Company Quick10K Filing
Varonis Systems
Price 62.03 | EPS -2
Shares 30 | P/E -29
MCap 1,891 | P/FCF -177
Net Debt -53 | EBIT -60
TEV 1,838 | TEV/EBIT -30
TTM 2019-09-30, in MM, except price, ratios
10-K 2020-12-31 Filed 2021-02-09

VRNS 10K Annual Report

Part I
Item 1. Business
Item 1A. Risk Factors
Item 1B. Unresolved Staff Comments
Item 2. Properties
Item 3. Legal Proceedings
Item 4. Mine Safety Disclosures
Part II
Item 5. Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities
Item 6. Selected Financial Data
Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations
Item 7A. Quantitative and Qualitative Disclosures About Market Risk
Item 8. Financial Statements and Supplementary Data
Note 1: General
Note 2: Significant Accounting Policies
Note 3: Prepaid Expenses and Other Current Assets
Note 4: Property and Equipment, Net
Note 5: Accrued Expenses and Other Short-Term Liabilities
Note 6: Leases
Note 7: Convertible Senior Notes and Capped Call Transactions
Note 11: Stockholders' Equity
Note 12: Income Taxes
Note 13: Financial Income (Expenses), Net
Note 14: Geographic Information and Major Customer and Product Data
Item 9. Changes in and Disagreements with Accountants on Accounting and Financial Disclosure
Item 9A. Controls and Procedures
Item 9B. Other Information
Part III
Item 10. Directors, Executive Officers and Corporate Governance
Item 11. Executive Compensation
Item 12. Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters
Item 13. Certain Relationships and Related Transactions, and Director Independence
Item 14. Principal Accounting Fees and Services
Part IV
Item 15. Exhibits and Financial Statement Schedules
Item 16. Form 10-K Summary

Varonis Systems Earnings 2020-12-31

[Charts, 2014 to 2020: Balance Sheet (Assets, Equity); Income Statement (Rev, G Profit, Net Income); Cash Flow (Ops, Inv, Fin)]


UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
_____________________
FORM 10-K
_____________________
(Mark One)
ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(D) OF THE SECURITIES EXCHANGE ACT OF 1934
 
for the Fiscal Year Ended December 31, 2020
or
TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(D) OF THE SECURITIES EXCHANGE ACT OF 1934
 
for the transition period from                      to                     
 
Commission file number: 001-36324
________________________
VARONIS SYSTEMS, INC.
(Exact name of registrant as specified in its charter)
_____________________________
Delaware (State or other jurisdiction of incorporation or organization)
57-1222280 (I.R.S. Employer Identification No.)
 
1250 Broadway, 29th Floor
New York, NY 10001
(Address of principal executive offices including zip code)
 
Registrant’s telephone number, including area code: (877) 292-8767
 
Securities registered pursuant to Section 12(b) of the Act:
 
Title of class: Common Stock, par value $0.001 per share
Trading Symbol(s): VRNS
Name of exchange on which registered: The NASDAQ Stock Market LLC
 
Securities registered pursuant to Section 12(g) of the Act: None
_____________________________
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act.    Yes      No  
 
Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or Section 15(d) of the Act.    Yes      No  




Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.    Yes      No  
 
Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files).    Yes      No  
 
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” “smaller reporting company” and “emerging growth company” in Rule 12b-2 of the Exchange Act.
 
Large Accelerated Filer
Accelerated Filer
Non-accelerated Filer
Smaller reporting company
Emerging growth company
 
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act.

Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report.

Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Act).   Yes     No   ☒
 
The aggregate market value of voting stock held by non-affiliates of the registrant as of June 30, 2020 was approximately $2.73 billion based on the closing sale price of $88.48 as reported by the NASDAQ Global Select Market. Shares of common stock held by each executive officer and director and by each person who owns or may be deemed to own 10% or more of the outstanding common stock have been excluded since such persons may be deemed to be affiliates. This determination of affiliate status is not necessarily a conclusive determination for other purposes.
 
As of February 5, 2021, the registrant had 31,832,751 shares of common stock, par value $0.001 per share, outstanding.
 
DOCUMENTS INCORPORATED BY REFERENCE
 
Portions of the Registrant’s Proxy Statement to be used in connection with the solicitation of proxies for the Registrant’s 2021 Annual Meeting of Stockholders are incorporated by reference in Part III of this Annual Report on Form 10-K.



Special Note Regarding Forward-Looking Statements
 
This report contains forward-looking statements that involve risks and uncertainties. Our actual results could differ materially from those discussed in the forward-looking statements. The statements contained in this report that are not purely historical are forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended (the “Securities Act”), and Section 21E of the Securities Exchange Act of 1934, as amended (the “Exchange Act”). Forward-looking statements are often identified by the use of words such as, but not limited to, “anticipate,” “believe,” “can,” “continue,” “could,” “estimate,” “expect,” “intend,” “may,” “plan,” “project,” “seek,” “should,” “strategy,” “target,” “will,” “would” and similar expressions or variations intended to identify forward-looking statements. These statements are based on the beliefs and assumptions of our management based on information currently available to management. For example, statements in this Form 10-K regarding the potential future impact of the COVID-19 pandemic on the Company’s business and results of operations are forward-looking statements. Such forward-looking statements are subject to risks, uncertainties and other important factors that could cause actual results and the timing of certain events to differ materially from future results expressed or implied by such forward-looking statements. Factors that could cause or contribute to such differences include, but are not limited to, those identified below and those discussed in the section titled “Risk Factors” included under Part I, Item 1A below. Furthermore, such forward-looking statements speak only as of the date of this report. Except as required by law, we undertake no obligation to update any forward-looking statements to reflect events or circumstances after the date of such statements. 

Summary Risk Factors

Our business faces significant risks. In addition to the summary below, you should carefully review the “Risk Factors” section of this Annual Report on Form 10-K. We may be subject to additional risks and uncertainties not presently known to us or that we currently deem immaterial. Our business, financial condition and results of operations could be materially adversely affected by any of these risks, and the trading prices of our common stock could decline by virtue of these risks. These risks should be read in conjunction with the other information in this report. Some of the more significant risks relating to our business include:

Risks related to the industry in which we operate, which may adversely affect our business and results of operations and growth and the sale of our products, including (i) potentially limited ability of the market for enterprise software to grow; (ii) prolonged economic uncertainties or downturns; (iii) increased competition in our market; and (iv) a failure to comply with the legal requirements, contractual obligations and industry standards regarding security, data protection and privacy to which we are subject.

Risks Related to our Operations, which may adversely affect our business and results of operations and growth and the sale of our products, including (i) the effects of the recent global COVID-19 outbreak on our business and our customers; (ii) security breaches, cyberattacks or other cyber-risks of our IT systems; (iii) fluctuation in our quarterly results of operations due to variability in our revenues; (iv) a failure of our subscription-based business model to yield the benefits that we expect; (v) a decline and fluctuation in our customer renewal rates, which may result in a decline in our revenues and earnings; (vi) a failure to manage our business growth effectively; (vii) difficulties in evaluating and predicting our future prospects and our ability to forecast our future operating results; (viii) our inability to attract new customers and expand sales to existing customers, both domestically and internationally; (ix) an inability to be profitable in the future; (x) an inability to maintain successful relationships with our channel partners; (xi) collection and credit risks; (xii) substantial fluctuations in currency exchange rates; (xiii) a failure to maintain or enhance our brand recognition or reputation; (xiv) a failure to maintain and increase our sales to customers in the public sector; (xv) a failure to meet the export and import controls to which we are subject, which, in addition, could subject us to liability or impair our ability to compete in international markets; (xvi) an increase in risks associated with our international activities where we have business in countries with a history of corruption and where we have transactions with foreign governments; and (xvii) risks associated with acquisitions of other entities or businesses.

Risks Related to Human Capital, which could adversely affect our results of operations and growth prospects, including (i) a failure to maintain sales and marketing personnel productivity and a failure to hire and integrate additional sales and marketing personnel; (ii) a failure to retain, attract and recruit highly qualified personnel; and (iii) cessation of the services of our co-founder, Chief Executive Officer and President.

Risks Related to our Technology, Products, Services and Intellectual Property, which could adversely affect sales of our products or future results of operations or business, including (i) a failure to continually enhance and improve our technology; (ii) our customers’ decision not to renew their subscription licenses or maintenance and support agreements or not to buy future products due to dissatisfaction with our technical support, customer success or professional services; (iii) a failure of the products in our platform to satisfy customers or to achieve increased market acceptance; (iv) interruptions or performance problems, including to our website or support website; (v) a security breach of our software; (vi) our use of open source software, which in addition could negatively affect our ability to sell our software and subject us to possible litigation; and (vii) a false detection of security breaches, false identification of malicious sources or misidentification of sensitive or regulated information.

Risks related to our tax regime, including (i) a significant change in our effective tax rate, due to fluctuations in our stock price and its impact on the tax effects of the accounting for stock-based compensation; (ii) our ability to fully utilize our net operating loss carryforwards; (iii) our provision for income taxes or adverse outcomes resulting from examination of our income tax returns; and (iv) the adoption of the U.S. tax reform and the enactment of additional legislative changes.

Risks related to our 2025 Notes and Credit Facility, including (i) decrease in our business flexibility and access to capital and increase of our borrowing costs, due to the substantial debt we have incurred so far and may further incur in the future; (ii) ability to raise additional capital and burden on our future cash resources, particularly if we elect to settle our debt obligations in cash upon conversion or upon maturity or required repurchase; (iii) restrictive and financial covenants in our Credit Facility that may limit our operating flexibility; (iv) inability to comply with restrictive and financial covenants in our Credit Facility that may result in an acceleration of payment of funds that have been borrowed; (v) dilution of our existing stockholders and a potential adverse effect on the market price of our common stock due to the issuance of shares in connection with conversions of the 2025 Notes; (vi) delay or prevention of a takeover attempt of the Company due to certain provisions under the 2025 Notes; (vii) the accounting method applicable to our 2025 Notes, which could have a material effect on our reported financial results; (viii) an adverse effect on the value of the 2025 Notes and our common stock due to the capped call transactions; and (ix) default of all or some of the financial institutions which are counterparties to the capped call transactions, as a result of which the protection under the capped call transactions shall not be available to us.

Risks related to our operations in Israel, including (i) certain conditions related to Israel since its establishment, which may limit our ability to develop and sell our products and (ii) unavailability of certain tax benefits which were available to our Israeli subsidiary, or failure to meet certain conditions required to enjoy tax benefits.

Risks related to our ownership of our common stock, including (i) substantial future sales of shares of our common stock, which could cause the market price of our common stock to decline; (ii) as we do not intend to pay dividends on our common stock, the return on investment might be limited to the value of our stock; and (iii) acquisition of our Company, which may be beneficial to our stockholders, might be more difficult due to anti-takeover provisions in our charter documents and under Delaware law and provisions in the indenture for our 2025 Notes and Credit Facility, which may also prevent attempts by our stockholders to replace or remove our current management.

General Risk Factors, which could substantially harm our business, including: (i) a failure to protect our proprietary technology and intellectual property rights; (ii) real or perceived errors, failures or bugs in our software; (iii) risks related to international operations; (iv) the lack of available capital on acceptable terms to support our business growth; (v) risks of fire, power outages, floods, earthquakes, pandemics and other catastrophic events, and interruption by manmade problems such as terrorism; (vi) changes in financial accounting standards, which may cause adverse and unexpected revenue fluctuations and impact our reported results of operations; (vii) volatility in the price of our common stock; (viii) the lack of published research or reports about our business or the publication of negative reports about our business, which may adversely impact our stock price and trading volume; (ix) being a public company which subjects us to reporting requirements may strain our resources, divert management’s attention and affect our ability to attract and retain executive management and qualified board members; (x) internal control over financial reporting might not be determined to be effective, which may adversely affect investor confidence in our company and, as a result, the value of our common stock; and (xi) dilution of the percentage ownership of our stockholders that could cause our stock price to decline, due to future sales and issuances of our capital stock or rights to purchase capital stock.


VARONIS SYSTEMS, INC.
ANNUAL REPORT ON FORM 10-K
For The Fiscal Year Ended December 31, 2020
 

PART I
 

Item 1. Business
 
We were incorporated under the laws of the State of Delaware on November 3, 2004 and commenced operations on January 1, 2005. Our principal executive offices are located at 1250 Broadway, 29th Floor, New York, NY 10001. For convenience in this report, the terms “Company,” “Varonis,” “we” and “us” may be used to refer to Varonis Systems, Inc. and/or its subsidiaries, except where indicated otherwise. Our telephone number is (877) 292-8767.
 
Overview
 
Varonis is a pioneer in data security and analytics, fighting a different battle than conventional cybersecurity companies. We are pioneers because over a decade ago, we recognized that enterprise capacity to create and share data far exceeded its capacity to protect it. We believed the vast movement of information from analog to digital mediums combined with increasing information dependence would change both the global economy and the risk profiles of corporations and governments. Since then our focus has been on using innovation to address the cyber-implications of this movement, creating software that provides new ways to track, alert and protect data wherever it is stored.

Data continues to amass in new and existing data stores both on premises and in the cloud, a trend we have seen accelerate as companies around the world embark on a wave of digital transformation initiatives. As these data stores grow, the relationships between the data they hold and the users that collaborate with it grow more complex, making those relationships difficult to visualize, understand and control without automation. Because enterprises now use many different combinations of data stores and require different levels of protection, our offering provides coverage flexibility through software licensing. We aim to keep pace with the relentless growth and complexity of data, starting in 2005 with a single license, offering ten licenses at the time of our initial public offering in 2014, and today offering more than 25 integrated licenses across the most common on premises and cloud data stores. We plan to continue investing in product development to deliver new products in the future.

Our software specializes in data protection, threat detection and response and compliance. Varonis software enables enterprises to protect data stored on premises and in the cloud: sensitive files and emails; confidential personal data belonging to customers, patients and employees; financial records; strategic and product plans; and other intellectual property. Recognizing the complexities of securing data, we have built an integrated platform for security and analytics to simplify and streamline security and data management.
 
The Varonis Data Security Platform, built on patented technology, helps enterprises protect data against cyberattacks from both internal and external threats. Our products enable enterprises to analyze data, account activity and user behavior to detect attacks. Our Data Security Platform prevents or limits unauthorized use of sensitive information, prevents potential cyberattacks and limits others by automatically locking down data, allowing access to those who need it and automating the removal of stale data when it is no longer useful. Our products efficiently sustain a secure state with automation and address additional important use cases including data protection, data governance, zero trust, compliance, data privacy, classification and threat detection and response. Our Data Security Platform is driven by a proprietary technology, our Metadata Framework, that extracts critical metadata, or data about data, from an enterprise’s information technology ("IT") infrastructure. Our Data Security Platform uses this contextual information to map functional relationships among employees, data objects, systems, content and usage.
 
The revolution in internet search occurred when search engines began to mine internet metadata, such as the links between pages, in addition to page content, thereby making the internet’s content more usable and consequently more valuable. Similarly, our Data Security Platform creates advanced searchable data structures out of available content and metadata, providing real-time intelligence about an enterprise’s massive volumes of data, making it more secure, accessible and manageable.
 
We believe that the technology underlying our Data Security Platform is our primary competitive advantage. The strength of our solution is driven by several proprietary technologies and methodologies that we have developed, coupled with how we have combined them into our highly versatile platform. Our belief in our technological advantage stems from us having developed a way to do each of the following:
 
analyze the relationships between users and data with sophisticated algorithms, including cluster analyses and machine learning;
visualize and depict the analyses in an intuitive manner, including simulating contemplated changes and automatically executing tasks that are becoming increasingly more complex for IT and business personnel;
identify and automatically classify data as sensitive, critical, private or regulated;
automate remediation to directory service objects and access controls on large file systems to safely ensure a least privilege model;
profile users, devices and data to detect suspicious account behavior and unusual file and email activity using deep analysis of metadata, machine learning and user behavior analytics;
generate meaningful, actionable alerts when security-related incidents are detected;
enable security teams to investigate and respond to cyber threats more quickly and conclusively;
automatically respond to severe incidents like ransomware to limit potential impact and reduce recovery times;
determine relevant metadata and security information to capture without impacting the enterprise's computing and network infrastructure;
modify and enrich that metadata in a way that makes it comparable and analyzable despite it having originated from disparate IT systems, and create supplemental metadata, as needed, when the existing IT infrastructure’s activity logs are insufficient;
decipher the key functional relationships of metadata, the underlying data, and its creators; and
use those functional relationships to create a graphical depiction, or map, of the data that will endure as enterprises continuously add large volumes of data to their network and storage resources.
The broad applicability of our technology has resulted in our customers deploying our platform for numerous use cases. These use cases include: automatic discovery and classification of high-risk, sensitive data; automated remediation of over-exposed data; centralized visibility and risk analysis of enterprise data and monitoring of user behavior and file activity; security monitoring and risk reduction; data breach, insider threat, malware and ransomware detection; automatic response to ransomware and other severe incidents to limit exposure and reduce recovery times; data ownership identification, assignment, and automatic involvement; forensics, reporting and auditing with searchable logs; meeting security policy and compliance regulation; automatic data migration; intelligent archiving; and automated indexing for data subject requests related to privacy and compliance requirements.

We sell substantially all of our products and services to channel partners, including distributors and resellers, which sell to end-user customers, which we refer to in this report as our customers. We believe that our sales model, which combines the leverage of a channel sales model with our highly trained and professional sales force, has and will continue to play a major role in our ability to grow and to successfully deliver our unique value proposition for enterprise data. While our products serve customers of all sizes, in all industries and all geographies, the marketing focus and majority of our sales focus is on targeting organizations with 1,000 users or more who can make larger initial purchases with us and, over time, have a greater potential lifetime value. Our customers span leading firms in the financial services, public, healthcare, industrial, insurance, energy and utilities, technology, consumer and retail, media and entertainment and education sectors. We believe our existing customers represent significant future revenue opportunities for us.

Prior to 2019, an insignificant amount of our revenues had been generated pursuant to on-premises, subscription-based license arrangements ("subscription licenses"). In these arrangements, the customer has the right to use the software over a designated period of time. In the first quarter of 2019, we announced our transition to a subscription-based business model, and, as we have completed our transition, our subscription revenues now account for almost all of our total license revenues.

COVID-19

In March 2020, the World Health Organization (“WHO”) declared the novel coronavirus COVID-19 (including any variants and mutations, "COVID-19") a global pandemic. The pandemic, which has continued to spread, has adversely affected workforces, economies, and financial markets globally, leading to an economic downturn, as well as continued economic uncertainty, and is expected to disrupt general business operations until the virus is contained. We believe that the impact of COVID-19 on the way organizations operate and its long-lasting effects has increased our long-term opportunity to help our customers protect their data and detect threats, as well as achieve regulatory compliance. Nevertheless, in the early stages of the pandemic, we experienced a negative impact on our results of operations in the last two weeks of the first quarter, as we believe our customers’ focus turned primarily to the safety of their employees and to immediately position themselves to operate under a work-from-home environment. However, since that time, we have seen companies become more focused on the elevated risks associated with having a highly distributed workforce collaborating on multiple platforms. Companies around the world now have employees working remotely from potentially vulnerable home networks, accessing critical on-premises data stores and infrastructure through VPNs and sharing information in cloud data stores like Office 365 and Microsoft Teams. We believe this trend is likely to continue in the long-term and that we are well positioned to capitalize on the opportunity ahead. Specifically, crises create optimal conditions for cybercrime, and we can help protect data and infrastructure against hackers and rogue employees.
As companies and organizations understand that a data-centric approach to security is critical and that these elevated risks are expected to be here for the long-term, we have seen continued customer engagement and inbound interest, with some of this interest converting into new business or the expansion of existing business.

The extent to which the COVID-19 pandemic impacts our business going forward will depend on numerous evolving factors that we cannot reliably predict, including the duration and scope of the pandemic; efficiency of available vaccines and the availability of such vaccines to the worldwide population; governmental, business, and individuals' actions in response to the pandemic; and the impact on economic activity including the possibility of recession or financial market instability. The uncertainty associated with the COVID-19 pandemic could affect management’s accounting estimates and assumptions, which in turn could result in greater variability with forward-looking guidance. For a discussion of certain risks associated with the COVID-19 pandemic, please refer to Risk Factors (Part I, Item 1A of this Form 10-K).

Acquisitions

In the fourth quarter of 2020, we completed the acquisition of Polyrize Security Ltd. (“Polyrize”), a private company which developed software that maps and analyzes the relationships between users and data across a number of cloud applications and services, including Google Drive, Salesforce, Okta, GitHub, Slack, Amazon Web Services ("AWS"), Jira and others, making it simple for security teams to control access to cloud data and infrastructure and analyze cloud activity.

Size of Our Market Opportunity

The International Data Corporation’s Data Age 2025: The Digitization of the World from Edge to Core study (the "Study") estimates that the amount of data created in the world will grow from 45 Zettabytes in 2019 to 175 Zettabytes (or 175 trillion gigabytes) in 2025. The Study was updated in 2020 showing that data created in 2019 grew more than 35% year over year. We expect this trend is likely to continue as more enterprises require technologies to protect and manage their data and centralize data management, analytics, data security and privacy.


We believe that the diverse functionalities offered by our platform position us at the intersection of several powerful trends in the digital universe. We further believe that the business intelligence and functionalities delivered by our platform define a new market. Although we are not aware of any third party studies that accurately define our addressable market, the functionality of our software platform overlaps with portions of several established and growing enterprise software markets as defined by Gartner, Inc. in 2020, including security software ($43.2 billion), IT operations management ($30.9 billion), infrastructure software ($19.8 billion), storage management ($14.1 billion), data integration ($5.5 billion) and cloud access and cloud workload protection software ($2.4 billion). Further, the security software market, which we believe is our largest opportunity, has grown at a compound annual growth rate of 35% since 2018. We believe that our comprehensive product offering will attract a meaningful portion of this overall spend, and we estimate that our total addressable market is approximately 20% of these markets, with the remainder coming from content services and other application software. We have attempted to measure our total addressable market by utilizing estimates from Forrester on the number of companies in North America and Europe that fit our target criteria, and then assuming that each customer purchases the double digit number of licenses that we aim to sell to all of our customers. In both the “top-down” approach utilizing Gartner industry spend estimates, and the “bottoms-up” approach utilizing Forrester customer estimates, we calculate a total addressable market of more than $25.0 billion. 
Lastly, we believe that the acquisition of Polyrize in the fourth quarter of 2020, which we expect will allow us to expand our platform to support cloud applications and data stores that we do not currently cover, has the potential to meaningfully expand the addressable market described above through the introduction of new licenses in the future.
 
Our Technology
 
Our proprietary technology extracts critical information about an enterprise’s data and its supporting infrastructure, and uses this contextual information, or metadata, to create a functional map of an enterprise’s data and underlying file systems. Our Metadata Framework technology has been architected to process large volumes of enterprise data and the related metadata at a massive scale with minimal demands on the existing IT infrastructure.
 
Key Benefits of Our Technology
 
Data Protection

Comprehensive Solution for Managing and Protecting Enterprise Data. Our products enable a broad range of functionality, including data governance, least privilege and zero trust, as well as intelligent retention. Moreover, our solution is applicable across most major enterprise data stores (Windows, UNIX/Linux, Intranets, email systems, Microsoft 365, including SharePoint Online and OneDrive for Business, Salesforce, AWS, Google Drive and Box).
 
Actionable Insight and Automation. Our products help customers identify and prioritize risks to their data and automatically remediate exposures so that they are less vulnerable to internal and external threats, more compliant and consistently follow a least privilege model. Because of the complexity present in even modest enterprises, effective remediation is impossible at scale without intelligent automation.

Visibility and Data Monitoring Capabilities All in One Place. Our solution combines analysis from disparate on-premises and cloud stores and infrastructure and presents them in a single view, even as data storage and user access become more dispersed and complex in hybrid environments.
 
Fast Time to Value and Low Total Cost of Ownership. Our solutions do not require custom implementations or long deployment cycles. Our Data Security Platform can be installed and ready for use within hours and allows customers to realize real value once used. We designed our platform to operate on commodity hardware on premises or in the cloud, with standard operating systems, further reducing the cost of ownership of our product.
 
Ease of Use. While we utilize complex data structures and algorithms in our data engine, we abstract that complexity to provide a sleek, intuitive interface. Our software is accessible through either a local client or a standard web browser and requires limited training, saving time and cost and making it accessible to a broader set of non-technical users.

Highly Scalable and Flexible Data Engine. Our metadata analysis technology is built to be highly scalable and flexible, allowing our customers to analyze vast amounts of enterprise data. Moreover, our proprietary Metadata Framework is built with a modular architecture, allowing customers to grow into the full capabilities of our solutions over time.

Threat Detection and Response

Threat Detection and Response with User, Data and System Context. Our solutions combine classification and data access governance with User and Entity Behavior Analytics (UEBA) on data stores, cloud applications, directory services and perimeter devices, including DNS, VPN and web proxy, for accurate detection and risk reduction. Our solutions reduce risk relating to unauthorized use and cyberattacks and reduce time to detection (TTD) and time to resolution (TTR) for incidents.

Protect Data from Insider Threats, Data Breaches, Malware and Cyberattacks. Our solutions analyze how employee accounts, service accounts and admin accounts use and access data, profile employees’ roles and file contents, baseline “normal” behavior patterns, and alert on significant deviations from profiled behaviors. Our customers are able to detect advanced persistent threats, cybercriminals, rogue insiders, attackers that have compromised internal systems and employee accounts, malware, ransomware and other significant threats.

Compliance

Discover and Identify Regulated Data. Our solutions automatically discover, identify and classify sensitive, critical and regulated data to help meet compliance requirements.

Monitor and Detect Security Vulnerabilities. Our solutions analyze, monitor, detect and report on potential security vulnerabilities, helping companies achieve compliance by creating full audit trails, achieving a least privilege model and locking down sensitive data to only those who need it, and facilitating breach notification and security investigations. By ensuring least privilege, monitoring all access and alerting on potential misuse, Varonis enables privacy-by-design on data stores containing sensitive and regulated information.

Fulfill Data Subject Access Requests and Protect Consumer Data. Our solutions help fulfill data subject access requests from file systems on premises and in the cloud. Customers can easily find relevant files, pinpoint who has access and enforce policies to move and quarantine regulated data.

Our Growth Strategy
 
Our objective is to be the primary vendor to which enterprises turn to protect their data. In the first quarter of 2019, we announced our strategic shift to a subscription-based business model, which allows our customers to better unleash the power of our platform through faster adoption of our integrated products. That transition has since been completed and, for the year ended December 31, 2020, 99% of our license revenues are subscriptions and 97% of our total revenues are recurring in nature. As of December 31, 2020, 63% of our customers with 500 employees or more had purchased four or more licenses, compared to 54% a year ago, and 30% purchased six or more licenses, compared to 20% a year ago. The following are key elements of our growth strategy.

Extend Our Technological Capabilities Through Innovation and Strategic Transactions. We intend to increase, in absolute dollars, our current level of investment in product development in order to enhance existing products to address new use cases and deliver new products. We believe that the flexibility, sophistication and broad applicability of our Metadata Framework will allow us to use this framework as the core of numerous future products built on our same core technology. Our ability to leverage our research and development resources has enabled us to create a new product development engine that we believe can proactively identify and solve enterprise needs and help us further penetrate and grow our addressable markets. Additionally, in October 2020, in order to expand the Varonis Data Security Platform to cover additional cloud applications and infrastructure, we acquired a provider of software that maps and analyzes relationships between users and data across a number of cloud applications and services. We plan to incorporate these capabilities into our platform in order to accelerate product development and allow us to more quickly introduce new licenses, which we believe will in turn expand our addressable market. We will continue to seek additional opportunities to extend our technological capabilities and grow our business, from continued organic investments in our research and development efforts to technological tuck-in acquisitions.
 
Grow Our Customer Base. The unabated rise in enterprise data, ubiquitous reliance on digital collaboration and increased cybersecurity concerns will continue to drive demand for data protection, compliance and threat detection and response solutions. We intend to capitalize on this demand by targeting new customers, underpenetrated markets and use cases for our solutions. Our solutions address the needs of customers of all sizes, ranging from small and medium businesses to large multinational companies with hundreds of thousands of employees and petabytes of data. Although our solutions are applicable to organizations of all sizes, we will continue our focus on targeting larger organizations who can make larger purchases with us initially and over time.
 
Increase Sales to Existing Customers. We believe significant opportunities exist to further expand relationships with existing customers. Data growth (and subsequent security concerns) continues across all data stores, and enterprises want to standardize solutions that help them manage, protect and extract more value from their data, wherever it is stored. We will continue to cultivate incremental sales from our existing customers by driving increased use of our software within our installed base by expanding footprint and usage. We currently have six product families, consisting of DatAdvantage, DatAlert, Data Classification Engine, DataPrivilege, Data Transport Engine and DatAnswers with over twenty-five licenses under these product families. As of December 31, 2020, 63% of our customers with 500 employees or more had purchased four or more licenses and 30% purchased six or more licenses. We believe our existing customer base serves as a strong source of incremental revenues given our broad platform of products, their growing volume and complexity of enterprise data and the associated security concerns. As we innovate and expand our product offering, we expect to have an even broader suite of products to offer our customers. Our perpetual license maintenance renewal rate for the year ended December 31, 2020 continued to be over 90%. Our key strategies to ensure a high subscription license renewal rate and maintain our high maintenance renewal rate include focusing on the quality and reliability of our customer service and support teams to ensure our customers receive value from our products and providing software upgrades and enhancements when and if they are available.

Grow Sales From Our Newer Licenses and Functionality. We continue to introduce additional licenses and enhancements to existing products to support new functionalities. In the second quarter of 2020, we introduced a Remote Work Update to our platform to increase visibility into potential security issues related to remote work, including dashboards for unusual VPN, DNS and Web usage; comprehensive Microsoft Teams visibility; out-of-the-box reports for pinpointing exposed cloud data; and more threat models for Office 365. We also announced the acquisition of Polyrize in October 2020, which we expect will allow us to extend our platform to cover additional cloud data stores and applications that we do not currently support. In 2019, we announced Version 7 of our Data Security Platform, which included new dashboards to assess compliance and Active Directory risk and GDPR security risks so that customers can more easily identify critical risk in their hybrid environments, including vulnerable user accounts, at-risk cloud data and potential compliance violations, as well as performance enhancements, such as the usage of SOLR, for faster, more scalable event retrieval and investigation. We also added classification functionality to help enterprises automatically discover and classify data that falls under data covered by the California Consumer Privacy Act, or CCPA. We added threat intelligence to our security insights, built incident response playbooks directly into the UI and made usability and performance improvements. In 2018, we introduced Varonis Edge, which analyzes perimeter devices like DNS, VPN and web proxy to detect attacks like malware, APT intrusion and data exfiltration, and enable enterprises to correlate events and alerts to track potential data leaks and spot vulnerabilities at the point of entry. 
We also released support for Box events and Data Classification Labels, integrating with Microsoft Information Protection (MIP) to help enterprises better classify, track and secure files across enterprise data stores and to address additional compliance requirements from new data privacy laws and standards. We added classification categories to the Data Classification Engine, to better identify and analyze regulated data related to GDPR, PII, PCI and PHI. We enhanced DatAnswers to address data privacy and compliance use cases, enabling customers to fulfill data subject access requests and protect personally identifiable information. We have enhanced our products to provide even more value to our customers including: an updated user interface for DataPrivilege, additional data store support, new geolocation support, enhanced threat detection and security monitoring and new threat models to protect sensitive and regulated data against security breaches, malware, ransomware and insider threats, and optimizations to make DatAlert faster and more intuitive for security investigations. We believe these new additions to our product offering can be a meaningful contributor to our growth.
 
Expand Our Sales Force. Continuing to expand our sales force will be essential to achieving our customer base expansion goals. The sales force and our approach to introducing products to the market have been key to our successful growth in the past and will be central to our growth plan in the future. While our products serve customers of all sizes, in all industries and all geographies, the marketing focus and majority of our sales focus is on targeting organizations with 1,000 users or more who can make larger initial purchases with us and, over time, generate a greater potential lifetime value. Our customers span leading firms in the financial services, public, healthcare, industrial, insurance, energy and utilities, technology, consumer and retail, media and entertainment and education sectors. We also believe our existing customers represent significant future revenue opportunities for us. We believe that our sales model, which combines the leverage of a channel sales model with our highly trained and professional sales force and their ability to support our channel partners to efficiently identify leads, perform risk assessments and convert them to satisfied customers, has and will continue to play a major role in our ability to grow and to successfully deliver our unique value proposition for enterprise data. We intend to expand our sales capacity by adding headcount throughout our sales and marketing department.
 
Establish Our Data Security Platform as the Industry Standard. We have worked with several of the leading providers of network attached storage, or NAS, and hybrid cloud storage, including Dell/EMC, IBM, NetApp, HP, Hitachi and Nasuni, in order to expand our market reach and deliver enhanced functionality to our customers. We have worked with these vendors to assure compatibility with their product lines. Through the use of application programming interfaces, or APIs, and other integration work, our solutions also integrate with many providers of solutions in the ecosystem. We will continue to pursue such collaborations wherever they advance our strategic goals, thereby expanding our reach and establishing our product user interface as the de facto industry standard when it comes to enterprise data.
 
Continue International Expansion. We believe there is a significant opportunity for our platform in international markets to address the need for data protection and threat detection and response, as well as to comply with regulations such as the European Union's ("EU") General Data Protection Regulation ("GDPR"). Revenues from Europe, the Middle East and Africa (“EMEA”) accounted for approximately 26% of our revenues in 2020. Europe represented the substantial majority of revenues outside the United States. Although quarterly growth rates have fluctuated over the last few years in our European market, we believe that international expansion will be a key component of our growth strategy, and we will continue to market our products and services overseas.

Our Products
 
Our integrated platform of products currently contains six product families, most of which contain multiple licenses. Each license utilizes our core Metadata Framework technology to deliver features and functionality that allow enterprises to fully understand, secure and benefit from the value of their data. This architecture gives our clients the ability to select the features they require for their business needs and the flexibility to expand their usage simply by adding a license, and the fully-integrated nature of our products allows individual products to enhance the functionality of the others. At the same time, the ease of consumption under a subscription-based model has allowed us to deliver on customer demand for a greater number of our licenses, providing our customers value more quickly while leading to substantial future license upsell and cross-sell opportunities.
 
DatAdvantage. DatAdvantage, our flagship product family, launched in 2006, builds on our Metadata Framework and captures, aggregates, normalizes and analyzes every data access event for every user on Windows and UNIX/Linux servers, storage devices, email systems and Intranet servers, without requiring native operating system auditing functionalities or impacting performance or storage on file systems. Through an intuitive graphical interface, DatAdvantage presents insights from massive volumes of data using normal computing infrastructure. It is also our presentation layer for IT departments, which provides an interactive map of relevant users, groups and data objects, usage and content, facilitating analysis from multiple vectors. IT departments can pinpoint areas of interest starting with any metadata object, simulate changes measuring potential impact against historical access patterns, and easily execute changes on all data stores through a unified interface. DatAdvantage identifies where users have unnecessary access based on user behavior and machine learning. The DatAdvantage product family currently contains 11 licenses, including:

Individual DatAdvantage licenses for on premises data stores and infrastructure (Windows, Directory Services, SharePoint, Unix/Linux and Exchange) and cloud data stores (OneDrive, SharePoint Online, Exchange Online, Azure Active Directory and Box).

Automation Engine, introduced in 2017, which automatically repairs broken file systems and safely remediates exposures, helps customers accelerate the enforcement of a least privilege model by limiting broad access without substantial manual effort or resources.

DatAlert. Introduced in 2013, DatAlert profiles users and devices and their associated behaviors with respect to systems and data, detects and alerts on meaningful deviations that indicate compromise, provides a web-based dashboard and investigative interface and seamlessly integrates with security information and event management systems (SIEM). DatAlert helps enterprises quickly detect suspicious activity, prevents data breaches and cyberattacks, performs security forensics, visualizes risk and prioritizes and accelerates investigation. In addition, the DatAlert product family contains Varonis Edge, which was introduced in 2018. Edge analyzes perimeter devices like DNS, VPN and web proxy to expand user and device profiles to detect attacks like malware, APT intrusion and data exfiltration and enables enterprises to correlate events and alerts at the perimeter with alerts and events concerning data to better spot attacks at the point of entry and egress, reducing time to detection and time to resolution for security incidents.

Data Classification Engine. As the volume of an enterprise’s information grows, enterprises struggle to find and tag different types of sensitive data, such as intellectual property, regulated content, including Personally Identifiable Information, and medical records. Furthermore, content by itself does not provide adequate context to determine ownership, relevance, or protection requirements. Introduced in 2009, Data Classification Engine identifies and tags data based on criteria set in multiple metadata dimensions and provides business and IT personnel with actionable intelligence about this data, including a prioritized list of folders and files containing the most sensitive data and with the most inadequate permissions. For the identified folders and files, it also identifies who has access to that data, who is using it, who owns it, and recommendations for how to restrict access without disrupting workflow. Data Classification Engine provides visibility into the content of data across file systems and Intranet sites and combines it with other metadata, including usage and accessibility. The Data Classification Engine product family currently contains six licenses, including:

Individual Data Classification Engine licenses for on premises data stores and infrastructure (Windows/SharePoint and Unix) and cloud data stores (OneDrive and SharePoint Online).

Data Classification Policy Pack, introduced as GDPR Patterns in 2017, builds upon the Data Classification Engine with over 400 patterns for identifying and classifying personal information specific to GDPR and CCPA.

Data Classification Labels, introduced in 2018, integrates with Microsoft Information Protection (MIP) to protect sensitive data across customer environments regardless of where it lives or how it is shared. Data Classification Labels allows users to automatically apply classification labels and encrypt files that it has identified as sensitive.

DataPrivilege. Introduced in 2006, DataPrivilege was designed for use by business unit personnel and provides a self-service web portal that allows users to request access to data necessary for their business functions, and allows owners to grant access without IT intervention. DataPrivilege enhances data protection and compliance by enabling business users to make access decisions based on queries, user requests and metadata analytics information, rather than static IT policies. DataPrivilege provides a presentation layer for business users to review accessibility, sensitivity and usage of their data assets and grant and revoke access. We currently offer DataPrivilege licenses for Windows and SharePoint.

Data Transport Engine. Introduced in 2012, Data Transport Engine provides an execution engine that unifies the manipulation of data and metadata, translating business decisions and instructions into technical commands such as data migration or archiving. Data Transport Engine allows both IT and business personnel to standardize and streamline activities for data management and retention, from day-to-day maintenance to complex data store and domain migrations and archiving. Data Transport Engine ensures that data migrations automatically synchronize source and destination data with incremental copying even if the source data is still in use, translates access permissions across data stores and domains and provides reporting capabilities for data migration status. Moreover, it also provides IT personnel the flexibility to schedule recurring migrations to automatically find and move certain types of data such as sensitive or stale data and to perform active migrations, dispositions and archiving safely and efficiently.

DatAnswers. DatAnswers was introduced in 2014 to provide secure, relevant and timely search functionality for enterprise data. In 2018, we enhanced DatAnswers to help meet growing demands to comply with data privacy regulations and eDiscovery requests, and to facilitate data subject access requests. As data privacy laws are becoming more prevalent across the globe, meeting subject access requests is a primary requirement in data regulation. As companies continue to generate and store data in numerous enterprise data stores, relevant files become harder to find and manage, and compliance officers, controllers, and administrators need to identify and locate relevant content related to a data subject. DatAnswers provides elevated search for compliance and e-discovery, helping solve the growing problem of being able to fulfill subject access requests to meet data privacy laws. We currently offer DatAnswers licenses for Windows, SharePoint, OneDrive and SharePoint Online.

Our Customers
 
We currently have customers in over 85 countries. Our customers span numerous industries and vary greatly in size, ranging from small and medium businesses to large multinational enterprises and government agencies. Our customers include leading firms in the financial services, public, healthcare, industrial, insurance, energy and utilities, technology, consumer and retail, media and entertainment and education sectors, with hundreds of thousands of employees and petabytes of data.
 
Services
 
Maintenance and Support of Subscription and Perpetual Licenses
 
Prior to our transition to a subscription-based model, our customers typically purchased one year of software maintenance and support as part of their initial purchase of our perpetual license products, with an option to renew their maintenance agreements. These maintenance agreements provide customers the right to receive support and unspecified upgrades and enhancements when and if they become available during the maintenance period and access to our technical support services. Today, with the transition to a subscription model complete, the sales of new perpetual licenses are insignificant and therefore, we do not expect maintenance and support of perpetual licenses to grow versus prior year comparisons. Maintenance associated with a subscription contract is included in the Subscriptions revenue line of the income statement.
 
We maintain a customer support organization that provides all levels of support to our customers. Our customers that purchase maintenance and support services receive guaranteed response times, direct telephonic support and access to online support portals. Our customer support organization has global capabilities with expertise in both our software and complex IT environments and associated third-party infrastructure.
 
Professional Services
 
While users can easily download, install and deploy our software on their own, certain enterprises use our professional service team to provide fee-based services, which include training our customers in the use of our products, providing advice on network design, product configuration and implementation, automating and customizing reports and tuning policies and configuration of our products for the particular characteristics of the customer’s environment. Although professional services have always been a small percentage of our total revenues, we have recently seen, and expect to continue to see, that percentage decline as many of our newer licenses can provide remediation in a more automated way and given our planned long-term strategy to allow our channel partners to take on more professional services work. As such, our overall maintenance and services revenues are also expected to continue to decline versus prior year comparisons.
 
Sales and Marketing
 
Sales
 
We sell the vast majority of our products and services to a global network of resellers and distributors that we refer to as our channel partners. Our channel partners, in turn, sell the products they purchase from us to customers. In addition, we maintain a highly trained professional sales force that is responsible for overall market development, including the management of the relationships with our channel partners and supporting channel partners in winning customers through operating demonstrations and risk assessments. Our channel partners identify potential sales targets, maintain relationships with customers and introduce new products to existing customers. Sales to our channel partners are generally subject to our standard, non-exclusive channel partner agreement. These agreements are generally for a term of one year with a one-year renewal term and can be terminated by us or the channel partner for any reason upon 30 days’ notice. A termination of the agreement has no effect on orders already placed. Payment to us from the channel partner is typically due within 30 to 60 calendar days of the invoice date.

Marketing
 
Our marketing strategy focuses on building our brand and product awareness, increasing customer adoption and demand, communicating advantages and business benefits and generating leads for our channel partners and sales force. We market our software as a Data Security Platform, a solution for securing and managing enterprise data. We execute our marketing strategy by leveraging a combination of internal marketing professionals, external marketing partners and a network of regional and global channel partners. Our marketing organization is responsible for branding, content generation, demand generation, field marketing and product marketing and works with our business operations team to support channel marketing and sales support programs. We provide one-on-one and community education and awareness and promote the expanded use of our software. We host in-person or virtual Varonis Connect! customer events across sales regions, as well as free, online technical webinars in multiple regions. We focus our efforts on highly relevant content creation, events, campaigns and activities that can be leveraged by our channel partners worldwide to extend our marketing reach, such as, information regarding product awards and technical certifications, security training, regional seminars and conferences, webinars, podcasts and various other demand-generation activities. Our marketing efforts also include public relations in multiple regions, analyst relations, customer marketing, account-based marketing, targeted advertising, extensive content development available through our web site and content syndication, and our active blog.
 
Research and Development
 
Our research and development efforts are focused primarily on improving and enhancing our existing products, as well as developing new products, features and functionality. Use of our products has expanded from data governance into areas such as data security, privacy, accessibility and retention, and we anticipate that customers and innovation will drive functionality into additional areas. We regularly release new versions of our products which incorporate new features and enhancements to existing ones. We conduct substantially all of our research and development activities in Israel, and we believe this provides us with access to world-class engineering talent. In addition, we continue to seek opportunities to extend our technological capabilities and grow our business from strategic technological tuck-in acquisitions.
 
Our research and development expense was $99.4 million, $80.8 million and $70.0 million in 2020, 2019 and 2018, respectively.
 
Intellectual Property
 
We attempt to protect our technology and the related intellectual property under patent, trademark, copyright and trade secret laws, confidentiality procedures and contractual provisions. No single intellectual property right is solely responsible for protecting our products. The nature and extent of legal protection of our intellectual property rights depends on, among other things, its type and the jurisdiction in which it arises. As of January 29, 2021, we had 74 issued patents and 28 pending patent applications in the United States. Our issued U.S. patents expire between 2025 and 2039. We also had 41 patents issued and 63 applications pending for examination in non-U.S. jurisdictions, and three pending Patent Cooperation Treaty (“PCT”) patent applications, all of which are counterparts of our U.S. patent applications. Certain of our patents are owned by our Israeli subsidiary. The claims for which we have sought patent protection relate primarily to inventions we have developed for incorporation into our products.
 
In addition to patented technology, we rely on our unpatented proprietary technology and trade secrets. We generally enter into confidentiality agreements with our employees, consultants, service providers, vendors and customers and generally limit internal and external access to, and distribution of, our proprietary information and proprietary technology through certain procedural safeguards. We also rely on invention assignment agreements with our employees, consultants and others, to assign to the Company all inventions developed by such individuals in the course of their engagement with the Company.

Moreover, we have registered the “Varonis” name and logo and “DatAdvantage”, “DataPrivilege”, “DatAlert”, “DatAnywhere” and other names in the United States and, as related to some of these names, certain other countries.

In addition to Company-owned intellectual property, we license software from third parties for integration into our solution, including open source software and other software available on commercially reasonable terms. It may be necessary in the future to seek or renew licenses relating to various aspects of our products, processes and services. While we have generally been able to obtain such licenses on commercially reasonable terms in the past, we cannot provide assurance that such third parties will maintain such software or continue to make it available.
 
Seasonality
 
See Item 7, “Management’s Discussion and Analysis of Financial Condition and Results of Operations — Seasonality and Quarterly Trends.”

Competition
 
While there are some companies which offer certain features similar to those embedded in our solutions, as well as others with which we compete in certain use cases, we believe that we do not currently compete with a company that offers the same breadth of functionalities that we offer in a single integrated solution. Nevertheless, we do compete against a select group of software vendors that provide standalone solutions, similar to those found in our comprehensive software suite, in the specific markets in which we operate. We also face direct competition with respect to certain of our products, specifically Data Transport Engine, DatAnswers and DatAdvantage for Directory Services. As we continue to augment our functionality with insider threat detection and user behavior analytics and as we expand our classification capabilities to better serve compliance needs with new regulations, like GDPR, CCPA and other data privacy laws, and as these functionalities continue to be recognized as critical to protect enterprise data, we may face increased perceived and real competition from other security and classification technologies. In the future, as customer requirements evolve and new technologies are introduced, we may experience increased competition if established or emerging companies develop solutions that address the enterprise data market. Furthermore, because we operate in an evolving market, we anticipate that competition will increase based on customer demand for these types of products.
 
A number of factors influence our ability to compete in the markets in which we operate, including, without limitation: the continued reliability and effectiveness of our products’ functionalities; the breadth and completeness of our solutions’ features; the scalability of our solutions; and the ease of deployment and use of our products. We believe that we generally compete favorably in each of these categories. We also believe that we distinguish ourselves from others by delivering a single, integrated solution and sophisticated automation to address our customers’ needs regarding access, governance, security, privacy and retention with respect to their enterprise data. There can, however, be no assurance that we will remain unique in this capacity or that we will be able to compete favorably with other providers in the future.
 
If a more established company were to target our market, we may face significant competition. They may have competitive advantages, such as greater name recognition, larger sales, marketing, research and acquisition resources, access to larger customer bases and channel partners, a longer operating history and lower labor and development costs, which may enable them to respond more quickly to new or emerging technologies and changes in customer requirements or devote greater resources to the development, promotion and sale of their products than we do. Increased competition could result in us failing to attract customers or maintain renewals and licenses at the same rate. It could also lead to price cuts, alternative pricing structures or the introduction of products available for free or a nominal price, reduced gross margins, longer sales cycles and loss of market share.
 
In addition, our current or prospective channel partners may establish cooperative relationships with any future competitors. These relationships may allow future competitors to rapidly gain significant market share. These developments could also limit our ability to generate revenues from existing and new customers. If we are unable to compete successfully against current and future competitors our business, results of operations and financial condition may be harmed.
 
Employees and Human Capital Resources
 
As of December 31, 2020, we had 1,719 employees and independent contractors who developed, marketed, sold and supported our technology solutions, of which 755 were in the United States, 601 were in Israel and 363 were in other countries.

We understand that our innovation leadership is ultimately rooted in people. Competition for qualified personnel in the technology space is intense, and our success depends in large part on our ability to recruit, develop and retain a productive and engaged workforce. Accordingly, investing in our employees and their well-being, offering competitive compensation and benefits, promoting diversity and inclusion, adopting progressive human capital management practices and community outreach constitute core elements of our corporate strategy.

Support Employee Well-being and Engagement. We support the overall well-being of our employees from a physical, emotional, financial and social perspective. We also regularly seek input from employees, including through broad employee satisfaction and pulse surveys on specific issues, intended to assess our degree of success in promoting an environment where employees are engaged, satisfied, productive and possess a strong understanding of our business goals. Our global well-being program includes a long-standing practice of remote working arrangements, flexible paid time off, life planning benefits, wellness platforms and employee assistance programs.

Offer Competitive Compensation and Benefits. We strive to ensure that our employees receive competitive and fair compensation and innovative benefits offerings, tying incentive compensation to both business and individual performance, offering competitive maternal leave policies, providing meaningful retirement and health benefits and maintaining an employee stock purchase plan. In 2020, in response to a salary reduction during the COVID-19 crisis, we also provided broader access to equity compensation to our employees by granting them restricted stock units. As the momentum of the business improved throughout 2020, we informed employees that salaries would be returned to original levels in two phases, with the first phase becoming effective in July 2020 and the second in January 2021.

Promote Sense of Belonging through Diversity and Inclusion Initiatives. We conduct diversity and code of conduct trainings with employees and managers to make clear our views on diversity and promote an inclusive and diverse workplace, where all individuals are respected and feel they belong regardless of their age, race, national origin, gender, religion, disability, sexual orientation or gender identity. We also require managers to participate in unconscious bias training to improve awareness. Our customers are located in over 85 countries and our global workforce operates across cultures, functions, language barriers and time zones to support the challenges faced by customers worldwide. In order to support our customers’ needs we have established an international operation with employees and service providers from all around the world, of different languages, cultures, ages, religions, genders, etc.

Provide Programs for Employee Recognition. We also offer rewards and recognition programs to our employees, including awards to recognize employees who best exemplify our values and spot awards to recognize employee contributions. We believe that these recognition programs help drive strong employee performance. We conduct semi-annual employee performance reviews, where each employee is evaluated by their personal manager and also conducts a self-assessment, a process which empowers our employees. Employee performance is assessed based on a variety of key performance metrics, including the achievement of objectives specific to the employee’s department or role.

Create Opportunities for Growth and Development. We focus on creating opportunities for employee growth, development, training and education, including opportunities to cultivate talent and identify candidates for new roles from within the company and management and leadership development programs. Employee training and education includes online certification, in person certification and new hire training bootcamps. We also conduct manager training programs on an annual basis, which include in-depth managerial and coaching skills, as well as tailored feedback.

Promote Community Outreach and Support. We believe it is important to give back and promote community outreach and support through corporate giving and employee volunteerism in the communities in which we live and work. We also provide corporate matching of employee charitable donations and flexible volunteering during work time, thereby letting our employees know that we care about the volunteer and charitable efforts that matter to them.

Response to the COVID-19 Pandemic. In response to the COVID-19 pandemic, we have prioritized the safety of our employees and business partners, while continuing to support the needs of our customers and communities during this unprecedented period. We temporarily closed most of our offices around the world and continue to comply with state and local requirements, guidelines and recommendations. We shifted from existing flexible working arrangements to working from home on a regular basis, using digital platforms and virtual collaboration tools to maintain productivity and to remain in contact with one another and our business partners and customers. In addition, we have also limited travel to further support and protect our employees. In April 2020, in light of the disruption and uncertainty created by the global COVID-19 pandemic and resulting impact on business conditions, and in order to avoid reducing our global workforce, we enacted a salary reduction to employees (including management) across the organization. At the time, we combined this with a one-time equity grant to our employees equal to the annualized amount of the salary reduction in order to retain and motivate them and to let our employees know that we are doing everything we can as a company to support them during these unprecedented times. As the momentum of the business improved throughout 2020, the salary reductions were recouped to the original salary pre-reduction in two phases. Additionally, in response to the pandemic, we provided our employees a work-from-home equipment allowance in order to allow them to continue effectively working remotely. Moreover, we enhanced and promoted programs to support our employees' physical and mental well-being. For example, we made available to our employees several virtual workshops to cover various subjects, including helping employees to manage stress. Lastly, in order to increase the morale of our employees, we conducted virtual fun days.

Available Information
 
Our website is located at www.varonis.com, and our investor relations website is located at http://ir.varonis.com. The information posted on our website is not incorporated into this Annual Report on Form 10-K. Our Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and amendments to reports filed or furnished pursuant to Sections 13(a) and 15(d) of the Exchange Act are available free of charge on our investor relations website as soon as reasonably practicable after we electronically file such material with, or furnish it to, the Securities and Exchange Commission (the “SEC”). You may also access all of our public filings through the SEC’s website at www.sec.gov.
 
Investors and other interested parties should note that we use our media and investor relations website and our social media channels to publish important information about us, including information that may be deemed material to investors. We encourage investors and other interested parties to review the information we may publish through our media and investor relations website and the social media channels listed on our media and investor relations website, in addition to our SEC filings, press releases, conference calls and webcasts.

Item 1A. Risk Factors

Investing in our common stock involves a high degree of risk. You should carefully consider the following risks and all other information contained herein, including our consolidated financial statements and the related notes thereto, before investing in our common stock. The risks and uncertainties described below are not the only ones we face. Additional risks and uncertainties that we are unaware of, or that we currently believe are not material, also may become important factors that affect us. If any of the following risks materialize, our business, financial condition and results of operations could be materially harmed. In that case, the trading price of our common stock could decline, and you may lose some or all of your investment.
 
Risks Related to the Industry in which we Operate

The market for software that analyzes, secures, governs, manages and migrates enterprise data is new and unproven and may not grow.

We believe our future success depends in large part on the growth of the market for software that enables enterprises to analyze, secure, govern, manage and migrate their data. In order for us to market and sell our products, we must successfully demonstrate to enterprise IT, security and business personnel the potential value of their data and the risk of that data getting
compromised or stolen. We must persuade them to devote a portion of their budgets to a unified platform that we offer to protect, secure, govern, manage and extract value from this resource. We cannot provide any assurance that enterprises will recognize the need for our products or, if they do, that they will decide that they need a solution that offers the range of functionalities that we offer. Software solutions focused on enterprise data may not yet be viewed as a necessity, and accordingly, our sales effort is and will continue to be focused in large part on explaining the need for, and value offered by, our solution. We can provide no assurance that the market for our solution will continue to grow at its current rate or at all. The failure of the market to develop would materially adversely impact our results of operations.

Prolonged economic uncertainties or downturns could materially adversely affect our business.

Our business depends on our current and prospective customers’ ability and willingness to invest in IT services, including cybersecurity projects, which in turn is dependent upon their overall economic health. Negative conditions in the general economy both in the United States and abroad, including conditions resulting from COVID-19, similar to the negative impact on our results of operations we experienced at the early stages of the pandemic in the last two weeks of the first quarter in 2020, changes in gross domestic product growth, potential future government shutdowns, the federal government's failure to raise the debt ceiling, financial and credit market fluctuations, the imposition of trade barriers and restrictions such as tariffs, political deadlock, restrictions on travel, natural catastrophes, warfare and terrorist attacks, could cause a decrease in business investments, including corporate spending on enterprise software in general and negatively affect the rate of growth of our business.

Uncertainty in the global economy makes it extremely difficult for our customers and us to forecast and plan future business activities accurately. This could cause our customers to reevaluate decisions to purchase our product or to delay their purchasing decisions, which could lengthen our sales cycles.

We have a significant number of customers across a variety of verticals, some of which are impacted significantly by the economic turmoil caused by the COVID-19 pandemic. A downturn in any of our leading industries, or a reduction in any revenue-generating vertical, may cause enterprises to react to worsening conditions by reducing their spending on IT. Customers may delay or cancel IT projects, choose to focus on in-house development efforts or seek to lower their costs by renegotiating maintenance and support agreements. To the extent purchases of licenses for our software are perceived by customers and potential customers to be discretionary, our revenues may be disproportionately affected by delays or reductions in general IT spending. In addition, the increased pace of consolidation in certain industries may result in reduced overall spending on our software. If the economic conditions of the general economy or industries in which we operate worsen from present levels, our business, results of operations and financial condition could be adversely affected.

We may face increased competition in our market.

While there are some companies which offer certain features similar to those embedded in our solutions, as well as others with whom we compete in certain tactical use cases, we believe that we do not currently compete with a company that offers the same breadth of functionalities that we offer in a single integrated solution. Nevertheless, we do compete against a select group of software vendors that provide standalone solutions, similar to those found in our comprehensive software suite, in the specific markets in which we operate. We also face direct competition with respect to certain of our products, specifically Data Transport Engine, DatAnswers and DatAdvantage for Directory Services. As we continue to augment our functionality with insider threat detection and user behavior analytics and as we expand our classification capabilities to better serve compliance needs, such as GDPR, CCPA and other data privacy laws, we may face increased perceived and real competition from other security and classification technologies. As we expand our coverage and penetration in the cloud, we may face increased perceived and real competition from other cloud-focused technologies. In the future, as customer requirements evolve and new technologies are introduced, we may experience increased competition if established or emerging companies develop solutions that address the enterprise data market. Furthermore, because we operate in a relatively new and evolving area, we anticipate that competition will increase based on customer demand for these types of products.

In particular, if a more established company were to target our market, we may face significant competition. They may have competitive advantages, such as greater name recognition, larger sales, marketing, research and acquisition resources, access to larger customer bases and channel partners, a longer operating history and lower labor and development costs, which may enable them to respond more quickly to new or emerging technologies and changes in customer requirements or devote greater resources to the development, promotion and sale of their products than we do. Increased competition could result in us failing to attract customers or maintain licenses at the same rate. It could also lead to price cuts, alternative pricing structures or the introduction of products available for free or a nominal price, reduced gross margins, longer sales cycles, lower renewal rates and loss of market share.

In addition, our current or prospective channel partners may establish cooperative relationships with any future competitors. These relationships may allow future competitors to rapidly gain significant market share. These developments could also limit our ability to obtain revenues from existing and new customers.

Our ability to compete successfully in our market will also depend on a number of factors, including ease and speed of product deployment and use, the quality and reliability of our customer service and support, total cost of ownership, return on investment and brand recognition. Any failure by us to successfully address current or future competition in any one of these or other areas may reduce the demand for our products and adversely affect our business, results of operations and financial condition.

We are subject to a number of legal requirements, contractual obligations and industry standards regarding security, data protection and privacy, and any failure to comply with these requirements, obligations or standards could have an adverse effect on our reputation, business, financial condition and operating results.

Privacy and data information security have become a significant issue in the United States and in many other countries where we have employees and operations and where we offer licenses to our products. The regulatory framework for privacy and personal information security issues worldwide is rapidly evolving and is likely to remain uncertain for the foreseeable future. The U.S. federal and various state and foreign government bodies and agencies have adopted or are considering adopting laws and regulations limiting, or laws and regulations regarding, the collection, distribution, use, disclosure, storage and security of personal information. For example, the CCPA, which went into effect on January 1, 2020, requires, among other things, covered companies to provide new disclosures to California consumers and afford such consumers new abilities to opt-out of certain sales of personal information.

Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal framework with which we or our customers must comply. Laws and regulations in these jurisdictions apply broadly to the collection, use, storage, disclosure and security of data that identifies or may be used to identify or locate an individual, such as names, email addresses and, in some jurisdictions, Internet Protocol addresses. These laws and regulations often are more restrictive than those in the United States and are rapidly evolving. For example, the EU data protection regime, the GDPR, became enforceable on May 25, 2018. Additionally, the United Kingdom enacted legislation in May 2018 that substantially implements the GDPR, but the United Kingdom’s exit from the EU (which formally occurred on January 31, 2020), commonly referred to as “Brexit,” has created uncertainty with regard to the regulation of data protection in the United Kingdom. In particular, it is unclear how data transfers to and from the United Kingdom will be regulated following Brexit. Complying with the GDPR or other laws, regulations or other obligations relating to privacy, data protection or information security may cause us to incur substantial operational costs or require us to modify our data handling practices. Non-compliance could result in proceedings against us by governmental entities or others, could result in substantial fines or other liability and may otherwise adversely impact our business, financial condition and operating results.

Some statutory requirements, both in the United States and abroad, include obligations of companies to notify individuals of security breaches involving particular personal information, which could result from breaches experienced by us or our service providers. Even though we may have contractual protections with our service providers, a security breach could impact our reputation, harm our customer confidence, hurt our sales or cause us to lose existing customers and could expose us to potential liability or require us to expend significant resources on data security and in responding to such breach.

In addition to government regulation, privacy advocates and industry groups may propose new and different self-regulatory standards that either legally or contractually apply to us. We also expect that there will continue to be new proposed laws and regulations concerning privacy, data protection and information security, and we cannot yet determine the impact such future laws, regulations and standards may have on our business. New laws, amendments to or re-interpretations of existing laws and regulations, industry standards, contractual obligations and other obligations may require us to incur additional costs and restrict our business operations. Because the interpretation and application of laws and other obligations relating to privacy and data protection are still uncertain, it is possible that these laws and other obligations may be interpreted and applied in a manner that is inconsistent with our existing data management practices or the features of our software. If so, in addition to the possibility of fines, lawsuits and other claims, we could be required to fundamentally change our business activities and practices or modify our software, which could have an adverse effect on our business. We may be unable to make such changes and modifications in a commercially reasonable manner or at all, and our ability to develop new features could be limited. Any inability to adequately address privacy concerns, even if unfounded, or comply with applicable privacy or data protection laws, regulations and policies, could result in additional cost and liability to us, damage our reputation, inhibit sales and adversely affect our business.

Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations and policies that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our products. Privacy and personal information security concerns, whether valid or not valid, may inhibit market adoption of our products particularly in certain industries and foreign countries.

Risks Related to Our Operations

The recent global COVID-19 outbreak has had, and could continue to have, harmful effects on our business and results of operations.

The COVID-19 pandemic and efforts to control its spread have significantly curtailed the movement of people, goods and services worldwide, including in most or all of the regions in which we sell our products and services and conduct our business operations. Internationally and domestically, federal, state, and local governments have taken a variety of actions to contain the spread of COVID-19. Many jurisdictions have required mandatory business closures, or imposed capacity limitations and other restrictions affecting our operations. At the end of the first quarter of 2020, we closed our offices and instructed employees to work remotely as a precautionary measure intended to minimize the risk of the virus to them, our customers, partners and the communities in which we operate. Since that time, we have complied with state and local requirements and have been opening and closing our offices based on these guidelines and recommendations. To the extent there are extended restrictions or closures, this may adversely affect economies and financial markets globally, leading to an economic downturn. Our operations, and the operations of our customers and partners, have been disrupted and may continue to be so for a period of time that cannot currently be predicted.

The move to remote working has not to date materially impacted our business operations and research and development activity; however, if our employees will not be able to continue working effectively as a result of the COVID-19 pandemic, including because of illness, quarantines, office closures, ineffective remote work arrangements or technology failures or limitations, our operations would be adversely impacted. Further, as recently seen in many places around the world, remote work arrangements may increase the risk of cybersecurity incidents, data breaches or cyber-attacks, which could have a material adverse effect on our business and results of operations, due to, among other things, the loss of proprietary data, interruptions or delays in the operation of our business, damage to our reputation and any government imposed penalty. While the move to remote working and virtual-only customer experience has not to date adversely impacted our sales, we have had to postpone or cancel customer and industry events or conduct them virtually, and we cannot predict with certainty the impact these changes may have on our sales.

Corporate expenditures are also subject to elevated scrutiny in the current environment and may lead to longer sales cycles. The pandemic, and its impact on our customers, has also made it more difficult to predict our future performance and we expect it will continue to be more challenging to estimate the pipeline conversion rates due to the economic uncertainty, and there is a greater risk that any guidance we provide to the market may turn out to be incorrect. We therefore cannot predict whether potential decreases in sales will be offset in subsequent periods by increased sales.

Additionally, concerns over the economic impact of COVID-19 have caused extreme volatility in financial and other capital markets which have temporarily adversely impacted, and may in the future adversely impact, our stock price.

Overall, and in addition to other risks discussed in this Form 10-K filing, the COVID-19 pandemic gives rise to a number of risks, including, but not limited to, the following:

our ability to expand within our existing customer base, including through the adoption of additional licenses;
reduced economic activity which could lead to a prolonged recession, which could negatively impact consumer discretionary spending and in return could severely impact our business operations, financial condition and liquidity;
our ability to continue to show the positive trends at the levels we have shown in the last several quarters for certain key performance metrics, such as renewal rates, annual recurring revenues ("ARR") and dollar-based net retention rate;
negatively affect our customer success efforts, our ability to enter into new markets and our ability to acquire new customers, in part due to potentially lower conversion rates on risk assessments and delay and lengthen our sales cycles due to virtual meetings;
a reduction in the number of users as customers terminate and furlough employees;
an increase in bad debt reserves as customers face economic hardship and collectability becomes more uncertain, including the risk of bankruptcies;
our ability to timely retain, attract and recruit employees;
a reduction in our operating effectiveness, employee productivity, sales and marketing efforts, as our employees work from home;
potential negative impact on the health of our personnel and staff, particularly if a significant number of them are impacted, which could result in a deterioration in our ability to ensure business continuity during this disruption;
our ability to remotely develop new products and enhance existing products; and
our ability to raise capital.

These factors may make it more difficult for us to gain new customers and to expand within our existing customer base. While our revenues increased for the year ended December 31, 2020 compared to the year ended December 31, 2019, we may face future difficulties in gaining new customers and expanding within our existing customer base, similar to those difficulties we experienced during the last two weeks of the first quarter of 2020.

The full impact of COVID-19 on our business and our future performance is difficult to predict and there is some level of risk that any guidance we provide to the market may turn out to be incorrect. The challenges posed by COVID-19 on our business are uncertain and we will continue to evaluate our financial position in light of future developments, particularly those relating to COVID-19.

Security breaches, cyberattacks or other cyber-risks of our IT and production systems could expose us to significant liability and cause our business and reputation to suffer and harm our competitive position.

Our corporate infrastructure stores and processes our sensitive, proprietary and other confidential information (including as related to financial, technology, employees, marketing, sales, etc.) which is used on a daily basis in our operations. In addition to that, our software involves transmission and processing of our customers' confidential, proprietary and sensitive information. We have legal and contractual obligations to protect the confidentiality and appropriate use of customer data. Being a leading pioneer in the cyber industry, we may be an attractive target for cyber attackers or other data thieves.

High-profile cyberattacks and security breaches have increased in recent years, with the potential for such acts heightened as a result of the number of employees working remotely due to COVID-19. Security industry experts and government officials have warned about the risks of hackers and cyberattacks targeting IT products and enterprise infrastructure. Because techniques used to obtain unauthorized access or to sabotage systems change frequently and often are not recognized until launched against a specific target, we may be unable to anticipate these techniques or to implement adequate preventative measures. As we continue to increase our client base and expand our brand, we may become more of a target for third parties seeking to compromise our security systems and we anticipate that hacking attempts and cyberattacks will increase in the future. We cannot give assurance that we will always be successful in preventing or repelling unauthorized access to our systems. We also may face delays in our ability to identify or otherwise respond to any cybersecurity incident or any other breach. Additionally, we use third-party service providers to provide some services to us that involve the storage or transmission of data, such as SaaS, cloud computing, and internet infrastructure and bandwidth, and they face various cybersecurity threats and also may suffer cybersecurity incidents or other security breaches. Despite our security measures, our IT and infrastructure may be vulnerable to attacks. Threats to IT security can take a variety of forms. Individual and groups of hackers and sophisticated organizations, including state-sponsored organizations or nation-states, continuously undertake attacks that pose threats to our customers and our IT. 
These actors may use a wide variety of methods, which may include developing and deploying malicious software or exploiting vulnerabilities in hardware, software, or other infrastructure in order to attack our products and services or gain access to our networks, using social engineering techniques to induce our employees, users, partners, or customers to disclose passwords or other sensitive information or take other actions to gain access to our data or our users’ or customers’ data, or acting in a coordinated manner to launch distributed denial of service or other coordinated attacks. Inadequate account security practices may also result in unauthorized access to confidential and/or sensitive data.

Security risks, including, but not limited to, unauthorized use or disclosure of customer data, theft of proprietary information, theft of intellectual property, theft of internal employee’s PII/PHI information, theft of financial data and financial reports, loss or corruption of customer data and computer hacking attacks or other cyberattacks, could require us to expend significant capital and other resources to alleviate the problem and to improve technologies, may impair our ability to provide services to our customers and protect the privacy of their data, may result in product development delays, may compromise confidential or technical business information, may harm our competitive position, may result in theft or misuse of our intellectual property or other assets and could expose us to substantial litigation expenses and damages, indemnity and other contractual obligations, government fines and penalties, mitigation expenses, costs for remediation and incentives offered to affected parties, including customers, other business partners and employees, in an effort to maintain business relationships after a breach or other incident, and other liabilities. We are continuously working to improve our IT systems, together with creating security boundaries around our critical and sensitive assets. We provide advanced security awareness training to our employees and contractors that focuses on various aspects of the cybersecurity world. All of these steps are taken in order to mitigate the risk of attack and to ensure our readiness to responsibly handle any security violation or attack. However, because techniques used to obtain unauthorized access or to sabotage systems change frequently and generally are not recognized until successfully
launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures. If an actual or perceived breach of our security occurs, the market perception of the effectiveness of our security measures and our products could be harmed, we could lose potential sales and existing customers, our ability to operate our business could be impaired, and we may incur significant liabilities, and we could suffer harm to our reputation and competitive position, and our operating results could be negatively impacted.

Our quarterly results of operations have fluctuated and may fluctuate significantly due to variability in our revenues which could adversely impact our stock price.

Our revenues and other results of operations have fluctuated from quarter to quarter in the past and could continue to fluctuate in the future partially due to the front-loaded revenue recognition nature of our business. Additionally, we have a limited operating history under our new subscription model, which makes it difficult to forecast our results. As a result, comparing our revenues and results of operations on a period-to-period basis may not be meaningful, and should not be relied on for any particular past quarter or other period results. Our revenues depend in part on the conversion of enterprises that have undergone risk assessments, which can be and are frequently performed remotely, into paying customers; however, given the spread of COVID-19 and the impact on our prospects, these risk assessments may not be converted at the same historical rates. At the same time, the majority of our sales are typically made during the last three weeks of every quarter. We may fail to meet market expectations for that quarter if we are unable to close the number of transactions that we expect during this short period and closings are deferred to a subsequent quarter or not closed at all. In addition, our sales cycle from initial contact to delivery of and payment for the software license generally becomes longer and less predictable with respect to large transactions and often involves multiple meetings or consultations at a substantial cost and time commitment to us. The closing of a large transaction in a particular quarter may raise our revenues in that quarter and thereby make it more difficult for us to meet market expectations in subsequent quarters and our failure to close a large transaction in a particular quarter or any renewals may adversely impact our revenues in that quarter. Moreover, we base our current and future expense levels on our revenue forecasts and operating plans, and our expenses are relatively fixed in the short-term. 
Accordingly, we would likely not be able to reduce our costs sufficiently to compensate for an unexpected shortfall in revenues and even a relatively small decrease in revenues could disproportionately and adversely affect our financial results for that quarter.

The variability and unpredictability of these and other factors, many of which are outside of our control, could result in our failing to meet or exceed financial expectations for a given period. If our revenues or results of operations fall below the expectations of investors or any securities analysts that cover our stock, the price of our common stock could decline substantially.

If the transition to a subscription-based business model we have completed fails to continue yielding the benefits that we achieved, our results of operations could be negatively impacted.

We have completed our transition to a subscription-based business model but it is uncertain whether the expected benefits will continue. Market acceptance of our products is dependent on our ability to include functionality and usability that address certain customer requirements. Additionally, we must optimally price our products in light of marketplace conditions, our costs and customer demand. At the start of the transition, we suffered a negative revenue and earnings impact, including on our quarterly results of operations. Such negative implications might return if we are unable to achieve the renewals we anticipate, either at all or on a timely basis.

This subscription strategy may give rise to a number of risks, including the following:

our revenues and cash flows may fluctuate more than anticipated over the short-term as a result of this strategy;
if our customers do not renew their subscriptions or do not renew them on a timely basis (including due to substantial implication of the economic turmoil caused by the COVID-19 pandemic), our revenues may decline and our business may suffer;
the shift to a subscription strategy may raise, and has raised, concerns among our customer base, including concerns regarding changes to pricing over time;
we may be unsuccessful in maintaining or implementing our target pricing or new pricing models, product adoption and projected renewal rates, or we may select a target price or new pricing model that is not optimal and could negatively affect our sales or earnings;
our sales force may struggle with the additional requirements of selling subscription which may lead to increased turnover rates and lower headcount;
if new or current customers desire only perpetual licenses our subscription sales may lag behind our expectations; and
our relationships with existing partners that resell perpetual license products may be damaged.

We may not be able to predict subscription renewal rates and their impact on our future revenues and operating results.

Although our subscription solutions are designed to increase the number of customers that purchase our solutions and the number of products purchased by existing and new customers to create a recurring revenue stream that increases and is more predictable over time, our customers are not required to renew their subscriptions for our solutions and they may elect not to renew when, or as we expect, or they may elect to reduce the scope of their original purchases or delay their purchase. We cannot accurately predict renewal rates given our varied customer base of enterprise and small and medium size business customers and the number of multiyear subscription contracts. Customer renewal rates may decline or fluctuate due to a number of factors, including offering pricing, competitive offerings, customer satisfaction and reductions in customer spending levels or customer activity due to economic downturns including, but not limited to, the COVID-19 pandemic, the adverse impact of import tariffs or other market uncertainty. If our customers do not renew their subscriptions when or as we expect, or if they choose to renew for fewer subscriptions (in quantity or products) or renew for shorter contract lengths or if they renew on less favorable terms, our revenues and earnings may decline, and our business may suffer.

We have been growing and expect to continue to invest in our growth for the foreseeable future. If we fail to manage this growth effectively, our business and results of operations will be adversely affected.

We intend to continue to grow our business and plan to continue to hire new sales employees either for expansion or replacement of existing sales personnel. If we cannot adequately and timely hire new employees and if we fail to adequately train these new employees, including our sales force, engineers and customer support staff, which processes have become more challenging during the COVID-19 period, our sales may not grow at the rates we project and/or our sales productivity might suffer, our customers might decide not to renew or reduce the scope of their original purchases, or our customers may lose confidence in the knowledge and capability of our employees or products. We must successfully manage our growth to achieve our objectives. Although our business has experienced significant growth in the past, we cannot provide any assurance that our business will continue to grow at the same rate, or at all.

Our ability to effectively manage any significant growth of our business will depend on a number of factors, including our ability to do the following:

adequately and timely recruit, train, motivate and integrate new employees, including our sales force and engineers, while retaining existing employees, maintaining the beneficial aspects of our corporate culture and effectively executing our business plan, especially during this challenging period of the COVID-19 pandemic;
satisfy existing customers and attract new customers;
successfully manage and integrate our acquisition and any future acquisitions of businesses, including our recent acquisition, and including, without limitation, the amount and timing of expenses and potential future charges for impairment of goodwill from acquired companies;
successfully introduce new products and enhancements;
effectively manage existing channel partnerships and expand to new ones;
improve our key business applications and processes to support our business needs;
enhance information and communication systems to ensure that our employees and offices around the world are well-coordinated and can effectively communicate with each other and our growing customer base;
enhance our internal controls to ensure timely and accurate reporting of all of our operations and financial results;
protect and further develop our strategic assets, including our intellectual property rights;
make sound business decisions in light of the scrutiny associated with operating as a public company and the increased strain and pressures associated with COVID-19; and
capitalize on the transition from perpetual licenses to a subscription-based business model.

These activities will require significant investments and allocation of valuable management and employee resources, and our growth will continue to place significant demands on our management and our operational and financial infrastructure. There are no guarantees we will be able to grow our business in an efficient or timely manner, or at all. Moreover, if we do not effectively manage the growth of our business and operations, the quality of our software could suffer, which could negatively affect our brand, results of operations and overall business.

We have a limited operating history at our current scale, which makes it difficult to evaluate and predict our future prospects and may increase the risk that we will not be successful.

We have a relatively short history operating our business at its current scale. For example, we have increased the number of our employees and have expanded our operations and product offerings. This limits our ability to forecast our future operating results and subjects us to a number of uncertainties, including our ability to plan for and model future growth. We have encountered and will continue to encounter risks and uncertainties frequently experienced by growing companies in new markets that may not develop as expected. Because we depend in part on the market’s acceptance of our products, it is difficult to evaluate trends that may affect our business. If our assumptions regarding these trends and uncertainties, which we use to plan our business, are incorrect or change in reaction to changes in our markets, or if we do not address these risks successfully, our operating and financial results could differ materially from our expectations and our business could suffer. Moreover, although we have experienced significant growth historically, we may not continue to grow as quickly in the future.

Our future success will depend in large part on our ability to, among other things:

reap the benefits from the transition to a subscription-based model successfully;
maintain and expand our business, including our customer base and operations, to support our growth, both domestically and internationally;
successfully manage and integrate our acquisition and any future acquisitions of businesses;
develop new products and services and bring products and services in beta to market;
renew subscription and maintenance and support agreements with, and sell additional products to, existing customers;
maintain high customer satisfaction and ensure quality and timely releases of our products and product enhancements;
increase market awareness of our products and enhance our brand;
maintain compliance with applicable governmental regulations and other legal obligations, including those related to intellectual property, international sales and taxation; and
hire, integrate, train and retain skilled talent, including members of our sales force and engineers.

If we fail to address the risks and difficulties that we face, including those associated with the challenges listed above as well as those described elsewhere in this “Risk Factors” section, our business will be adversely affected, and our results of operations will suffer.

If we are unable to attract new customers and expand sales to existing customers, both domestically and internationally, our growth could be slower than we expect, and our business may be harmed.

Our success will depend, in part, on our ability to support new and existing customer growth and maintain customer satisfaction. Due to COVID-19, our sales and marketing teams have avoided in-person meetings and are increasingly engaging with customers online and through other communications channels, including virtual meetings. While our revenues increased for the year ended December 31, 2020 compared to the year ended December 31, 2019, there is no guarantee that in the future our sales and marketing teams will be as successful or effective using these other communications channels as they try to build relationships. If we cannot provide the tools and training to our teams to efficiently do their jobs and satisfy customer demands, we may not be able to achieve anticipated revenue growth as quickly as expected.

Our future growth depends upon expanding sales of our products to existing customers and their organizations and receiving subscription and maintenance renewals. If our customers do not purchase additional licenses or capabilities, our revenues may grow more slowly than expected, may not grow at all or may decline. There can be no assurance that our efforts would result in increased sales to existing customers ("upsells") and additional revenues. If our efforts to upsell to our customers are not successful, our business would suffer.

Our future growth also depends in part upon increasing our customer base, particularly those customers with potentially high customer lifetime values. Our ability to achieve significant growth in revenues in the future will depend, in large part, upon the effectiveness of our sales and marketing efforts, both domestically and internationally, and our ability to attract new customers. Our ability to attract new customers may be adversely affected by newly enacted laws that may prohibit certain sales and marketing activities, such as recent legislation passed in the State of New York, pursuant to which, due to the declared disaster state of emergency attributed to COVID-19, unsolicited telemarketing sales calls are prohibited. If we fail to attract new customers and maintain and expand those customer relationships, our revenues may be adversely affected, and our business will be harmed.

We have a history of losses, and we may not be profitable in the future.

We have incurred net losses in each year since our inception, including a net loss of $94.0 million, $78.8 million and $28.6 million in each of the years ended December 31, 2020, 2019 and 2018, respectively. Due to our continued investment in the growth of our business, in 2020 our operating expenses increased to $326.8 million compared to $295.0 million and $271.7 million in 2019 and 2018, respectively. Because the market for our software is rapidly evolving and has still not yet reached widespread adoption, it is difficult for us to predict our future results of operations. We expect our operating expenses to increase over the next several years as we hire additional personnel, expand and improve the effectiveness of our distribution channels, and continue to develop features and applications for our software. In addition, as a public company, we have incurred, and will continue to incur, significant legal, accounting and other operating expense.

If we are unable to maintain successful relationships with our channel partners, our business could be adversely affected.

We rely on channel partners, such as distribution partners and resellers, to sell licenses and support and maintenance agreements for our software and to perform some of our professional services. In 2020, our channel partners fulfilled substantially all of our sales, and we expect that sales to channel partners will continue to account for substantially all of our revenues for the foreseeable future. Our ability to achieve revenue growth in the future will depend in part on our success in maintaining successful relationships with our channel partners.

Our agreements with our channel partners are generally non-exclusive, meaning our channel partners may offer customers the products of several different companies. If our channel partners do not effectively market and sell our software, choose to use greater efforts to market and sell their own products or those of others, or fail to meet the needs of our customers, including through the provision of professional services for our software, our ability to grow our business, sell our software and maintain our reputation may be adversely affected. Our contracts with our channel partners generally allow them to terminate their agreements for any reason upon 30 days’ notice. A termination of the agreement has no effect on orders already placed. The loss of a substantial number of our channel partners, our possible inability to replace them, or the failure to recruit additional channel partners could materially and adversely affect our results of operations. If we are unable to maintain our relationships with these channel partners, our business, results of operations, financial condition or cash flows could be adversely affected. Finally, even if we are successful, our relationships with channel partners may not result in greater customer usage of our products and professional services or increased revenue.

We are exposed to collection and credit risks, which could impact our operating results.

Our accounts receivable and contract assets are subject to collection and credit risks. These agreements may include purchase commitments for multiple years of subscription-based software licenses and maintenance services, which may be invoiced over multiple reporting periods increasing these risks. For example, our operating results may be impacted by significant bankruptcies among customers, which could negatively impact our revenues and cash flows. Although we have processes in place that are designed to monitor and mitigate these risks, we cannot guarantee these programs will be effective. If we are unable to adequately control these risks, our business, operating results and financial condition could be harmed. Furthermore, as a result of the COVID-19 pandemic, existing customers may attempt to renegotiate contracts and obtain concessions, including, among other things, longer payment terms or modified subscription dates, or may fail to make payments on their existing contracts, which may materially and negatively impact our operating results and financial condition.

If currency exchange rates fluctuate substantially in the future, our results of operations, which are reported in U.S. dollars, could be adversely affected.

Our functional and reporting currency is the U.S. dollar, and we generate the majority of our revenues and incur the majority of our expenses in U.S. dollars. Revenues and expenses are also incurred in other currencies, primarily Euros, Pounds Sterling, Canadian dollars, Australian dollars and New Israeli Shekels ("NIS"). Accordingly, changes in exchange rates may have a material adverse effect on our business, results of operations and financial condition. The exchange rates between the U.S. dollar and foreign currencies have fluctuated substantially in recent years and may continue to fluctuate substantially in the future. Furthermore, a strengthening of the U.S. dollar could increase the cost in local currency of our software and our subscription licenses and maintenance renewals to customers outside the United States, which could adversely affect our business, results of operations, financial condition and cash flows. Volatility in exchange rates may continue in the short-term after the United Kingdom's recent exit from the EU.

We incur expenses for employee compensation and other operating expenses at our non-U.S. locations in local currencies. The weakening of the U.S. dollar against such currencies would cause the U.S. dollar equivalent of such expenses to increase which could have a negative impact on our reported results of operations and our ability to attract employees in such non-U.S. locations due to the actual increase in the compensation to be paid to such employees. We use forward foreign exchange contracts to hedge or mitigate the effect of changes in foreign exchange rates on our operating expenses denominated in certain foreign currencies. However, this strategy might not eliminate our exposure to foreign exchange rate fluctuations and involves costs and risks of its own, such as cash expenditures, ongoing management time and expertise, external costs to implement the strategy and potential accounting implications. Additionally, our hedging activities may contribute to increased losses as a result of volatility in foreign currency markets and the difference between the interest rates of the currencies being hedged.

Our business is highly dependent upon our brand recognition and reputation, and the failure to maintain or enhance our brand recognition or reputation may adversely affect our business.

We believe that enhancing the “Varonis” brand identity and maintaining our reputation in the IT industry is critical to our relationships with our customers and to our ability to attract new customers. Our brand recognition and reputation is dependent upon:

our ability to continue to offer high quality, innovative and error- and bug-free products;
our ability to maintain customer satisfaction with our products;
our ability to be responsive to customer concerns and provide high quality customer support, training and professional services;
our marketing efforts;
any misuse or perceived misuse of our products;
positive or negative publicity;
our ability to prevent or quickly react to any cyberattack on our IT systems or security breach of or related to our software;
interruptions, delays or attacks on our website; and
litigation or regulatory-related developments.

We may not be able to successfully promote our brand or maintain our reputation. In addition, independent industry analysts often provide reviews of our products, as well as other products available in the market, and perception of our product in the marketplace may be significantly influenced by these reviews. If these reviews are negative, or less positive than reviews about other products available in the market, our brand may be adversely affected. Furthermore, negative publicity relating to events or activities attributed to us, our employees, our channel partners or others associated with any of these parties, may tarnish our reputation and reduce the value of our brand. If we do not successfully enhance our brand and maintain our reputation, our business may not grow, we may have reduced pricing power relative to competitors with stronger brands, and we could lose customers or renewals, all of which would adversely affect our business, operations and financial results. Moreover, damage to our reputation and loss of brand equity may reduce demand for our products and have an adverse effect on our business, results of operations and financial condition. Any attempts to rebuild our reputation and restore the value of our brand may be costly and time consuming, and such efforts may not ultimately be successful.

Moreover, it may be difficult to enhance our brand and maintain our reputation in connection with sales to channel partners. Promoting our brand requires us to make significant expenditures, and we anticipate that the expenditures will increase as our market becomes more competitive, as we expand into new markets and geographies and as more sales are generated to our channel partners. To the extent that these activities yield increased revenues, these revenues may not offset the increased expenses we incur.

Our success depends in part on maintaining and increasing our sales to customers in the public sector.

We derive a portion of our revenues from contracts with federal, state, local and foreign governments and government-owned or -controlled entities (such as public health care bodies, educational institutions and utilities), which we refer to as the public sector herein. We believe that the success and growth of our business will continue to depend on our successful procurement of public sector contracts. Selling to public sector entities can be highly competitive, expensive and time consuming, often requiring significant upfront time and expense without any assurance that our efforts will produce any sales. Government demand and payment for our products and services may be impacted by public sector budgetary cycles, or lack of, and funding authorizations, including in connection with an extended government shutdown, with funding reductions or delays adversely affecting public sector demand for our products and services. Factors that could impede our ability to maintain or increase the amount of revenues derived from public sector contracts include:

changes in public sector fiscal or contracting policies;
decreases or elimination of available public sector funding;
changes in public sector programs or applicable requirements;
the adoption of new laws or regulations or changes to existing laws or regulations;
potential delays or changes in the public sector appropriations or other funding authorization processes;
the requirement of contractual terms that are unfavorable to us, such as most-favored-nation pricing provisions; and
delays in the payment of our invoices by public sector payment offices.

Furthermore, we must comply with laws and regulations relating to public sector contracting, which affect how we and our channel partners do business in both the United States and abroad. These laws and regulations may impose added costs on our business, and failure to comply with these or other applicable regulations and requirements, including non-compliance in the past, could lead to claims for damages from our channel partners, penalties, termination of contracts, and temporary suspension or permanent debarment from public sector contracting. Moreover, governments routinely investigate and audit government contractors’ administrative processes, and any unfavorable audit could result in the government refusing to continue buying our products, which would adversely impact our revenue and results of operations, or institute fines or civil or criminal liability if the audit uncovers improper or illegal activities.

The occurrence of any of the foregoing could cause public sector customers to delay or refrain from purchasing licenses of our software in the future or otherwise have an adverse effect on our business, operations and financial results.

We are subject to governmental export and import controls that could subject us to liability or impair our ability to compete in international markets.

We incorporate encryption technology into certain of our products and these products are subject to U.S. export control. We are also subject to Israeli export controls on encryption technology since our product development initiatives are primarily conducted by our wholly-owned Israeli subsidiary. We have obtained the required licenses to export our products outside of the United States. In addition, the current encryption means used in our products are listed in the “free means encryption items” published by the Israeli Ministry of Defense, which means we are exempt from obtaining an encryption control license. If the applicable U.S. or Israeli legal requirements regarding the export of encryption technology were to change or if we change the encryption means in our products, we may need to apply for new licenses in the United States and may no longer be able to rely on our licensing exception in Israel. There can be no assurance that we will be able to obtain the required licenses under these circumstances. Furthermore, various other countries regulate the import of certain encryption technology, including import permitting and licensing requirements, and have enacted laws that could limit our ability to distribute our products or could limit our customers’ ability to implement our products in those countries.

We are also subject to U.S. and Israeli export control and economic sanctions laws, which prohibit the shipment of certain products to embargoed or sanctioned countries, governments and persons. Our products could be exported to these sanctioned targets by our channel partners despite the contractual undertakings they have given us and any such export could have negative consequences, including government investigations, penalties and reputational harm. Any change in export or import regulations, economic sanctions or related legislation, shift in the enforcement or scope of existing regulations, or change in the countries, governments, persons or technologies targeted by such regulations, could result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential customers with international operations. Moreover, any new export or import restrictions, new legislation or shifting approaches in the enforcement or scope of existing regulations, or in the countries, persons or technologies targeted by such regulations, could result in decreased use of our products. Any decreased use of our products or limitation on our ability to export or sell our products would likely adversely affect our business, financial condition and results of operations.

Our business in countries with a history of corruption and transactions with foreign governments increase the risks associated with our international activities.

As we operate and sell internationally, we are subject to the Foreign Corrupt Practices Act of 1977, as amended (the "FCPA"), the U.K. Bribery Act of 2010 (the "UK Bribery Act") and other laws that prohibit improper payments or offers of payments to foreign governments and their officials and political parties for the purpose of obtaining or retaining business. We have operations, deal with and make sales to governmental customers in countries known to experience corruption, particularly certain emerging countries in Eastern Europe, South and Central America, East Asia, Africa and the Middle East. Our activities in these countries create the risk of unauthorized payments or offers of payments by one of our employees, consultants, channel partners or sales agents that could be in violation of various anti-corruption laws, even though these parties may not be under our control. While we have implemented safeguards to prevent these practices by our employees, consultants, channel partners and sales agents, our existing safeguards and any future improvements may prove to be less than effective, and our employees, consultants, channel partners or sales agents may engage in conduct for which we might be held responsible. Violations of the FCPA or other anti-corruption laws may result in severe criminal or civil sanctions, including suspension or debarment from government contracting, and we may be subject to other liabilities, which could negatively affect our business, operating results and financial condition.

Acquisitions could disrupt our business and adversely affect our results of operations, financial condition and cash flows.

As we continue to pursue business opportunities, we may make acquisitions that could be material to our business, results of operations, financial condition and cash flows. Acquisitions involve many risks, including the following:

an acquisition may negatively affect our results of operations, financial condition or cash flows because it may require us to incur charges or assume substantial debt or other liabilities, may cause adverse tax consequences or unfavorable accounting treatment, including potential write-downs of deferred revenues, may expose us to claims and disputes by third parties, including intellectual property claims and disputes, or may not generate sufficient financial return to offset additional costs and expenses related to the acquisition;
we may encounter difficulties or unforeseen expenditures in integrating the business, technologies, products, personnel or operations of any company that we acquire, particularly if key personnel of the acquired company decide not to work for us;
an acquisition may disrupt our ongoing business, divert resources, increase our expenses and distract our management;
an acquisition may result in a delay or reduction of customer purchases for both us and the company we acquired due to customer uncertainty about continuity and effectiveness of service from either company;
we may encounter difficulties in, or may be unable to, successfully sell any acquired products;
an acquisition may involve the entry into geographic or business markets in which we have little or no prior experience or where competitors have stronger market positions;
challenges inherent in effectively managing an increased number of employees in diverse locations;
the potential strain on our financial and managerial controls and reporting systems and procedures;
potential known and unknown liabilities or deficiencies associated with an acquired company that were not identified in advance;
our use of cash to pay for acquisitions would limit other potential uses for our cash and affect our liquidity;
if we incur debt to fund such acquisitions, such debt may subject us to material restrictions on our ability to conduct our business as well as financial maintenance covenants;
the risk of impairment charges related to potential write-downs of acquired assets or goodwill in future acquisitions;
to the extent that we issue a significant amount of equity or convertible debt securities in connection with future acquisitions, existing stockholders may be diluted and earnings per share may decrease; and
managing the varying intellectual property protection strategies and other activities of an acquired company.

We may not succeed in addressing these or other risks or any other problems encountered in connection with the integration of any acquired business. Our ability as an organization to successfully acquire and integrate technologies or businesses is unproven. The inability to integrate successfully the business, technologies, products, personnel or operations of any acquired business, or any significant delay in achieving integration, could have a material adverse effect on our business, results of operations, financial condition and cash flows.

Risks Related to Human Capital

A failure to maintain sales and marketing personnel productivity or hire and integrate additional sales and marketing personnel could adversely affect our results of operations and growth prospects.

Our business requires intensive sales and marketing activities. Our sales and marketing personnel are essential to attracting new customers and expanding sales to existing customers, both of which are key to our future growth. We face a number of challenges in successfully expanding our sales force. Our transition to a subscription-based model, and the additional demands involved in selling multiple products, have increased the complexity and to some extent imposed new challenges in finding, hiring and retaining qualified sales force members. We must locate and hire a significant number of qualified individuals, and competition for such individuals is intense. In addition, as we expand into new markets with which we have less familiarity and develop existing territories, we will need to recruit individuals who have skills particular to a certain geography or territory, and it may be difficult to find candidates with those qualifications. We may be unable to achieve our hiring or integration goals due to a number of factors, including, but not limited to, the challenge in remotely recruiting employees and adequately training them due to COVID-19, the number of individuals we hire, challenges in finding individuals with the correct background due to increased competition for such hires, increased attrition rates among new hires and existing personnel as well as the necessary experience to sell our Data Security Platform rather than individual software products. Furthermore, based on our past experience in mature territories, it often can take up to 12 months before a new sales force member is trained and operating at a level that meets our expectations, and during the COVID-19 pandemic such training may take even longer.
We invest significant time and resources in training new members of our sales force, and we may be unable to achieve our target performance levels with new sales personnel as rapidly as we have done in the past, or at all, due to larger numbers of hires or lack of experience training sales personnel to operate in new jurisdictions or because of the remote hiring and training process. Our failure to hire a sufficient number of qualified individuals, to integrate new sales force members within the time periods we have achieved historically or to keep our attrition rates at levels comparable to others in our industry may materially impact our projected growth rate.

Failure to retain, attract and recruit highly qualified personnel could adversely affect our business, operating results, financial condition and growth prospects.

Our future success and growth depend, in part, on our ability to continue to recruit and retain highly skilled personnel and to preserve the key aspects of our corporate culture. Because our future success is dependent on our ability to continue to enhance and introduce new products, we are particularly dependent on our ability to hire and retain engineers. Any of our employees may terminate their employment at any time, and we face intense competition for highly skilled employees. Competition for qualified employees, particularly in Israel, where we have a substantial presence and need for qualified engineers, from numerous other companies, including other software and technology companies, many of whom have greater financial and other resources than we do, is intense. Moreover, to the extent we hire personnel from other companies, we may be subject to allegations that they have been improperly solicited or may have divulged proprietary or other confidential information to us. In addition, during the COVID-19 pandemic, which is characterized as an unstable period, to some extent it may be more difficult to timely attract and train new employees. If we are unable to timely attract, retain or train qualified employees, particularly our engineers, salespeople and key managers, our ability to innovate, introduce new products and compete would be adversely impacted, and our financial condition and results of operations may suffer. Equity grants are a critical component of our current compensation programs. If we reduce, modify or eliminate our equity programs, or if our stock price declines and the value of our equity compensation is lower as a result, we may have difficulty attracting and retaining employees.

We are dependent on the continued services and performance of our co-founder, Chief Executive Officer and President, the loss of whom could adversely affect our business.

Much of our future performance depends in large part on the continued services and continuing contributions of our co-founder, Chief Executive Officer and President, Yakov Faitelson, to successfully manage our company, to execute on our business plan and to identify and pursue new opportunities and product innovations. The loss of Mr. Faitelson's services could significantly delay or prevent the achievement of our development and strategic objectives and adversely affect our business.

Risks Related to our Technology, Products, Services and Intellectual Property

Our failure to continually enhance and improve our technology could adversely affect sales of our products.

The market is characterized by the exponential growth in enterprise data, rapid technological advances, changes in customer requirements, including customer requirements driven by changes to legal, regulatory and self-regulatory compliance mandates, frequent new product introductions and enhancements and evolving industry standards in computer hardware and software technology. As a result, we must continually change and improve our products in response to changes in operating systems, application software, computer and communications hardware, networking software, data center architectures, programming tools, computer language technology and various regulations. Moreover, the technology in our products is especially complex because it needs to effectively identify and respond to a user’s data retention, security and governance needs, while minimizing the impact on database and file system performance. Our products must also successfully interoperate with products from other vendors.

While we extend our technological capabilities through innovation and strategic transactions, we cannot guarantee that we will be able to anticipate future market needs and opportunities or be able to extend our technological expertise and develop new products or expand the functionality of our current products in a timely manner or at all. Even if we are able to anticipate, develop and introduce new products and expand the functionality of our current products, there can be no assurance that enhancements or new products will achieve widespread market acceptance.

Our product enhancements or new products could fail to attain sufficient market acceptance for many reasons, including:

failure to accurately predict market demand in terms of product functionality and to supply products that meet this demand in a timely fashion;
inability to interoperate effectively with the database technologies and file systems of prospective customers;
defects, errors or failures;
negative publicity or customer complaints about performance or effectiveness; and
poor business conditions, causing customers to delay IT purchases.

If we fail to anticipate market requirements or stay abreast of technological changes, we may be unable to successfully introduce new products, expand the functionality of our current products or convince our customers and potential customers of the value of our solutions in light of new technologies. Accordingly, our business, results of operations and financial condition could be materially and adversely affected.

If our technical support, customer success or professional services are not satisfactory to our customers, they may not renew their subscription licenses or maintenance and support agreements or buy future products, which could adversely affect our future results of operations.

Our business relies on our customers’ satisfaction with the technical support and professional services we provide to support our products. Our customers have no obligation to renew their subscription licenses or maintenance and support agreements with us after the initial terms have expired. Our customers who had originally purchased perpetual licenses have an option to renew their maintenance agreements. For us to maintain and improve our results of operations, it is important that our existing customers renew their subscription licenses and maintenance and support agreements, if applicable, when the existing contract term expires. For example, our perpetual license maintenance renewal rate for each of the years ended December 31, 2020, 2019 and 2018 continued to be over 90%. Customer satisfaction will become even more important as almost all of our licensing has shifted to subscription license agreements.

If we fail to provide technical support services that are responsive, satisfy our customers’ expectations and resolve issues that they encounter with our products and services, then they may elect not to purchase or renew subscription licenses or annual maintenance and support contracts and they may choose not to purchase additional products and services from us. Accordingly, our failure to provide satisfactory technical support or professional services could lead our customers not to renew their agreements with us or renew on terms less favorable to us, and therefore have a material and adverse effect on our business and results of operations.

Because we derive substantially all of our revenues and cash flows from sales of licenses from a single platform of products, failure of the products in the platform to satisfy customers or to achieve increased market acceptance would adversely affect our business.

In 2020, we generated substantially all of our revenues from sales of licenses from five of our current product families, DatAdvantage, DatAlert, Data Classification Engine, DataPrivilege and Data Transport Engine. We expect to continue to derive the majority of our revenues from license sales relating to these products in the future. As such, market acceptance of these products is critical to our continued success. Demand for licenses for our platform of products is affected by a number of factors, some of which are outside of our control, including continued market acceptance of our software by referenceable accounts for existing and new use cases, technological change and growth or contraction in our market. We expect the proliferation of enterprise data to lead to an increase in the data analysis demands, and data security and retention concerns, of our customers, and our software, including the software underlying our Data Security Platform, may not be able to scale and perform to meet those demands. If we are unable to continue to meet customer demands or to achieve more widespread market acceptance of our software, our business, operations, financial results and growth prospects will be materially and adversely affected.

Interruptions or performance problems, including those associated with our website or support website or any caused by cyberattacks, may adversely affect our business.

Our continued growth depends in part on the ability of our existing and potential customers to quickly access our website and support website. Access to our support website is also imperative to our daily operations and interaction with customers, as it allows customers to download our software, fixes and patches, as well as open and respond to support tickets and register license keys for evaluation or production purposes. We have experienced, and may in the future experience, website disruptions, outages and other performance problems due to a variety of factors, including technical failures, cyberattacks, natural disasters, infrastructure changes, human or software errors, capacity constraints due to an overwhelming number of users accessing our website simultaneously and denial of service or fraud. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time. System failures or outages, including any potential disruptions due to significantly increased global demand on certain cloud-based systems during the COVID-19 pandemic, could compromise our ability to perform our day-to-day operations in a timely manner, which could negatively impact our business or delay our financial reporting. It may become increasingly difficult to maintain and improve the performance of our websites, especially during peak usage times and as our software becomes more complex and our user traffic increases. If our websites are unavailable or if our users are unable to download our software, patches or fixes within a reasonable amount of time or at all, we may suffer reputational harm and our business would be negatively affected.

If our software is perceived as not being secure, customers may reduce the use of or stop using our software, and we may incur significant liabilities.

Our software involves the transmission of data between data stores, and between data stores and desktop and mobile computers, and may in the future involve the storage of data. We have a legal and contractual obligation to protect the confidentiality and appropriate use of customer data. Any security breaches with respect to such data could result in the loss of this information, litigation, indemnity obligations and other liabilities. The security of our products and accompanied services is important in our customers’ decisions to purchase or use our products or services. Security threats are a significant challenge to companies like us whose business is providing technology products and services to others. While we have taken steps to protect the confidential information that we have access to, including confidential information we may obtain through our customer support services or customer usage of our products, we have no direct control over the substance of the content. Security measures might be breached as a result of third-party action, employee error, malfeasance or otherwise. We also incorporate open source software and other third-party software into our products. There may be vulnerabilities in open source software and third-party software that may make our products likely to be harmed by cyberattacks. Moreover, our products operate in conjunction with and are dependent on products and components across a broad ecosystem of third parties. If there is a security vulnerability in one of these components, and if there is a security exploit targeting it, such security vulnerability may adversely impact our product vulnerability and we could face increased costs, liability claims, reduced revenue, or harm to our reputation or competitive position. 
Because techniques used to obtain unauthorized access or sabotage systems change frequently and generally are not identified until they are launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures.

There can be no assurance that the limitations of liability in our contracts would be enforceable or adequate or would otherwise protect us from any such liabilities or damages with respect to any particular claim. While we maintain insurance coverage for some of the above events, the potential liabilities associated with these security breach events could exceed the insurance coverage we maintain.

Any or all of these issues could tarnish our reputation, negatively impact our ability to attract new customers or sell additional products to our existing customers, cause existing customers to elect not to renew their maintenance and support agreements or subject us to third-party lawsuits, regulatory fines or other action or liability, thereby adversely affecting our results of operations.

Our use of open source software could negatively affect our ability to sell our software and subject us to possible litigation.

We use open source software and expect to continue to use open source software in the future. Some open source software licenses require users who distribute open source software as part of their own software product to publicly disclose all or part of the source code to such software product or to make available any derivative works of the open source code on unfavorable terms or at no cost. We may face ownership claims of third parties over, or seeking to enforce the license terms applicable to, such open source software, including by demanding the release of the open source software, derivative works or our proprietary source code that was developed using such software. These claims could also result in litigation, require us to purchase a costly license or require us to devote additional research and development resources to change our software, any of which would have a negative effect on our business and results of operations. In addition, if the license terms for the open source code change, we may be forced to re-engineer our software or incur additional costs. Finally, while we implement policies and procedures, we cannot provide assurance that we have incorporated open source software into our own software in a manner that conforms with our current policies and procedures and we cannot assure that all open source software is reviewed prior to use in our solution, that our programmers have not incorporated open source software into our solution, or that they will not do so in the future.

In addition, our solution may incorporate third-party software under commercial licenses. We cannot be certain whether such third-party software incorporates open source software without our knowledge. In the past, companies that incorporate open source software into their products have faced claims alleging noncompliance with open source license terms or infringement or misappropriation of proprietary software. Therefore, we could be subject to suits by parties claiming noncompliance with open source licensing terms or infringement or misappropriation of proprietary software. Because few courts have interpreted open source licenses, the manner in which these licenses may be interpreted and enforced is subject to some uncertainty. There is a risk that open source software licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our ability to market or provide our solution. As a result of using open source software subject to such licenses, we could be required to release proprietary source code, pay damages, re-engineer our solution, limit or discontinue sales or take other remedial action, any of which could adversely affect our business.

False detection of security breaches, false identification of malicious sources or misidentification of sensitive or regulated information could adversely affect our business.

Our cybersecurity products may falsely detect threats that do not actually exist. For example, our DatAlert product may enrich metadata collected by our products with information from external sources and third-party data providers. If the information from these data providers is inaccurate, the potential for false positives increases. These false positives, while typical in the industry, may affect the perceived reliability of our products and solutions and may therefore adversely impact market acceptance of our products. As definitions and instantiations of personal identifiers and other sensitive content change, automated classification technologies may falsely identify or fail to identify data as sensitive. If our products and solutions fail to detect exposures or restrict access to important systems, files or applications based on falsely identifying legitimate use as an attack or otherwise unauthorized, then our customers’ businesses could be adversely affected. Any such false identification of use and subsequent restriction could result in negative publicity, loss of customers and sales, increased costs to remedy any problem and costly litigation.

Risks Related to our Tax Regime

Our tax rate may vary significantly depending on our stock price.

The tax effects of the accounting for stock-based compensation may significantly impact our effective tax rate from period to period. In periods in which our stock price is higher than the grant price of the stock-based compensation vesting in that period, we will recognize excess tax benefits that will decrease our effective tax rate, while in periods in which our stock price is lower than the grant price of the stock-based compensation vesting in that period, our effective tax rate may increase. The amount and value of stock-based compensation issued relative to our earnings in a particular period will also affect the magnitude of the impact of stock-based compensation on our effective tax rate. These tax effects are dependent on our stock price, which we do not control, and a decline in our stock price could significantly increase our effective tax rate and adversely affect our financial results.

Multiple factors may adversely affect our ability to fully utilize our net operating loss carryforwards.

A U.S. corporation's ability to utilize its federal net operating loss (“NOL”) carryforwards is limited under Section 382 of the Internal Revenue Code of 1986, as amended (the “Code”), if the corporation undergoes an ownership change.

We have accumulated a $207.8 million NOL since inception. Future changes in our stock ownership, including future offerings, as well as changes that may be outside of our control, could result in a subsequent ownership change under Section 382, that would impose an annual limitation on NOLs. In addition, the cash tax benefit from our NOLs is dependent upon our ability to generate sufficient taxable income. Accordingly, we may be unable to earn enough taxable income in order to fully utilize our current NOLs.

Changes in our provision for income taxes or adverse outcomes resulting from examination of our income tax returns could adversely affect our results.

We are subject to income taxation in the United States, Israel and numerous other jurisdictions. Determining our provision for income taxes requires significant management judgment. In addition, our provision for income taxes could be adversely affected by many factors, including, among other things, changes to our operating structure including a review of our intellectual property ("IP") structure, changes in the amounts of earnings in jurisdictions with different statutory tax rates, changes in the valuation of deferred tax assets and liabilities and changes in tax laws. Significant judgment is required to determine the recognition and measurement attributes prescribed in Accounting Standards Codification 740-10-25 (“ASC 740-10-25”). ASC 740-10-25 applies to all income tax positions, including the potential recovery of previously paid taxes, which if settled unfavorably could adversely impact our provision for income taxes. Our income in certain countries is subject to reduced tax rates provided we meet certain employment and capital investment criteria. Failure to meet these commitments could adversely impact our provision for income taxes.

We are also subject to the regular examination of our income tax returns by the U.S. Internal Revenue Service and other tax authorities in various jurisdictions. Tax authorities may disagree with our intercompany charges, cross-jurisdictional transfer pricing, IP structure or other matters and assess additional taxes. While we regularly assess the likelihood of adverse outcomes resulting from these examinations to determine the adequacy of our provision for income taxes, there can be no assurance that the outcomes from these regular examinations will not have a material adverse effect on our results of operations and cash flows. Further, we may be audited in various jurisdictions, and such jurisdictions may assess additional taxes against us. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our results of operations or cash flows in the period or periods for which a determination is made.

The adoption of the U.S. tax reform and the enactment of additional legislation changes could materially impact our financial position and results of operations.

On December 22, 2017, the Tax Cuts and Jobs Act (the "TCJA") that significantly reforms the Code was enacted. The TCJA, among other things, includes changes to U.S. federal tax rates, imposes significant additional limitations on the deductibility of certain expenses, restricts the use of net operating loss carryforwards arising after December 31, 2017, and allows for the expensing of capital expenditures. Due to the expansion of our international business activities, any changes in the U.S. taxation of such activities may increase our worldwide effective tax rate and adversely affect our financial position and results of operations. Further, foreign governments may enact tax laws in response to the TCJA that could result in further changes to global taxation and materially affect our financial position and results of operations.

We conduct our operations in a number of jurisdictions worldwide and report our taxable income based on our business operations in those jurisdictions. Therefore, our intercompany relationships are subject to transfer pricing regulations administered by taxing authorities in various jurisdictions. While we believe that we are currently in material compliance with our obligations under applicable taxing regimes, the relevant taxing authorities may disagree with our determinations as to the income and expenses attributable to specific jurisdictions and may seek to impose additional taxes on us, including for past sales. If such a disagreement were to occur, and our position were not sustained, we could be required to pay additional taxes, interest and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows and lower overall profitability of our operations.

The Organization for Economic Cooperation and Development (“OECD”) introduced the base erosion and profit shifting project which sets out a plan to address international taxation principles in a globalized, digitized business world (the “BEPS Plan”). During 2018, as part of the BEPS Plan, more than 80 countries chose to implement the Multilateral Convention to Implement Tax Treaty Related Measures to Prevent BEPS (“MLI”). The MLI significantly changes the bilateral tax treaties signed by any country that chose to implement the MLI. In addition, during 2019 the OECD, the EU and individual countries (e.g., France, Austria and Italy) each published an initiative to tax digital transactions executed by a non-resident entity and a local end-user or local end consumer. Under each initiative, the local payer is obligated to withhold a fixed percentage from the gross proceeds paid to the non-resident entity as a tax on executing a digital transaction in that territory, provided the entity’s sales in that territory exceeds a certain threshold (“Digital Service Tax”). As a result of participating countries adopting the international tax policies set under the BEPS Plan, MLI and Digital Service Tax, changes have been and continue to be made to numerous international tax principles and local tax regimes. Due to the expansion of our international business activities, those modifications may increase our worldwide effective tax rate, create tax and compliance obligations in jurisdictions in which we previously had none and adversely affect our financial position.

Risks Related to the 2025 Notes and Credit Facility

We have incurred substantial indebtedness that may decrease our business flexibility, access to capital, and/or increase our borrowing costs, and we may still incur substantially more debt, which may adversely affect our operations and financial results.

In May 2020 we issued $253.0 million aggregate principal amount of 1.25% convertible senior notes due in 2025 (the "2025 Notes"). As of December 31, 2020, we had $253.0 million outstanding aggregate principal amount of 2025 Notes. In addition, on August 21, 2020 we entered into a credit and security agreement with KeyBank National Association and other parties thereto (the “Credit and Security Agreement") for a three-year secured revolving credit facility of $70.0 million, with a letter of credit sublimit of $15.0 million and an accordion feature under which the Company can increase the credit facility to up to $90.0 million (the “Credit Facility”). As of December 31, 2020, we had no outstanding obligations under our credit facility. Our indebtedness may limit our ability to borrow additional funds for working capital, capital expenditures, acquisitions or other general business purposes, limit our ability to use our cash flow or obtain additional financing for future working capital, capital expenditures, acquisitions or other general business purposes, require us to use a substantial portion of our cash flow from operations to make debt service payments, limit our flexibility to plan for, or react to, changes in our business and industry, place us at a competitive disadvantage compared to our less leveraged competitors and increase our vulnerability to the impact of adverse economic and industry conditions.

Our debt obligations may adversely affect our ability to raise additional capital and will be a burden on our future cash resources, particularly if we elect to settle these obligations in cash upon conversion or upon maturity or required repurchase.

Our ability to meet our payment obligations under the 2025 Notes and any outstanding indebtedness under our Credit Facility, depends on our future cash flow performance. This, to some extent, is subject to general economic, financial, competitive, legislative and regulatory factors, as well as other factors that may be beyond our control. There can be no assurance that our business will generate positive cash flow from operations, or that additional capital will be available to us, in an amount sufficient to enable us to meet our debt payment obligations and to fund other liquidity needs. If we are unable to generate sufficient cash flow to service our debt obligations, we may need to refinance or restructure our debt, sell assets, reduce or delay capital investments, or seek to raise additional capital. Our ability to refinance our indebtedness will depend on the capital markets and our financial condition at such time. We may not be able to engage in any of these activities or engage in these activities on desirable terms, which could result in a default on our debt obligations. As a result, we may be more vulnerable to economic downturns, less able to withstand competitive pressures and less flexible in responding to changing business and economic conditions. In addition, our Credit Facility limits our ability to incur additional indebtedness under certain circumstances. If we are unable to obtain capital on favorable terms or at all, we may have to reduce our operations or forego opportunities, and this may have a material adverse effect on our business, financial condition and results of operations.

Our credit facility contains restrictive and financial covenants that may limit our operating flexibility.

Our Credit Facility contains certain restrictive covenants that either limit our ability to, or require a mandatory prepayment in the event we, among other things, incur additional indebtedness, issue guarantees, create liens on assets, make certain investments, merge with or acquire other companies, change business locations, pay dividends or make certain other restricted payments, transfer or dispose of assets, enter into transactions with affiliates and enter into various specified transactions. We, therefore, may not be able to engage in any of the foregoing transactions unless we obtain the consent of our lenders or prepay the outstanding amount under our Credit Facility. Our Credit Facility also contains certain financial covenants and financial reporting requirements. Our obligations under our Credit Facility are secured by all of our property, with certain exceptions. We may not be able to generate sufficient cash flow or sales to meet the financial covenants or pay the principal and interest under our Credit Facility. Furthermore, future working capital, borrowings or equity financing could be unavailable to repay or refinance the amounts outstanding under our Credit Facility. In the event of a liquidation, all outstanding principal and interest would have to be repaid prior to distribution of assets to unsecured creditors, and the holders of our common stock would receive a portion of any liquidation proceeds only if all of our creditors, including our lenders, were first repaid in full.

If we are unable to comply with the restrictive and financial covenants in our Credit Facility, there would be a default under the terms of that Credit and Security Agreement, and this could result in an acceleration of payment of funds that have been borrowed.

If we were unable to comply with the restrictive, negative and financial covenants in our Credit Facility, there would be a default under the terms of the Credit and Security Agreement. In such event, there can be no assurance that we would be able to make necessary payments to the lenders or that we would be able to find alternative financing. Even if we were able to obtain alternative financing, there can be no assurance that it would be on terms that are acceptable.

We may issue additional shares of our common stock in connection with conversions of the 2025 Notes, and thereby dilute our existing stockholders and potentially adversely affect the market price of our common stock.

In the event that the 2025 Notes are converted and we elect to deliver shares of common stock, the ownership interests of existing stockholders will be diluted, and any sales in the public market of any shares of our common stock issuable upon such conversion could adversely affect the prevailing market price of our common stock. In addition, the anticipated conversion of the 2025 Notes could depress the market price of our common stock.

The fundamental change provisions of the 2025 Notes may delay or prevent an otherwise beneficial takeover attempt of us.

If the Company undergoes a “fundamental change”, subject to certain conditions, holders may require the Company to repurchase for cash all or part of their 2025 Notes at a fundamental change repurchase price equal to 100% of the principal amount of the 2025 Notes to be repurchased, plus accrued and unpaid interest to, but excluding, the fundamental change repurchase date. In addition, if such fundamental change also constitutes a “make-whole fundamental change”, the conversion rate for the 2025 Notes may be increased upon conversion of the 2025 Notes in connection with such “make-whole fundamental change”. Any increase in the conversion rate will be determined based on the date on which the “make-whole fundamental change” occurs or becomes effective and the price paid (or deemed paid) per share of our common stock in such transaction. Any such increase will be dilutive to our existing stockholders. Our obligation to repurchase the 2025 Notes or increase the conversion rate upon the occurrence of a make-whole fundamental change may, in certain circumstances, delay or prevent a takeover of us that might otherwise be beneficial to our stockholders.

The accounting method for convertible debt securities that may be settled in cash, such as the 2025 Notes, could have a material effect on our reported financial results.

Under Accounting Standards Codification 470-20, “Debt with Conversion and Other Options” (ASC 470-20), an entity must separately account for the liability and equity components of the convertible debt instruments (such as the 2025 Notes) that may be settled entirely or partially in cash upon conversion in a manner that reflects the issuer’s economic interest cost. The effect of ASC 470-20 on the accounting for the 2025 Notes is that the equity component is required to be included in the additional paid-in capital section of stockholders’ equity on our consolidated balance sheet at the issuance date and the value of the equity component would be treated as debt discount for purposes of accounting for the debt component of the 2025 Notes. As a result, we will be required to record non-cash interest expense through the amortization of the excess of the face amount over the carrying amount of the expected life of the 2025 Notes. We will report larger net losses (or lower net income) in our financial results because ASC 470-20 requires interest to include both the amortization of the debt discount and the instrument’s cash coupon interest rate, which could adversely affect our reported or future financial results, the trading price of our common stock and the trading price of the 2025 Notes.

In addition, under certain circumstances, convertible debt instruments (such as the 2025 Notes) that may be settled entirely or partly in cash may be accounted for utilizing the treasury stock method, the effect of which is that the shares issuable upon conversion of such 2025 Notes are not included in the calculation of diluted earnings per share except to the extent that the conversion value of such 2025 Notes exceeds their principal amount. Under the treasury stock method, for diluted earnings per share purposes, the transaction is accounted for as if the number of shares of common stock that would be necessary to settle such excess, if we elected to settle such excess in shares, are included in the denominator for purposes of calculating diluted earnings per share.

In August 2020, the FASB issued ASU 2020-06, ASC Subtopic 470-20 “Debt—Debt with Conversion and Other Options” and ASC Subtopic 815-40 “Hedging—Contracts in Entity’s Own Equity”, which changes the accounting for the convertible debt instruments described above. Under the new standard, an entity may no longer separately account for the liability and equity components of convertible debt instruments. Additionally, the treasury stock method for calculating earnings per share will no longer be allowed for convertible debt instruments whose principal amount may be settled using shares. Rather, the if-converted method may be required. Application of the “if converted” method may reduce our reported diluted earnings per share. The standard is effective for fiscal years beginning after December 15, 2021, including interim periods within those fiscal years, and early adoption is permitted. We cannot be sure whether other changes may be made to the accounting standards related to the 2025 Notes, or otherwise, that could have an adverse impact on our financial statements.

The Capped Call Transactions may affect the value of the 2025 Notes and our common stock.

In connection with the issuance of the 2025 Notes, we entered into Capped Call Transactions with certain financial institutions. The Capped Call Transactions are expected generally to reduce or offset the potential dilution upon conversion of the 2025 Notes and/or offset any cash payments we are required to make in excess of the principal amount of converted 2025 Notes, as the case may be, with such reduction and/or offset subject to an initial cap price of $141.72 (the "Cap Price"), subject to certain adjustments under the terms of the Capped Call Transactions.

From time to time, certain financial institutions (with which we entered into the Capped Call Transactions) or their respective affiliates may modify their hedge positions by entering into or unwinding various derivatives with respect to our common stock and/or purchasing or selling our common stock or other securities of ours in secondary market transactions prior to the maturity of the 2025 Notes. This activity could also cause or avoid an increase or a decrease in the market price of our common stock.

The potential effect, if any, of these transactions and activities on the price of our common stock or 2025 Notes will depend in part on market conditions and cannot be ascertained at this time. Any of these activities could adversely affect the value of our common stock.

As of December 31, 2020, our stock price was higher than the Cap Price under the Capped Call Transactions, hence, as of December 31, 2020, and as long as our common stock price shall be higher than $141.72, the incremental amount by which the stock price exceeds the Cap Price is not protected under the Capped Call Transactions.

We are subject to counterparty risk with respect to the Capped Call Transactions.

All or some of the financial institutions (which are counterparties to the capped call transactions) might default under the Capped Call Transactions. Our exposure to the credit risk of the counterparties will not be secured by any collateral. Past global economic conditions have resulted in the actual or perceived failure or financial difficulties of many financial institutions. If an option counterparty becomes subject to insolvency proceedings, we will become an unsecured creditor in those proceedings with a claim equal to our exposure at the time under the capped call transactions with such option counterparty. Our exposure will depend on many factors but, generally, an increase in our exposure will be correlated to an increase in the market price and in the volatility of our common stock. In addition, upon a default by an option counterparty, we may suffer adverse tax consequences and more dilution than we currently anticipate with respect to our common stock. We can provide no assurance as to the financial stability or viability of the option counterparties.

Risks Related to our Operations in Israel

Conditions in Israel may limit our ability to develop and sell our products, which could result in a decrease of our revenues.

Our principal research and development facility, which also houses a portion of our support and general and administrative teams, is located in Israel. Since the establishment of the State of Israel in 1948, a number of armed conflicts have taken place between Israel and its neighboring countries, as well as incidents of terror activities and other hostilities, and a number of state and non-state actors have publicly committed to its destruction. Political, economic and security conditions in Israel could directly affect our operations. We could be adversely affected by hostilities involving Israel, including acts of terrorism or any other hostilities involving or threatening Israel, the interruption or curtailment of trade between Israel and its trading partners, a significant increase in inflation or a significant downturn in the economic or financial condition of Israel. Any on-going or future armed conflicts, terrorist activities, tension along the Israeli borders or with other countries in the region, including Iran, or political instability in the region could disrupt international trading activities in Israel and may materially and negatively affect our business and could harm our results of operations.

Certain countries, as well as certain companies and organizations, continue to participate in a boycott of Israeli companies, companies with large Israeli operations and others doing business with Israel and Israeli companies. The boycott, restrictive laws, policies or practices directed towards Israel, Israeli businesses or Israeli citizens could, individually or in the aggregate, have a material adverse effect on our business in the future.

Some of our officers and employees in Israel are obligated to perform routine military reserve duty in the Israel Defense Forces, depending on their age and position in the armed forces. Furthermore, they have been and may in the future be called to active reserve duty at any time under emergency circumstances for extended periods of time. Our operations could be disrupted by the absence, for a significant period, of one or more of our officers or key employees due to military service, and any significant disruption in our operations could harm our business.

Our insurance does not cover losses that may occur as a result of an event associated with the security situation in the Middle East or for any resulting disruption in our operations. Although the Israeli government has in the past covered the reinstatement value of direct damages that were caused by terrorist attacks or acts of war, we cannot be assured that this government coverage will be maintained or, if maintained, will be sufficient to compensate us fully for damages incurred and the government may cease providing such coverage or the coverage might not suffice to cover potential damages. Any losses or damages incurred by us could have a material adverse effect on our business.

The tax benefits that were available to our Israeli subsidiary terminated in 2020 and unless new tax benefits become available in the future, our Israeli subsidiary could become subject to an increase in taxes.

Our Israeli subsidiary has benefited from a status of a “Beneficiary Enterprise” under the Israeli Law for the Encouragement of Capital Investments, 5719-1959, or the Investment Law, since its incorporation. Based on an evaluation of the relevant factors under the Investment Law, including the level of foreign (i.e., non-Israeli) investment in our company, we have determined that the effective tax rate to be paid by our Israeli subsidiary as a “Beneficiary Enterprise” has historically been approximately 10%. If our Israeli subsidiary does not meet the requirements for maintaining this status, for example, if the Israeli subsidiary materially changes the nature of its business or, if the level of foreign investment in our company decreases, it may no longer be eligible to enjoy this or any other reduced tax rate. As a result, our Israeli subsidiary would be subject to Israeli corporate tax at the standard rate, which, as of January 1, 2021 was set at 23%. Even if our Israeli subsidiary continues to meet the relevant requirements, the tax benefits that the status of “Beneficiary Enterprise” provides terminated on December 31, 2020 with respect to income generated after that date. Unless new tax benefits become available to us, the amount of taxes that our Israeli subsidiary would pay would increase, as all of our Israeli operations would consequently be subject to corporate tax at the
standard rate, which could adversely affect our tax expenses and effective tax rates. Additionally, if our Israeli subsidiary increases its activities outside of Israel, for example, through acquisitions, these activities may not be eligible for inclusion in Israeli tax benefit programs. The tax benefit derived from the status of “Beneficiary Enterprise” is dependent upon the ability to generate sufficient taxable income. Accordingly, our Israeli subsidiary may be unable to earn enough taxable income in order to fully utilize its tax benefits.

Risks Related to the Ownership of our Common Stock

Substantial future sales of shares of our common stock could cause the market price of our common stock to decline.

Sales of a substantial number of shares of our common stock into the public market, or the perception that these sales might occur, for whatever reason, including as a result of the conversion of the outstanding 2025 Notes, could depress the market price of our common stock and could impair our ability to raise capital through the sale of additional equity securities. We are unable to predict the effect that such sales may have on the prevailing market price of our common stock.

As of December 31, 2020, we had options, restricted stock units (“RSUs”) and performance stock units ("PSUs") outstanding that, if fully vested and exercised, would result in the issuance of approximately 3.1 million shares of our common stock. All of the shares of our common stock issuable upon exercise of options and vesting of RSUs and PSUs have been registered for public resale under the Securities Act. Accordingly, these shares will be able to be freely sold in the public market upon issuance as permitted by any applicable vesting requirements.

We do not intend to pay dividends on our common stock, so any returns will be limited to the value of our stock.

We have never declared or paid cash dividends on our common stock. We currently anticipate that we will retain any future earnings and do not expect to pay any dividends in the foreseeable future. Any determination to pay dividends in the future will be at the discretion of our board of directors and will be dependent on a number of factors, including our financial condition, results of operations, capital requirements, general business conditions and other factors that our board of directors may deem relevant. In addition, the Credit and Security Agreement for our Credit Facility contains a prohibition on the payment of cash dividends. Until such time that we pay a dividend, stockholders, including holders of our 2025 Notes who receive shares of our common stock upon conversion of the 2025 Notes, must rely on sales of their common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments. Accordingly, investors must rely on sales of their common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments.

Anti-takeover provisions in our charter documents and under Delaware law and provisions in the indenture for our 2025 Notes and Credit Facility could make an acquisition of us, which may be beneficial to our stockholders, more difficult and may prevent attempts by our stockholders to replace or remove our current management, thereby depressing the trading price of our common stock and 2025 Notes.

Provisions in our amended and restated certificate of incorporation and amended and restated bylaws may delay, discourage or prevent an acquisition of us or a change in our management, including transactions in which stockholders might otherwise receive a premium for their shares, or transactions that our stockholders might otherwise deem to be in their best interests. These provisions include:

authorizing “blank check” preferred stock, which could be issued by the board without stockholder approval and may contain voting, liquidation, dividend and other rights superior to our common stock, which would increase the number of outstanding shares and could thwart a takeover attempt;
a classified board of directors whose members can only be dismissed for cause;
the prohibition on actions by written consent of our stockholders;
the limitation on who may call a special meeting of stockholders;
the establishment of advance notice requirements for nominations for election to our board of directors or for proposing matters that can be acted upon at stockholder meetings; and
the requirement of at least 75% of the outstanding capital stock to amend any of the foregoing second through fifth provisions.

In addition, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General Corporation Law, which limits the ability of stockholders owning in excess of 15% of our outstanding voting stock to merge or combine with us, unless the merger or combination is approved in a prescribed manner. Although we believe these provisions collectively provide for an opportunity to obtain greater value for stockholders by requiring potential acquirers to
negotiate with our board of directors, they would apply even if an offer rejected by our board were considered beneficial by some stockholders. In addition, these provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for stockholders to replace members of our board of directors, which is responsible for appointing the members of our management.

In addition, if a “fundamental change” occurs prior to the maturity date of the 2025 Notes, holders of the 2025 Notes will have the right, at their option, to require us to repurchase all or a portion of their Convertible Notes. If a “make-whole fundamental change” (as defined in the Indenture) occurs prior to the maturity date, we will in some cases be required to increase the conversion rate of the 2025 Notes for a holder that elects to convert its 2025 Notes in connection with such “make-whole fundamental change”. These features of the 2025 Notes may make a potential acquisition more expensive for a potential acquiror, which may in turn make it less likely for a potential acquiror to offer to purchase our company, or reduce the amount of consideration offered for each share of our common stock in a potential acquisition. Furthermore, the Indenture prohibits us from engaging in certain mergers or acquisitions unless, among other things, the surviving entity assumes our obligations under the 2025 Notes. Last, under our Credit Facility we cannot sell or transfer or otherwise dispose of any assets of the Company to any person or entity subject to certain exceptions and we cannot merge, amalgamate or consolidate with any other entity.

General Risk Factors

Failure to protect our proprietary technology and intellectual property rights could substantially harm our business.

The success of our business and competitive position depends on our ability to obtain, protect and enforce our trade secrets, trademarks, copyrights, patents and other intellectual property rights. We attempt to protect our intellectual property under patent, trademark, copyrights and trade secret laws, and through a combination of confidentiality procedures, contractual provisions and other methods, all of which offer only limited protection and may not now or in the future provide us with a competitive advantage.

As of January 29, 2021, we had 74 issued patents in the United States and 28 pending U.S. patent applications. We also had 41 patents issued and 63 applications pending for examination in non-U.S. jurisdictions, and three pending PCT patent applications, all of which are counterparts of our U.S. patent applications. We may file additional patent applications in the future. The process of obtaining patent protection is expensive and time-consuming, and we may not be able to prosecute all necessary or desirable patent applications at a reasonable cost or in a timely manner all the way through to the successful issuance of a patent. We may choose not to seek patent protection for certain innovations and may choose not to pursue patent protection in certain jurisdictions. Furthermore, it is possible that our patent applications may not issue as granted patents, that the scope of our issued patents will be insufficient or not have the coverage originally sought, that our issued patents will not provide us with any competitive advantages, and that our patents and other intellectual property rights may be challenged by others or invalidated through administrative process or litigation. In addition, issuance of a patent does not guarantee that we have an absolute right to practice the patented invention. Our policy is to require our employees (and our consultants and service providers that develop intellectual property included in our products) to execute written agreements in which they assign to us their rights in potential inventions and other intellectual property created within the scope of their employment (or, with respect to consultants and service providers, their engagement to develop such intellectual property), but we cannot provide assurance that we have adequately protected our rights in every such agreement or that we have executed an agreement with every such party. 
Finally, in order to benefit from patent and other intellectual property protection, we must monitor, detect and pursue infringement claims in certain circumstances in relevant jurisdictions, all of which is costly and time-consuming. As a result, we may not be able to obtain adequate protection or to enforce our issued patents or other intellectual property effectively.

In addition to patented technology, we rely on our unpatented proprietary technology and trade secrets. Despite our efforts to protect our proprietary technologies and our intellectual property rights, unauthorized parties, including our employees, consultants, service providers or customers, may attempt to copy aspects of our products or obtain and use our trade secrets or other confidential information. We generally enter into confidentiality agreements with our employees, consultants, service providers, vendors, channel partners and customers, and generally limit access to and distribution of our proprietary information and proprietary technology through certain procedural safeguards. These agreements may not effectively prevent unauthorized use or disclosure of our intellectual property or technology and may not provide an adequate remedy in the event of unauthorized use or disclosure of our intellectual property or technology. We cannot provide assurance that the steps taken by us will prevent misappropriation of our trade secrets or technology or infringement of our intellectual property. In addition, the laws of some foreign countries where we operate do not protect our proprietary rights to as great an extent as the laws of the United States, and many foreign countries do not enforce these laws as diligently as government agencies and private parties in the United States.

Moreover, industries in which we operate, such as data security, cybersecurity, compliance, data retention and data governance are characterized by the existence of a large number of relevant patents and frequent claims and related litigation regarding patent and other intellectual property rights. From time to time, third parties have asserted and may assert their patent, copyright, trademark and other intellectual property rights against us, our channel partners or our customers. Successful claims of infringement or misappropriation by a third party could prevent us from distributing certain products, performing certain services or could require us to pay substantial damages (including, for example, treble damages if we are found to have willfully infringed patents and increased statutory damages if we are found to have willfully infringed copyrights), royalties or other fees. Such claims also could require us to cease making, licensing or using solutions that are alleged to infringe or misappropriate the intellectual property of others or to expend additional development resources to attempt to redesign our products or services or otherwise to develop non-infringing technology. Even if third parties may offer a license to their technology, the terms of any offered license may not be acceptable, and the failure to obtain a license or the costs associated with any license could cause our business, results of operations or financial condition to be materially and adversely affected. In some cases, we indemnify our channel partners and customers against claims that our products infringe the intellectual property of third parties. Defending against claims of infringement or being deemed to be infringing the intellectual property rights of others could impair our ability to innovate, develop, distribute and sell our current and planned products and services. 
If we are unable to protect our intellectual property rights and ensure that we are not violating the intellectual property rights of others, we may find ourselves at a competitive disadvantage to others who need not incur the additional expense, time and effort required to create the innovative products that have enabled us to be successful to date.

We have registered the “Varonis” name and logo and “DatAdvantage”, “DataPrivilege”, “DatAlert”, “DatAnywhere” and other names in the United States and, as related to some of these names, certain other countries. However, we cannot provide assurance that any future trademark registrations will be issued for pending or future applications or that any registered trademarks will be enforceable or provide adequate protection of our proprietary rights.

We also license software from third parties for integration into our solution, including open source software and other software available on commercially reasonable terms. We cannot provide assurance that such third parties will maintain such software or continue to make it available. We also rely on confidentiality agreements, consulting agreements, work-for-hire agreements and invention assignment agreements with our employees, consultants and others.

Despite our efforts to protect our proprietary technology and trade secrets, unauthorized parties may attempt to misappropriate, reverse engineer or otherwise obtain and use them. In addition, others may independently discover our trade secrets, in which case we would not be able to assert trade secret rights or develop similar technologies and processes. Further, the contractual provisions that we enter into may not prevent unauthorized use or disclosure of our proprietary technology or intellectual property rights and may not provide an adequate remedy in the event of unauthorized use or disclosure of our proprietary technology or intellectual property rights. Moreover, policing unauthorized use of our technologies, trade secrets and intellectual property is difficult, expensive and time-consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in the United States and where mechanisms for enforcement of intellectual property rights may be weak. We may be unable to determine the extent of any unauthorized use or infringement of our solution, technologies or intellectual property rights.

Real or perceived errors, failures or bugs in our software could adversely affect our growth prospects.

Because our software uses complex technology, undetected errors, failures or bugs may occur. Our software is often installed and used in a variety of computing environments with different operating system management software, and equipment and networking configurations, which may cause errors or failures of our software or other aspects of the computing environment into which it is deployed. In addition, deployment of our software into computing environments may expose undetected errors, compatibility issues, failures or bugs in our software. Despite testing by us, errors, failures or bugs may not be found in our software until it is released to our customers. Moreover, our customers could incorrectly implement or inadvertently misuse our software, which could result in customer dissatisfaction and adversely impact the perceived utility of our products as well as our brand. Any of these real or perceived errors, compatibility issues, failures or bugs in our software could result in negative publicity, reputational harm, loss of or delay in market acceptance of our software, loss of competitive position or claims by customers for losses sustained by them. In such an event, we may be required, or may choose, for customer relations or other reasons, to expend additional resources in order to help correct the problem. Alleviating any of these problems could require significant expenditures of our capital and other resources and could cause interruptions or delays in the use of our solutions, which could cause us to lose existing or potential customers and could adversely affect our operating results and growth prospects.

Our long-term growth depends, in part, on being able to continue to expand internationally on a profitable basis, which subjects us to risks associated with conducting international operations.

Historically, we have generated the majority of our revenues from customers in North America. For the year ended December 31, 2020, approximately 70% of our total revenues were derived from sales in North America. Nevertheless, we have operations across the globe, and we plan to continue to expand our international operations as part of our long-term growth strategy. The further expansion of our international operations will subject us to a variety of risks and challenges, including:

sales and customer service challenges associated with operating in different countries;
increased management travel, a lack of travel due to pandemics, infrastructure and legal compliance costs associated with having multiple international operations;
difficulties in receiving payments from different geographies, including difficulties associated with currency fluctuations, payment cycles, transfer of funds or collecting accounts receivable, especially in emerging markets;
variations in economic or political conditions between each country or region;
economic uncertainty around the world and adverse effects arising from economic interdependencies across countries and regions;
the uncertainty around the effects of global pandemics, including the COVID-19 outbreak, on our business and results of operations;
uncertainty around a potential reverse or renegotiation of international trade agreements and partnerships;
the continued economic and legal uncertainty around how Brexit will impact the United Kingdom’s access to the EU Single Market, the related regulatory environment, the global economy and the resulting impact on our business;
compliance with foreign laws and regulations and the risks and costs of non-compliance with such laws and regulations;
ability to hire, retain and train local employees and the ability to comply with foreign labor laws and local labor requirements, such as representations by an internal labor committee in France which is affiliated with an external trade union and the applicability of collective bargaining arrangements at the national level in certain European countries;
compliance with laws and regulations for foreign operations, including the U.S. Foreign Corrupt Practices Act of 1977, or the FCPA, the UK Bribery Act, import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell our software in certain foreign markets, and the risks and costs of non-compliance;
heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of financial statements and irregularities in financial statements;
reduced protection for intellectual property rights in certain countries and practical difficulties and costs of enforcing rights abroad; and
compliance with the laws of numerous foreign taxing jurisdictions and overlapping of different tax regimes and digital tax imposed on our operations in foreign taxing jurisdictions.

Any of these risks could adversely affect our international operations, reduce our revenues from outside the United States or increase our operating costs, adversely affecting our business, results of operations and financial condition and growth prospects. There can be no assurance that all of our employees, independent contractors and channel partners will comply with the formal policies we have and will implement, or applicable laws and regulations. Violations of laws or key control policies by our employees, independent contractors and channel partners could result in delays in revenue recognition, financial reporting misstatements, fines, penalties or the prohibition of the importation or exportation of our software and services and could have a material adverse effect on our business and results of operations.

We may require additional capital to support our business growth, and this capital might not be available on acceptable terms, or at all.

We continue to make investments to support our business growth and may require additional funds to respond to business challenges, including the need to develop new features or enhance our software, improve our operating infrastructure or acquire complementary businesses and technologies. Accordingly, we may need to engage in equity or debt financing to secure additional funds. If we raise additional funds through future issuances of equity or convertible debt securities, our existing stockholders could suffer significant dilution, and any new equity securities we issue could have rights, preferences and privileges superior to those of holders of our common stock. Any debt financing that we may secure in the future could involve restrictive covenants relating to our capital raising activities and other financial and operational matters, which may make it more difficult for us to obtain additional capital and to pursue business opportunities, including potential acquisitions. We may not be able to obtain additional financing on terms favorable to us, if at all. If we are unable to obtain adequate financing on
terms satisfactory to us when we require it, our ability to continue to support our business growth and to respond to business challenges could be significantly impaired, and our business may be adversely affected.

Our business is subject to the risks of fire, power outages, floods, earthquakes, pandemics and other catastrophic events, and to interruption by manmade problems such as terrorism.

A significant natural disaster, such as a fire, flood or an earthquake, an outbreak of a pandemic disease (such as COVID-19) or a significant power outage could have a material adverse impact on our business, results of operations and financial condition. In the event our customers’ IT systems or our channel partners’ selling or distribution abilities are hindered by any of these events, we may miss financial targets, such as revenues and sales targets, for a particular quarter. Further, if a natural disaster occurs in a region from which we derive a significant portion of our revenue, customers in that region may delay or forego purchases of our products, which may materially and adversely impact our results of operations for a particular period. In addition, acts of terrorism could cause disruptions in our business or the business of channel partners, customers or the economy as a whole. Given our typical concentration of sales at each quarter end, any disruption in the business of our channel partners or customers that impacts sales at the end of our quarter could have a significant adverse impact on our quarterly results. All of the aforementioned risks may be augmented if the disaster recovery plans for us and our channel partners prove to be inadequate. To the extent that any of the above results in delays or cancellations of customer orders, or the delay in the development, deployment or shipment of our products, our business, financial condition and results of operations would be adversely affected.

Changes in financial accounting standards may cause adverse and unexpected revenue fluctuations and impact our reported results of operations.

A change in accounting standards or practices could harm our operating results and may even affect our reporting of transactions completed before the change is effective. New accounting pronouncements and varying interpretations of accounting pronouncements have occurred and may occur in the future. Changes to existing rules or the questioning of current practices may harm our operating results or the way we conduct our business. Additionally, the adoption of new or revised accounting principles may require that we make significant changes to our systems, processes and controls.

Our stock price has been and will likely continue to be volatile.

The market price for our common stock has been, and is likely to continue to be, volatile for the foreseeable future, and is subject to wide fluctuations in response to various factors, some of which are beyond our control. These factors, as well as the volatility of our common stock, could affect the price at which our convertible noteholders could sell the common stock received upon conversion of the 2025 Notes and could also impact the trading price of the 2025 Notes. Since shares of our common stock were sold in our initial public offering in March 2014 at a price of $22.00 per share, our common stock’s price on The Nasdaq Global Select Market has ranged from $13.25 to $191.98 through February 5, 2021. On February 5, 2021, the closing price of our common stock was $189.78. The market price of our common stock may fluctuate significantly in response to a number of factors, many of which we cannot predict or control, including the factors listed below and other factors described in this “Risk Factors” section:

actual or anticipated fluctuations in our results or those of our competitors;
the financial projections we may provide to the public, any changes in these projections or our failure to meet these projections;
failure of securities analysts to initiate or maintain coverage of our company, changes in financial estimates by any securities analysts who follow our company, or our failure to meet these estimates or the expectations of investors;
ratings changes by any securities analysts who follow our company;
announcements of new products, services or technologies, commercial relationships, acquisitions or other events by us or our competitors;
new announcements that affect investor perception of our industry, including reports related to the discovery of significant cyberattacks;
changes in operating performance and stock market valuations of other technology companies generally, or those in our industry in particular;
price and volume fluctuations in certain categories of companies or the overall stock market, including as a result of trends in the global economy;
the trading volume of our common stock;
changes in accounting principles;
sales of large blocks of our common stock, including sales by our executive officers, directors and significant stockholders;
additions or departures of any of our key personnel;
lawsuits threatened or filed against us;
short sales, hedging and other derivative transactions involving our capital stock;
general economic conditions in the United States and abroad;
changing legal or regulatory developments in the United States and other countries;
conversion of the 2025 Notes; and
other events or factors, including those resulting from war, incidents of terrorism, pandemic (such as COVID-19) or responses to these events.

In addition, the stock markets have experienced extreme price and volume fluctuations that have affected and continue to affect the market prices of equity securities of many technology companies. Stock prices of many technology companies have fluctuated in a manner unrelated or disproportionate to the operating performance of those companies. In the past, stockholders have instituted securities class action litigation following periods of market volatility. If we were to become involved in securities litigation, it could subject us to substantial costs, divert resources and the attention of management from our business and adversely affect our business, results of operations, financial condition and cash flows and may cause a significant increase in the premium paid for our directors and officers insurance.

If securities or industry analysts do not publish research or reports about our business, or publish negative reports about our business, our stock price and trading volume could decline.

The trading market for our common stock depends in part on the research and reports that securities or industry analysts publish about us or our business, our market and our competitors. We do not have any control over these analysts or their expectations regarding our performance on a quarterly or annual basis. If one or more of the analysts who cover us downgrade our stock or change their opinion of our stock, our stock price would likely decline. If we fail to meet one or more of these analysts' published expectations regarding our performance on a quarterly basis, our stock price or trading volume could decline. If one or more of these analysts cease coverage of our company or fail to regularly publish reports on us, we could lose visibility in the financial markets, which could cause our stock price or trading volume to decline.

The requirements of being a public company may strain our resources, divert management’s attention and affect our ability to attract and retain executive management and qualified board members.

As a public company, we are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act of 2002 (the “Sarbanes-Oxley Act”), the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, the listing requirements of The Nasdaq Global Select Market and other applicable securities rules and regulations. Compliance with these rules and regulations has increased our legal and financial compliance costs, made some activities more difficult, time-consuming or costly and increased demand on our systems and resources.

The Exchange Act requires, among other things, that we file annual, quarterly and current reports with respect to our business and results of operations. The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. In order to maintain and, if required, improve our disclosure controls and procedures and internal control over financial reporting to meet this standard, significant resources and management oversight are required. As a result, management’s attention may be diverted from other business concerns, which could adversely affect our business and results of operations. We may need to hire more employees in the future or engage outside consultants, which will increase our costs and expenses. In addition, changing laws, regulations and standards relating to corporate governance and public disclosure are creating uncertainty for public companies, increasing legal and financial compliance costs and making some activities more time-consuming. These laws, regulations and standards are subject to varying interpretations, in many cases due to their lack of specificity, and, as a result, their application in practice may evolve over time as new guidance is provided by regulatory and governing bodies. This could result in continuing uncertainty regarding compliance matters and higher costs necessitated by ongoing revisions to disclosure and governance practices.

Because we are a public company, these rules and regulations have made it more expensive for us to obtain director and officer liability insurance, and in the future we may be required to accept reduced coverage or incur substantially higher costs to obtain coverage. These factors could also make it more difficult for us to attract and retain qualified members of our board of directors, particularly to serve on our audit and compensation committees, and qualified executive officers.

As a result of disclosure of information in our filings with the SEC, our business and financial condition have become more visible, which we believe may result in threatened or actual litigation, including by competitors and other third parties. If such claims are successful, our business and results of operations could be adversely affected, and even if the claims do not result in
litigation or are resolved in our favor, these claims, and the time and resources necessary to resolve them, could divert the resources of our management and adversely affect our business and results of operations.

We are obligated to develop and maintain proper and effective internal control over financial reporting. These internal controls may not be determined to be effective, which may adversely affect investor confidence in our company and, as a result, the value of our common stock.

We are required, pursuant to Section 404 of the Sarbanes–Oxley Act, to furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting on an annual basis. This assessment includes disclosure of any material weaknesses identified by our management in our internal control over financial reporting. We are also required to have our independent registered public accounting firm issue an opinion on the effectiveness of our internal control over financial reporting on an annual basis. During the evaluation and testing process, if we identify one or more material weaknesses in our internal control over financial reporting, we will be unable to assert that our internal control over financial reporting is effective.

If we are unable to assert that our internal control over financial reporting is effective, or if our independent registered public accounting firm is unable to express an opinion on the effectiveness of our internal control over financial reporting, we could lose investor confidence in the accuracy and completeness of our financial reports, which could cause the price of our common stock to decline, and we may be subject to investigation or sanctions by the SEC.

Future sales and issuances of our capital stock or rights to purchase capital stock could result in additional dilution of the percentage ownership of our stockholders and could cause our stock price to decline.

Future sales and issuances of our capital stock or rights to purchase our capital stock could result in substantial dilution to our existing stockholders. We may sell common stock, convertible securities and other equity securities in one or more transactions at prices and in a manner as we may determine from time to time. If we sell any such securities in subsequent transactions, investors may be materially diluted. New investors in such subsequent transactions could gain rights, preferences and privileges senior to those of holders of our common stock.


Item 1B. Unresolved Staff Comments
 
We do not have any unresolved comments from the SEC staff.

Item 2. Properties

Our corporate headquarters are located in New York City in an office consisting of approximately 46,000 square feet. This lease expires in February 2026, although we have the option to terminate the lease in February 2023, which we intend to exercise. In addition, we lease offices in North Carolina consisting of approximately 68,500 square feet, which is our primary U.S. customer support and inside sales center. This lease expires in July 2030, although we have an option to extend the lease for an additional 10 years. We also lease an office located in Herzliya, Israel, consisting of approximately 130,000 square feet, where we employ the majority of our research and development team and a portion of our support and general and administrative teams. The lease for this office expires in December 2028, although we have the option to extend the lease for an additional five years. We also have a lease in Tel Aviv, Israel, consisting of approximately 2,700 square feet, where we employ additional research and development personnel, and which expires in May 2021. Further, we lease offices in Cork, Ireland, consisting of approximately 40,000 square feet, which is our primary EMEA customer support and inside sales center and which expires in December 2035, although we have the option to terminate the lease in December 2030. We also lease smaller offices in France, the United Kingdom, Oregon, Virginia, New Jersey, Australia, Germany, the Netherlands, Luxembourg and Belgium (which serve as regional sales offices and some of which are customer support centers). We plan to invest in additional space as needed to accommodate our growth.

Item 3. Legal Proceedings
 
We are not currently a party to any material litigation.

Item 4. Mine Safety Disclosures
 
Not applicable.

PART II


Item 5. Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities
 
Market for Registrant’s Common Equity
 
Our common stock has been listed on The NASDAQ Global Select Market under the symbol “VRNS” since February 28, 2014, the date of our initial public offering.
  
Dividend Policy
 
We have never declared or paid cash dividends on our common stock. We currently intend to retain any future earnings for use in the operation of our business and do not intend to declare or pay any cash dividends in the foreseeable future. Any further determination to pay dividends on our common stock will be at the discretion of our board of directors, subject to applicable laws, and will depend on our financial condition, results of operations, capital requirements, general business conditions and other factors that our board of directors considers relevant.
 
Stockholders
 
As of February 5, 2021, there were eight stockholders of record of our common stock, including The Depository Trust Company, which holds shares of our common stock on behalf of an indeterminate number of beneficial owners.

Issuance of Unregistered Securities

On October 29, 2020, we issued 35,642 shares of our Common Stock to the two founders of Polyrize. Such issuance was a portion of the consideration paid to the two founders in connection with the acquisition, and it was in lieu of a cash payment that otherwise would have been paid to them. Such shares were issued in reliance upon the exemption from registration available under Regulation S as the issuance of our securities was to individuals that were non-U.S. persons.


STOCK PERFORMANCE GRAPH
 
The following shall not be deemed “filed” for purposes of Section 18 of the Exchange Act, or incorporated by reference into any of our other filings under the Exchange Act or the Securities Act, except to the extent we specifically incorporate it by reference into such filing.
 
This chart compares the cumulative total return on our common stock with that of the NASDAQ Composite Index and the NASDAQ Computer Index. The chart assumes $100 was invested at the close of market on December 31, 2015 in our common stock, the NASDAQ Composite Index and the NASDAQ Computer Index, and assumes the reinvestment of any dividends. The stock price performance on the following graph is not necessarily indicative of future stock price performance.
 
The closing price of our common stock on December 31, 2020, the last trading day of our 2020 fiscal year, was $163.61 per share. 
 
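[Graph: cumulative total return on Varonis Systems, Inc. common stock compared with the NASDAQ Composite Index and the NASDAQ Computer Index]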


| Company/Index | 12/31/2015 | 12/31/2016 | 12/31/2017 | 12/31/2018 | 12/31/2019 | 12/31/2020 |
| --- | --- | --- | --- | --- | --- | --- |
| Varonis Systems, Inc. | $100.00 | $142.55 | $258.24 | $281.38 | $413.35 | $870.27 |
| NASDAQ Composite | $100.00 | $107.50 | $137.86 | $132.51 | $179.19 | $257.38 |
| NASDAQ Computer | $100.00 | $112.27 | $155.80 | $150.06 | $225.59 | $338.35 |
 
Purchase of Equity Securities by Issuer and Affiliated Purchasers
 
None.


Item 6. Selected Financial Data
 
The following selected consolidated historical financial data are derived from our audited financial statements. The consolidated balance sheet data as of December 31, 2020 and 2019 and the consolidated statement of operations data for the years ended December 31, 2020, 2019 and 2018 are derived from our audited consolidated financial statements and related notes that are included elsewhere in this Annual Report on Form 10-K. The consolidated balance sheet data as of December 31, 2018, 2017 and 2016 and the consolidated statement of operations for the years ended December 31, 2017 and 2016 are derived from our audited consolidated financial statements and related notes which are not included in this Annual Report. The information set forth below is not necessarily indicative of our results of future operations and should be read in conjunction with our historical financial statements, including the notes thereto, and “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” included elsewhere in this Annual Report.
 
Consolidated Statement of Operations Data, Year Ended December 31, (in thousands, except share and per share data)

| | 2020 | 2019 | 2018 | 2017 | 2016 |
| --- | --- | --- | --- | --- | --- |
| Revenues: | | | | | |
| Subscriptions | $161,188 | $76,730 | $8,750 | $2,627 | $3,764 |
| Perpetual licenses | 1,473 | 42,093 | 139,578 | 118,689 | 90,028 |
| Maintenance and services | 130,028 | 135,367 | 121,960 | 94,074 | 72,071 |
| Total revenues | 292,689 | 254,190 | 270,288 | 215,390 | 165,863 |
| Cost of revenues (1) | 44,261 | 35,144 | 27,683 | 20,714 | 15,737 |
| Gross profit | 248,428 | 219,046 | 242,605 | 194,676 | 150,126 |
| Operating costs and expenses: | | | | | |
| Research and development (1) | 99,363 | 80,764 | 69,971 | 47,369 | 36,660 |
| Sales and marketing (1) | 179,902 | 169,898 | 168,309 | 133,925 | 105,639 |
| General and administrative (1) | 47,578 | 44,371 | 33,460 | 26,801 | 19,822 |
| Total operating expenses | 326,843 | 295,033 | 271,740 | 208,095 | 162,121 |
| Operating loss | (78,415) | (75,987) | (29,135) | (13,419) | (11,995) |
| Financial income (expenses), net | (7,483) | (389) | 970 | 2,362 | (885) |
| Loss before income taxes | (85,898) | (76,376) | (28,165) | (11,057) | (12,880) |
| Income taxes | (8,112) | (2,388) | (413) | (2,787) | (1,313) |
| Net loss | $(94,010) | $(78,764) | $(28,578) | $(13,844) | $(14,193) |
| Net loss per share of common stock, basic and diluted (2) | $(2.99) | $(2.60) | $(0.98) | $(0.50) | $(0.54) |
| Weighted average shares used to compute net loss per share attributable to common stockholders, basic and diluted | 31,445,631 | 30,257,410 | 29,020,645 | 27,467,440 | 26,406,312 |
 
(1) Includes non-cash stock-based compensation as follows:

Year Ended December 31, (in thousands)

| | 2020 | 2019 | 2018 | 2017 | 2016 |
| --- | --- | --- | --- | --- | --- |
| Cost of revenues | $5,013 | $2,561 | $1,757 | $1,078 | $699 |
| Research and development | 21,979 | 13,188 | 9,645 | 5,209 | 3,052 |
| Sales and marketing | 25,578 | 14,782 | 16,081 | 8,542 | 6,104 |
| General and administrative | 16,015 | 15,608 | 7,478 | 5,006 | 3,083 |
| Total | $68,585 | $46,139 | $34,961 | $19,835 | $12,938 |
 

(2) Basic and diluted net loss per share of common stock is computed based on the weighted average number of shares of common stock outstanding during each period. For additional information, see Note 2.s to our consolidated financial statements included elsewhere in this Annual Report.

Consolidated Balance Sheet Data, As of December 31, (in thousands)

| | 2020 | 2019 | 2018 | 2017 | 2016 |
| --- | --- | --- | --- | --- | --- |
| Cash, cash equivalents, marketable securities and short-term deposits | $298,262 | $120,460 | $158,915 | $136,557 | $113,808 |
| Working capital | 237,212 | 55,297 | 112,750 | 109,918 | 91,734 |
| Total assets | 555,482 | 318,312 | 284,978 | 245,638 | 193,173 |
| Deferred revenues, current and long-term | 101,366 | 101,435 | 94,216 | 80,101 | 59,241 |
| Total stockholders’ equity | 94,071 | 93,532 | 125,370 | 114,642 | 95,955 |
 

Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations
 
The following discussion and analysis of our financial condition and results of operations should be read in conjunction with our consolidated financial statements and related notes appearing elsewhere in this Annual Report on Form 10-K. This discussion contains forward-looking statements that reflect our plans, estimates and beliefs, and involve risks and uncertainties. Our actual results and the timing of certain events could differ materially from those anticipated in these forward-looking statements as a result of several factors, including those discussed in the section titled “Risk Factors” included under Part I, Item 1A and elsewhere in this Annual Report. See “Special Note Regarding Forward-Looking Statements” in this Annual Report.

COVID-19
 
In December 2019, COVID-19 was first reported in China; in January 2020, the WHO declared it a Public Health Emergency of International Concern; and in March 2020, the WHO declared it a pandemic. The worldwide spread of the COVID-19 virus has resulted in a global economic slowdown and is expected to continue to disrupt general business operations until the virus is contained. The duration and severity of the COVID-19 pandemic remain uncertain and difficult to predict. The COVID-19 pandemic and the measures taken by many governments around the world in response could in the future meaningfully impact our business, results of operations, financial condition and stock price.
We believe that the impact of COVID-19 on the way organizations operate and its long lasting effects has increased our long-term opportunity to help our customers protect their data and detect threats, as well as achieve regulatory compliance. Nevertheless, in the early stages of the pandemic, we experienced a negative impact on our results of operations, starting in the last two weeks of the first quarter, as we believe our customers’ focus turned primarily to the safety of their employees and to immediately position themselves to operate under a work-from-home environment. However, since that time, we have seen companies become more focused on the elevated risks associated with having a highly distributed workforce collaborating on multiple platforms. Companies around the world now have the majority of their employees working remotely from potentially vulnerable home networks, accessing critical on-premises data stores and infrastructure through VPNs and in cloud data stores like Office 365 and Microsoft Teams. We believe this trend is likely to continue in the long-term and that we are well positioned to capitalize on the opportunity ahead. Specifically, crises create optimal conditions for cybercrime, and we can help protect data and infrastructure against hackers and rogue employees. As companies understand that a data-centric approach to security is critical and that these elevated risks are here for the long-term, we have seen significant customer engagement and inbound interest, and in the third and fourth quarters of 2020, we continued to see some of this interest convert into new business or the expansion of existing business.

We currently offer more than 25 licenses across our six product families, and since commencing our transition to a subscription model in the beginning of 2019, we have seen a significant increase in the number of licenses purchased by new customers, and in the engagement of our existing customers who are adopting more licenses. As of December 31, 2020, 63% of our customers with 500 employees or more had purchased four or more licenses, compared to 54% a year ago, and 30% purchased six or more licenses, compared to 20% a year ago. We believe the increase in these metrics underscores the logic behind our transition to a subscription model and confirms how we are unleashing the potential of our platform. This is reflected in ARR, which as of December 31, 2020 grew 37% year-over-year to $287.3 million. Additionally, renewal rates of maintenance on perpetual
licenses continued to be over 90% for the year ended December 31, 2020. As a result, the recurring component of our revenue base has significantly increased as we have completed our subscription transition, which now provides more visibility into future revenues and places us in a stronger position. Lastly, our dollar-based net retention rate ("NRR") as of December 31, 2020 was 116%. NRR is calculated as of a period end by starting with the ARR from the cohort of active customers as of the 12 months prior to such period end, or Prior Period ARR. We then calculate the ARR from the same customers as of the current period end, or Current Period ARR. Current Period ARR includes any upsells and is net of contraction or attrition over the trailing 12 months, but excludes subscription revenues from new customers in the current period. We then divide the total Current Period ARR by the total Prior Period ARR to arrive at the dollar-based net retention rate.

The pandemic has forced us to adapt and change the way we have historically operated. At the end of the first quarter of 2020, we closed our offices and instructed employees to work remotely as a precautionary measure intended to minimize the risk of the virus to them, our customers, partners and the communities in which we operate. Since that time, we have complied with local requirements in each jurisdiction and have been opening and closing our offices based on these guidelines and recommendations. As we have always aimed to tie our level of investment in the business to the revenues we plan to achieve, and, due to the revenues shortfall in the first quarter of 2020, we took prompt steps to manage our expenses, including responsible cost cutting measures, implementing a hiring freeze with the exception of key sales positions and reducing our capital expenditures. In order to avoid reducing our global workforce, further actions taken in early April included reducing employee salaries across the organization, with senior management and our highest compensated employees seeing the largest reductions, and reducing the cash retainers for all members of our Board of Directors. At the time, we combined this salary reduction to employees with a one-time equity grant equal to the annualized amount of the salary reduction in order to retain and motivate our employees. As the momentum of the business improved throughout 2020 and based on what we were seeing in the market, we decided to readjust the April reductions to recoup an amount equal to half the original cuts as of July 2020 and also gradually resumed investments in the business. Further, in January 2021, we readjusted the affected salaries back to pre-pandemic levels. 
In addition, as part of the move to remote work and virtual-only customer experience, we have had to postpone or cancel customer and industry events or conduct them virtually, and we cannot predict with certainty the impact these changes may have on our future sales. However, our risk assessments, a critical part of our sales process, have always been and continue to be conductible remotely.

Overview
 
Varonis is a pioneer in data security and analytics, fighting a different battle than conventional cybersecurity companies. We are pioneers because over a decade ago, we recognized that enterprise capacity to create and share data far exceeded its capacity to protect it. We believed the vast movement of information from analog to digital mediums combined with increasing information dependence would change both the global economy and the risk profiles of corporations and governments. Since then our focus has been on using innovation to address the cyber-implications of this movement, creating software that provides new ways to track, alert and protect data wherever it is stored.

Data continues to amass in new and existing data stores both on premises and in the cloud, a trend we have seen accelerate as companies around the world embark on a wave of digital transformation initiatives. As these data stores grow, the relationships between the data they hold and the users that collaborate with it grow more complex, making those relationships difficult to visualize, understand and control without automation. Because enterprises now use many different combinations of data stores and require different levels of protection, our offering provides coverage flexibility through software licensing. We aim to keep pace with the relentless growth and complexity of data, starting in 2005 with a single license, offering ten licenses at the time of our initial public offering in 2014, and today offering more than 25 integrated licenses across the most common on premises and cloud data stores. We plan to continue investing in product development to deliver new products in the future.
  
Our software specializes in data protection, threat detection and response and compliance. Varonis software enables enterprises to protect data stored on premises and in the cloud: sensitive files and emails; confidential personal data belonging to customers, patients and employees; financial records; strategic and product plans; and other intellectual property. Recognizing the complexities of securing data, we have built an integrated platform for security and analytics to simplify and streamline security and data management.

The Varonis Data Security Platform, built on patented technology, helps enterprises protect data against cyberattacks from both internal and external threats. Our products enable enterprises to analyze data, account activity and user behavior to detect attacks. Our Data Security Platform prevents or limits unauthorized use of sensitive information, prevents potential cyberattacks and limits others by automatically locking down data, allowing access to those who need it and automating the removal of stale data when it is no longer useful. Our products efficiently sustain a secure state with automation and address additional important use cases including data protection, data governance, zero trust, compliance, data privacy, classification and threat detection and response. Our Data Security Platform is driven by a proprietary technology, our Metadata Framework, that
extracts critical metadata, or data about data, from an enterprise’s IT infrastructure. Our Data Security Platform uses this contextual information to map functional relationships among employees, data objects, systems, content and usage.
 
We started operations in 2005 with a vision to make enterprise data more accessible, manageable, secure and actionable. We began offering our flagship product, DatAdvantage, which provides centralized visibility for enterprise data, in 2006. Since then we have continued to invest in innovation and have consistently introduced new products and software features to our customers.

In 2017, we introduced the Automation Engine to allow customers to automatically repair and maintain file systems so that organizations are less vulnerable to attacks and security breaches, more compliant and consistently meeting a least privilege model. We enhanced DatAlert, which was originally introduced in 2013 to monitor and alert on sensitive data and file activity, with DatAlert Analytics Rewind to allow customers to analyze past user and data activity to identify security breaches that may have occurred in the past and pre-emptively tune out false positives. We updated our web UI for DatAlert and added new threat models to detect suspicious mailbox, Exchange and Exchange Online behaviors, password resets and unusual activity from personal devices. We introduced a new security dashboard in DatAlert, along with enhanced behavioral analytics, geolocation and more to make it easier than ever to perform security investigations and forensics. In 2017, we also released GDPR Patterns, part of the Data Classification Engine family, to help enterprises identify data that falls under the EU GDPR and expanded our offerings that can help enterprises meet compliance and regulation requirements.

In 2018, we introduced Varonis Edge to extend our proactive security approach, enabling customers to spot signs of attack at the perimeter by analyzing telemetry from DNS, VPN and web proxy. We introduced Data Classification Labels to integrate with Microsoft Information Protection (MIP) and enable customers to better classify, track and secure files across enterprise data stores. We enhanced DatAnswers, a secure enterprise search solution for enterprise data that delivers highly relevant and secure search results to enterprise employees and which was originally introduced in 2014, to address additional compliance requirements from new data privacy laws and standards. We added classification categories to the Data Classification Engine, to better identify and analyze regulated data like GDPR, PII, PCI and PHI. We updated the DataPrivilege UI for improved usability and added classification categories making it easier to see who can access regulated data. We updated our web UI and introduced new features to DatAlert, including new threat models to combat cyberattacks, support for more data stores and optimizations to make DatAlert faster and more intuitive for security investigations.

In 2019, we introduced updates to our existing products to include new dashboards to highlight cloud, Active Directory and GDPR security risks so that customers can more easily identify critical risk in their hybrid environments, including vulnerable user accounts, at-risk cloud data and potential compliance violations. We extended our cloud support to include Box, added threat intelligence to our security insights, built incident response playbooks directly into the UI, and made usability and performance improvements. We also added classification functionality to help enterprises automatically discover and classify data that falls under data covered by the CCPA.

In the second quarter of 2020, we introduced an update to our platform to increase visibility into potential security issues related to remote work. Our “Remote Work Update” included a new dashboard to help customers spot unusual VPN, DNS and web activity, built-in threat hunting queries to accelerate investigations, deeper visibility into Microsoft Teams, and additional threat models for Office 365. In the fourth quarter of 2020, we completed the acquisition of Polyrize, a software provider that maps and analyzes the relationships between users and data across a number of cloud applications and services, including Google Drive, Salesforce, Okta, GitHub, Slack, AWS, Jira and others, making it simple for security teams to control access to cloud data and infrastructure and analyze cloud activity.

In 2020, we successfully completed the strategic shift to a subscription-based business model, which allows our customers to better unleash the power of our platform through faster adoption of our integrated products. We currently have six product families, consisting of DatAdvantage, DatAlert, Data Classification Engine, DataPrivilege, Data Transport Engine and DatAnswers with over twenty-five licenses under these product families. As of December 31, 2020, 63% of our customers with 500 employees or more had purchased four or more licenses, compared to 54% a year ago, and 30% purchased six or more licenses, compared to 20% a year ago. Additionally, as of December 31, 2020, 2019 and 2018, 100.0% of our customers had purchased DatAdvantage; 57.8%, 54.5% and 50.4% of our customers, respectively, had purchased DatAlert; 57.2%, 53.8% and 49.3% of our customers, respectively, had purchased Data Classification Engine; 15.6%, 15.6% and 15.4% of our customers, respectively, had purchased DataPrivilege; 10.2%, 8.9% and 7.7% of our customers, respectively, had purchased Data Transport Engine; and 3.2%, 2.5% and 1.8% of our customers, respectively, had purchased DatAnswers. As of December 31, 2020, 2019 and 2018, 22.0%, 24.1% and 27.0% of our customers, respectively, made standalone purchases of DatAdvantage. No other product families outside of DatAdvantage can be sold on a standalone basis. As of December 31, 2020, 2019 and 2018, approximately 78%, 76% and 73% of our customers, respectively, had purchased products in two or more families, one of which was DatAdvantage for all of these customers. As of December 31, 2020, 2019 and 2018, approximately 49%, 45% and 40% of our customers, respectively, had purchased products in three or more families. Our perpetual license maintenance renewal rate for each of the years ended December 31, 2020, 2019 and 2018 continued to be over 90%. Our key strategies to ensure and maintain a high subscription and maintenance renewal rate include focusing on the quality and reliability of our customer service and support to ensure our customers receive value from our products and providing software upgrades and enhancements when and if they are available.

We sell substantially all of our products and services to channel partners, including distributors and resellers, which sell to end-user customers, which we refer to in this report as our customers. We believe that our sales model, which combines the leverage of a channel sales model with our highly trained and professional sales force, has and will continue to play a major role in our ability to grow and to successfully deliver our unique value proposition for enterprise data. While our products serve customers of all sizes, in all industries and all geographies, the marketing focus and majority of our sales focus is on targeting organizations with 1,000 users or more who can make larger initial purchases with us and, over time, have a greater potential lifetime value. Our customers span leading firms in the financial services, public, healthcare, industrial, insurance, energy and utilities, technology, consumer and retail, media and entertainment and education sectors. We believe our existing customer base serves as a strong source of incremental revenues given our broad platform of products, their growing volumes and complexity of enterprise data and associated security concerns. We will continue our focus on targeting organizations with 1,000 users or more who can make larger purchases with us initially and over time.

We believe there is a significant long-term growth opportunity in both domestic and foreign markets, which could include any organization that uses file shares, intranets and email for collaboration, regardless of region. For the year ended December 31, 2020, 71% of our revenues were derived from North America, while EMEA accounted for approximately 26% of our revenues and Rest of World (“ROW”) accounted for approximately 3% of our revenues. Additionally, even with our subscription mix increasing from 65% for the year ended December 31, 2019 to 99% for the year ended December 31, 2020, we still had revenue growth of approximately 15% worldwide. We believe the transition from a perpetual-based model to a subscription-based model has positioned us well for the future, and, although revenues are still front-end loaded, they are more predictable and recurring in nature. We continue to expect sales growth in North America and international expansion to be key components of our long-term growth strategy.

Despite the challenges currently resulting from COVID-19, we continue to expand our domestic and international operations as part of our long-term growth strategy. While the expansion of our domestic operations is focused primarily on our under penetrated territories, the expansion of our international operations depends in particular on our ability to hire, integrate and retain local sales personnel in these international markets, acquire new channel partners and implement an effective marketing strategy. Given the nominal amount of our ROW revenues, our ROW revenue growth rates have fluctuated in the past and may fluctuate in the future based on the timing of deal closures. In addition, the further expansion of our international operations will increase our sales and marketing and general and administrative expenses and will subject us to a variety of risks and challenges, including those related to economic and political conditions in each region, compliance with foreign laws and regulations, and compliance with domestic laws and regulations applicable to our international operations.

We derive almost all of our revenues from subscription sales and renewals of maintenance contracts and, to a lesser extent, from professional services and perpetual license sales of our products. Subscription revenues are comprised of time-based licenses whereby new and existing customers use our software with related maintenance for a specified period. Perpetual license revenues consist of the revenues recognized from sales of perpetual licenses to new and existing customers. While prior to 2019 fees from subscription licenses comprised an insignificant amount of our revenues, as we transitioned to a subscription-based business in 2019, subscription licenses became a significantly larger portion of our total revenues. Subscription licenses accounted for 55%, 30% and 3% of our total revenues for the years ended December 31, 2020, 2019 and 2018, respectively. Perpetual license sales accounted for less than 1%, 17% and 52% of our total revenues for the years ended December 31, 2020, 2019 and 2018, respectively. Subscription licenses accounted for 99%, 65% and 6% of our license revenues for the years ended December 31, 2020, 2019 and 2018, respectively.

We have achieved significant revenue growth and scale since inception under a perpetual business model. We have continued to grow our revenues for the year ended December 31, 2020 despite our transition to a subscription-based business model, and headwinds caused by the COVID-19 pandemic. For the years ended December 31, 2020, 2019 and 2018, subscription revenues were $161.2 million, $76.7 million, and $8.8 million, respectively, representing year-over-year growth of 110% and 777%. For the years ended December 31, 2020, 2019 and 2018, our total revenues were $292.7 million, $254.2 million and $270.3 million, respectively. For the years ended December 31, 2020, 2019 and 2018, we had operating losses of $78.4 million, $76.0 million and $29.1 million and net losses of $94.0 million, $78.8 million and $28.6 million, respectively.

Key Performance Indicators and Recent Business Highlights
 
Annual Recurring Revenues

Annual recurring revenues is a key performance indicator defined as the annualized value of active term-based subscription license contracts and maintenance contracts related to perpetual licenses in effect at the end of that period. Subscription license contracts and maintenance for perpetual license contracts are annualized by dividing the total contract value by the number of days in the term and multiplying the result by 365. As of December 31, 2020, 2019 and 2018, ARR was $287.3 million, $210.5 million and $130.3 million, respectively, an increase of 37% and 62% period over period. The annualized value of contracts is a legal and contractual determination made by assessing the contractual terms with our customers. The annualized value of maintenance contracts is not determined by reference to historical revenues, deferred revenues or any other GAAP financial measure over any period. ARR is not a forecast of future revenues and can be impacted by contract start and end dates and renewal rates. We expect ARR to continue to increase in absolute dollars.

Dollar-Based Net Retention Rate

Our dollar-based net retention rate as of December 31, 2020 was 116%. NRR is calculated as of a period end by starting with the ARR from the cohort of active customers as of the 12 months prior to such period end, or Prior Period ARR. We then calculate the ARR from the same customers as of the current period end, or Current Period ARR. Current Period ARR includes any upsells and is net of contraction or attrition over the trailing 12 months, but excludes subscription revenues from new customers in the current period. We then divide the total Current Period ARR by the total Prior Period ARR to arrive at the dollar-based net retention rate.

Business Combination

On October 29, 2020, we completed the acquisition of Polyrize, a private company which develops software that maps and analyzes the relationships between users and data across a number of cloud applications and services.

Components of Operating Results

Revenues
 
Our revenues consist of licenses and maintenance and services revenues.
 
Subscription Revenues. Subscription revenues are comprised of time-based licenses whereby customers use our software with related maintenance for a specified period. Subscription licenses are sold on premises and are recognized from sales of subscription licenses (including the associated maintenance) to existing and new customers. Similar to perpetual license revenues, subscription license revenues are recognized at the point of time when the software license has been delivered and the benefit of the asset has transferred. Maintenance associated with subscription licenses is recognized ratably over the term of the agreement and is included as part of the subscription revenues line item. We continue to expect revenues from subscription licenses to become an even more significant portion of our total revenues in the future, resulting in revenues that are expected to be more recurring and predictable. Due to the timing of the renewals and the subscription renewal rates, we could produce significant variation in the revenues we recognize in a given period. We are focused on acquiring new subscription customers and increasing subscription revenues from our existing customers.

Perpetual License Revenues. Perpetual license revenues reflect the revenues recognized from sales of perpetual licenses to new customers and sales of additional perpetual licenses to existing customers who can purchase additional users for existing licenses or purchase new licenses. Our perpetual license revenues consist of revenues from perpetual licenses, under which we generally recognize the license fee portion of the arrangement upon delivery as the benefit of the asset has transferred. Perpetual licenses have the same functionality as subscriptions. Due to the transition to a subscription-based business model, perpetual license revenues have meaningfully decreased and represent an insignificant percentage of our total revenues for the year ended December 31, 2020.
 
Maintenance and Services Revenues. Maintenance and services revenues consist of revenues from maintenance agreements of perpetual license sales and, to a lesser extent, professional services. When purchasing a perpetual license, a customer also typically purchases a one-year maintenance contract for which we charge a percentage of the license fee. Customers may renew, and generally have renewed, their maintenance agreements for a fee that is based upon a percentage of the initial perpetual license fee paid. Customers with maintenance agreements are entitled to receive support and unspecified upgrades and enhancements when and if they become available during the maintenance period. We recognize the revenues
associated with maintenance ratably, on a straight-line basis, over the associated maintenance period. We measure the perpetual license maintenance renewal rate for our customers over a 12-month period, based on a dollar maintenance renewal rate for contracts expiring during that time period. Our perpetual license maintenance renewal rate for each of the years ended December 31, 2020, 2019 and 2018 continued to be over 90%. We have historically experienced growth in maintenance revenues primarily due to increased perpetual license sales to new and existing customers and high renewal rates. However, due to our transition to a subscription-based model, we have seen and expect to continue to see insignificant perpetual license revenues in the future and, therefore, less associated maintenance revenues. We also offer professional services focused on training our customers in the use of our products, providing advice on deployment planning, network design, remediation, product configuration and implementation, automating and customizing reports and tuning policies and configuration. We recognize the revenues associated with these professional services, which are generally provided on a time and materials basis, as we deliver the services, provide the training or when the service term has expired. Although professional services have always been a small percentage of our total revenues, we have recently seen, and expect to continue to see, that percentage decline as many of our newer licenses can provide remediation in a more automated way and our planned long-term strategy to allow our channel partners to take on more professional services work. As such, our overall maintenance and services revenues is also expected to continue to decline.

The following table sets forth the percentage of our revenues that have been derived from licenses and maintenance and services revenues for the periods presented.
 
Year Ended December 31,
(as a percentage of total revenues)

| Revenues: | 2020 | 2019 | 2018 |
|---|---|---|---|
| Subscriptions | 55.1% | 30.1% | 3.2% |
| Perpetual licenses | 0.5% | 16.6% | 51.7% |
| Maintenance and services | 44.4% | 53.3% | 45.1% |
| Total revenues | 100.0% | 100.0% | 100.0% |

Year Ended December 31,
(as a percentage of total perpetual licenses and subscriptions revenues)

| Subscriptions and Perpetual Licenses Revenues: | 2020 | 2019 | 2018 |
|---|---|---|---|
| Subscriptions | 99.1% | 64.6% | 5.9% |
| Perpetual licenses | 0.9% | 35.4% | 94.1% |
| Total subscriptions and perpetual licenses revenues | 100.0% | 100.0% | 100.0% |
 
Our products are used by a wide range of enterprises, including Fortune 500 corporations and small and medium-sized businesses. Our customers span a broad array of industries and are located in over 85 countries.
 
Cost of Revenues, Gross Profit and Gross Margin

Our cost of revenues consists of cost of maintenance and services revenues. Cost of maintenance and services revenues consist primarily of salaries (including payroll tax expense related to stock-based compensation), employee benefits (including commissions and bonuses) and stock-based compensation for our maintenance and services employees; travel expenses; and allocated overhead costs for facilities, IT and depreciation. We recognize expenses related to maintenance and services as they are incurred. We expect that our cost of maintenance and services revenues will increase in absolute dollars as we continue to invest in our customer success and professional services teams and programs that support our subscription-based business model and our overall renewals. This spending increased sequentially in each quarter of 2020 and, given our results and the opportunities we see ahead, our incremental increase in investments was larger in the second half of the year. We expect to continue to increase our investments in the business in the future.

Gross profit is total revenues less total cost of revenues. Gross margin is gross profit expressed as a percentage of total revenues. As the majority of our expenses are relatively fixed quarter over quarter and due to the seasonality of our business, the first quarter typically results in the lowest gross margin as our first quarter revenues have historically been the lowest for the
year. Conversely, the fourth quarter typically results in the highest gross margin as our fourth quarter revenues have historically been the highest for the year.
 
Operating Costs and Expenses
 
Our operating costs and expenses are classified into three categories: research and development, sales and marketing and general and administrative. For each category, the largest component is personnel costs, which consists of salaries (including payroll tax expense related to stock-based compensation), employee benefits (including commissions and bonuses) and stock-based compensation. Operating costs and expenses also include allocated overhead costs for facilities, IT and depreciation. Allocated costs for facilities primarily consist of rent and office maintenance. Operating costs and expenses are generally recognized as incurred. As a company, we have always aimed to tie our level of investment in the business to the revenues we expect to achieve and we actively manage expenses across the business. While at the end of the first quarter of 2020 we took prompt cost cutting measures to manage our expenses in response to the COVID-19 pandemic, given our results over the last three quarters of the year and the interest we continue to see in the market, we have resumed investments in the business, including in research and development and sales and marketing. We expect personnel costs to continue to increase in absolute dollars as we continue to grow our business in the long-term.

Research and Development. Research and development expenses primarily consist of personnel costs attributable to our research and development personnel, as well as allocated overhead costs. We expense research and development costs as incurred. We expect that our research and development expenses will continue to increase in absolute dollars as we further strengthen our technology platform and invest in the development of both existing and new products through the hiring of talented and capable employees. This spending increased sequentially in each quarter of 2020 and, given our results and the opportunities we see ahead, our incremental increase in investments was larger in the fourth quarter. We expect to continue to increase our investments in the business in the future.
  
Sales and Marketing. Sales and marketing expenses are the largest component of our operating costs and expenses and consist primarily of personnel costs, as well as marketing and business development costs, travel expenses, training and education and allocated overhead costs. We expect that sales and marketing expenses will continue to increase in absolute dollars in the long-term, as we plan to expand our sales and marketing efforts, both domestically and internationally. This spending increased sequentially in each quarter of 2020 and, given our results and the opportunities we see ahead, our incremental increase in investments was larger in the second half of the year. We expect to continue to increase our investments in the business in the future. We expect sales and marketing expenses to continue to be our largest category of operating costs and expenses.

General and Administrative. General and administrative expenses mostly consist of personnel and facility-related costs for our executive, finance, legal, human resources and administrative personnel. Other expenses are comprised of legal, accounting and other consultant fees and other corporate expenses and allocated overhead. We expect that general and administrative expenses will increase in absolute dollars in the long-term as we expand our operations. This spending declined in the second quarter of 2020 compared to the prior quarter but, given our results and the opportunities we see ahead, our investments increased in the second half of the year which results in increased general and administrative allocated overhead expenses.

 Financial Income (Expenses), Net
 
Financial income (expenses), net consist primarily of foreign exchange gains or losses, amortization of debt discount and issuance costs, interest expense and interest income. Foreign exchange gains or losses relate to our business activities in foreign countries with different operational reporting currencies. As a result of our business activities in foreign countries, we expect that foreign exchange gains or losses will continue to occur due to fluctuations in exchange rates in the countries where we do business. Other factors such as the COVID-19 pandemic and the United Kingdom’s exit from the EU, commonly referred to as “Brexit,” as well as other member countries’ public discussions about the possibility of withdrawing from the EU, could also contribute to instability and volatility in the global financial and foreign exchange markets, including volatility in the value of Pounds Sterling, Euros and other currencies. Amortization of debt discount and issuance costs relate to the 2025 Notes we issued in May 2020 and the Credit Facility we entered into in August 2020. Interest expense consists of the contractual interest expenses associated with the 2025 Notes. Interest income represents interest received on our cash, cash equivalents, marketable securities and short-term deposits.
 
Income Taxes
 
We operate in several tax jurisdictions and are subject to taxes in each country or jurisdiction in which we conduct business. Earnings from our non-U.S. activities are subject to local country income tax and may be subject to U.S. income tax. To date, on a consolidated basis, we have incurred accumulated net losses and have not recorded any U.S. federal tax provisions. 

Because of our history of U.S. net operating losses, we have established a full valuation allowance against potential future benefits for deferred tax assets, including loss carryforwards, in that jurisdiction; however, we have recorded a net deferred tax asset of $1.1 million as of December 31, 2020 for foreign jurisdictions. Our income tax provision could be significantly impacted by estimates surrounding our uncertain tax positions and changes to our valuation allowance in future periods. We reevaluate the judgments surrounding our estimates and make adjustments as appropriate each reporting period.
 
In addition, we are subject to the regular examinations of our income tax returns by different tax authorities. For example, we are currently subject to tax audits in Israel. We regularly assess the likelihood of adverse outcomes resulting from these examinations to determine the adequacy of our provision for income taxes.

The U.S. Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”) was signed into law on March 27, 2020. As of December 31, 2020 we had $1.9 million in deferred payroll taxes under the CARES Act which allows employers to defer certain employer payroll taxes. These deferred payroll taxes are included in accrued expenses and other short-term liabilities in our consolidated balance sheets. We are also monitoring for other similar tax relief programs provided by the governments of our non-US subsidiaries.

For 2020, we incurred a one-time tax expense related to the acquisition of Polyrize which caused our tax expense to increase significantly compared to prior years.

Results of Operations
 
The following tables are a summary of our consolidated statements of operations in dollars and as a percentage of our total revenues.
 
Year Ended December 31,
(in thousands)

| Statement of Operations Data: | 2020 | 2019 | 2018 |
|---|---|---|---|
| Revenues: | | | |
| Subscriptions | $161,188 | $76,730 | $8,750 |
| Perpetual licenses | 1,473 | 42,093 | 139,578 |
| Maintenance and services | 130,028 | 135,367 | 121,960 |
| Total revenues | 292,689 | 254,190 | 270,288 |
| Cost of revenues | 44,261 | 35,144 | 27,683 |
| Gross profit | 248,428 | 219,046 | 242,605 |
| Operating costs and expenses: | | | |
| Research and development | 99,363 | 80,764 | 69,971 |
| Sales and marketing | 179,902 | 169,898 | 168,309 |
| General and administrative | 47,578 | 44,371 | 33,460 |
| Total operating expenses | 326,843 | 295,033 | 271,740 |
| Operating loss | (78,415) | (75,987) | (29,135) |
| Financial income (expenses), net | (7,483) | (389) | 970 |
| Loss before income taxes | (85,898) | (76,376) | (28,165) |
| Income taxes | (8,112) | (2,388) | (413) |
| Net loss | $(94,010) | $(78,764) | $(28,578) |
 
 
Year Ended December 31,
(as a percentage of total revenues)

| Statement of Operations Data: | 2020 | 2019 | 2018 |
|---|---|---|---|
| Revenues: | | | |
| Subscriptions | 55.1% | 30.1% | 3.2% |
| Perpetual licenses | 0.5 | 16.6 | 51.7 |
| Maintenance and services | 44.4 | 53.3 | 45.1 |
| Total revenues | 100.0 | 100.0 | 100.0 |
| Cost of revenues | 15.1 | 13.8 | 10.2 |
| Gross profit | 84.9 | 86.2 | 89.8 |
| Operating costs and expenses: | | | |
| Research and development | 33.9 | 31.8 | 25.9 |
| Sales and marketing | 61.5 | 66.8 | 62.3 |
| General and administrative | 16.3 | 17.5 | 12.4 |
| Total operating expenses | 111.7 | 116.1 | 100.6 |
| Operating loss | (26.8) | (29.9) | (10.8) |
| Financial income (expenses), net | (2.5) | (0.1) | 0.4 |
| Loss before income taxes | (29.3) | (30.0) | (10.4) |
| Income taxes | (2.8) | (1.0) | (0.2) |
| Net loss | (32.1)% | (31.0)% | (10.6)% |
 
Comparison of Years Ended December 31, 2020 and 2019
 
Revenues
 
Year Ended December 31,
(in thousands)

| Revenues: | 2020 | 2019 | % Change |
|---|---|---|---|
| Subscriptions | $161,188 | $76,730 | 110.1% |
| Perpetual licenses | 1,473 | 42,093 | (96.5)% |
| Maintenance and services | 130,028 | 135,367 | (3.9)% |
| Total revenues | $292,689 | $254,190 | 15.1% |

Year Ended December 31,
(as a percentage of total revenues)

| Revenues: | 2020 | 2019 |
|---|---|---|
| Subscriptions | 55.1% | 30.1% |
| Perpetual licenses | 0.5% | 16.6% |
| Maintenance and services | 44.4% | 53.3% |
| Total revenues | 100.0% | 100.0% |

Year Ended December 31,
(as a percentage of total perpetual licenses and subscriptions revenues)

| Subscriptions and Perpetual Licenses Revenues: | 2020 | 2019 |
|---|---|---|
| Subscriptions | 99.1% | 64.6% |
| Perpetual licenses | 0.9% | 35.4% |
| Total subscriptions and perpetual licenses revenues | 100.0% | 100.0% |
 
Subscription revenues increased 110% from $76.7 million for the year ended December 31, 2019 to $161.2 million for the year ended December 31, 2020. The increase in subscription revenues was driven by our customers’ demand for a higher number of licenses than the number that we historically sold with perpetual license sales and our high subscription renewal rate. Despite the revenue headwinds associated with the transition to a subscription-based model and the impact of COVID-19, total revenues increased approximately 15% for the year ended December 31, 2020. ARR was $287.3 million and $210.5 million as of December 31, 2020 and 2019, respectively, representing an increase of 37%. The anticipated decrease in maintenance and services revenues was primarily due to our accelerated transition to a subscription business, together with a reduction in our services revenues due to newer licenses providing remediation in a more automated way and the long-term strategic shift of having our channel partners take on more professional services work. In each of the years ended December 31, 2020 and 2019, our perpetual license maintenance renewal rate continued to be over 90%. As of December 31, 2020, 63% of our customers with 500 employees or more had purchased four or more licenses, compared to 54% a year ago, and 30% purchased six or more licenses, compared to 20% a year ago. Additionally, as of December 31, 2020 and 2019, 78% and 76% of our customers, respectively, had purchased products in two or more families and 49% and 45% of our customers, respectively, purchased products in three or more families.

Cost of Revenues and Gross Margin
 
Year Ended December 31,
(in thousands)

| | 2020 | 2019 | % Change |
|---|---|---|---|
| Cost of revenues | $44,261 | $35,144 | 25.9% |
 
Year Ended December 31,
(as a percentage of total revenues)

| | 2020 | 2019 |
|---|---|---|
| Total gross margin | 84.9% | 86.2% |
 
The increase in cost of revenues was primarily related to an increase of $7.4 million in salaries and benefits and stock-based compensation expense due to increased headcount for customer success and support personnel to ensure high customer satisfaction and maintain our strong renewal rates. The increase was also due to a $2.7 million increase in facilities and allocated overhead costs and amortization of acquired intangible assets which was partially offset by a $1.0 million decrease in expenses related to COVID-19, including reductions in travel.

Operating Costs and Expenses
 
Year Ended December 31,
(in thousands)

| Operating costs and expenses: | 2020 | 2019 | % Change |
|---|---|---|---|
| Research and development | $99,363 | $80,764 | 23.0% |
| Sales and marketing | 179,902 | 169,898 | 5.9% |
| General and administrative | 47,578 | 44,371 | 7.2% |
| Total operating expenses | $326,843 | $295,033 | 10.8% |
  
 Year Ended December 31,
 2020 2019
 (as a percentage of total revenues)
Operating costs and expenses: