”

As a foreign private issuer, we are exempt from a number of requirements under U.S. securities laws that apply to public companies that are not foreign private issuers. In particular, we are exempt from the rules and regulations under the Exchange Act related to the furnishing and content of proxy statements, and our officers, directors and principal shareholders are exempt from the reporting and short-swing profit recovery provisions contained in Section 16 of the Exchange Act. In addition, we are not required under the Exchange Act to file annual, quarterly and current reports and financial statements with the SEC, as frequently or as promptly as domestic companies whose securities are registered under the Exchange Act. We are also exempt from the provisions of Regulation FD, which prohibits issuers from making selective disclosure of material nonpublic information. Even though we intend to comply voluntarily with Regulation FD, these exemptions and leniencies will reduce the frequency and scope of information and protections to which our shareholders are entitled as investors. For so long as we qualify as a foreign private issuer, we are not required to comply with the proxy rules applicable to U.S. domestic companies, although pursuant to the Companies Law, we disclose the annual compensation of our five most highly compensated office holders (as defined under the Companies Law) on an individual basis, including in this annual report. Because of these exemptions for foreign private issuers, our shareholders do not have the same information generally available to investors holding shares in public companies that are not foreign private issuers.

Our Convertible Notes may impact our financial results, result in the dilution of existing shareholders, create downward pressure on the price of our ordinary shares, and restrict our ability to take advantage of future opportunities.

In November 2019, we issued $575.0 million aggregate principal amount of 0.00% Convertible Senior Notes due 2024, or the Convertible Notes. The sale of the Convertible Notes may affect our earnings per share figures, as accounting procedures may require that we include in our calculation of earnings per share the number of ordinary shares into which the Convertible Notes are convertible. The Convertible Notes may be converted, under the conditions and at the premium specified in the Convertible Notes, into cash and our ordinary shares, if any (subject to our right to pay cash in lieu of all or a portion of such shares). If our ordinary shares are issued to the holders of the Convertible Notes upon conversion, there will be dilution to our shareholders’ equity and the market price of our ordinary shares may decrease due to the additional selling pressure in the market. Any downward pressure on the price of our ordinary shares caused by the sale or potential sale of ordinary shares issuable upon conversion of the Convertible Notes could also encourage short sales by third parties, creating additional downward pressure on our share price.

21


In addition, in connection with the pricing of the Convertible Notes, we entered into privately negotiated capped call transactions, or the Capped Call Transactions, with certain of the purchasers of the Convertible Notes. The Capped Call Transactions cover, collectively, the number of our ordinary shares underlying the Convertible Notes, subject to anti-dilution adjustments substantially similar to those applicable to the Convertible Notes. The cost of the Capped Call Transactions was approximately $53.6 million. The Capped Call Transactions are expected generally to reduce the potential dilution to the ordinary shares upon any conversion of the Convertible Notes and/or offset any cash payments we are required to make in excess of the principal amount upon conversion of the Convertible Notes under certain events described in the Capped Call Transactions. We are subject to the risk that one or more of the counterparties to the Capped Call Transactions may default, or otherwise fail to perform, or may exercise certain rights to terminate, their obligations under the Capped Call Transactions. Our exposure will depend on many factors but, generally, our exposure will increase if the market price or the volatility of our common stock increases. Upon a default, a failure to perform or a termination of obligations by a counterparty to the Capped Call Transactions, we may suffer adverse tax consequences or experience more dilution than we currently anticipate with respect to our ordinary shares.

Furthermore, the indenture for the Convertible Notes will prohibit us from engaging in certain mergers or acquisitions unless, among other things, the surviving entity assumes our obligations under the Convertible Notes. These and other provisions in the indenture could deter or prevent a third party from acquiring us even when the acquisition may be favorable.

We currently anticipate that we will be able to rely on and to implement certain clarifications from the applicable Tax Authorities, with respect to the administration of our Israeli withholding tax obligations in relation to considerations to be paid to the holders of the Convertible Notes upon their future conversion and settlement. Unexpected failure to ultimately obtain such anticipated clarifications from the Israeli Tax Authorities could potentially result in increased Israeli withholding tax gross-up costs.

We may not have the ability to raise the funds necessary to settle conversions of the Convertible Notes, repurchase the Convertible Notes upon a fundamental change or repay the Convertible Notes in cash at their maturity, and our future debt may contain limitations on our ability to pay cash upon conversion or repurchase of the Convertible Notes.

Holders of the Convertible Notes will have the right under the indenture governing the Convertible Notes to require us to repurchase all or a portion of their Convertible Notes upon the occurrence of a fundamental change before the applicable maturity date, at a repurchase price equal to 100% of the principal amount of such Convertible Notes to be repurchased, plus accrued and unpaid interest, excluding the applicable fundamental change repurchase date, if any. Moreover, we will be required to repay the Convertible Notes in cash at their maturity, unless earlier converted, repurchased or redeemed. We may not have enough available cash or be able to obtain financing at the time we are required to make such repurchases of the Convertible Notes and/or repay the Convertible Notes upon maturity.

In addition, we have the right to elect to settle conversions of the Convertible Notes in cash. Although we entered into the Capped Call Transactions which are expected generally to offset any cash payments we are required to make in excess of the principal amount upon conversion of the Convertible Notes (subject to a cap), we may not ultimately receive such cash payments from the counterparties to the Capped Call Transactions in case of a default, a failure to perform or a termination of obligations by a relevant counterparty.

Our ability to repurchase or to pay cash upon conversion of Convertible Notes may be limited by law, regulatory authority or agreements governing our future indebtedness. Our failure to repurchase the Convertible Notes at a time when the repurchase is required by the indenture or to pay cash upon conversion of the Convertible Notes or at maturity as required by the indenture would constitute a default under the indenture. A default under the indenture or the fundamental change itself could also lead to a default under agreements governing our future indebtedness. If the payment of the related indebtedness were to be accelerated after any applicable notice or grace periods, we may not have sufficient funds to repay the indebtedness and repurchase the Convertible Notes or to pay cash upon conversion of the Convertible Notes or at maturity.

22


We may lose our foreign private issuer status, which would then require us to comply with the rules and regulations applicable to U.S. domestic issuers and cause us to incur significant legal, accounting and other expenses.

Since a majority of our voting securities are either directly or indirectly owned of record by residents of the United States, we would lose our foreign private issuer status if any of the following were to occur: (i) the majority of our executive officers or directors were U.S. citizens or residents, (ii) more than 50 percent of our assets were located in the United States, or (iii) our business was administered principally in the United States. Similarly, if we were to acquire a U.S. company in the future, it could put us at heighted risk of losing our foreign private issuer status. Although we have elected to comply with certain U.S. regulatory provisions, our loss of foreign private issuer status would make such provisions mandatory. In addition, we would lose our ability to rely on Nasdaq exemptions from certain corporate governance requirements that are available to foreign private issuers. The regulatory and compliance costs to us under U.S. securities laws as a U.S. domestic issuer may be significantly higher.

If we sell our ordinary shares in future financings, ordinary shareholders could experience immediate dilution and, as a result, the market price of our ordinary shares may decline.

We may from time to time issue additional ordinary shares at a discount from the current trading price of our ordinary shares. As a result, our ordinary shareholders would experience immediate dilution upon our issuance of any ordinary shares at such discount. In addition, as opportunities present themselves, we may enter into equity or debt financings or similar arrangements in the future, including the issuance of additional convertible debt securities, preferred shares or ordinary shares. If we issue ordinary shares or securities convertible into ordinary shares, holders of our ordinary shares could experience dilution.

If we are unable to satisfy the requirements of Sections 404(a) and 404(b) of the Sarbanes-Oxley Act of 2002 or if our internal control over financial reporting is not effective, investors may lose confidence in the accuracy and the completeness of our financial reports and the trading price of our ordinary shares may be negatively affected.

Pursuant to Section 404(a) of the Sarbanes-Oxley Act of 2002, or Sarbanes-Oxley Act, we are required to furnish a report by management on the effectiveness of our internal control over financial reporting. Additionally, pursuant to Section 404(b) of the Sarbanes-Oxley Act, we must include an auditor attestation on our internal control over financial reporting.

Our business transition into recurring revenue model will affect our internal control over financial reporting, and requires us to enhance existing, and implement new, financial reporting and management systems, procedures and controls in order to address new risks raised from our business transition to recurring revenue module and to manage our business effectively and support our growth in the future. If we identify material weaknesses in our internal control over financial reporting, if we are unable to comply with the requirements of Section 404(a) or 404(b) in a timely manner or to assert that our internal control over financial reporting is effective, or if our independent registered public accounting firm is unable to express an opinion or issues an adverse opinion in its attestation as to the effectiveness of our internal control over financial reporting required by Section 404(b), investors may lose confidence in the accuracy and completeness of our financial reports and the trading price of our ordinary shares could be negatively affected. We could also become subject to investigations by Nasdaq, the SEC or other regulatory authorities, which could require additional financial and management resources.

Our U.S. shareholders may suffer adverse tax consequences if we are classified as a “passive foreign investment company.”

Generally, if for any taxable year, after the application of certain look-through rules, 75% or more of our gross income is passive income, or at least 50% of the average quarterly value of our assets (which may be measured in part by the market value of our ordinary shares, which is subject to change) are held for the production of, or produce, passive income (as defined in the relevant provisions of the Internal Revenue Code of 1986, as amended, or the Code), we would be characterized as a “passive foreign investment company,” or PFIC, for U.S. federal income tax purposes under the Code. Based on our market capitalization and the nature of our income, assets and business, we believe that we should not be classified as a PFIC for the taxable year that ended December 31, 2020. However, PFIC status is determined annually and requires a factual determination that depends on, among other things, the composition of our income, assets and activities in each taxable year, and can only be made annually after the close of each taxable year. Furthermore, because the value of our gross assets is likely to be determined in part by reference to our market capitalization, a decline in the value of our ordinary shares may result in our becoming a PFIC. Accordingly, there can be no assurance that we will not be considered a PFIC for any taxable year. If we are a PFIC for any taxable year during which a U.S. Holder (as defined in “Item 10.E. Taxation—Certain United States Federal Income Tax Consequences”) holds our ordinary shares, certain adverse U.S. federal income tax consequences could apply to such U.S. Holder. Prospective U.S. Holders should consult their tax advisors regarding the potential application of the PFIC rules to them. See “Item 10.E. Taxation—Certain United States Federal Income Tax Consequences—Passive Foreign Investment Company Considerations.”

23


If a United States person is treated as owning at least 10% of our ordinary shares, such holder may be subject to adverse U.S. federal income tax consequences.

If a U.S. person is treated as owning (directly, indirectly or constructively) at least 10% of the value or voting power of our ordinary shares, such person may be treated as a “U.S. shareholder” with respect to each controlled foreign corporation, or CFC, in our group (if any). If our group includes one or more U.S. subsidiaries (as has been the case for 2020), certain of our non-U.S. subsidiaries will be treated as CFCs regardless of whether or not we are treated as a CFC. A U.S. shareholder of a CFC may be required to report annually and include in its U.S. taxable income its pro rata share of such CFC’s “Subpart F income,” “global intangible low taxed income” and investments in U.S. property by CFCs, regardless of whether we make any distributions. An individual who is a U.S. shareholder with respect to a CFC generally would not be allowed certain tax deductions or foreign tax credits that would be allowed to a U.S. shareholder that is a U.S. corporation. Failure to comply with these reporting obligations may subject a U.S. shareholder to significant monetary penalties and may prevent the statute of limitations with respect to such U.S. shareholder’s U.S. federal income tax return for the year for which reporting was due from starting. We cannot provide any assurances that we will be able to assist holders of ordinary shares in determining whether any of our non U.S. subsidiaries is treated as a CFC or whether any holder of ordinary shares should be treated as a U.S. shareholder with respect to any such CFC or furnish to any U.S. shareholders information that may be necessary to comply with the aforementioned reporting and tax paying obligations. The United States Internal Revenue Service provided limited guidance on situations in which investors may rely on publicly available alternative information to comply with their reporting and tax paying obligations with respect to foreign controlled CFCs. U.S. investors are strongly advised to consult their own tax advisors regarding the potential application of these rules to their investment in our ordinary shares.

We do not intend to pay dividends on our ordinary shares for the foreseeable future so any returns will be limited to changes in the value of our ordinary shares.

We have never declared or paid any cash dividends on our ordinary shares. We currently anticipate that we will retain future earnings for the development, operation, and expansion of our business and do not anticipate declaring or paying any cash dividends for the foreseeable future. Any return to shareholders will therefore be limited to the increase, if any, of our share price, which may or may not occur.

Risks Relating to Our Incorporation and Location in Israel

Our principal executive offices, substantially all of our research and development activities and other significant operations are located in Israel, and therefore, our results may be adversely affected by political, economic and military instability in Israel.

Our principal executive offices and research and development facilities are located in Israel and therefore may be influenced by regional instability and extreme security tension. Accordingly, political, economic and security conditions in Israel and the surrounding region could directly affect our business. Any political instability, terrorism, armed conflicts, cyber attacks or any other hostilities involving Israel or the interruption or curtailment of trade between Israel and its present trading partners could affect adversely our operations. Additionally, we may also be targeted by cyber terrorists specifically because we are an Israeli company. Ongoing and revived hostilities or other Israeli political or economic factors, could harm our operations and cause any future sales to decrease.

24


Our commercial insurance does not cover losses that may occur as a result of events associated with war and terrorism. Although the Israeli government currently covers the reinstatement value of direct damages that are caused by terrorist attacks or acts of war, we cannot guarantee that this government coverage will be maintained or that it will sufficiently cover our potential damages. Any losses or damages incurred by us could have a material adverse effect on our business.

Further, our operations could be disrupted by the obligations of personnel to perform military reserves service. As of December 31, 2020, approximately 35% of our personnel are based in Israel, certain of whom may be called upon to perform military reserve duty, which could materially adversely affect our business and results of operations.

Several countries restrict doing business with Israel and Israeli companies, and additional countries may impose restrictions on doing business with Israel and Israeli companies whether as a result of hostilities in the region or otherwise. In addition, there have been increased efforts by activists to cause companies and consumers to boycott Israeli goods based on Israeli government policies. Such actions, if accelerated, could adversely affect our business, financial condition and results of operations.

There is currently a level of unprecedented political instability on Israel’s domestic front. The Israeli government has been in a transitionary phase since December 2018 when the Israeli Parliament, or the Knesset, first resolved to dissolve itself and call for new general elections. Israel held general elections twice in 2019 and once again in 2020. Currently, a fourth election within a two year period is scheduled for March 23, 2021. The Knesset, for reasons related to this extended political turmoil, failed to pass a budget for the year 2020, and certain government ministries, certain of which are critical to the operation of our business, operated without necessary resources and, assuming the current political stalemate persists, may not receive sufficient funding moving forward. This political reality is further compounded by a budget deficit of NIS 160.3 billion ($50.4 billion) for the year 2020, which is roughly three times larger than in 2019 and the highest on record since Israel’s founding. Given the likelihood that the current situation will not be resolved during the next calendar year, our ability to conduct our business effectively may be adversely materially affected.

The tax benefits that are available to us require us to continue to meet various conditions and may be terminated or reduced in the future, which could increase our costs and taxes.

We were granted Approved Enterprise status under the Israeli Law for the Encouragement of Capital Investments, 5719-1959, or the Investment Law. We elected the alternative benefits program, pursuant to which income derived from the Approved Enterprise program is tax-exempt for two years and enjoys a reduced tax rate of 10.0% to 25.0% for up to a total of eight years, subject to an adjustment based on the percentage of foreign investors’ ownership. We were also eligible for certain tax benefits provided to Benefited Enterprises under the Investment Law. In March 2013, we notified the Israel Tax Authority that we apply the new tax Preferred Enterprise regime under the Investment Law instead of our Approved Enterprise and Benefited Enterprise. Accordingly, we are eligible for certain tax benefits provided to Preferred Enterprises under the Investment Law. If we do not meet the conditions stipulated in the Investment Law and the regulations promulgated thereunder, as amended, for the Preferred Enterprise, any of the associated tax benefits may be canceled, and we would be required to repay the amount of such benefits, in whole or in part, including interest and CPI linkage (or other monetary penalties). Starting from 2017, we are eligible for the Technological Preferred Enterprise regime, a sub-category of the Preferred Enterprise regime, which grants enhanced tax benefits to enterprises with significant research and development activities. Further, in the future these tax benefits may be reduced or discontinued. If these tax benefits are reduced, cancelled or discontinued, our Israeli taxable income would be subject to regular Israeli corporate tax rates which would harm our financial condition and results of operation. Additionally, if we increase our activities outside of Israel through acquisitions, for example, our expanded activities might not be eligible for inclusion under future Israeli tax benefit regimes. See “Item 5. Operating and Financial Review and Prospects—Operating Results—Israeli Tax Considerations and Government Programs—Law for the Encouragement of Capital Investments, 5719-1959.”

We may become subject to claims for remuneration or royalties for assigned service invention rights by our employees.

We enter into assignment-of-invention agreements with our employees pursuant to which such individuals agree to assign to us all rights to any inventions created in the scope of their employment or engagement with us. A significant portion of our intellectual property has been developed by our employees during the course of their employment by us. Under the Israeli Patent Law, 5727-1967, inventions conceived by an employee during the scope of his or her employment with a company are regarded as “service inventions” which belong to the employer, absent a specific agreement between the employee and employer giving the employee service invention rights. Although our employees have agreed to assign to us service invention rights, as a result of uncertainty under Israeli law with respect to service invention rights and the efficacy of related waivers, including with respect to remuneration and its extent, we may face claims demanding remuneration in consideration for assigned inventions. As a consequence of such claims, we could be required to pay additional remuneration or royalties to our current and/or former employees, or be forced to litigate such claims, which could negatively affect our business.

25


As a public company incorporated in Israel we may become subject to further compliance obligations and market trends or restrictions, which may strain our resources and divert management’s attention.

Being an Israeli publicly traded company in the United States and being subject to both U.S. and Israeli rules and regulations may make it more expensive for us to obtain directors and officers liability insurance, and we may be required to continue incurring substantially higher costs for reduced coverage. These factors could also make it more difficult for us to attract and retain qualified members of our board of directors, particularly to serve on our audit committee, and qualified executive officers. In accordance with the provisions of the Companies Law, approval of our directors and officers insurance is limited to the terms of our duly approved compensation policy, unless otherwise approved by our shareholders.

Provisions of Israeli law and our articles of association may delay, prevent or otherwise impede a merger with or an acquisition of us, even when the terms of such a transaction are favorable to us and our shareholders.

Our articles of association contain certain provisions that may delay or prevent a change of control. These provisions include that our directors (other than external directors, if applicable) are elected on a staggered basis, and therefore a potential acquirer cannot readily replace our entire board of directors at a single annual general shareholder meeting. In addition, Israeli corporate law regulates acquisitions of shares through tender offers and mergers, requires special approvals for transactions involving directors, officers or significant shareholders and regulates other matters that may be relevant to such types of transactions. See “Item 10.B. Articles of Association—Acquisitions under Israeli Law” for additional information.

Furthermore, Israeli tax considerations may make potential transactions unappealing to us or to our shareholders whose country of residence does not have a tax treaty with Israel exempting such shareholders from Israeli tax. For example, Israeli tax law does not recognize tax-free share exchanges to the same extent as U.S. tax law. With respect to mergers involving an exchange of shares, Israeli tax law allows for tax deferral in certain circumstances but makes the deferral contingent on the fulfillment of a number of conditions, including, in some cases, a holding period of two years from the date of the transaction during which sales and dispositions of shares of the participating companies are subject to certain restrictions. Moreover, with respect to certain share swap transactions, the tax deferral is limited in time, and when such time expires, the tax becomes payable even if no disposition of the shares has occurred. These provisions of Israeli law and our articles of association could have the effect of delaying or preventing a change in control in us and may make it more difficult for a third party to acquire us, even if doing so would be beneficial to our shareholders, and may limit the price that investors may be willing to pay in the future for our ordinary shares.

It may be difficult to enforce a judgment of a U.S. court against us, our officers and directors or the Israeli auditors named in this annual report in Israel or the United States, to assert U.S. securities laws claims in Israel or to serve process on our officers and directors and these auditors.

We are incorporated in Israel. The majority of our directors and executive officers, and the Israeli auditors listed in this annual report reside outside of the United States, and most of our assets and most of the assets of these persons are located outside of the United States. Therefore, a judgment obtained against us, or any of these persons, including a judgment based on the civil liability provisions of the U.S. federal securities laws, may not be collectible in the United States and may not be enforced by an Israeli court. It also may be difficult for our shareholders to effect service of process on these persons in the United States or to assert U.S. securities law claims in original actions instituted in Israel. Israeli courts may refuse to hear a claim based on an alleged violation of U.S. securities laws reasoning that Israel is not the most appropriate forum in which to bring such a claim. In addition, even if an Israeli court agrees to hear a claim, it may determine that Israeli law and not U.S. law is applicable to the claim. If U.S. law is found to be applicable, the content of applicable U.S. law must be proven as a fact by expert witnesses, which can be a time consuming and costly process. Certain matters of the procedure will also be governed by Israeli law. There is little binding case law in Israel that addresses the matters described above. As a result of the difficulty associated with enforcing a judgment against us in Israel, our shareholders may not be able to collect any damages awarded by either a U.S. or foreign court.

26


The rights and responsibilities of our shareholders are, and will continue to be, governed by Israeli law which differs in some material respects from the rights and responsibilities of shareholders of U.S. corporations.

The rights and responsibilities of the holders of our ordinary shares are governed by our articles of association and by Israeli law. These rights and responsibilities differ in some material respects from the rights and responsibilities of shareholders in U.S. corporations. In particular, a shareholder of an Israeli company has a duty to act in good faith and in a customary manner in exercising its rights and performing its obligations towards the company and other shareholders, and to refrain from abusing its power in the company, including, among other things, in voting at a general meeting of shareholders on matters such as amendments to a company’s articles of association, increases in a company’s authorized share capital, mergers and acquisitions and related party transactions requiring shareholder approval. In addition, shareholders have a general duty to refrain from discriminating against other shareholders and a shareholder who is aware that it possesses the power to determine the outcome of a shareholder vote or to appoint or prevent the appointment of a director or chief executive officer in the company has a duty of fairness toward the company with regard to such vote or appointment. There is limited case law available to assist us in understanding the nature of this duty or the implications of these provisions. These provisions may be interpreted to impose additional obligations and liabilities on holders of our ordinary shares that are not typically imposed on shareholders of U.S. corporations. See “Item 6.C. Board Practices — Approval of Related Party Transactions under Israeli Law—Fiduciary Duties of Directors and Executive Officers.”

ITEM 4.INFORMATION ON THE COMPANY

A.History and Development of the Company

Our History

CyberArk Software Ltd. was founded in 1999 with the vision of protecting high-value business data and pioneering our Digital Vault technology. That same year, we began offering our first product, the Sensitive Information Management Solution (previously called the Sensitive Document Vault), which provided a secure platform for our customers’ employees to share sensitive files. A key pillar of our strategy is innovation which began with our early vaulting technology and has enabled us to evolve into a company that provides a comprehensive solution to secure identities anchored on Privileged Access Management. In 2005, we introduced our Privileged Access Management Solution, upon which we built our leadership position in the Privileged Access Management market, providing a layer of security that protects high level and high value access across an organization. In September 2014, we listed our ordinary shares on the Nasdaq Stock Market LLC (Nasdaq). In addition to investing in organic research and development in 2015 we began to execute a merger and acquisition strategy and acquired Viewfinity, Inc., a provider of Windows least privilege management and application control software, as well as Cybertinel Ltd., a cybersecurity company specializing in cyber threat detection technology. In May 2017, we acquired Conjur Inc., a provider of DevOps security software. In March 2018, we acquired Vaultive, Ltd., a cloud security provider, and in May 2020 we acquired IDaptive Holdings, Inc., an Identity as a Service (IDaaS) provider. Based on our continued innovation, today CyberArk is the global leader in Privileged Access Management — and we are expanding our offerings to include a comprehensive and flexible set of Identity Security capabilities. We secure access for any identity – human or machine – to help organizations secure critical business assets, protect their distributed workforce and customers, and accelerate business in the cloud.

We are a company limited by shares organized under the laws of the State of Israel. We are registered with the Israeli Registrar of Companies. Our registration number is 51-229164-2. Our principal executive offices are located at 9 Hapsagot St., Park Ofer B, POB 3143, Petach-Tikva, 4951040, Israel, and our telephone number is +972 (3) 918-0000. Our website address is www.cyberark.com. Information contained on, or that can be accessed through, our website is not part of this annual report and is not incorporated by reference herein. We have included our website address in this annual report solely for informational purposes. Our SEC filings are available to you on the SEC’s website at http://www.sec.gov. This site contains reports, proxy and information statements, and other information regarding issuers that file electronically with the SEC. The information on that website is not part of this annual report and is not incorporated by reference herein. Our agent for service of process in the United States is CyberArk Software, Inc., located at 60 Wells Avenue, Newton, MA 02459, and our telephone number is (617) 965-1544.

27


Principal Capital Expenditures

Our cash capital expenditures for fiscal years 2018, 2019 and 2020 amounted to $8.6 million, $7.0 million, and $7.2 million, respectively. Capital expenditures consist primarily of investments in leasehold improvements for our office space, purchases of furniture, computers, and related equipment and internal use software capitalization. We anticipate our capital expenditures in fiscal year 2021 to be approximately 2% of revenue. We anticipate our capital expenditures in 2021 will be financed with cash on hand and cash provided by operating activities.

B.Business Overview

We are the global leader in Privileged Access Management (PAM), and we are expanding our offerings to include a comprehensive and flexible set of Identity Security capabilities. We secure access for any identity – human or machine – to help organizations secure critical business assets, protect their distributed workforce and customers, and accelerate business in the cloud. Our vision is to deliver an Identity Security portfolio that contextually authenticates each identity, dynamically authorizes the least amount of privilege required, secures credentials, and thoroughly audits the entire cycle.

With CyberArk’s Identity Security portfolio, which has a foundation in Privileged Access Management, organizations can reduce risk by securing human and machine identities with access to the “keys to the kingdom.” These “keys to the kingdom” provide complete control of IT infrastructure applications, DevOps tools, and critical business data. In the hands of malicious insiders or external attackers, the consequences to businesses can be devastating. Organizations also leverage the CyberArk Identity Security access management solutions to secure the access of workforce, partner, and customer identities and deliver operational efficiencies by replacing complex, patchworked, and siloed legacy identity and access management solutions.

Securing these human and machine identities is now more important than ever. With the rapid rise in mobile workers, hybrid and multi-cloud adoption, and digitalization of the enterprise, physical and network security barriers are less relevant at securing data and assets than ever before. Compromised identities and their associated privileges represent an attack path to an organization’s most valuable assets. Because of this, we believe that identity has become the new security perimeter and is at the foundation of Zero Trust security models. Our approach is unique as CyberArk recognizes that every identity can become privileged under certain conditions and we offer the broadest range of security controls to reduce that risk while delivering a high-quality experience to the end user.

The main pillars of our strategy include innovation, whether organically or through acquisitions, developing a meaningful layer of identity security for our customers, and executing our land and expand strategy. During 2020, we continued to add new customers and cross sell to existing customers directly and through channels. As of December 31, 2020, we had approximately 6,600 customers, including more than 50% of Fortune 500 companies and more than 35% of Global 2000 companies. We define a customer to include a distinct entity, division, or business unit of a company. Our customers include leading organizations in a diverse set of industries, including financial services, manufacturing, insurance, healthcare, energy and utilities, transportation, retail, technology, and telecommunications, as well as government agencies.

In 2021, we began to actively shift to a subscription business model and we plan to primarily sell on-premises software subscriptions, and SaaS subscriptions through our cloud-based offerings. We are focused on acquiring and retaining our customers and increasing their engagement with us through expanding the number of users who access our platform and cross-selling additional products and services. We sell our solutions through a high touch hybrid model that includes direct sales, channel sales, managed security service providers, as well as advisory firm partners.

Through CyberArk’s C3 Alliance, our global technology partner program, we bring together enterprise software, IT, Security, and cloud providers to build on the power of Identity Security to better protect customers from cyber threats. Our CyberArk Marketplace provides a trusted platform for customers to easily find and deploy integrations from the C3 Alliance, partners, and community members.

28


Industry Background

The growth of our market has several drivers based on multi-year trends, making securing the identities and their associated privileges a main focus of organizations’ security strategies.

Digital Transformation: The digitalization of business creates a larger digital landscape full of opportunities for improved engagement with customers, vendors and employees, but also greater exposure to threats. New digital technologies require expanded privileged access for both humans and machines that must be properly secured. Hybrid and multi-cloud adoption drives the need for centralized solutions that help secure privileged access, enterprise-wide. This trend has greatly accelerated because of the COVID-19 pandemic forcing large portions of the workforce to work remotely and a much larger portion of businesses to offer online options to stay viable.

Cloud and SaaS Applications: Broad acceptance and adoption of hybrid and cloud-based infrastructure, and an increasing reliance on SaaS applications, are having a significant impact on how organizations approach security. Until a few years ago, organizations would typically prioritize protection of their most critical systems and data, with a particular focus on protecting privileged access. “Privileged users” were understood at the time to be mostly IT administrators accessing shared administrative accounts in systems and applications, whereas in today’s cloud and SaaS environment, every identity can become privileged under certain conditions.

Any of the identities operating in a modern environment (such as employees, partners, IT Admins, DevOps and developers, applications or robots, vendors, or customers) might have some level of privilege that, if improperly secured, can provide an attack path into an organization's most valuable assets. This is coupled with the rapid expansion and adoption of hybrid and cloud infrastructure, applications and application programming interfaces (APIs), mobile and remote workers, and use of third parties such as vendors. We now live in a world where the number, types, and interrelationships of identities have exploded, creating new dimensions to the threat landscape.

Zero Trust Security: A traditional security approach that relies on perimeter-based security is relatively less effective and applicable nowadays, due to the expansion of the digital transformation and the use of cloud and SaaS applications or remote access. In parallel, it is has become increasingly difficult to keep attackers out of an organization’s network altogether. The expanding of both attack surface and prevalence of threats have led to a growing application of a Zero Trust approach to security.

While traditional, perimeter-based security relies on a strategy of trying to separate legitimate users from threat actors and assumes that systems and traffic within the corporate networks and datacenters can be trusted, Zero Trust assumes that the threat actors have already established a network presence and have access to the organization’s applications and systems. In a Zero Trust security model, organizations aim to have every identity authenticated and authorized before granting it access, every time.

Zero Trust is not a single technology but an approach that ensures every user’s identity is verified, their device is validated, and their access is intelligently limited to just what they need – and taken away when they no longer need it. CyberArk’s Identity Security solutions delivers a set of technologies that are foundational to adopting a Zero Trust approach.

Governance and Compliance: Industry regulations such as Sarbanes Oxley (SOX), Payment Card Industry Data Security Standard (PCI), SWIFT Customer Security Controls Framework, Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and security frameworks such as National Institute of Standards (NIST) and the Center for Internet Security (CIS) all have stringent requirements to uphold strong Identity Security controls to maintain data privacy and sovereignty.

29


Our Solutions

Our portfolio provides a complete and flexible set of Identity Security capabilities across three main areas: Privilege, Access, and DevSecOps.

image provided by client

Privilege

CyberArk’s Privileged Access Management solutions can be used to secure, manage, and monitor privileged access. Privileged accounts can be found on endpoints, in applications, and from hybrid to multi-cloud environments.

Privileged Access Manager. CyberArk Privileged Access Manager includes risk-based credential security and session management to protect against attacks involving privileged access. CyberArk’s Privileged On-Premises solution (formerly known as Core PAS) can be deployed in an on-premises data center or in a hybrid cloud or a public cloud environment, either as a perpetual license or as a subscription, including as a subscription-based SaaS solution through CyberArk Privilege Cloud.

Vendor Privileged Access Manager. CyberArk Vendor Privileged Access Manager combines Privileged Access Manager and Remote Access (formerly known as Alero) to provide fast, easy and secure privileged access to third-party vendors who need access to critical internal systems via CyberArk, without the need to use passwords. By not requiring VPNs or agents, Vendor Privileged Access Manager removes operational overhead for administrators, makes it easier and quicker to deploy and improves organizational security.

Endpoint Privilege Manager. The CyberArk Endpoint Privilege Manager SaaS service secures privileges on the endpoint (Windows servers, Windows desktops and Mac desktops) and helps contain attacks early in their lifecycle. It enables revocation of local administrator rights, while minimizing impact on user productivity, by seamlessly elevating privileges for authorized applications or tasks. Application control, with automatic policy creation, allows organizations to prevent malicious applications from executing, and runs unknown applications in a restricted mode. This, combined with credential theft protection, helps prevent malware such as ransomware from gaining a foothold and contains attacks on the endpoint.

Cloud Entitlements Manager. Introduced in 2020, CyberArk Cloud Entitlements Manager is a SaaS solution that reduces risk that arises from excessive privileges by implementing Least Privilege across cloud environments. From a centralized dashboard, Cloud Entitlements Manager provides visibility and control of permissions across an organization’s cloud landscape. Within this single display, Cloud Entitlements Manager offers automatically deployable remediations based on the principal of Least Privilege, to help organizations strategically remove excessive permissions without disrupting cloud operations.

30


Access

Following the acquisition of Idaptive in 2020, we now deliver robust Identity and Access Management as a Service (IDaaS) which provides a comprehensive Artificial Intelligence (AI)-based and security-first approach to managing identities that is both adaptive and context-aware. Idaptive has now been rebranded to CyberArk Identity and includes capabilities to secure both workforce and customer identities.

Workforce Identity offers:

Adaptive Multi-factor Authentication (MFA). Adaptive MFA enables an enterprise to enforce risk-aware and strong identity assurance controls within the organization.

Single Sign-On (SSO). SSO is the ability to use a single secure identity to access all applications and resources within an organization. CyberArk Identity enables SSO for all types of users – workforce, partners, and consumers to all types of workstations, systems, VPNs, and applications – both in the cloud and on-premises.

Application Gateway. With the CyberArk Identity Application Gateway service, customers can enable secure remote access and expand SSO benefits to on-premises web apps — like SharePoint and SAP — without the complexity of installing and maintaining VPNs.

Identity Lifecycle Management. This module enables CyberArk Identity customers to automate the joiner, mover, and leaver processes within the organization. This automation is critical to ensure that privileges don’t accumulate, and a user’s access is turned off as soon as the individual changes roles or leaves the organization.

Directory Services. Allows customers to use identity where they control it. In other words, we do not force our customers to synchronize their on-premises identities with our cloud. Our cloud architecture can work seamlessly with any existing directory, enterprise or social or a federated directory. CyberArk Identity also provides its own highly scalable and flexible directory for customers who choose to use it.

Customer Identity offers authentication and authorization services, MFA, directory, and user management to enable organizations to provide their customers with easy and secure access to websites and applications.

In alignment with our Identity Security strategy, in January 2021, we introduced new offers that will be sold as a subscription to the market for workforce users, privileged users, and external vendors. The workforce users offering includes credential vaulting and rotation, adaptive MFA, and SSO. The privileged users offering includes full credential management, session management, and Remote Access (formerly Alero). The external vendor users offering aligns to the capabilities detailed above for Vendor PAM.

DevSecOps

Our capabilities in the area of DevSecOps are focused on securing secrets used by machine identities such as applications, scripts, containers, DevOps tools, and third-party security solutions. Secrets Manager enables organizations to avoid the need to store secrets within applications and instead easily and securely access the required credentials from the CyberArk Vault. Secrets Manager supports traditional applications with its Credential Providers and dynamic applications with Conjur.

Secrets Manager Credential Providers. Credential Providers can be used to provide and manage the credentials used by third-party solutions such as security tools, RPA, and IT management software, and also supports internally developed applications built on traditional monolithic application architectures. Credential Providers works with CyberArk’s on-premises and SaaS based solutions.

Secrets Manager Conjur. For cloud-native applications built using DevOps methodologies, Conjur Enterprise provides a secrets management solution tailored specifically to the unique requirements of these environments. We also provide an open source version to better meet the needs of the developer community.

31


Our Technology

Our portfolio provides a complete and flexible set of Identity Security capabilities that leverage the following core technologies:

Secure Digital Vault Technology. Our proprietary Digital Vault technology provides a highly secure, isolated environment, independent of other software, and is engineered with multiple layers of security. Our on-premises and SaaS PAM solutions use the highly secured Digital Vault to safely store, audit and manage passwords, privileged credentials, policy information and privileged access session data.

Privileged Session Recording and Controls. Our innovative privileged session recording and control mechanisms provide the ability to isolate an organization’s IT systems from end-user desktops, while monitoring and auditing privileged session activities. The architecture blocks direct communication between an end-user’s desktop and a target system, thus preventing potential malware on the desktop from infiltrating the target system. This architecture further ensures that privileged credentials will remain protected and will not be exposed to the end-user or reach the desktop. CyberArk session monitoring solutions support native connectivity to Windows and other graphical platforms via native RDP tools and Linux/Unix using native SSH tools. Risk scoring can be applied to each recorded session, automating the review of all privileged sessions and enabling auditors to prioritize and deprioritize workloads based on risk.

Secure Remote Access. The cloud-based, multifactor authentication provided with Remote Access leverages the biometric capabilities from smartphones which in turn allows authorized remote vendors simple just-in-time secure privileged access. Once authenticated, all privileged sessions are automatically recorded for full audit and monitored in real-time.

Strong Application Authentication and Credential Management. The Secrets Manager (formerly Application Access Manager) architecture allows an organization to eliminate hard-coded application credentials, such as passwords and encryption keys, from applications and scripts. Our secure, proprietary technology permits authentication of an application during run-time, based on any combination of the application’s signature, executable path or IP address, and operating system user. Following application authentication, the authenticated application uses a secure application programming interface, or API, to request privileged account credentials during run-time and, based on the application permissions in Privileged Access Manager, up-to-date credentials are provided to the application.

Strong Endpoint Security. Our endpoint agent technology provides policy-based privilege management, application control and credential theft protection capabilities. The agent detects privileged commands, and application installation or invocation on the endpoint to validate whether it is permissible in accordance with the organization’s security policy, otherwise blocking the operation or allowing it to run in a restricted mode. Having users operate in a least privilege mode together with our agent-based technology effectively reduces the attack surface that attackers or malware can exploit. The solution leverages third-party threat and reputation information to further strengthen controls and block bad or malicious applications based on such security intelligence.

Adaptive Multi-factor Authentication. Our Adaptive Multi-factor Authentication (MFA) enforces risk-aware and strong identity assurance controls within an organization. These controls include a broad range of built-in authentication factors such as passwordless authenticators like Windows Hello and Apple TouchID, high assurance authenticators like USB security keys, and our patented Zero Sign-on certificate-based authentication.

Single Sign-on. Our Single Sign-on (SSO) solution facilities the secure access to many different applications, systems, and resources while only requiring a single authentication. Our SSO solution offers a modern identity provider supporting popular SSO protocols to any system or app that supports SAML, WS-Fed, OIDC and OAuth2 as well as an extensive application catalog with out-of-the-box integration for thousands of applications.

Our Customers

As of December 31, 2020, we had approximately 6,600 customers, including more than 50% of Fortune 500 companies and more than 35% of Global 2000 companies. Our customers include leading organizations in a diverse set of industries, including financial services, manufacturing, insurance, healthcare, energy and utilities, transportation, retail, technology and telecommunications, as well as government agencies.

Our business is not dependent on any particular customer. No customer or channel partner accounted for more than 10% of our revenues in the last three years. Our diverse global footprint is evidenced by the fact that in 2020, we generated 53.1% of our revenues from customers in the United States, 30.6% from the EMEA region and 16.3% from the rest of the world, including countries in North and South America other than the United States and countries in the Asia Pacific region.

32


Go-to-Market

Marketing

Our marketing strategy is focused on building our brand strength, communicating the benefits of our solutions, developing leads, and increasing sales to existing customers. We market ourselves as the global leader in Identity Security. Centered on Privileged Access Management, we provide comprehensive security solutions for any identity – human or machine – across business applications, distributed workforces, hybrid cloud workloads, and throughout DevOps pipelines. The world’s leading organizations trust CyberArk to help secure their most critical assets. We execute our strategy by leveraging a combination of internal marketing professionals and a network of channel partners to communicate the value proposition and differentiation for our products, generating qualified leads for our sales force and channel partners. Our marketing efforts also include public relations in multiple regions and extensive content development available through our website. We are focused on ongoing thought-leadership campaigns to reinforce our positioning as the Identity Security leader.

In 2020, our marketing investments and campaigns were adjusted to match our customers’ and prospects’ “new normal” of remote work and online engagement versus in-person trade shows, regional events, and in-person meetings. For example, in June 2020 we held our 14th annual Impact User Conference entirely online. This immersive digital experience attracted more than 11,000 registered attendees and delivered over 40 keynotes, breakout, and training sessions — a record over previous years. Additional adjustments included replacing in person regional events with regional online experiences as well in increased investment and focus on digital marketing channels. We believe that just as parts of the new normal for our customers and prospects will be permanent, our investments, experience, and focus on online events and digital marketing will become a permanent focus of our marketing mix going forward.

Sales

We believe that our hybrid sales model, which combines the leverage of high touch, channel sales with the account control of direct sales, has played an important role in the growth of our customer base to date. We maintain a highly trained sales force that is responsible for developing and closing new business, the management of relationships with our channel partners and the support and expansion of relationships with existing customers. Our sales organization is organized by geographic regions, consisting of the Americas, EMEA and Asia Pacific and Japan regions. As of December 31, 2020, our global network of channel partners consisted of more than 450 resellers, distributors, and managed service providers. Our channel partners generally complement our sales efforts by helping identify potential sales targets, maintaining relationships with certain customers and introducing new products to existing customers and offering post-sale professional services and technical support. In 2020, we generated approximately 33% of our revenues from direct sales from our field offices located throughout the world. Approximately 45% of our sales in the United States are direct while most of our sales in the EMEA and APJ regions and the rest of the world are through channel partners. We work with many global systems integration partners and several leading regional security value added resellers, such as Optiv Security Inc., Merlin International, Computacenter PLC, Netpoleon, SHI, M.Tech and Guidepoint Security. These companies were each among our top 15 channel partners in 2019 and 2020 by revenues and we have derived a meaningful amount of revenues from sales to each of them during the last two years. Further, we work with advisory firms such as Deloitte and KPMG in marketing our solutions and providing implementation services to our customers. We also have a joint business relationship contract with PricewaterhouseCoopers LLP in which we may engage in co-marketing and associated co-delivery of solutions and implementation services.

Our sales cycle varies by size of the customer, the number of products purchased and the complexity of the customer’s IT infrastructure, ranging from several weeks for incremental sales to existing customers to several months for large deployments. We also typically experience seasonality in our sales, particularly demonstrated by increased sales in the last month of a quarter and the last quarter of the year. To support our broadly dispersed global channel and customer base, as of December 31, 2020, we had sales personnel in 38 countries. We plan to continue investing in our sales organization to support both the growth of our channel partners and our direct sales organization.

33


Services

Subscription and Software as a Service

In 2021, we plan to actively transition our business to a recurring revenue model by shifting our sales from perpetual licenses to recurring subscriptions. Our subscriptions include on-premises and SaaS subscriptions of our software solutions.

Maintenance and Support

Our maintenance and support program provides all customers who purchase maintenance and support in conjunction with their perpetual licenses, and on-premises and SaaS subscriptions, the right to software bug repairs, the latest system enhancements, and updates on an if-and-when available basis during the maintenance period, and access to our technical support services. Customers who purchase maintenance and support in conjunction with their initial perpetual license purchase typically buy for one year or, to a lesser extent, three years, and can subsequently continue to renew maintenance and support for additional one- or three-year periods. These two alternative maintenance and support periods are common in the software industry. Customers typically pay for each alternative in full at the beginning of their terms. Most of our software maintenance and support contracts sold are for a one-year term. For example, for the years 2018 through 2020, approximately 83% of the renewal contracts were for a one-year term.

Our technical support services are provided to perpetual and subscription customers via our online support center, which enables customers to submit new support queries and monitor the status of open and past queries. Our online support system also provides customers with access to our CyberArk Knowledge Base, an online user-driven information repository that provides customers the ability to address their own queries. Additionally, we offer email and telephone support during business hours to customers that purchase a standard support or subscription package and 24/7 availability to customers that purchase our 24/7 support or subscription package.

Our global customer support organization has expertise in our software and how it interacts with complex IT environments. When sales are made to customers directly, we typically also provide any necessary maintenance and support pursuant to a maintenance and support contract directly with the customer. We typically provide all levels of support directly to our customers. However, when sales are made through channels, the channel partner may provide the first and second level support, and we typically provide third level support if the issue cannot be resolved by the channel partner.

Professional Services

Our products are designed to allow for online trials, or to allow customers to download, install and deploy them on their own or with training and professional assistance. Our solutions are highly configurable, and many customers will select either one of our many trained channel partners or our CyberArk Security Services team to provide expert professional services. Our Security Services team can be contracted to assist customers in planning, installing, and configuring our solution to meet the needs of their security and IT environment, and provide technical account management services. Our Security Services team provides ongoing consulting services regarding best practices for achieving Identity Security, and recommended ways to implement our solutions to meet specific customer requirements. Additionally, they share best practices associated with Identity Security to educate customers and partners on such best practices through virtual classroom, live face-to-face, or self-paced classes.

New for 2020, we delivered the Blueprint for Privileged Access Management and will be broadening the Blueprint to Identity Security in 2021. The most comprehensive program of its kind, CyberArk Blueprint is designed to help customers take a future-proof, phased and measurable approach to reducing Identity Security risks.

Based on the experience of the CyberArk Labs and Red Team (CyberArk teams involved in cyber security research) and incident response engagements, nearly every targeted attack follows a similar pattern of identity and privileged credential compromise. These patterns influenced CyberArk Blueprint’s three guiding principles, which are foundational to the program: prevent credential theft; stop lateral and vertical movement; and limit privilege escalation and abuse.

The CyberArk Blueprint uses a simple, prescriptive approach based on these guiding principles to reduce risk across five stages of Identity Security maturity. Customers benefit from being able to prioritize quick wins, progressively address advanced Identity Security use cases, and align security controls to digital transformation efforts across hybrid environments.

34


Research and Development

Continued investment in research and development is critical to our business. Our research and development efforts are focused primarily on improving and continuing to enhance existing products and services, as well as developing new products, features and functionality to meet market needs. We believe the timely development of new products and capabilities is essential to maintaining our competitive position. We regularly release new versions of our software which incorporate new features and enhancements to existing features. We also maintain a dedicated CyberArk Labs team that researches reported cyber-attacks, the attackers’ techniques and post-exploit methods that lead to new security development initiatives for our products and provides thought-leadership on new product capabilities and targeted attack mitigation.

As of December 31, 2020, we had 464 employees focused on research and development. We conduct our research and development activities primarily in Israel, as well as in the United States, India and Ukraine. We believe this provides us with access to world class engineering talent. Our research and development expenses were $57.1 million, $72.5 million, and $95.4 million in 2018, 2019 and 2020, respectively.

Intellectual Property

We rely on a combination of patent, trademark, copyright and trade secret laws, confidentiality procedures and contractual provisions to protect our technology and the related intellectual property.

As of December 31, 2020, we had 84 issued patents in the United States, and 59 pending U.S. patent applications. We also had 37 issued patents and 25 applications pending for examination in non-U.S. jurisdictions, all of which are counterparts of our U.S. patent applications. We expect to file additional patent applications in the future.

The inventions for which we have sought patent protection relate to current and future elements of our products and technology. The following list of products identifies some of those with patent-protected features, but other products may also be protected by one or more patents: Digital Vault, Discovery & Audit tool, Privileged Threat Analytics, Privileged Session Manager, Endpoint Privilege Manager, Secrets Manager and CyberArk Identity.

We generally enter into confidentiality agreements with our employees, consultants, service providers, resellers and customers and generally limit internal and external access to, and distribution of, our proprietary information and proprietary technology through certain procedural safeguards. These agreements and measures may not effectively prevent unauthorized use or disclosure of our intellectual property or technology and may not provide an adequate remedy in the event of unauthorized use or disclosure of our intellectual property or technology.

Our industry is characterized by the existence of many relevant patents and frequent claims and related litigation regarding patent and other intellectual property rights. Leading companies in the security industry have extensive patent portfolios. As our market position continues to grow, we believe that competitors will be more likely to try to develop products that are like ours and that may infringe our proprietary rights. It may also be more likely that competitors or third parties will claim that our products infringe their proprietary rights. From time to time, third parties have asserted and may assert their patent, copyright, trademark and other intellectual property rights against us, our channel partners, users, or customers, whom our standard license and other agreements may obligate us to indemnify against such claims under certain circumstances. Successful claims of infringement or misappropriation by a third party could prevent us from developing, distributing, licensing, using certain products, performing certain services or could require us to pay substantial damages (including, for example, treble damages if we are found to have willfully infringed patents and increased statutory damages if we are found to have willfully infringed copyrights), royalties or other fees. Such claims also could require us to expend additional development resources to attempt to redesign our products or services or otherwise to develop non-infringing technology; enter into potentially unfavorable royalty or license agreements to obtain the right to use necessary technologies or intellectual property rights; and to indemnify our customers and partners (and parties associated with them). Even if third parties may offer a license to their technology, the terms of any offered license may not be acceptable, and the failure to obtain a license or the costs associated with any license could cause our business, results of operations or financial condition to be materially and adversely affected.

35


Competition

The IT security market in which we operate is characterized by intense competition, constant innovation, rapid adoption of different technological solutions and services, and evolving security threats. We compete with a multitude of companies that offer a broad array of IT security products that employ different approaches and delivery models to address these evolving threats.

Our current competitors in the Privileged Access Management market include BeyondTrust Corporation, NortonLifeLock, Inc. (acquired by Broadcom Inc.), One Identity LLC and Thycotic Software Ltd., some of which may offer solutions at lower price points. Further, we may face competition due to changes in the manner that organizations utilize IT assets and the security solutions applied to them, such as the provision of Privileged Access Management functionalities as part of public cloud providers’ infrastructure offerings, or cloud-based identity management solutions. With the acquisition of Idaptive and our strategy to provide customers with a comprehensive identity security portfolio, and our DevOps security solution, some of the functionality offered in our products may compete with certain solutions in the market such as solutions from Okta Inc., Microsoft Corporation or HashiCorp, Inc. In addition, limited IT budgets may also result in competition with providers of other advanced threat protection solutions such as Palo Alto Networks, CrowdStrike Holdings, Inc. and NortonLifeLock, Inc. We also may compete, to a certain extent, with vendors that offer products or services in adjacent or complementary markets to Privileged Access Management, including identity management vendors and cloud platform providers such as Amazon Web Services, Google Cloud Platform, and Microsoft Azure.

The principal competitive factors in our market include:

the breadth and completeness of a security solution;

reliability and effectiveness in protecting, detecting and responding to cyber attacks;

analytics and accountability at an individual user level;

ability of customers to achieve and maintain compliance with compliance standards and audit requirements;

strength of sale and marketing efforts, including advisory firms and channel partner relationships;

global reach and customer base;

scalability and ease of integration with an organization’s existing IT infrastructure and security investments;

brand awareness and reputation;

innovation and thought leadership;

quality of customer support and professional services;

speed at which a solution can be deployed and implemented; and

price of a solution and cost of maintenance and professional services.

We believe we compete favorably with our competitors based on these factors. However, some of our current competitors may enjoy potential competitive advantages, such as greater name recognition, longer operating history, larger market share, larger existing user base and greater financial, technical, and other resources.

Properties

Our corporate headquarters are in Petach Tikva, Israel in an office consisting of approximately 139,100 square feet to which we moved in September 2017. The current lease expires in June 2022 with an extension option for two successive one-year periods. Our U.S. headquarters are in Newton, Massachusetts in an office consisting of approximately 32,463 square feet. The lease expires in June 2026 with an extension option for the entire premises through 2034. We maintain additional offices in the U.K., Singapore, France, Germany, Australia, Japan, India, Italy, Netherlands, Spain, Denmark, Poland, Kiev and Turkey. We believe that our facilities are sufficient to meet our current needs and that if we require additional space to accommodate our growth, we will be able to obtain additional facilities on commercially reasonable terms.

36


Internal Cybersecurity

As we offer Identity Security solutions and services, we are sensitive to potential cyber-attacks that may result in unauthorized access to our information and potentially that of our customers. We are also aware that, being an Israeli company, we may be targeted by cyber terrorists and nation-state actors. Any actual or perceived breach of our networks, systems or data may have an adverse impact on the market perception of our solutions and services and may expose us to potential liability.

For more information regarding the risks involved with cybersecurity, see “Item 3.D. Risk Factors— Our reputation and business could be harmed due to real or perceived vulnerabilities in our solutions or services or the failure of our customers or third parties to correctly implement, manage and maintain our solutions, resulting in loss of customers, enforcement actions, lawsuits or financial losses.” and “—If our internal IT network system, or those of third party service providers associated with us, is compromised by cyber attacks or other data breaches, or by a critical system failure, our reputation, financial condition and operating results could be materially adversely affected.”

We are focused on continuously implementing and maintaining technologies and solutions to assist in the prevention of potential cyber-attacks, as well as protective measures and contingency plans in the event of an actual attack. We maintain cybersecurity risk management policies and procedures, including internal controls, audits and disclosure protocols for handling and responding to cybersecurity events. These policies and procedures include internal notifications and engagements and, as necessary, cooperation with law enforcement. Our controls are designed to limit and monitor access to our systems, networks, and data, prevent inappropriate or unauthorized access or modification, and monitor for threats or vulnerabilities. We conduct periodic trainings for our employees, including on phishing, malware and other cybersecurity risks and we have mechanisms in place designed to promote rapid internal reporting of potential or actual cybersecurity breaches.

We have also made significant investments in technical and organizational measures to establish and manage compliance with laws and regulations governing our data protection activities (such as GDPR), which enhance our data protection and cybersecurity. Furthermore, we monitor cybersecurity risks, certifications or assessments at our third-party cloud infrastructure providers and other IT service providers and reevaluate those contractual relationships as appropriate.

The audit committee of our board periodically reviews our cybersecurity risks and controls with senior management, keeping our board informed of key issues. We periodically review and modify our cybersecurity risk management policies and procedures to reflect changes in technology, the regulatory environment, industry and security practices and other business needs.

Government Regulations

For information regarding the material effects of government regulations, see “—Industry Background” above, “Item 3.D. Risk Factors— The dynamic legal and regulatory environment around privacy, data protection, cross-border data flows, and cloud computing may limit the offering, use and adoption of, or require modification of, our products and services, which could limit our ability to attract new customers and support our current customers, or we could be subject to investigations, litigation, or enforcement actions alleging that we fail to comply with the regulatory requirements thus harming our operating results and adversely affecting our business,” “—We are subject to a number of regulatory and geopolitical risks, associated with global sales and operations, which could materially affect our business,” and “The tax benefits that are available to us require us to continue to meet various conditions and may be terminated or reduced in the future, which could increase our costs and taxes,” and “Item 5. Operating and Financial Review and Prospects—Operating Results—Israeli Tax Considerations and Government Programs.”

Legal Proceedings

See “Item 8.A. Consolidated Statements and Other Financial Information—Legal Proceedings.”

C.Organizational Structure

The legal name of our company is CyberArk Software Ltd. and we are organized under the laws of the State of Israel.

37


The following table sets forth our key subsidiaries all of which are 100% owned directly or indirectly by CyberArk Software Ltd.:

Name of Subsidiary

Place of Incorporation

CyberArk Software, Inc.

Delaware, United States

Cyber-Ark Software (UK) Limited

United Kingdom

CyberArk Software (Singapore) PTE. LTD.

Singapore

CyberArk Software (DACH) GmbH

Germany

CyberArk Software Italy S.r.l.

Italy

CyberArk Software (France) SARL

France

CyberArk Software (Netherlands) B.V.

Netherlands

CyberArk Software (Australia) Pty Ltd.

Australia

CyberArk Software (Japan) K.K.

Japan

CyberArk Software Canada Inc.

Canada

CyberArk USA Engineering, LP

Delaware, United States

CyberArk Software (Spain), S.L.

Spain

IDaptive India Private Limited

India

IDaptive Europe Limited

United Kingdom

D.Property, Plant and Equipment

See “Item 4.B.—Business Overview—Properties” for a discussion of property, plant and equipment.

ITEM 4A.UNRESOLVED STAFF COMMENTS

Not applicable.

ITEM 5.OPERATING AND FINANCIAL REVIEW AND PROSPECTS

For a discussion related to our financial condition, changes in financial condition, and the results of operations for the year ended December 31, 2018 and comparison of the years ended December 31, 2018 and 2019, see “Item 5. Operating and Financial Review and Prospects” in our annual report on Form 20-F for the fiscal year ended December 31, 2019 filed with the SEC on March 5, 2020.

Company Overview

CyberArk is the global leader in Privileged Access Management (PAM), and we are extending our leadership in PAM to offer the most complete and flexible set of Identity Security capabilities. We secure access for any identity – human or machine – to help organizations secure critical business assets, protect their distributed workforce and customers, and accelerate business in the cloud. CyberArk’s vision is to deliver an Identity Security portfolio that contextually authenticates each identity, dynamically authorizes the least amount of privilege required, secures credentials, and thoroughly audits the entire cycle – giving organizations peace of mind to drive their businesses fearlessly forward.

With CyberArk’s Identity Security portfolio, which has a foundation in Privileged Access Management, organizations can reduce risk by securing human and machine identities with access to the “keys to the kingdom.” These “keys to the kingdom” provide complete control of IT infrastructure applications, DevOps tools, and critical business data. In the hands of malicious insiders or external attackers, the consequences to businesses can be devastating. Organizations also leverage the CyberArk Identity Security access management solutions to secure the access of workforce, partner, and customer identities and deliver operational efficiencies by replacing complex, patchworked, and siloed legacy identity and access management solutions.

Securing these human and machine identities is now more important than ever. With the rapid rise in mobile workers, hybrid and multi-cloud adoption, and digitalization of the enterprise, physical and network security barriers are less relevant at securing data and assets than ever before. Compromised identities and their associated privileges represent an attack path to an organization’s most valuable assets. Because of this, we believe that identity has become the new security perimeter and is at the foundation of Zero Trust security models. Our approach is unique since CyberArk recognizes that every identity can become privileged under certain conditions and we offer the broadest range of security controls to reduce risk while delivering a high-quality experience to the end user.

38


Prior to 2020, we primarily derived our revenues by licensing our cybersecurity software, selling maintenance and support contracts, and providing professional services to the extent requested by customers. In 2021, we began to actively transition our business to a recurring revenue model by shifting our sales from perpetual licenses to recurring subscriptions. Our subscriptions include on-premises and SaaS subscriptions of our software solutions. For the full year 2020, we increased our annual recurring revenue (ARR) by 43% to $274 million. The majority of the growth in ARR was driven by on-premises and SaaS subscriptions revenue.

We have experienced significant growth over the last several years, as evidenced by a compound annual growth rate in revenues of 16.3% from 2018 to 2020. We have also increased our number of employees and subcontractors from 1,146 as of December 31, 2018 to 1,689 as of December 31, 2020. We intend to continue to execute on our strategy of growing our business to meet the needs of our customers and to pursue opportunities in new and existing verticals, geographies, and products. We intend to continue to invest in the development of our sales and marketing teams, with a particular focus on expanding our channel partnerships, targeting new customers, creating technology partnerships and expanding our sales to existing customers.

We also plan to continue to invest in research and development in order to continue to develop technology to protect modern enterprises from Identity Security risk from hybrid to cloud-native environments. During the years ended December 31, 2018, 2019 and 2020, our revenues were $343.2 million, $433.9 million and $464.4 million, respectively, representing year-over-year growth of 26.4% and 7.0% in 2019 and 2020, respectively, and with maintenance and professional services comprising 45.2% and 51.3% of our revenues in 2019 and 2020, respectively. Our net income (loss) for the years ended December 31, 2018, 2019 and 2020 was $47.1 million, $63.1 million and $(5.8) million, respectively.

Key Performance Indicators and Recent Business Developments

As we look at our business, we continue to benefit from strong industry tailwinds around digital transformation, cloud migration and enhanced cybersecurity requirements. The COVID-19 pandemic accelerated these trends. At the same time, organizations around the world, including CyberArk, have had to respond to the global pandemic and adjust operations to a remote work environment. From a business perspective, the health and safety of our employees and community of customers and partners remain our top priority.

We responded quickly to the COVID-19 pandemic by:

Delivering strong customer support remotely while continuing to provide 24/7 service and ensuring customers and partners had the support resources required to keep their businesses up and running;

Offering at no cost our Remote Access solution, formerly known as Alero, our SaaS solution for remote access, for employees and contractors to securely access CyberArk through biometric authentication without a VPN;

Providing our entire global workforce the ability to work securely from home;

Adjusting and delivering all of our security services remotely, including Consulting, Implementation, Program Delivery, Red Teaming, Cloud and Education Services;

Increasing our level of virtual employee engagement and communication;

Transitioning our sales team to virtual engagements; and

Shifting our marketing to digital programs.

In addition, the COVID-19 pandemic did impact our new business sales process, which was transformed from in person engagements to online engagements, product demonstrations and proof of concepts. We experienced slower progression of new business deals through the pipeline and smaller initial new business deal sizes in 2020, as many customers limited their purchases to only address immediate needs given the economic uncertainty created by the COVID-19 pandemic. This trend contributed to our lower percentage of license revenue from new customers in 2020 compared with prior years. Lastly, we experienced lower travel related expenses during 2020 as the majority of our business was conducted virtually given the global lockdowns and COVID-19 related travel restrictions. We expect that over time our travel related expenses will increase as travel restrictions begin to be lifted.

39


In 2020, we also began to experience a shift in customer preferences toward more recurring subscriptions for our software solutions including on-premises and SaaS subscriptions. Revenue recognition for our subscription offerings is more ratable compared to sales of perpetual licenses, which have a higher percentage of revenue recognized upfront. This shift in the mix of our business toward more recurring revenues, or subscriptions, impacted our revenues, profitability and cash flow provided by operating activities during the full year 2020. In early 2021, we began to actively transition our business to a recurring revenue model by incentivizing our team to shift our sales from perpetual licenses to recurring subscriptions, including both SaaS and on-premises subscriptions. As part of the active transition of our business, we expect our revenues, operating income, net income (loss) and cash flow provided by operating activities to be impacted by the increase in ratable revenue recognition related to our subscription offerings. We also expect that maintenance revenues associated with perpetual license contracts will decline over the long term as we sell less perpetual licenses. In addition, we anticipate that the shift toward a recurring revenue business will result in an increase in annual payment terms for our customer contracts, which is customary in a subscription business model, and will have an impact on our cash flow provided by operating activities. Over the long term, we expect the transition to a recurring revenue model to result in higher visibility and stronger durability of our business. The subscription business model transition is also directly aligned with the broad market trends related to digital transformation and cloud migration as well as our identity security strategy.

As we move forward with the transition, we are focusing on the following metrics to evaluate the health of our business:

Year ended December 31,

2018

2019

2020

 

($ in thousands)

ARR (as of period-end)

$

143,026

$

192,047

$

273,961

 

Recurring Revenue

$

134,894

$

175,655

$

247,322

 

Total deferred revenues (as of period-end)

$

149,534

$

190,355

$

242,508

ARR. Annual recurring revenue (ARR) is a performance indicator that provides more visibility into the growth of our recurring business. ARR is defined as the annualized value of active SaaS, subscription or term-based license and maintenance contracts in effect at the end of the reported period. ARR should be viewed independently of revenue and deferred revenues as it is an operating measure and is not intended to be combined with or to replace either of those items. ARR provides management with more visibility into our revenue stream for the upcoming year. This visibility allows us to make informed decisions about our capital allocation and level of investment.

Recurring Revenue. Recurring revenue refers to the portion of our total revenue that includes our SaaS subscriptions, on-premises subscription and recurring maintenance revenues related to our perpetual license contracts. Management monitors the growth of our recurring revenue as we move through the transition to evaluate the pace of our transition to a recurring revenue model and the health of our business. Recurring revenue also provides enhanced visibility and predictability of future revenue.

Total Deferred Revenues. Our total deferred revenues consist of maintenance and support and professional services that have been invoiced and collected but that have not yet been recognized as revenues because they do not meet the applicable criteria, and of SaaS contracts, where there are unconditional rights for a consideration, that have been invoiced but have not yet been recognized. In 2020, an increasing percentage of our total deferred revenues and the substantial portion of our deferred revenues growth was related to SaaS contracts that have not been recognized. Management monitors our total deferred revenues because they represent a significant portion of revenues to be recognized in future periods. The material factors driving changes in our license revenues are discussed under “—Comparison of Period to Period Results of Operations.”

40


A.Operating Results

The following discussion and analysis should be read in conjunction with the section titled “Key Performance Indicators and Recent Business Developments” of this annual report and our consolidated financial statements and the related notes contained elsewhere in this annual report. This discussion and analysis may contain forward-looking statements based upon current expectations that involve risks and uncertainties. Our actual results may differ materially from those anticipated in these forward-looking statements as a result of various factors, including those set forth in “Item 3.D. Risk Factors” of this annual report. Our financial statements have been prepared in accordance with U.S. GAAP.

Components of Statements of Operations

Revenues

Our revenues consist of the following:

License Revenues. License revenues include perpetual licenses, the license portion of on-premises subscription contracts as well as SaaS revenues recognized during the reported period. License revenues are generated primarily from sales of our Privileged Access Manager, Endpoint Privilege Manager, Secrets Manager and CyberArk Identity solutions. The substantial majority of our license revenues has been from sales of our Privileged Access Manager. We are seeing an increasing percentage of our business coming from our SaaS solutions, including Privilege Cloud, Endpoint Privilege Manager and CyberArk Identity, which have ratable revenue recognition, increasing our deferred revenues that will be recognized over time. We expect revenues from SaaS and on-premises subscriptions to become a larger percentage of our total revenues. Privileged Access Manager and CyberArk Identity are both licensed per user. Endpoint Privilege Manager is licensed by target system (workstations and servers). Secrets Manager has two different licensing approaches based on the types of applications being secured. The first model is licensed by agent for mission-critical and static applications and the second model is licensed by site/region for more dynamic cloud native applications and DevOps pipelines.

Maintenance and Professional Services Revenues. Maintenance revenues are generated from maintenance and support contracts purchased by our customers in order to gain access to the latest software enhancements and updates on an ‘if and when available’ basis and to telephone and email technical support. Maintenance Revenues includes the maintenance associated with both our perpetual and on premises subscription license contracts. We expect the growth rate in our maintenance revenue to decline in the near term and eventually to decline in absolute dollars over the long term as we transition towards selling more SaaS subscriptions and less perpetual licenses. We also offer professional services for consulting, deployment and training of our customers to fully leverage the use of our products.

Geographic Breakdown of Revenues

The United States is our biggest market, with the balance of our revenues generated from the EMEA region and the rest of the world, which includes Canada, Central and South America, and the Asia Pacific and Japan region. The following table sets forth the geographic breakdown of our revenues by region for the periods indicated:

Year ended December 31,

2018

2019

2020

Amount

% of

Revenues

Amount

% of

Revenues

Amount

% of

Revenues

($ in thousands)

United States

$

187,704

54.7

%

$

233,945

53.9

%

$

246,811

53.1

%

EMEA

112,086

32.7

%

129,730

29.9

%

141,866

30.6

%

Rest of World

43,409

12.6

%

70,220

16.2

%

75,754

16.3

%

 

Total revenues

$

343,199

100.0

%

$

433,895

100.0

%

$

464,431

100.0

%

41


Cost of Revenues

Our total cost of revenues consists of the following:

Cost of License Revenues. Cost of license revenues consists primarily of amortization of intangible assets, cloud infrastructure costs, personnel costs for our global cloud organization that consist primarily of salaries, benefits, bonuses and share-based compensation, depreciation of internal use software capitalization, costs incurred by third-party software vendors and shipping costs associated with delivery of our software. As we shift more of our sales to SaaS offerings, we expect the absolute cost of license revenues and the cost of revenues as a percentage of revenue to increase.

Cost of Maintenance and Professional Services Revenues. Cost of maintenance and professional services revenues primarily consists of personnel costs for our global customer support and professional services organization. Such costs consist primarily of salaries, benefits, commissions, bonuses, share-based compensation and subcontractors’ fees. We expect the absolute cost of maintenance and professional services revenues to increase as our customer base grows and as we hire additional professional services and technical support personnel.

Gross Profit and Gross Margin

Gross profit is total revenues less total cost of revenues. Gross margin is gross profit expressed as a percentage of total revenues. Our gross margin has historically fluctuated from period to period as a result of changes in the mix of license revenues and maintenance and professional services revenues, and we expect this pattern to continue as we shift more of our sales to subscription, particularly as the mix of our business will include more SaaS based revenues.

Operating Expenses

Our operating expenses are classified into three categories: research and development, sales and marketing and general and administrative. For each category, the largest component is personnel costs, which consists primarily of salaries, employee benefits (including commissions and bonuses) and share-based compensation expense. Operating expenses also include software and related expenses and allocated overhead costs for facilities and office expenses as well as depreciation and amortization. Allocated costs for facilities and office expenses primarily consist of rent, office maintenance and utilities and office supplies. We expect personnel and all allocated costs to continue to increase in absolute dollars as we hire new employees and add facilities to continue to grow our business.

Research and Development. Research and development expenses consist primarily of personnel costs attributable to our research and development personnel and consultants as well as allocated overhead costs and software and related expenses. We continue to expect that our research and development expenses will continue to increase in absolute dollars and at least in line with our revenue growth rate as we continue to grow our research and development headcount to further strengthen our technology platform and invest in the development of both existing and new products.

Sales and Marketing. Sales and marketing expenses are the largest component of our operating expenses and consist primarily of personnel costs, including variable compensation, as well as marketing programs and business development costs, travel expenses, allocated overhead costs and depreciation and amortization of intangibles assets. We expect that sales and marketing expenses will continue to increase in absolute dollars and at least in line with our revenue growth rate as we plan to expand our sales and marketing efforts globally. We continue to expect sales and marketing expenses will remain our largest category of operating expenses.

General and Administrative. General and administrative expenses consist primarily of personnel costs for our executive, finance, human resources, legal and administrative personnel. General and administrative expenses also include insurance premiums and external legal, accounting and other professional service fees. We continue to expect that general and administrative expense will increase in dollars and at least in line with our revenue growth rate as we grow and expand our operations and operate as a public company, including higher corporate insurance premiums, investor relations and accounting expenses, and the additional costs relating to our ongoing regulatory compliance efforts.

42


Financial Income (Expense), Net

Financial income (expense), net consists of mainly interest income, foreign currency exchange gains or losses, amortization of debt discount and issuance costs and foreign exchange forward transactions expenses. Interest income consists of interest earned on our cash, cash equivalents, short and long-term bank deposits and marketable securities. We expect interest income to vary depending on our average investment balances and market interest rates during each reporting period. Foreign currency exchange changes reflect gains or losses related to transactions denominated in currencies other than the U.S. dollar.

Taxes on Income

The ordinary corporate tax rate in Israel is 23.0%.

As discussed in greater detail below under “Israeli Tax Considerations and Government Programs”, we have been entitled to various tax benefits under the Investment Law. Under the Investment Law, our tax rate to be paid with respect to our eligible Israeli taxable income under these benefits programs is generally 12.0%.

Under the Investment Law and other Israeli legislation, we are entitled to certain additional tax benefits, including accelerated deduction of research and development expenses, accelerated depreciation and amortization rates for tax purposes on certain intangible assets and deduction of public offering expenses in three equal annual installments.

Our non-Israeli subsidiaries are taxed according to the tax laws in their respective jurisdictions of tax residency. Due to our multi-jurisdictional operations, we apply significant judgment to determine our consolidated income tax position.

Comparison of Period to Period Results of Operations

The following table sets forth our results of operations in dollars and as a percentage of revenues for the periods indicated:

Year ended December 31,

2018

2019

2020

Amount

% of Revenues

Amount

% of Revenues

Amount

% of Revenues

($ in thousands)

Revenues:

License

$

192,514

56.1

%

$

237,879

54.8

%

$

226,113

48.7

%

Maintenance and professional services

150,685

43.9

196,016

45.2

238,318

51.3

 

Total revenues

343,199

100.0

433,895

100.0

464,431

100.0

 

 

Cost of revenues:

License

10,526

3.1

10,569

2.4

19,341

4.2

Maintenance and professional services

37,935

11.0

52,046

12.0

63,230

13.6

 

Total cost of revenues

48,461

14.1

62,615

14.4

82,571

17.8

 

Gross profit

294,738

85.9

371,280

85.6

381,860

82.2

 

Operating expenses:

Research and development

57,112

16.6

72,520

16.7

95,426

20.5

Sales and marketing

148,290

43.2

184,168

42.4

219,999

47.4

General and administrative

42,044

12.3

52,308

12.1

60,429

13.0

 

Total operating expenses

247,446

72.1

308,996

71.2

375,854

80.9

 

Operating income

47,292

13.8

62,284

14.4

6,006

1.3

Financial income (expense), net

4,551

1.3

7,800

1.8

(6,395

)

(1.4

)

 

Income (loss) before taxes on income

51,843

15.1

70,084

16.2

(389

)

(0.1

)

Taxes on income

(4,771

)

(1.4

)

(7,020

)

(1.6

)

(5,369

)

(1.2

)

 

Net income (loss)

$

47,072

13.7

%

$

63,064

14.6

%

$

(5,758

)

(1.2

)%

43


Year Ended December 31, 2019 Compared to Year Ended December 31, 2020

Revenues

Year ended December 31,

2019

2020

Change

Amount

% of

Revenues

Amount

% of

Revenues

Amount

%

($ in thousands)

Revenues:

License

$

237,879

54.8

%

$

226,113

48.7

%

$

(11,766

)

(4.9

)%

Maintenance and professional services

196,016

45.2

238,318

51.3

42,302

21.6

 

Total revenues

$

433,895

100.0

%

$

464,431

100.0

%

$

30,536

7.0

%

Revenues increased by $30.5 million, or 7%, from $433.9 million in 2019 to $464.4 million in 2020. This increase was due primarily to continued sales of our license solutions and increased revenues from our maintenance and professional services revenues. The largest increase in revenue occurred in the United States, where revenues increased by $12.9 million, while the increase in EMEA and the rest of the world was $12.1 million and $5.5 million, respectively. We increased our number of customers from approximately 5,300 as of December 31, 2019 to approximately 6,600 as of December 31, 2020.

44


License revenues decreased by $11.8 million, or 4.9%, from $237.9 million in 2019 to $226.1 million in 2020. In 2020, approximately 75% of license revenues were generated from sales to existing customers. The decline in the license revenue was in part because of the significant shift in our license bookings mix toward more recurring and ratable business, which includes subscriptions to our on-premises offerings, and also to our SaaS solutions which are recognized over the contract period.

Maintenance and professional services revenues increased by $42.3 million, or 21.6%, from $196.0 million in 2019 to $238.3 million in 2020. Maintenance revenues increased by $37.6 million from $159.7 million in 2019 to $197.3 million in 2020, with renewals accounting for approximately $22.8 million and initial maintenance contracts for approximately $14.7 million, respectively, of this increase. Professional services revenues increased by $4.7 million from $36.3 million in 2019 to $41.0 million in 2020, primarily due to the provision of more services to customers.

Cost of Revenues and Gross Profit

Year ended December 31,

2019

2020

Change

Amount

% of

Revenues

Amount

% of

Revenues

Amount

%

($ in thousands)

Cost of revenues:

License

$

10,569

2.4

%

$

19,341

4.2

%

$

8,772

83.0

%

Maintenance and professional services

52,046

12.0

63,230

13.6

11,184

21.5

%

 

Total cost of revenues

$

62,615

14.4

%

$

82,571

17.8

%

$

19,956

31.9

%

 

Gross profit

$

371,280

85.6

%

$

381,860

82.2

%

$

10,580

2.8

%

Cost of license revenues increased from $10.6 million in 2019 to $19.3 million in 2020. The increase in cost of license revenues was driven by a $4.3 million increase in cloud infrastructure costs, an additional $2.6 million of other costs associated with an increase in SaaS sales and an increase of $3.1 million from amortization of intangible assets, offset by a $1.3 million decrease in installations of appliances and hardware parts.

Cost of maintenance and professional services revenues increased by $11.2 million, or 21.5%, from $52.0 million in 2019 to $63.2 million in 2020. The increase in cost of maintenance and professional services revenues was driven primarily by a $11.1 million increase in personnel costs and related expenses. Our technical support and professional services headcount grew from 253 at the end of 2019 to 309 at the end of 2020.

Gross profit increased by approximately $10.6 million, or 2.8%, from $371.3 million in 2019 to $381.9 million in 2020. Gross margins decreased from 85.6% in 2019 to 82.2% in 2020. This was driven by the increase in SaaS sales which have incremental costs related to cloud infrastructure and, as a result, a lower margin contribution.

45


Operating Expenses

Year ended December 31,

2019

2020

Change

Amount

% of

Revenues

Amount

% of

Revenues

Amount

%

($ in thousands)

Operating expenses:

Research and development

$

72,520

16.7

%

$

95,426

20.5

%

$

22,906

31.6

%

Sales and marketing

184,168

42.4

219,999

47.4

35,831

19.5

General and administrative

52,308

12.1

60,429

13.0

8,121

15.5

 

Total operating expenses

$

308,996

71.2

%

$

375,854

80.9

%

$

66,858

21.6

%

Research and Development. Research and development expenses increased by $22.9 million, or 31.6%, from $72.5 million in 2019 to $95.4 million in 2020. This increase was primarily attributable to an $18.6 million increase in personnel costs and related expenses, as we increased our research and development team headcount from 349 at the end of 2019 to 464 at the end of 2020 to support continued investment in our future product and service offerings. The increase was also attributable to a $3.1 million increase in software and related expenses and a $1.5 million increase related to facilities and depreciation overhead costs.

Sales and Marketing. Sales and marketing expenses increased by $35.8 million, or 19.5%, from $184.2 million in 2019 to $220.0 million in 2020. This increase was primarily attributable to a $37.0 million increase in personnel costs and related expenses due to increased headcount in all regions to expand our sales and marketing organization. The increase was also attributable to a $2.0 million increase in expenses related to our marketing programs, a $1.5 million increase in software and related expenses and a $1.8 million increase related to facilities and depreciation overhead costs, partially offset by a $6.9 million decrease in travel and related expenses due to COVID-19. Our sales and marketing headcount grew from 656 at the end of 2019 to 772 at the end of 2020.

General and Administrative. General and administrative expenses increased by $8.1 million, or 15.5%, from $52.3 million in 2019 to $60.4 million in 2020. This increase was primarily attributable to an increase of $2.9 million in personnel costs and related expenses due to increased headcount coupled with a $6.4 million increase in services fees due to external legal counsel, accounting, insurance and patent administration, offset by a $1.2 million decrease in depreciation and amortization. Our general and administrative headcount grew from 122 at the end of 2019 to 144 at the end of 2020.

Financial Income (Expense), Net. Financial income (expense), net changed by $14.2 million from $7.8 million of income in 2019 to $6.4 million of expenses in 2020. This change resulted primarily from an increase of $15.2 million in non-cash interest expense related to the amortization of debt discount and issuance costs and from a $0.5 million decrease in interest income from investments in marketable securities and short- and long-term bank deposits offset by a $1.4 million increase in financial income from foreign currency exchange differences.

Taxes on Income. Taxes on income decreased from $7.0 million in 2019 to $5.4 million in 2020. This decrease was mainly attributed to a decrease in our income before taxes on income offset by consequences of an intra-entity intellectual property transfer in 2020.

Application of Critical Accounting Policies and Estimates

Our accounting policies and their effect on our financial condition and results of operations are more fully described in our consolidated financial statements included elsewhere in this annual report. We have prepared our financial statements in conformity with U.S. GAAP, which requires management to make estimates and assumptions that in certain circumstances affect the reported amounts of assets and liabilities, revenues and expenses and disclosure of contingent assets and liabilities. These estimates are prepared using our best judgment, after considering past and current events and economic conditions. While management believes the factors evaluated provide a meaningful basis for establishing and applying sound accounting policies, management cannot guarantee that the estimates will always be consistent with actual results. In addition, certain information relied upon by us in preparing such estimates includes internally generated financial and operating information, external market information, when available, and when necessary, information obtained from consultations with third parties. Actual results could differ from these estimates and could have a material adverse effect on our reported results. See “Item 3.D. Risk Factors” for a discussion of the possible risks which may affect these estimates.

46


We believe that the accounting policies discussed below are critical to our financial results and to the understanding of our past and future performance, as these policies relate to the more significant areas involving management’s estimates and assumptions. We consider an accounting estimate to be critical if: (1) it requires us to make assumptions because information was not available at the time or it included matters that were highly uncertain at the time we were making our estimate; and (2) changes in the estimate could have a material impact on our financial condition or results of operations.

Revenue Recognition

We primarily generate revenues from licensing the rights to use our software products and providing the right to access our SaaS solutions, as well as from maintenance and professional services. License revenues include perpetual, the license portion of on-premises subscription contracts, as well as SaaS revenues recognized during the reported period. We sell our products through our direct sales force and indirectly through resellers. Payment is typically due within 30 to 90 calendar days of the invoice date.

We recognize revenues in accordance with ASC No. 606. As such, we identify a contract with a customer, identify the performance obligations in the contract, determine the transaction price, allocate the transaction price to each performance obligation in the contract and recognize revenues when (or as) we satisfy a performance obligation.

We enter into contracts that can include combinations of products and services, which are generally capable of being distinct and accounted for as separate performance obligations and may include an option to provide professional services. The license is distinct as the customer can derive the economic benefit of the software without any professional services, updates or technical support.

The transaction price is determined based on the consideration to which we will be entitled in exchange for transferring goods or services to the customer. We do not grant a right of return to our customers.

In instances of contracts where revenue recognition differs from the timing of invoicing, we determined that those contracts generally do not include a significant financing component. The primary purpose of the invoicing terms is to provide customers with simplified and predictable ways of purchasing our products and services, not to receive or provide financing. We use the practical expedient and do not assess the existence of a significant financing component when the difference between payment and revenue recognition is a year or less.

We record unbilled receivables from contracts when the revenue recognized exceeds the amount billed to the customer.

We allocate the transaction price to each performance obligation based on its relative standalone selling price. For maintenance, we determine the standalone selling prices based on the price at which we separately sell a renewal contract. For professional services, we determine the standalone selling prices based on the prices at which we separately sell those services. For software licenses, we determine the standalone selling prices by taking into account available information such as historical selling prices, contract value, geographic location, and our price list and discount policy.

Our software license revenues from perpetual or on-premises subscription licenses, are recognized at the point of time when the license is made available for download by the customer. Maintenance revenue related to our perpetual license contracts and the maintenance component of our on-premises subscription offering as well as our SaaS revenues are recognized ratably, on a straight-line basis over the term of the related contract, which is generally one to three years. Professional services revenues consist mostly of time and material services that are recognized as the services are performed.

Contract liabilities consist of deferred revenues and include unearned amounts received under maintenance and support contracts, professional services contracts that do not meet the revenue recognition criteria as of the balance sheet date. Contract liabilities also include unearned, invoiced amounts in respect of SaaS services whereby there is an unconditional right for a consideration. Deferred revenues are recognized as (or when) we perform under the contract.

47


Transaction price allocated to remaining performance obligations represents non-cancelable contracts that have not yet been recognized, which includes deferred revenues and amounts not yet received that will be recognized as revenue in future periods.

Deferred Contract Costs

We pay sales commissions primarily to sales and certain management personnel based on their attainment of certain predetermined sales goals. Sales commissions are considered incremental and recoverable costs of obtaining a contract with a customer. Sales commissions paid for initial contracts, which are not commensurate with sales commissions paid for renewal contracts, are capitalized and amortized over an expected period of benefit. Based on our technology, customer contracts and other factors, we have determined the expected period of benefit to be approximately five years. Sales commissions for initial contracts, which are commensurate with sales commissions paid for renewal contracts, are capitalized and amortized correspondingly to the recognized revenue of the related initial contracts. Sales commissions for renewal contracts are capitalized and amortized on a straight-line basis over the related contractual renewal period and aligned with the revenue recognized from these contracts. Amortization expense of these costs are substantially included in sales and marketing expenses.

Derivative Instruments

ASC No. 815, “Derivative and Hedging”, requires companies to recognize all of their derivative instruments as either assets or liabilities on the balance sheet at fair value.

For those derivative instruments that are designated and qualify as hedging instruments, a company must designate the hedging instrument, based upon the exposure being hedged, as a fair value hedge, cash flow hedge or a hedge of a net investment in a foreign operation.

As a result of adopting ASU 2017-12, “Targeted Improvements to Accounting for Hedging Activities”, beginning on January 1, 2019, gains and losses on the derivatives instruments that are designated and qualify as a cash flow hedge are recorded in accumulated other comprehensive income (loss) and reclassified into earnings in the same accounting period in which the designated forecasted transaction or hedged item affects earnings. Prior to January 1, 2019, cash flow hedge ineffectiveness was separately measured and reported immediately in earnings.

To hedge against the risk of changes in cash flows resulting from foreign currency salary payments during the year, we have instituted a foreign currency cash flow hedging program. We hedge a portion of our forecasted expenses denominated in NIS. These forward and option contracts are designated as cash flow hedges, as defined by ASC 815, and are all effective, as their critical terms match underlying transactions being hedged.

In addition to the derivatives that are designated as hedges as discussed above, we also enter into certain foreign exchange forward transactions to economically hedge certain account receivables in Euros, British Pounds Sterling and Canadian Dollars. Gains and losses related to such derivative instruments are recorded in financial income (expense), net.

Share-Based Compensation

We account for share-based compensation in accordance with ASC No. 718, “Compensation - Stock Compensation” (“ASC No. 718”). ASC No. 718 requires companies to estimate the fair value of equity-based payment awards on the date of grant using an option-pricing model. The value of the award is recognized as an expense over the requisite service periods, which is generally the vesting period of the respective award, on a straight-line basis when the only condition to vesting is continued service. If vesting is subject to a performance condition, recognition is based on the implicit service period of the award. Expense for awards with performance conditions is estimated and adjusted on a quarterly basis based upon the assessment of the probability that the performance condition will be met.

We selected the Black-Scholes-Merton option-pricing model as the most appropriate fair value method for our option awards. The fair value of restricted stock units (“RSUs”) and performance stock units (“PSUs”) without market conditions, is based on the closing market value of the underlying shares at the date of grant. For PSUs subject to market conditions, we use a Monte Carlo simulation model, which utilizes multiple inputs to estimate payout level and the probability that market conditions will be achieved.

48


The option-pricing and Monte Carlo models require a number of assumptions, of which the most significant are the expected share price volatility and the expected option term. We recognize forfeitures of equity-based awards as they occur.

Goodwill and Other Intangible Assets

Goodwill and certain other purchased intangible assets have been recorded in our financial statements as a result of acquisitions. Goodwill represents excess of the purchase price in a business combination over the fair value of identifiable tangible and intangible assets acquired. Goodwill is not amortized, but rather is subject to an impairment test.

ASC No. 350, “Intangible—Goodwill and other” requires goodwill to be tested for impairment at least annually and, in certain circumstances, between annual tests. The accounting guidance gives the option to perform a qualitative assessment to determine whether further impairment testing is necessary. The qualitative assessment considers events and circumstances that might indicate that a reporting unit’s fair value is less than its carrying amount. If it is determined, as a result of the qualitative assessment, that it is more likely than not that the fair value of a reporting unit is less than its carrying amount, a quantitative test is performed. We operate as one reporting unit. Therefore, goodwill is tested for impairment by comparing the fair value of the reporting unit with its carrying value. We elect to perform an annual impairment test of goodwill as of October 1 of each year, or more frequently if impairment indicators are present.

For the years ended December 31, 2018, 2019 and 2020, no impairment losses were identified.

Purchased intangible assets with finite lives are carried at cost, less accumulated amortization. Amortization is computed over the estimated useful lives of the respective assets which range from two to twelve years. Intangible assets, consisting primarily of technology and customer relationships, are amortized over their estimated useful lives on a straight-line basis or in proportion to their economic benefits realized.

Convertible Senior Notes

We account for our convertible senior notes in accordance with ASC 470-20 “Debt with Conversion and Other Options.” We allocated the principal amount of the convertible senior notes between its liability and equity component. The liability component at issuance is recognized at fair value, based on the fair value of a similar instrument of similar credit rating and maturity that does not have a conversion feature. The equity component is based on the excess of the principal amount of the convertible senior notes over the fair value of the liability component and is recorded in additional paid-in capital. The equity component, net of issuance costs and deferred tax effects is presented within additional paid-in-capital and is not remeasured as long as it continues to meet the conditions for equity classification. We allocated the total issuance costs incurred to the liability and equity components of the convertible senior notes based on the same proportions as the proceeds from the notes.

Relating to the convertible senior notes issued in 2019, issuance costs attributable to the liability and equity components were $12.9 million and $2.0 million, respectively. Issuance costs attributable to the liability are netted against the principal balance and are amortized to interest expense using the effective interest method over the contractual term of the notes. The effective interest rate of the liability component of the notes is 3.50%. This interest rate was based on our credit risk rating using software industry rating methodology.

Issuance costs attributable to the equity component are netted with the equity component in additional paid-in capital.

Income Taxes

We account for income taxes in accordance with ASC No. 740-10, “Income Taxes” (“ASC No. 740-10”). ASC No. 740-10 prescribes the use of the asset and liability method whereby deferred tax asset and liability account balances are determined based on temporary differences between financial reporting and tax bases of assets and liabilities and are measured using the enacted tax rates and laws that will be in effect when the differences are expected to reverse. We provide a valuation allowance, if necessary, to reduce deferred tax assets to their estimated realizable value if it is more likely than not that some portion or all of the deferred tax assets will not be realized.

49


We establish reserves for uncertain tax positions based on the evaluation of whether or not our uncertain tax position is “more likely than not” to be sustained upon examination based on our technical merits. We record interest and penalties pertaining to our uncertain tax positions in the financial statements as income tax expense.

Legal Contingencies

From time to time we may be subject to legal proceedings and claims arising in the ordinary course of our business. Such matters are subject to many uncertainties and outcomes are not predictable with assurance. We accrue for contingencies when the loss is probable and we can reasonably estimate the amount of any such loss. We are currently not a party to any material litigation and are not aware of any pending or threatened material legal or administrative proceedings against us. Regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management resources and other factors.

Israeli Tax Considerations and Government Programs

The following is a brief summary of the material Israeli tax laws applicable to us, and certain Israeli Government programs that benefit us. To the extent that the discussion is based on new tax legislation that has not yet been subject to substantive judicial or administrative interpretation, we cannot provide assurance that the appropriate tax authorities or the courts will accept the views expressed in this discussion. The discussion below is subject to change, including due to amendments under Israeli law or changes to the applicable judicial or administrative interpretations of Israeli law, which could affect the tax consequences described below.

General Corporate Tax Structure in Israel

Ordinary taxable income is subject to a corporate tax rate of 23% as of 2018. However, the effective tax rate payable by a company that derives income from an Approved Enterprise, a Benefited Enterprise, a Preferred Enterprise or a Preferred Technology Enterprise (as discussed below) may be considerably lower. Capital gains derived by an Israeli company are generally subject to tax at the prevailing ordinary corporate tax rate.

Tax Benefits for Research and Development

Israeli tax law allows, under certain conditions, a tax deduction for research and development expenditures, including capital expenditures, for the year in which they are incurred if:

the expenditures are approved by the relevant Israeli government ministry, determined by the field of research;

the research and development is for the promotion or development of the company; and

the research and development is carried out by or on behalf of the company seeking the deduction.

However, the amount of such deductible expenses shall be reduced by the sum of any funds received through government grants for the finance of such scientific research and development projects. Expenditures not so approved are deductible over a three-year period from the first year that the expenditures were made if the research or development is for the promotion or development of the company.

Law for the Encouragement of Industry (Taxes), 5729-1969

The Law for the Encouragement of Industry (Taxes), 5729-1969, generally referred to as the Industry Encouragement Law, provides several tax benefits for “Industrial Companies.”

The Industry Encouragement Law defines an “Industrial Company” as an Israeli resident company which was incorporated in Israel, of which 90% or more of its income in any tax year, other than income from certain government loans, is derived from an “Industrial Enterprise” owned by it and located in Israel or in the “Area”, in accordance with the definition in the section 3a of the Israeli Income Tax Ordinance (New Version) 1961, or the Ordinance. An “Industrial Enterprise” is defined as an enterprise whose principal activity in a given tax year is industrial production.

50


The following tax benefits, among others, are available to Industrial Companies:

deduction of the cost of purchased know-how, patents and rights to use a patent and know-how which are used for the development or promotion of the Industrial Enterprise, over an eight-year period commencing on the year in which such rights were first exercised;

under limited conditions, an election to file consolidated tax returns together with Israeli Industrial Companies controlled by it; and

expenses related to a public offering of shares in a stock exchange are deductible in equal amounts over three years commencing on the year of offering.

Eligibility for benefits under the Industry Encouragement Law is not contingent upon the approval of any governmental authority. We believe that we generally qualify as an Industrial Company within the meaning of the Industry Encouragement Law. The Israel Tax Authority may determine that we do not qualify as an Industrial Company, which could entail our loss of the benefits that relate to this status. There can be no assurance that we will continue to qualify as an Industrial Company or that the benefits described above will be available in the future.

Law for the Encouragement of Capital Investments, 5719-1959

The Law for the Encouragement of Capital Investments, 5719-1959, generally referred to as the Investment Law, provides certain incentives for capital investments in production facilities (or other eligible assets) by “Industrial Enterprises” (as defined under the Investment Law).

The Investment Law was significantly amended effective April 1, 2005, or the 2005 Amendment, further amended as of January 1, 2011, or the 2011 Amendment, and further amended as of January 1, 2017, or the 2017 Amendment. Pursuant to the 2005 Amendment, tax benefits granted in accordance with the provisions of the Investment Law prior to its revision by the 2005 Amendment remain in force but any benefits granted subsequently are subject to the provisions of the 2005 Amendment. Similarly, the 2011 Amendment introduced new benefits to replace those granted in accordance with the provisions of the Investment Law in effect prior to the 2011 Amendment. However, companies entitled to benefits under the Investment Law as in effect prior to January 1, 2011 were entitled to choose to continue to enjoy such benefits, provided that certain conditions are met, or elect instead, irrevocably, to forego such benefits and have the benefits of the 2011 Amendment apply. The 2017 Amendment introduced new benefits for Technological Enterprises which meet certain conditions, alongside the existing tax benefits.

Tax Benefits Prior to the 2005 Amendment

An investment program that is implemented in accordance with the provisions of the Investment Law prior to the 2005 Amendment, referred to as an “Approved Enterprise”, is entitled to certain benefits. A company that wished to receive benefits as an Approved Enterprise must have received approval from the Israeli Authority for Investments and Development of the Industry and Economy, or the Investment Center. Each certificate of approval for an Approved Enterprise relates to a specific investment program, delineated both by the financial scope of the investment, including sources of funds, and by the physical characteristics of the facility or other assets.

The tax benefits available under any certificate of approval relate only to taxable income attributable to the specific program and are contingent upon meeting the criteria set out in such certificate. Income derived from activity that is not integral to the activity of the Approved Enterprise will not enjoy tax benefits.

The tax benefits under the alternative benefits track include an exemption from corporate tax on undistributed income which was generated from an Approved Enterprise for between two and ten years from the first year of taxable income, depending on the geographic location of the Approved Enterprise facility within Israel, and the taxation of income generated from an Approved Enterprise at a reduced corporate tax rate of between 10% to 25% for the remainder of the benefits period, depending on the level of foreign investment in the company in each year, as detailed below.

In addition, a company that has an Approved Enterprise program is eligible for further tax benefits if it qualifies as a Foreign Investors’ Company, or a FIC, which is a company with a level of foreign investment, as defined in the Investment Law, of more than 25%.

If a company elects the alternative benefits track and subsequently distributes a dividend out of income derived by its Approved Enterprise during the tax exemption period it will be subject to corporate tax in respect of the amount of the distributed dividend (grossed-up to reflect the pre-tax income that it would have had to earn in order to distribute the dividend) at the corporate tax rate which would have been otherwise applicable if such income had not been tax-exempted under the alternative benefits track. This rate generally ranges from 10% to 25%, depending on the level of foreign investment in the company in each year, as mentioned above. In addition, dividends paid out of income attributed to an Approved Enterprise (or out of dividends received from a company whose income is attributed to an Approved Enterprise) are generally subject to withholding tax at source at the rate of 15% or such lower rate as may be provided in an applicable tax treaty (subject to the receipt in advance of a valid certificate from the Israel Tax Authority allowing for a reduced tax rate). The 15% tax rate is limited to dividends and distributions out of income derived during the benefits period and actually paid at any time up to 12 years thereafter. After this period, the withholding tax is applied at a rate of up to 30%, or at the lower rate under an applicable tax treaty (subject to the receipt in advance of a valid certificate from the Israel Tax Authority allowing for a reduced tax rate). In the case of a FIC, the 12-year limitation on reduced withholding tax on dividends does not apply.

51


The benefits available to an Approved Enterprise are subject to the continued fulfillment of conditions stipulated in the Investment Law and its regulations and the criteria in the specific certificate of approval, as described above. If a company does not meet these conditions, it would be required to refund the amount of tax benefits, adjusted to the Israeli consumer price index, and interest, or other monetary penalties.

Tax Benefits Subsequent to the 2005 Amendment

The 2005 Amendment applies to new investment programs commencing after 2004, but does not apply to investment programs approved prior to April 1, 2005. The 2005 Amendment provides that terms and benefits included in any certificate of approval that was granted before the 2005 Amendment became effective (April 1, 2005) will remain subject to the provisions of the Investment Law as in effect on the date of such approval. Pursuant to the 2005 Amendment, the Investment Center will continue to grant Approved Enterprise status to qualifying investments. The 2005 Amendment, however, limits the scope of enterprises that may be approved by the Investment Center by setting criteria for the approval of a facility as an Approved Enterprise, such as provisions generally requiring that at least 25% of the Approved Enterprise’s income be derived from exports.

Tax benefits are available under the 2005 Amendment to production facilities (or other eligible facilities) which are generally required to derive more than 25% of their business income from export to specific markets with a population of at least 14 million in 2012 (such export criteria will further be increased in the future by 1.4% per annum).

A company qualifying for tax benefits under the 2005 Amendment which pays a dividend out of income derived by its Benefited Enterprise during the tax exemption period will be subject to corporate tax in respect of the amount of the dividend distributed (grossed-up to reflect the pre-tax income that it would have had to earn in order to distribute the dividend) at the corporate tax rate which would have otherwise been applicable. Dividends paid out of income attributed to a Benefited Enterprise (or out of dividends received from a company whose income is attributed to a Benefited Enterprise) are generally subject to withholding tax at source at the rate of 15% or at a lower rate as may be provided in an applicable tax treaty (subject to the receipt in advance of a valid certificate from the Israel Tax Authority allowing for a reduced tax rate). The reduced rate of 15% is limited to dividends and distributions out of income attributed to a Beneficiary Enterprise during the benefits period and actually paid at any time up to 12 years thereafter except with respect to a FIC, in which case the 12-year limit does not apply.

The benefits available to a Benefited Enterprise are subject to the continued fulfillment of conditions stipulated in the Investment Law and its regulations. If a company does not meet these conditions, it would be required to refund the amount of tax benefits, adjusted to the Israeli consumer price index, and interest, or other monetary penalties.

Tax Benefits under the 2011 Amendment

The 2011 Amendment introduced new benefits for income generated by a “Preferred Company” through its “Preferred Enterprise” (as such terms are defined in the Investment Law) as of January 1, 2011. The definition of a Preferred Company includes a company incorporated in Israel that is not wholly owned by a governmental entity, and that has, among other things, Preferred Enterprise status and is controlled and managed from Israel. Pursuant to the 2011 Amendment, a Preferred Company is entitled to a reduced corporate tax rate of 15% with respect to its preferred income derived by its Preferred Enterprise in 2011 and 2012, unless the Preferred Enterprise is located in a development zone A, in which case the rate will be 10%. Such corporate tax rate was reduced from 15% and 10%, respectively, to 12.5% and 7%, respectively in 2013, and then increased to 16% and 9%, respectively, in 2014 until 2016. Pursuant to the 2017 Amendment, in 2017 and thereafter, the corporate tax rate for Preferred Enterprise which is located in development zone A was decreased to 7.5%, while the reduced corporate tax rate for other development zones remains 16%. Income derived by a Preferred Company from a ‘Special Preferred Enterprise’ (as such term is defined in the Investment Law) could be entitled, under certain conditions and limitations, to further reduced tax rates.

52


Dividends paid out of preferred income attributed to a Preferred Enterprise are generally subject to withholding tax at the rate of 20% or such lower rate as may be provided in an applicable tax treaty (each subject to the receipt in advance of a valid certificate from the Israel Tax Authority allowing for a reduced tax rate). However, if such dividends are paid to an Israeli company, no tax is required to be withheld (although, if such dividends are subsequently distributed to individuals or a non-Israeli company, withholding tax at a rate of 20% or such lower rate as may be provided in an applicable tax treaty will apply). In 2017-2019, dividends paid out of preferred income attributed to a Special Preferred Enterprise, directly to a foreign parent company, are subject to withholding tax at source at the rate of 5% (temporary provisions).

The 2011 Amendment also provided transitional provisions to address companies already enjoying existing tax benefits under the Investment Law. These transitional provisions provide, among other things, that unless an irrevocable request is made to apply the provisions of the Investment Law as amended in 2011 with respect to income to be derived as of January 1, 2011: (i) the terms and benefits included in any certificate of approval that was granted to an Approved Enterprise which chose to receive grants before the 2011 Amendment became effective will remain subject to the provisions of the Investment Law as in effect on the date of such approval, and subject to certain other conditions; (ii) the terms and benefits included in any certificate of approval that was granted to an Approved Enterprise which had participated in an alternative benefits track before the 2011 Amendment became effective will remain subject to the provisions of the Investment Law as in effect on the date of such approval, provided that certain conditions are met; and (iii) a Benefited Enterprise can elect to continue to benefit from the benefits provided to it before the 2011 Amendment became effective, provided that certain conditions are met.

From time to time, the Israeli Government has discussed reducing the benefits available to companies under the Investment Law. The termination or substantial reduction of any of the benefits available under the Investment Law could materially increase our tax liabilities.

We applied the new benefits under the 2011 Amendment instead of the benefits provided to our Approved Enterprise and Benefited Enterprise as of 2013 tax year onwards through 2016 tax year.

New Tax Benefits under the 2017 Amendment

The 2017 Amendment was enacted as part of the Economic Efficiency Law that was published on December 29, 2016, and is effective as of January 1, 2017. The 2017 Amendment provides new tax benefits for two types of “Technology Enterprises”, as described below, and is in addition to the other existing tax beneficial programs under the Investment Law.

The 2017 Amendment provides that a technology company satisfying certain conditions will qualify as a “Preferred Technology Enterprise” and will thereby enjoy a reduced corporate tax rate of 12% on income that qualifies as “Preferred Technology Income” which is generally generated by “Benefited Intangible Assets”, as defined in the Investment Law. The tax rate is further reduced to 7.5% for a Preferred Technology Enterprise and/or for its segment located in development Zone A. In addition, a Preferred Technology Enterprise will enjoy a reduced corporate tax rate of 12% on capital gain derived from the sale of certain “Benefitted Intangible Assets” (as defined in the Investment Law) to a related foreign company if the Benefitted Intangible Assets were acquired from a foreign company on or after January 1, 2017 for at least NIS 200 million, and the sale receives prior approval from the National Authority for Technological Innovation, or NATI.

The 2017 Amendment further provides that a technology company satisfying certain conditions will qualify as a “Special Preferred Technology Enterprise” and will thereby enjoy a reduced corporate tax rate of 6% on “Preferred Technology Income” regardless of the company’s geographic location within Israel. In addition, a Special Preferred Technology Enterprise will enjoy a reduced corporate tax rate of 6% on capital gain derived from the sale of certain “Benefitted Intangible Assets” to a related foreign company if the Benefitted Intangible Assets were either developed by an Israeli company or acquired from a foreign company on or after January 1, 2017, and the sale received prior approval from NATI. A Special Preferred Technology Enterprise that acquires Benefitted Intangible Assets from a foreign company for more than NIS 500 million will be eligible for these benefits for at least ten years, subject to certain approvals as specified in the Investment Law.

53


Dividends distributed by a Preferred Technology Enterprise or a Special Preferred Technology Enterprise, paid out of Preferred Technology Income, are generally subject to withholding tax at source at the rate of 20% or such lower rate as may be provided in an applicable tax treaty (each subject to the receipt in advance of a valid certificate from the Israel Tax Authority allowing for such reduced tax rate). However, if such dividends are paid to an Israeli company, no tax is required to be withheld. If such dividends are distributed to a foreign company that holds alone or together with other foreign companies 90% or more in the Israeli company and other conditions are met, the withholding tax rate will be 4%.

We have obtained a tax ruling confirming, among others, that we generally qualify as a Preferred Technology Enterprise since 2017 onwards.

Recently Issued Accounting Pronouncements

See Note 2(ab) and Note 2(ac) to our consolidated financial statements included elsewhere in this annual report for information regarding recent accounting standards issued.

Non-GAAP Financial Measures

Non-GAAP gross profit, non-GAAP operating income and non-GAAP net income are non-GAAP financial measures. Non-GAAP gross profit is calculated as GAAP gross profit excluding share-based compensation expense, expenses related to acquisitions and amortization of intangible assets related to acquisitions. Non-GAAP operating income is calculated as GAAP operating income excluding share-based compensation expense, expenses related to acquisitions, expenses related to facility exit and transition costs and amortization of intangible assets related to acquisitions. Non-GAAP net income is calculated as GAAP net income (loss) excluding share-based compensation expense, expenses related to acquisitions, amortization of intangible assets related to acquisitions, expenses related to facility exit and transition costs, non-cash interest expense related to amortization of debt discount and issuance costs, intra-entity intellectual property transfer tax effects and the tax effects related to these non-GAAP adjustments.

The following tables reconcile gross profit, operating income and net income (loss), the most directly comparable U.S. GAAP measures, to non-GAAP gross profit, non-GAAP operating income and non-GAAP net income for the periods presented:

Year ended December 31,

2018

2019

2020

($ in thousands)

Reconciliation of Gross Profit to Non-GAAP Gross Profit:

Gross profit

$

294,738

$

371,280

$

381,860

Share-based compensation –License, Maintenance and professional services

3,350

5,690

8,734

Acquisition related expenses

447

Amortization of intangible assets – License

5,563

5,029

8,244

Non-GAAP Gross profit

$

303,651

$

381,999

$

399,285

54


Year ended December 31,

2018

2019

2020

($ in thousands)

Reconciliation of Operating Income to Non-GAAP Operating Income:

Operating income

$

47,292

$

62,284

$

6,006

Share-based compensation

35,964

55,517

71,849

Acquisition related expenses

268

4,526

Amortization of intangible assets – Cost of revenues

5,563

5,029

8,244

Amortization of intangible assets – Sales and marketing

793

576

683

Facility exit and transition costs

580

140

Non-GAAP operating income

$

90,460

$

123,406

$

91,448

 

Year ended December 31,

2018

2019

2020

($ in thousands)

Reconciliation of Net Income (Loss) to Non-GAAP Net Income:

Net income (loss)

$

47,072

$

63,064

$

(5,758

)

Share-based compensation

35,964

55,517

71,849

Acquisition related expenses

268

4,526

Amortization of intangible assets – Cost of revenues

5,563

5,029

8,244

Amortization of intangible assets – Sales and marketing

793

576

683

Facility exit and transition costs

580

140

Amortization of debt discount and issuance costs

1,966

17,183

Taxes on income related to non-GAAP adjustments

(15,485

)

(18,251

)

(20,807

)

Intra-entity intellectual property transfer tax effect, net

1,768

5,036

Non-GAAP net income

$

76,523

$

107,901

$

81,096

55


We believe that providing non-GAAP gross profit and non-GAAP operating income that exclude, as appropriate, share-based compensation expenses, expenses related to facility exit and transition costs, expenses related to acquisitions and amortization of intangible assets related to acquisitions, allows for more meaningful comparisons between our operating results from period to period. Share-based compensation expense has been, and will continue to be, for the foreseeable future, a significant recurring expense in our business and an important part of the compensation we provide to employees. We also believe that non-GAAP net income which additionally excludes intra-entity intellectual property transfer tax effects, the tax effects related to non-GAAP adjustments and non-cash interest expense related to amortization of debt discount and issuance costs allows for more meaningful comparison between our net income (loss) from period to period. We also believe that expenses related to our acquisitions, expenses related to facility exit and transition costs, amortization of intangible assets related to acquisitions, intra-entity intellectual property transfer tax effects, tax effects related to the non-GAAP adjustments set forth above and non-cash interest expense related to amortization of debt discount and issuance costs do not reflect the performance of our core business and would impact period-to-period comparability. Each of our non-GAAP financial measures is an important tool for financial and operational decision making and for evaluating our own financial results over different periods of time. In particular, these financial measures reflect our operating expenses, the largest of which is currently sales and marketing. Accordingly, we assess the effectiveness of our sales and marketing efforts in part by considering whether increases in such expenditures are reflected in increased revenues and increased non-GAAP operating income and non-GAAP net income.

Non-GAAP financial measures may not provide information that is directly comparable to that provided by other companies in our industry, as other companies in the industry may calculate non-GAAP financial results differently, particularly related to non-recurring, unusual items. In addition, there are limitations in using non-GAAP financial measures as they exclude expenses that may have a material impact on our reported financial results. The presentation of non-GAAP financial information is not meant to be considered in isolation or as a substitute for the directly comparable financial measures prepared in accordance with U.S. GAAP. We urge investors to review the reconciliation of our non-GAAP financial measures to the comparable U.S. GAAP financial measures included above, and not to rely on any single financial measure to evaluate our business.

B.Liquidity and Capital Resources

We fund our operations with cash generated from operating activities. We have also raised capital through issuing convertible senior notes, the sale of equity securities in public offerings and to a lesser extent, through exercised options. Our primary current uses of our cash are ongoing operating expenses and capital expenditures.

As of December 31, 2020, we had $1.2 billion of cash, cash equivalents, short-term bank deposits and marketable securities. This compared with cash, cash equivalents, short-term bank deposits and marketable securities of $1.1 billion as of December 31, 2019. We believe that our existing cash, cash equivalents, marketable securities and short-term bank deposits will be sufficient to fund our operations and capital expenditures for at least the next 12 months. Our future capital requirements will depend on many factors, including our rate of revenue growth, the expansion of our sales and marketing activities, the timing and extent of spending to support product development efforts and expansion into new geographic locations, the timing of introductions of new software products and enhancements to existing software products and the continuing market acceptance of our software offerings.

The following table presents the major components of net cash flows for the periods presented:

Year Ended December 31,

2019

2020

($ in thousands)

Net cash provided by operating activities

$

141,710

$

106,769

Net cash used in investing activities

(143,222

)

(412,387

)

Net cash provided by financing activities

532,042

13,249

56


A substantial source of our net cash provided by operating activities is our deferred revenues, which are included on our consolidated balance sheet as a liability. The majority of our deferred revenues consists of the unrecognized portion of upfront payments associated with maintenance and professional services and SaaS offerings that have been invoiced but not yet recognized. We assess our liquidity, in part, through an analysis of our short-term and long-term deferred revenues that have not yet been recognized as revenues together with our other sources of liquidity. Revenues from SaaS contracts and maintenance and support contracts are recognized ratably on a straight line basis over the term of the related contract which is typically one year and, to a lesser extent, three years, and from professional services as services are performed. Thus, upfront payments add to the liquidity of our operations since we frequently recognize on-premises subscription, SaaS, maintenance and support and professional services revenues and expenses in subsequent periods to when the payments may be received.

Net Cash Provided by Operating Activities

Our cash flows historically have reflected our net income (loss) coupled with changes in our non-cash working capital. During the year ended December 31, 2020, operating activities provided $106.8 million in cash as a result of $5.8 million of net loss, adjusted by $71.8 million of non-cash charges related to share-based compensation expense, $15.5 million related to depreciation and amortization expenses, $17.2 million in non-cash interest expense related to the amortization of debt discount and issuance costs and a net change of $24.0 million in non-cash working capital offset by a $2.0 million increase in deferred tax assets and a $13.9 million net change from other long-term assets and liabilities.

The change of $24.0 million in non-cash working capital was due to a $37.2 million increase in short-term deferred revenues, an increase of $7.8 million in employees and payroll accruals and an increase of $0.6 million in trade payables, offset by an increase of $17.2 million in trade receivables and a decrease of $4.4 million in other current liabilities.

During the year ended December 31, 2019, operating activities provided $141.7 million in cash as a result of $63.1 million of net income, adjusted by $55.5 million of non-cash charges related to share-based compensation expenses, $10.6 million related to depreciation and amortization expenses, a $5.0 million net change from other long-term assets and liabilities and a net change of $14.5 million in non-cash working capital, offset by a $7.0 million increase in deferred tax assets.

The change of $14.5 million in non-cash working capital was due to a $26.1 million increase in short term deferred revenue, an increase of $7.3 million in employees and payroll accruals, an increase of $1.6 million in trade payables and an increase of $5.1 million in other current liabilities, offset by an increase of $1.1 million in other current assets and an increase of $24.5 million in trade receivables.

During the years ended December 31, 2019 and 2020, our days’ sales outstanding, or DSO, was 66 days and 85 days, respectively. The increase of the DSO is mainly due to long-term unbilled receivables from contracts in which the revenue recognized exceeded the amount billed.

Net Cash Used in Investing Activities

Investing activities have consisted of investment in, and proceeds from, short-term and long-term deposits, investment in, and proceeds from marketable securities, acquisitions and purchase of property and equipment.

Net cash used in investing activities was $143.2 million and $412.4 million for the years ended December 31, 2019 and 2020, respectively.

The increase of $269.2 million in net cash used in investing activities in 2020 was due to a net increase of $200.5 million in investments in short and long term deposits and marketable securities, an increase of $68.6 million in payments for business acquisitions, net of cash acquired and by an increase of $0.1 million in capital expenditures.

The increase of $94.5 million in net cash used in investing activities in 2019 was due to a net increase of $114.5 million in investments in short- and long-term deposits and marketable securities, offset by a decrease of $18.4 million in payments for business acquisitions, net of cash acquired, and a decrease of $1.6 million in capital expenditures.

57


Net Cash Provided by Financing Activities

Our financing activities have consisted of proceeds from the exercise of share options, proceeds from the issuance of convertible senior notes net of issuance costs, purchase of capped calls and proceeds from withholding tax related to employee stock plans.

Net cash provided by financing activities was $532.0 million and $13.2 million for the years ended December 31, 2019 and 2020, respectively.

C.Research and Development, Patents and Licenses, etc.

We conduct our research and development activities primarily in Israel as well as the United States, India and Ukraine. As of December 31, 2020, our research and development department included 464 employees and contractors. In 2020, research and development costs accounted for 20.5% of our total revenues.

For a description of our research and development policies, see “Item 4.B. Business Overview—Research and Development.”

For information regarding our patents, see “Item 4.B. Business Overview—Intellectual Property.”

D.Trend Information

Other than as disclosed elsewhere in this annual report, we are not aware of any trends, uncertainties, demands, commitments or events since December 31, 2020 that are reasonably likely to have a material adverse effect on our net revenue, income, profitability, liquidity or capital resources, or that caused the disclosed financial information to be not necessarily indicative of future operating results or financial condition.

E.Off-Balance Sheet Arrangements

We do not currently engage in off-balance sheet financing arrangements. In addition, we do not have any interest in entities referred to as variable interest entities, which includes special purposes entities and other structured finance entities.

F.Contractual Obligations

The following summarizes our contractual obligations as of December 31, 2020: