UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
FORM 10-K
☒ Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934
For the Annual Period Ended December 31, 2017
or
☐ Transition Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934
For the transition period from to
Commission file number 001-35662
QUALYS, INC.
(Exact name of registrant as specified in its charter)
Delaware | 77-0534145
(State or other jurisdiction of incorporation or organization) | (I.R.S. Employer Identification Number)
919 E. Hillsdale Boulevard, 4th Floor, Foster City, California 94404
(Address of principal executive offices, including zip code)
(650) 801-6100
(Registrant’s telephone number, including area code)
Securities registered pursuant to section 12(b) of the Act:
Title of each class | Trading Symbol(s) | Name of |
Common stock, $0.001 par value per share | QLYS | NASDAQ Stock Market |
Securities registered pursuant to section 12(g) of the Act:
None
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes
Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or Section 15(d) of the Act. Yes
Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. Yes
Indicate by check mark whether the registrant has submitted electronically and posted on its corporate Web site, if any, every Interactive Data File required to be submitted and posted pursuant to Rule 405 of Regulation S-T during the preceding 12 months (or for such shorter period that the registrant was required to submit and post such files). Yes
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” “smaller reporting company,” and “emerging growth company” in Rule 12b-2 of the Exchange Act. (Check one):
Large accelerated filer ☒ | Accelerated filer ☐ | Non-accelerated filer ☐ | Smaller reporting company ☐ | Emerging growth company ☐
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act.
Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report. ☒
Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act). Yes
As of June 30, 2017,2021, the aggregate market value of voting shares of common stock held by non-affiliates of the registrant was $1,293$2,961 million based on the last reported sale price of the registrant
The number of shares of the registrant's common stock outstanding as of January 31, 2018February 16, 2022 was 38,628,442 39,029,415 shares.
DOCUMENTS INCORPORATED BY REFERENCE
Portions of the registrant's Proxy Statement for its 20182022 Annual Meeting of Stockholders are incorporated by reference in Part III of this Annual Report on Form 10-K where indicated. Such proxy statement will be filed with the Securities and Exchange Commission within 120 days of the registrant's fiscal year ended December 31, 2017.2021.
Our business is subject to significant risks and uncertainties that make an investment in us speculative and risky. Below we summarize what we believe are the principal risk factors but these risks are not the only ones we face, and you should carefully review and consider the full discussion of our risk factors in the section titled “Risk Factors,” together with the other information in this Annual Report on Form 10-K. If any of the following risks actually occurs (or if any of those listed elsewhere in this Annual Report on Form 10-K occur), our business, reputation, financial condition, results of operations, revenue, and future prospects could be seriously harmed. Additional risks and uncertainties that we are unaware of, or that we currently believe are not material, may also become important factors that adversely affect our business.
• The continued spread of Coronavirus Disease 2019 (COVID-19), or any similar widespread infectious disease outbreak, could harm our business, financial condition and results of operations.
• Our quarterly operating results may vary from period to period, which could result in our failure to meet expectations with respect to operating results and cause the trading price of our stock to decline.
• If we do not successfully anticipate market needs and opportunities or are unable to enhance our solutions and develop new solutions that meet those needs and opportunities on a timely or cost-effective basis, we may not be able to compete effectively and our business and financial condition may be harmed.
• If we fail to continue to effectively scale and adapt our platform to meet the performance and other requirements of our customers, our operating results and our business would be harmed.
• If we are unable to renew existing subscriptions for our IT, security and compliance solutions, sell additional subscriptions for our solutions and attract new customers, our operating results would be harmed.
• If the market for cloud solutions for IT, security and compliance does not evolve as we anticipate, our revenues may not grow and our operating results would be harmed.
• Our current research and development efforts may not produce successful products or enhancements to our platform that result in significant revenue, cost savings or other benefits in the near future.
• Our platform, website and internal systems may be subject to intentional disruption or other security incidents that could result in liability and adversely impact our reputation and future sales.
• Our sales cycle can be long and unpredictable, and our sales efforts require considerable time and expense. As a result, revenues may vary from period to period, which may cause our operating results to fluctuate and could harm our business.
• Adverse economic conditions or reduced IT spending may adversely impact our business.
• Our IT, security and compliance solutions are delivered from eleven shared cloud platforms, and any disruption of service at these facilities would interrupt or delay our ability to deliver our solutions to our customers which could reduce our revenues and harm our operating results.
• We face competition in our markets, and we may lack sufficient financial or other resources to maintain or improve our competitive position.
• If our solutions fail to detect vulnerabilities or incorrectly detect vulnerabilities, our brand and reputation could be harmed, which could have an adverse effect on our business and results of operations.
• If we are unable to continue the expansion of our sales force, sales of our solutions and the growth of our business would be harmed.
• We rely on third-party channel partners to generate a substantial amount of our revenues, and if we fail to expand and manage our distribution channels, our revenues could decline and our growth prospects could suffer.
• A significant portion of our customers, channel partners and employees are located outside of the United States, which subjects us to a number of risks associated with conducting international operations, and if we are unable to successfully manage these risks, our business and operating results could be harmed.
• Our business and operations have experienced significant growth, and if we do not appropriately manage any future growth, or are unable to improve our systems and processes, our operating results may be negatively affected.
• A portion of our revenues are generated by sales to government entities, which are subject to a number of challenges and risks.
• Undetected software errors or flaws in our solutions could harm our reputation, decrease market acceptance of our solutions or result in liability.
• Our solutions could be used to collect and store personal information of our customers’ employees or customers, and therefore privacy and other data handling concerns could result in additional cost and liability to us or inhibit sales of our solutions.
• Our solutions contain third-party open source software components, and our failure to comply with the terms of the underlying open source software licenses could restrict our ability to sell our solutions.
• We use third-party software and data that may be difficult to replace or cause errors or failures of our solutions that could lead to lost customers or harm to our reputation and our operating results.
• Failure to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.
• Assertions by third parties of infringement or other violations by us of their intellectual property rights could result in significant costs and harm our business and operating results.
In addition to historical information, this Annual Report on Form 10-K contains "forward-looking" statements within the meaning of Section 21E of the Securities Exchange Act of 1934, as amended, or the Exchange Act. Forward-looking statements generally relate to future events or our future financial or operating performance. In some cases, it is possible to identify forward-looking statements because they contain words such as "anticipates," "believes," "contemplates," "continue," "could," "estimates," "expects," "future," "intends," "likely," "may," "plans," "potential," "predicts," "projects," "seek," "should," "target," or "will," or the negative of these words or other similar terms or expressions that concern our expectations, strategy, plans or intentions. Forward-looking statements contained in this Annual Report on Form 10-K include, but are not limited to, statements about:
• our financial performance, including our revenues, costs, expenditures, growth rates, operating expenses and ability to generate positive cash flow to fund our operations and sustain profitability;
• anticipated technology trends, such as the use of cloud solutions;
• our ability to adapt to changing market conditions;
• the impact of the ongoing COVID-19 pandemic and related public health measures on our business;
• economic and financial conditions, including volatility in foreign exchange rates;
• our ability to diversify our sources of revenues, including selling additional solutions to our existing customers and our ability to pursue new customers;
• the effects of increased competition in our market;
• our ability to innovate and enhance our cloud solutions and platform and introduce new solutions;
• our ability to effectively manage our growth;
• our anticipated investments in sales and marketing, our infrastructure, new solutions, research and development, and acquisitions;
• maintaining and expanding our relationships with channel partners;
• our ability to maintain, protect and enhance our brand and intellectual property;
• costs associated with defending intellectual property infringement and other claims;
• our ability to attract and retain qualified employees and key personnel, including sales and marketing personnel;
• our ability to successfully enter new markets and manage our international expansion;
• our expectations, assumptions and conclusions related to our income tax provision, our deferred tax assets and our effective tax rate; and
• other factors discussed in this Annual Report on Form 10-K in the sections titled "Risk Factors," "Management's Discussion and Analysis of Financial Condition and Results of Operations" and "Business."
We have based the forward-looking statements contained in this Annual Report on Form 10-K primarily on our current expectations and projections about future events and trends that we believe may affect our business, financial condition, results of operations and prospects. The results, events and circumstances reflected in these forward-looking statements are subject to risks, uncertainties, assumptions, and other factors including those described in Part I, Item 1A (Risk Factors) of this Annual Report and those discussed in other documents we file with the U.S. Securities and Exchange Commission (SEC). Moreover, we operate in a very competitive and rapidly changing environment. New risks and uncertainties emerge from time to time, and it is not possible for us to predict all risks and uncertainties that could have an impact on the forward-looking statements used herein. We cannot provide assurance that the results, events, and circumstances reflected in the forward-looking statements will be achieved or occur, and actual results, events or circumstances could differ materially from those described in the forward-looking statements.
You should not rely on forward-looking statements as predictions of future events. Except as required by law, neither we nor any other person assumes responsibility for the accuracy and completeness of the forward-looking statements, and we undertake no obligation to update any forward-looking statements to reflect events or circumstances after the date of such statements.
Qualys, the Qualys logo and QualysGuard, and other trademarks and service marks of Qualys appearing in this Annual Report on Form 10-K are the property of Qualys. This Annual Report on Form 10-K also contains trademarks and trade names of other businesses that are the property of their respective holders. We have omitted the ® and ™ designations, as applicable, for the trademarks used in this Annual Report on Form 10-K.
Overview
We are a pioneer and leading provider of a cloud-based platform delivering information technology (IT), security and compliance solutions. Our cloud solutions address the growing IT, security and compliance complexities and risks that are amplified by the dissolving boundaries between internal and external IT infrastructures and web environments, the rapid adoption of cloud computing, containers and serverless IT models, and the proliferation of geographically dispersed IT assets. Our integrated suite of security and compliance solutions delivered on our Qualys cloud platform enables our customers to identify their IT assets, collect and analyze large amounts of IT security data, discover and prioritize vulnerabilities, recommend remediation actions and verify the implementation of such actions. Organizations use our integrated suite of solutions delivered on our Qualys cloud platform to cost-effectively obtain a unified view of their IT asset inventory as well as security and compliance posture across globally-distributed IT infrastructures as our solution offers a single platform for information technology, information security, application security, endpoint, developer security and cloud teams.
IT infrastructures are more complex and globally-distributed today than ever before, as organizations of all sizes increasingly rely upon a myriad of interconnected information systems and related IT assets, such as servers, databases, web applications, routers, switches, desktops, laptops, other physical and virtual infrastructure, and numerous external networks and cloud services. In this environment, new and evolving digital technologies intended to improve organizations’ operations can also increase vulnerability to cyber-attacks, which can expose sensitive data, damage IT and physical infrastructures, and result in serious financial or reputational consequences. In addition, the rapidly increasing amount of data and devices in IT environments makes it more difficult to identify and remediate vulnerabilities in a timely manner. The predominant approach to IT security has been to implement multiple disparate security products that can be costly and difficult to deploy, integrate and manage and may not adequately protect organizations. As a result, we believe there is a large and growing opportunity for comprehensive cloud-based IT, security and compliance solutions delivered in a single platform.
We designed our Qualys Cloud Platform to transform the way organizations secure and protect their IT infrastructures and applications. Our cloud platform offers an integrated suite of solutions that automates the lifecycle of asset discovery and management, security assessments, and compliance management for an organization’s IT infrastructure and assets, whether such infrastructure and assets reside inside the organization, on their network perimeter, on endpoints or in the cloud. Since inception, our solutions have been designed to be delivered through the cloud and to be easily and rapidly deployed on a global scale, enabling faster implementation and lower total cost of ownership than traditional on-premises enterprise software products. Our customers, ranging from some of the largest global organizations to small businesses, are served from our globally-distributed cloud platform, enabling us to rapidly deliver new solutions, enhancements and security updates.
We believe that our cloud platform provides our customers with unique advantages, including:
• No hardware to buy or manage. There is no infrastructure or software to buy and maintain thus reducing our customers’ operating costs; all services are accessible in the cloud via web interface. Qualys operates and maintains the platform.
• Real-time visibility in one place, anytime and anywhere. Our customers can conveniently see their security and compliance posture across their global IT asset inventory in one browser window, without plugins or a virtual private network (VPN), whenever and wherever Internet access is available.
• Easy global scanning. Our customers can easily perform scans on geographically distributed and segmented networks at the perimeter, behind the firewall, on dynamic cloud environments and on endpoints.
• Seamless scaling. Our cloud platform is a scalable, comprehensive, and end-to-end solution for the IT, security and compliance needs of our customers. Our customers can seamlessly add new coverage, users and services after they have deployed our platform.
• Up to date resources. Qualys has one of the largest knowledge bases of vulnerability signatures in the industry. All security updates are made in real-time.
• Data stored securely. Data is securely stored and processed in a multi-tiered architecture of load-balanced servers. Our encrypted databases are physically and logically secured.
We were founded and incorporated in December 1999 with a vision of transforming the way organizations secure and protect their IT infrastructure and applications and initially launched our first cloud solution, Vulnerability Management (VM), in 2000. As VM gained acceptance, we introduced additional solutions to help customers manage increasing IT, security and compliance requirements. Today, the suite of solutions that we offer on our cloud platform and refer to as the Qualys Cloud Apps helps our customers protect a range of assets across on-premises, endpoints, cloud, containers, and mobile environments. These Cloud Apps address and
• IT Security: Vulnerability Management (VM), Vulnerability Management, Detection and Response (VMDR), Threat Protection (TP), Continuous Monitoring (CM), Patch Management (PM), Multi-Vector Endpoint Detection and Response (EDR), Certificate Assessment (CRA), SaaS Detection and Response (SaaSDR), Secure Enterprise Mobility (SEM);
• Compliance: Policy Compliance (PC), Security Configuration Assessment (SCA), PCI Compliance (PCI), File Integrity Monitoring (FIM), Security Assessment Questionnaire (SAQ), Out-of-Band Configuration Assessment (OCA);
• Web Application Security: Web Application Scanning (WAS), Web Application Firewall (WAF);
• Asset Management: Global Asset View (GAV), Cybersecurity Asset Management (CSAM), Certificate Inventory (CRI); and
• Cloud/Container Security: Cloud Inventory (CI), Cloud Security Assessment (CSA), Container Security (CS).
We provide our solutions through a software-as-a-service model, primarily with renewable annual subscriptions. These subscriptions require customers to pay a fee in order to access each of our cloud solutions. We generally invoice our customers for the entire subscription amount at the start of the subscription term, and the invoiced amounts are treated as deferred revenues and are recognized ratably over the term of each subscription. We continue to experience significant revenue growth from our existing customers as they renew and purchase additional subscriptions.
Our Qualys Cloud Platform is currently used by over 10,30010,000 customers in more than 130 countries,worldwide, including a majority
Our Platform
Our cloud platform consists of a suite of IT security, compliance, web application security, asset management and cloud and container security solutions, which we refer to as the Qualys Cloud Apps, that leverages our shared and extensible core services and our highly scalable multi-tenant cloud infrastructure. We also provide open application program interfaces, or APIs, and other developer tools that allow third parties to embed our technology into their solutions and build applications on our cloud platform.
Our cloud platform utilizes sensors, including physical and virtual and cloud scanners, sensors, and cloud agents that provide our customers with continuous visibility enabling customers to respond to threats immediately. Customers can extend visibility to all known IT infrastructure using our Out-of-Band Configuration Assessment sensor for systems that are air-gapped or otherwise difficult to assess.
The Qualys Cloud Platform automatically gathers and analyzes security and compliance data in a scalable, state-of-the-art backend. The technology underlying our cloud infrastructure enables us to ingest, process, analyze and store a high volume of sensor data coming from our agents, scanners and passive analyzers, and correlate information at very high speeds in a distributed manner for millions of devices.
Our cloud platform is delivered to our customers via our eleven global shared cloud platforms, or via our private platform offering, Qualys Private Cloud Platform (PCP), for customers or partners that want the platform to reside within the customer's data center. The PCP is a standalone version of our multi-layer, multi-tenant services architecture and is a fully integrated turnkey solution, making it more scalable, cost effective and faster to deploy within a customer's data center. Solutions delivered through our PCP are typically on the same subscription basis as solutions delivered through our shared platform. Our PCP utilizes hardware and software owned by us and is physically located on the customer's premises. The customer is not permitted to take possession of the software or access the software code. We also offer our PCP as a subscription-based platform using a virtual version of our software. This virtualized PCP allows us to extend our security and compliance solutions without the complexity and cost associated with deploying traditional enterprise software. We also offer Private Cloud Platform Appliance (PCPA), an on-premises IT, security and compliance solution packaged in a form-factor for medium-sized companies.
Qualys Core Services
Our core services enable integrated workflows, management and real-time analysis and reporting across all of our IT, security and compliance solutions for our customers inside their organizations, on the perimeter, on endpoints or in the cloud.
Our core services constitute dynamic and customizable dashboards and centrally managed, self-updating integrated Cloud Apps, through what we call a natively integrated unified platform. Our interactive, dynamic dashboards and cloud platform allow our customers to aggregate and correlate all of their IT, security and compliance data in one place, drill down into details, and generate reports customized for different audiences. Our cloud platform’s powerful Elasticsearch clusters enable customers to instantly find detailed data on any asset.
Our core services include:
• Asset Tagging and Management. Enables customers to easily identify, categorize and manage large numbers of assets in highly dynamic IT environments and automates the process of inventory management and hierarchical organization of IT assets. Built on top of this core service is the Qualys GAV framework, which is a global asset inventory service enabling our customers to search for information on any IT asset, scaling to millions of assets for customers of all sizes, helping IT and security personnel to search IT assets and maintain an up-to-date inventory on a continuous basis.
• Reporting and Dashboards. A highly configurable reporting engine that provides customers with reports and dashboards based on their roles and access privileges.
• Questionnaires and Collaboration. A configurable workflow engine that enables customers to easily build questionnaires and capture existing business processes and workflows to evaluate controls and gather evidence to validate and document compliance.
• Remediation and Workflow. An integrated workflow engine that allows customers to automatically generate helpdesk tickets for remediation and to manage compliance exceptions based on customer-defined policies, enabling subsequent review, commentary, tracking and escalation. This engine automatically distributes remediation tasks to IT administrators upon scan completion, tracks remediation progress and closes open tickets once patches are applied and remediation is verified in subsequent scans.
• Big Data Correlation and Analytics Engine. Provides Elasticsearch capabilities for indexing, searching and correlating large amounts of security and compliance data with other security incidents and third-party security intelligence data. Embedded workflows enable customers to quickly assess risk and access information for remediation, incident analysis and forensic investigations.
• Alerts and Notifications. Creates email notifications to alert customers of new vulnerabilities, malware infections, scan completion, open trouble tickets and system updates.
Qualys Cloud Apps
Many organizations have an array of heterogeneous point tools that do not interoperate well and are difficult and costly to maintain and integrate, making it difficult for Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) to obtain a single, unified view of their organization’s security and compliance posture. The Qualys Cloud Platform and its Cloud Apps help organizations escape this tool-fragmentation dilemma by drastically simplifying their security stacks and regaining unimpeded visibility across their IT environment.
The Cloud Apps are self-updating, centrally managed and tightly integrated, and cover a broad range of functionality in areas such as vulnerability management, IT security, compliance, web application security, asset management and cloud and container security.
From inception through December 31, 2020, we have added the following Cloud Apps currently includes: AI, SYN,Apps: VM, CM, CAP, TP, SCA, IOC, PC, PCI, WAS, WAF, CM, SAQ, TP, FIM, WASGAV (including a free version), SCA, CS, CI, CSA, CRI, CRA, OCA, PM, VMDR, and WAF.
We believe that our applications are easy to use and provide our customers with a high level of control because our applications are part of one platform, share a common user interface,
Our customers can subscribe to one or more of our IT, security and compliance Apps based on their initial needs and expand their subscriptions over time to new areas within their organization or to additional Qualys solutions. WeFor VMDR, we offer threefour editions of our Qualys Cloud Apps:App: Enterprise for large enterprises, Express for medium-sized businesses, and Express Lite for small-sized businesses.
Many of our customers use multiple Cloud Apps to develop a more complete understanding of their respective environment’s IT, security and compliance posture. The Qualys Cloud Platform currently provides the following Cloud Apps to our customers:
IT Security
Vulnerability Management (VM): VM is an industry leading and award-winning solution that automates network auditing and vulnerability management across an organization, including network discovery and mapping, asset management, vulnerability reporting and remediation tracking. Driven by our comprehensive knowledge base of known vulnerabilities, VM enables cost-effective protection against vulnerabilities without substantial resource deployment.
Vulnerability Management, Detection and Response (VMDR): VMDR enables organizations to automatically discover every asset in their environment, including unmanaged assets appearing on the network, inventory all hardware and software, and classify and tag critical assets. VMDR continuously assesses these assets for the latest vulnerabilities and applies the latest threat intel analysis to prioritize actively exploitable vulnerabilities. Finally, VMDR automatically detects the latest superseding patch for the vulnerable asset and easily deploys it for remediation. By delivering all this in a single app workflow, VMDR automates the entire process and significantly accelerates an organization’s ability to respond to threats.
Threat Protection (TP): Thousands of new vulnerabilities are disclosed annually. With TP, customers can pinpoint their most critical threats and identify what they need to remediate first. TP continuously correlates external threat information against a customer's vulnerabilities and IT asset inventory, so customers know which threats pose the greatest risk to their organization at any given time. As Qualys engineers continuously validate and rate new threats from internal and external sources, TP’s live feed displays the latest vulnerability disclosures and maps them to customers’ impacted IT assets. Customers can see the assets affected by each threat, and drill down into details.
Continuous Monitoring (CM): ABuilt on top of VM, add-on, SCA expands our VM program with automatic assessment of IT assets’ configurations usingCM is a next-generation cloud service that can detect network threats and unexpected changes before they turn into breaches. Whenever CM spots an anomaly in a network, it immediately sends targeted, informative alerts to the latest Centerright people for Internet Security (CIS) Benchmarks for operating systems, databases, applicationseach situation and network devices. SCA provides intuitive workflows for assessing, monitoring, reporting and remediating security-related configuration issues. SCA’s CIS assessments are provided via a web-based user interface and delivered from the Qualys cloud platform, enabling centralized management with minimal deployment overhead. SCA users can automatically create downloadable reports and view dashboards.
Patch Management (PM): PM provides automated patch deployment capabilities by correlating vulnerabilities and patches. It continuously gathers and uploads telemetry about installed software, open vulnerabilities and missing patches to the Qualys Cloud Platform. The resulting shared visibility of assets and their posture enables IT and security teams to collaborate using common vulnerability-centric terminology and provides a consistent data set to analyze, prioritize, deploy and verify patches more efficiently.
Multi-Vector Endpoint Detection and Response (EDR): Traditional endpoint detection and response solutions focus only on endpoint activity to detect attacks. As a result, they lack the full context to analyze attacks accurately. This leads to an incomplete picture and a high rate of false positives and negatives, requiring organizations to use multiple point solutions and large incident response teams. Qualys fills the gaps by bringing a new multi-vector approach and the unifying power of its highly scalable Cloud Platform to EDR, providing vital context and comprehensive visibility to the entire attack chain, from prevention to detection to response. EDR unifies different context vectors like asset discovery, rich normalized software inventory, end-of-life visibility, vulnerabilities and exploits, misconfigurations, in-depth endpoint telemetry, and network reachability with a powerful backend to correlate it all for accurate assessment, detection and response.
Certificate Assessment (CRA): CRA assesses digital certificates and Transport Layer Security (TLS) configurations. CRA generates certificate instance grades using a straightforward methodology that allows administrators to assess often overlooked server SSL/TLS configurations without having to become SSL experts. It also identifies out-of-policy certificates with weak signatures or key length and shows how many unique Certificate Authorities were found in the environment and how many certificates each one issued.
SaaS Detection and Response (SaaSDR): SaaSDR leverages the Qualys Cloud Platform to provide continuous visibility into SaaS applications such as Office 365, Salesforce and Zoom for configuration posture management, activity monitoring and query.
Secure Enterprise Mobility (SEM): SEM extends the power of VMDR for in-depth inventory of mobile devices and their data, real time vulnerability and misconfiguration detection, and built-in remediation with patch orchestration for all Android and iOS/iPadOS devices across the enterprise.
Compliance Monitoring
Policy Compliance (PC): PC performs automated security configuration assessments on IT systems throughout a network, helping to reduce risk and continuously ensure compliance with internal policies and external regulations. PC leverages out-of-the-box library content to fast-track compliance assessments using industry-recommended best practices. PC also provides a centralized, interactive console for specifying baseline standards for different hosts. By automating requirement evaluation against multiple standards for operating systems, network devices, databases and server applications, PC enables the quick identification of security issues and works to prevent configuration drift. PC works to prioritize and track remediation and exceptions, while demonstrating a repeatable auditable process for compliance management.
Security Configuration Assessment (SCA): SCA provides automatic assessment of IT assets’ configurations using the latest Center for Internet Security (CIS) Benchmarks for operating systems, databases, applications and network devices. SCA provides intuitive workflows for assessing, monitoring, reporting and remediating security-related configuration issues. SCA’s CIS assessments are provided via a web-based user interface and delivered from the Qualys Cloud Platform, enabling centralized management with minimal deployment overhead. SCA users can automatically create downloadable reports and view dashboards.
PCI Compliance (PCI): PCI streamlines and automates compliance with PCI DSS (Payment Card Industry Data Security Standard) requirements for protecting the collection, storage, processing and transmission of cardholder data. As an Approved Scanning Vendor, Qualys has been authorized by the PCI Security Standards Council to conduct the required quarterly scans. PCI scans all Internet-facing networks and systems with Six Sigma (99.9996%) accuracy, generates reports and provides detailed patching instructions. An auto-submission feature completes the compliance process once remediation is completed.
File Integrity Monitoring (FIM): FIM logs and centrally tracks file change events on common enterprise operating systems in organizations of all sizes. FIM provides customers with a simple way to achieve centralized cloud-based visibility of activity resulting from normal patching and administrative tasks, change control exceptions or violations, or malicious activity - then reports on that system activity as part of compliance mandates. FIM collects the critical details needed to quickly identify changes and root out activity that violates policy or is potentially malicious. FIM helps customers to comply with change control policy enforcement and change monitoring requirements.
Out-of-Band Configuration Assessment (OCA): The OCA sensor and Cloud App allow customers to achieve complete visibility of all known IT infrastructure by pushing vulnerability and configuration data to the Qualys Cloud Platform from systems that are otherwise difficult to assess, such as highly locked-down systems, systems on disconnected or “air gap” networks, or in environments that are highly sensitive to scans. OCA’s expanded data collection approach significantly broadens the types of technologies supported by the Qualys Cloud Platform and provides deeper assessment of configuration so that customers have better visibility into potentially critical vulnerabilities and misconfigurations across their entire environment.
Web Application Security
Web Application Scanning (WAS): WAS continuously discovers and catalogs web applications – including new and unknown ones – and detects vulnerabilities and misconfigurations in web apps and APIs. Scaling up to thousands of scans, it conducts incisive, thorough and precise testing of browser-based web apps, including mobile app backends, and Internet of things (IoT) services. Its seamless integration with the Qualys Web Application Firewall (WAF) enables verification of attack protection, ticket creation and one click mitigation of vulnerabilities. WAS' powerful API enables integration with other systems and allows teams to detect issues within DevOps environments early in the application development process. Bundled malware detection capability with WAS uses reputational, behavioral, antivirus, and heuristic analyses to identify and alert on malware infecting a user's websites. By integrating WAS with manual testing tools and bug bounty solutions, customers can also insert security into DevOps environments by detecting code security issues early and often in the app development and deployment pipeline. WAS also scans, identifies and removes malware infections from customers' websites using behavioral and static analysis.
Web Application Firewall (WAF): WAF permits the reduction of application security cost and complexity with a unified platform to detect and prevent any attempt to exploit vulnerabilities. Simple, scalable and adaptive, WAF enables the quick blocking of attacks, prevents disclosure of sensitive information, and controls when and where customer applications are accessed. WAF and WAS work together seamlessly. Customers scan web apps with WAS, deploy one-click virtual patches if needed in WAF, and manage it all from a centralized cloud-based portal. WAF can be deployed in minutes on prem or in the cloud, as a virtual machine or a container, supports load-balancing as well as TLS offloading, and does not require special hardware.
Asset Management
Global Asset View (GAV): GAV constantly gathers information on all assets, including system and hardware details, running services, open ports, installed software and user accounts. Asset discovery and inventory collection is done through a combination of Qualys network scanners, Cloud Agents and passive scanners, which together collect comprehensive data from on-premises or cloud infrastructure as well as remote endpoints. In order to create consistent and uniform asset data, GAV normalizes raw discovery data to standardize every manufacturer name, product name, model and software version using Qualys’ ever-evolving technology catalog as a reference. This catalog automatically extends IT asset inventory with non-discoverable metadata such as hardware and software release dates, end of life dates, and license categories. This new data layer allows teams to detect issues such as unauthorized software, outdated hardware or end-of-life software, which can help properly tag, support, and secure business-critical assets. Additionally, customers can sync their asset information with ServiceNow CMDB.
Cybersecurity Asset Management (CSAM): CSAM is an all-in-one solution that leverages the power of the Qualys Cloud Platform with its multiple native sensors and CMDB synchronization to continuously inventory known and unknown assets, discover installed applications, and overlay business and risk context to establish asset criticality. It identifies unauthorized or end-of-life and end-of-service software and the absence of required security tools, and assesses the health of the attack surface. Further, CSAM enables response options with threat alerts and software removal and delivers regulatory reporting in support of FedRAMP, PCI-DSS and other mandates.
Certificate Inventory (CRI): CRI continuously scans global IT assets from a single console to discover internal and external certificates issued from any certificate authority across all enterprise IT assets, both on premise and in the cloud. As a result, certificates can be renewed before they expire, which stops certificate-related outages and improves availability. It collects all certificate, vulnerability and configuration data required for certificate inventory and analysis. CRI also reveals how many certificates are out of compliance or do not follow organizational policies for key length, for signature algorithms or for the use of trusted and approved Certificate Authorities through the use of highly customizable dashboards and provides users a comprehensive overview of Qualys SSL Labs-caliber certificate grades for internal and externally facing certificates.
Cloud / Container Security
Cloud Inventory (CI): CI delivers continuous visibility into public cloud accounts. In one single-pane view, it inventories virtual machines, storage buckets, databases, security groups, Access Control Lists (ACLs), Elastic Load Balancers (ELBs) and users – across all regions, multiple accounts and multiple cloud platforms. CI continuously tracks assets and enables users to quickly understand the topography of their cloud environment and uncover the root cause of incidents.
Cloud Security Assessment (CSA): CSA provides a continuous assessment of the security posture of an organization’s cloud resources against misconfigurations, malicious behavior, and nonstandard deployments. CSA evaluates resources against CIS benchmarks and best practices to identify misconfigured storage buckets, security groups, Relational Database Service, exposing data and the resource for public exploitation. CSA correlates host vulnerabilities and compliance data into intelligent insights which allow users to quickly detect risks throughout their complex cloud environments. With CSA, users gain real-time visibility into their up-to-date security and compliance posture of public clouds in one single-pane view.
Container Security (CS): CS delivers container-native visibility and protection throughout the entire lifecycle of containerized applications. It incorporates scanning of container images for software composition and enforcement of hardened container stack configurations for continuous policy compliance, whether the images are on the build machines, in the container registries or in the runtime cluster nodes. CS uses a unique 'layered-in' approach to provide deep visibility into all the application activities and automatically creates a behavior profile, which is enforced on each container for runtime protection. By integrating with continuous integration and continuous delivery pipelines and toolchains, CS enables DevSecOps processes and transparent enforcement of security and compliance without compromising the speed and agility of containers and serverless deployment models. This leads to significant cost benefits for enterprises compared to certain legacy security solutions.
Free Services
We also offer organizations of all sizes free security and compliance services based on the Qualys Cloud Platform:
• Qualys Global Asset View app automatically creates a continuous, real-time inventory of known and unknown assets throughout a user's global IT footprint across on-premises, endpoints, multi-cloud, mobile, containers, operational technology and IoT. The app also automatically normalizes and categorizes assets to ensure clean, reliable, and consistent data. In-depth asset details provide fine-grained visibility on the system, services, installed software, network, and users. It also detects any device that connects to a user's networks, via passive scanning technology. Upon an unknown device detection, users can install a light-weight Qualys self-updating agent (3MB) to turn the device into a managed device or launch a vulnerability scan.
• Qualys Community Edition automatically gathers and analyzes security and compliance data from hybrid IT environments to provide a complete, continuously updated, and instant view of monitored IT assets on-premises or in the cloud, as well as web apps, from a single-pane-of-glass interface. The Community Edition is limited to one user with data retention for three months.
• Qualys CloudView continuously discovers and tracks assets and resources across public cloud deployments to provide users both real-time and historical views of cloud inventory. It collects metadata about cloud assets and resources to help users understand the relationships between public cloud assets and resources across different dimensions and then discover their threat posture based on those attributes and relationships. CloudView is limited to three accounts per public cloud platform.
• Qualys CertView inventories and assesses all Internet-facing certificates to generate SSL/TLS configuration grades, identifies the certificate issuer and tracks certificate expirations to help stop expired and expiring certificates from interrupting critical business functions.
Our Growth Strategy
We intend to strengthen our leadership position as a trusted provider of cloud-based IT, security and compliance solutions. The key elements of our growth strategy are:
• Continue to innovate and enhance our cloud platform and suite of solutions. We intend to continue to make significant investments in research and development to extend our cloud platform’s functionality by developing new security solutions and capabilities and further enhancing our existing suite of solutions. From inception through December 31, 2020, we have added the following Cloud Apps: PC, PCI, WAS, WAF, CM, SAQ, TP, FIM, GAV (including a free version), SCA, CS, CI, CSA, CRI, CRA, OCA, PM, VMDR, and EDR. In 2021, we introduced SaaSDR, SEM, and CSAM.
• Expand the use of our suite of solutions by our large and diverse customer base. With more than 10,000 customers, across many industries and geographies, we believe we have a significant opportunity to sell additional solutions to our customers and expand their use of our suite of solutions. Because our customers typically initially deploy one or two of our solutions in select parts of their IT infrastructures, our existing customers serve as a strong source of new sales as they expand their scope and increase their subscriptions or choose to adopt additional solutions from our integrated suite of IT, security and compliance offerings. In this regard, we continue to expand our sales execution and marketing functions to increase adoption of our newly developed solutions among our existing customers.
• Drive new customer growth and broaden our global reach. We are pursuing new customers by targeting key accounts, releasing free IT, security and compliance services and expanding both our sales and marketing organization and network of channel partners. We will continue to seek to make significant investments to encourage organizations to replace their existing security products with our cloud solutions. We intend to expand our relationships with key security consulting organizations, managed security service providers and value-added resellers to accelerate the adoption of our cloud platform. We seek to strengthen existing relationships as well as establish new relationships to increase the distribution and market awareness of our cloud platform and target new geographic regions. We also plan to partner with such security providers that can host our private cloud offering within their data centers, helping us expand our reach in new markets and new geographies.
• Selectively pursue technology acquisitions to bolster our capabilities and leadership position. We may explore acquisitions that are complementary to and can expand the functionality of our cloud platform. We may also seek to acquire development teams to supplement our own personnel and acquire technology to increase the breadth of our cloud-based IT, security and compliance solutions. In 2021, we acquired certain intangible assets of Kandor Soft Labs Private Ltd. (TotalCloud), strengthening our cloud security solution by allowing customers to build user-defined workflows for custom policies and execute them on-demand for simplified security and compliance. In 2020, we acquired certain intangible assets of Spell Security Private Limited (Spell Security), expanding our endpoint behavior detection, threat hunting, malware research and multi-layered response capabilities for our EDR application. In 2019, we acquired Adya Inc. (Adya), enabling us to provide companies of all sizes with the ability to consolidate administration of their Software as a Service (SaaS) applications into one console, manage license costs across SaaS applications, set and enforce security policies in one place and report and audit on all activity with a single tool.
Our Customers
We market and sell our solutions to enterprises, government entities and small and medium-sized businesses across a broad range of industries, including education, financial services, government, healthcare, insurance, manufacturing, media, retail, technology and utilities. As of December 31, 2021, we had over 10,000 customers worldwide, including a majority of each of the Forbes Global 100 and Fortune 100. In each of 2021, 2020 and 2019, no one customer accounted for more than 10% of our revenues. In 2021, 2020 and 2019, 61%, 63% and 64%, respectively, of our revenues were derived from customers in the United States based on our customers' billing addresses. We sell our solutions to enterprises and government entities primarily through our field sales force and to small and medium-sized businesses through our inside sales force. We generate a significant portion of sales through our channel partners, including managed security service providers, value-added resellers and consulting firms in the United States and internationally.
Sales and Marketing
Sales
We market and sell our IT, security and compliance solutions to customers directly through our sales teams as well as indirectly through our network of channel partners.
Our global sales force is organized into a field sales team, which focuses on enterprises, generally including organizations with more than 5,000 employees, and an inside sales team, which focuses on small to medium-sized businesses, which generally include organizations with less than 5,000 employees. Both our field and inside sales teams are divided into three geographic regions, including the Americas; Europe, Middle East and Africa; and Asia-Pacific. We also further assign each of our sales teams into groups that focus on adding new customers or managing relationships with existing customers.
Our channel partners maintain relationships with their customers throughout the territories in which they operate and provide their customers with services and third-party solutions to help meet those customers’ evolving security and compliance requirements. As such, these partners offer our IT, security and compliance solutions in conjunction with one or more of their own products or services and act as a conduit through which we can connect with these prospective customers to offer our solutions. Our channel partners include security consulting organizations, managed service providers and resellers, such as Accenture, BT Managed Security, Cognizant Technology Solutions, Deutsche Telekom, DXC Technology, Fujitsu, Hindustan Computers Limited (HCL) Technologies, International Business Machines (IBM), Infosys, Nippon Telegraph and Telephone Corporation (NTT), Optiv, SecureWorks, Tata Communications, Verizon and Wipro.
For sales involving a channel partner, the channel partner engages with the prospective customer directly and involves our sales team as needed to assist in developing and closing an order. When a channel partner secures a sale, we sell the associated subscription to the channel partner who in turn resells the subscription to the customer, with the channel partner earning a fee based on the total value of the order. Once the order is completed, we provide these customers with direct access to our solutions and other associated back-office applications, enabling us to establish a direct relationship as part of ensuring customer satisfaction with our solutions. At the end of the subscription term, the channel partner engages with the customer to execute a renewal order, with our sales team providing assistance as required. In 2021, 2020 and 2019, 41%, 42% and 42%, respectively, of our revenues were generated by channel partners.
Marketing
Our marketing programs include a variety of online marketing, advertising, conferences, events, public relations activities and web-based seminar campaigns targeted at key decision makers within our prospective customers.
We have a number of marketing initiatives to build awareness and encourage customer adoption of our solutions. We offer free trials and services to allow prospective customers to experience the quality of our solutions, to learn in detail about the features and functionality of our cloud platform, and to quantify the potential benefits of our solutions.
Customer Support
Qualys Support delivers 24x7x365 day customer technical support from global centers located in Foster City, California; Raleigh, North Carolina; and Pune, India. We recruit senior level technical personnel and trained subject matter experts who work closely with engineering and operations personnel to resolve issues quickly. Our IT, security and compliance solutions can be deployed easily and are designed to be implemented and operated without the need for significant professional services. We also offer various training programs as part of our subscriptions to all of our customers. We believe that our customer support helps ensure customer satisfaction and is critical to retaining and expanding our customer base. In addition, we leverage the insights drawn from our customers to further improve the functionality of our IT, security and compliance solutions. Our mission is to ensure customer satisfaction and play a critical role in retaining and expanding our customer base.
Research and Development and Operations
We devote significant resources to maintain, enhance and add new functionality to our Qualys Cloud Platform and the integrated suite of solutions that we offer. Our development organization consists of agile engineering teams with substantial security expertise in specific areas of our solutions. In addition to our development teams, we have also built a sophisticated research team focused on identifying threats and developing signatures for vulnerabilities and compliance checks so that we can provide our customers with daily updates and enable them to scan their assets for the latest threats. We conduct our research and development in the United States, France, India, and the United Kingdom, which gives us access to some of the best research and engineering talent in the world. Our focus remains to attract engineering talent as we continue to add new solutions and improve existing ones.
Our development team works closely with our customers and partners to gain valuable insights into their environments and gather feedback for threat research, product development and innovations. We typically release updates to our solutions, including enhancements and new features multiple times a year, and we measure the quality of our scan results on a frequent basis in an effort to maintain the highest level of scan accuracy.
The modular architecture of our cloud platform enables our engineering teams to simultaneously work on different features, accelerating the delivery of new functionalities to customers. Our research and development team also works collaboratively with our technical support team to ensure customer satisfaction and with our sales team to accelerate the adoption of our solutions.
Manufacturing Agreement
Our physical appliances are provided by TD SYNNEX, pursuant to a manufacturing services agreement dated March 1, 2011. Under this agreement, TD SYNNEX manufactures, assembles and tests our physical scanner appliances. This agreement has an initial term of one year, which is automatically renewed annually, unless terminated (i) at any time upon the mutual written agreement of us and TD SYNNEX, (ii) by either party upon 90 days or more written notice, (iii) upon written notice, subject to applicable cure periods, if the other party has materially breached its obligations under the agreement or (iv) by either party upon the other party seeking an order for relief under the bankruptcy laws of the United States or similar laws of any other jurisdiction, a composition with or assignment for the benefit of creditors, or dissolution or liquidation.
Shared Cloud Platform Agreements
Our shared cloud platform operations are provided by large third-party data center vendors and are located in the United States, Canada, Switzerland, the Netherlands, United Arab Emirates, Australia, United Kingdom and India. Our shared cloud platform agreements have varying terms through 2020.
Competition
The expanding capabilities of our IT, security and compliance solutions have enabled us to address a growing array of opportunities in the cloud IT, security and compliance market. We compete with a large and broad array of established and emerging vulnerability management vendors, compliance vendors and data security vendors in a highly fragmented and competitive environment.
We compete with large and small public companies, such as Belden (Tripwire), Broadcom (Symantec Enterprise Security), CrowdStrike, Palo Alto Networks, Rapid7 and Tenable Holdings, as well as privately held security providers including Axonius, Checkmarx, Flexera, Ivanti, Netsparker, Tanium and Veracode. We also seek to replace IT, security and compliance solutions that organizations have developed internally. As we continue to extend our cloud platform’s functionality by further developing IT, security and compliance solutions, such as web application scanning and firewalls, we expect to face additional competition in these new markets.
We believe that the principal competitive factors affecting our markets include product functionality, breadth of offerings, flexibility of delivery models, ease of deployment and use, total cost of ownership, scalability and performance, customer support and extensibility of platform. We believe that our suite of solutions generally competes favorably with respect to these factors. However, many of our primary competitors have greater name recognition, longer operating histories, more established customer relationships, larger marketing budgets and significantly greater resources than we do.
Intellectual Property
We rely on a combination of trade secrets, copyrights, patents and trademarks, as well as contractual protections, to establish and protect our intellectual property rights and protect our proprietary technology. As of December 31, 2021, we have twenty-six issued patents, which expire from 2029 to 2039, several pending U.S. patent applications and an exclusive license to four U.S. patents. The inbound license remains in effect until the licensed patents are no longer enforceable, unless the applicable license agreement is first terminated by us or terminated by the licensor for a breach of the agreement or if we undergo certain bankruptcy events. The licenses are currently exclusive and will remain exclusive so long as we make an appropriately-timed written election and pay an annual fixed royalty for ten years thereafter. These exclusive licenses are subject to the licensor’s reservation of certain rights in the patents and subject to the U.S. government’s reserved rights in the technology. We have a number of registered and unregistered trademarks. We require our employees, consultants and other third parties to enter into confidentiality and proprietary rights agreements and control access to software, documentation and other proprietary information. We view our trade secrets and know-how as a significant component of our intellectual property assets, as we have spent years designing and developing the Qualys Cloud Platform, which we believe differentiates us from our competitors.
We expect that software and other solutions in our industry may be subject to third-party infringement claims as the number of competitors grows and the functionality of products in different industry segments overlaps. Any of these third parties might make a claim of infringement against us at any time.
Human Capital Resources
We take a holistic approach to our human capital management strategy, striving to create a culture where talented people want to come to work, develop their careers, become leaders, and make a difference for all our stakeholders and communities. Doing the right thing for our people, our communities and our environment upholds the trust of our customers, partners, employees, and stockholders, enabling us to grow our business profitably and meet the diverse needs of our constituents.
As of December 31, 2021, we had 1,823 full-time employees, including 941 in research and development, 308 in sales and marketing, 402 in operations and customer support, and 172 in general and administrative. As of December 31, 2021, approximately 75% of our employees were located outside of the United States, with 67% of our employees located in Pune, India. None of our U.S. employees are covered by collective bargaining agreements. Employees in certain European countries and Brazil have collective bargaining arrangements at the national level. We believe our employee relations are good, and we have not experienced any work stoppages.
Diversity and Inclusion
We are proud to be a leader in the promotion and practice of diversity and inclusion. In addition to having offices and employees all over the world, we take pride in our cultural diversity. Qualys searches the globe for top talent in an effort to recruit and hire diverse individuals with a variety of skills, experiences, and backgrounds. Our objective is to continue to improve our hiring, development, advancement, and retention of diverse talent and to foster an inclusive environment.
Our board of directors and executive team are highly diverse. Three out of our current eight member board of directors are women, one is a man from an underrepresented community, and the board of directors seeks to identify strong candidates who provide a wide range of perspectives, competencies, and knowledge to complement the skills, diversity and experiences of the board of directors. Further, our executive team is gender and ethnically diverse, with more than 50% of the executive team from underrepresented communities.
Health and Safety
We recognize that a healthy environment and safe workplaces are critical to our business, strategy, and communities. We address environmental issues in an integrated manner to encompass protection of the environment as well as the health and safety of our workforce. For example, in response to COVID-19 and the significant increases in remote workforces in March 2020, we mandated a work from home policy to protect our employees and our communities. We also released a free cloud-based remote endpoint protection solution for 60 days that allowed IT and security teams to protect the computers of remote employees and support the health and safety of our communities.
With the ongoing COVID-19 pandemic, our workforce continues to operate remotely, and our top priority remains providing support for our employees, partners, and customers. We are fortunate that the nature of our business allows us to successfully operate in this dynamic work-from-home environment. We have been able to successfully adapt to the current challenges and deliver results despite the pandemic while continuing to protect the health and safety of our workforce and customers.
We require our employees and managers to participate in myriad training programs directed at maintaining a harassment-free, diverse, and secure workplace. With our diverse employee population, we uphold the rights to work in an environment that promotes equal opportunity and prohibits discriminatory practices against race, color, national origin, ancestry, medical condition, religious creed (including religious dress and grooming practices), marital status, registered domestic partner status, sex, sexual orientation, gender identity and expression, genetic characteristics and information, age, veteran status, or any other protected characteristic. Creating a respectful workplace and preventing harassment to our employees remain our on-going commitment.
Compensation and Benefits
We provide robust compensation and benefits to our employees. In addition to competitive base salaries, all qualified employees are eligible for variable pay and equity awards.
To support the health and wellness of our workforce, we offer premium health coverage with minimal out-of-pocket contributions for our global employees.
Training and Development
We have experience with managing and developing a rapidly growing employee base. We believe every employee makes a difference, so we empower them in their roles and support them for maximum professional growth. We assist employees in achieving their career goals by helping them improve their skillsets and transition to other challenging roles. To support career growth inside and outside Qualys, we offer free self-paced or instructor-led certified training on core Qualys topics giving employees and non-employees an opportunity to achieve certifications.
Available Information
Our principal executive offices are located at 919 E. Hillsdale Blvd., 4th Floor, Foster City, California 94404. The telephone number of our principal executive offices is (650) 801-6100, and our main corporate website is www.qualys.com. Information contained on, or that can be accessed through, our website, does not constitute part of this Annual Report on Form 10-K and inclusion of our website address in this Annual Report on Form 10-K is an inactive textual reference only.
We make available our Annual Reports on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and amendments to those reports filed or furnished pursuant to Section 13(a) or Section 15(d) of the Securities Exchange Act of 1934, as amended, free of charge on our website, www.qualys.com as soon as reasonably practicable after they are electronically filed with or furnished to the
Risk Factors
An investment in our common stock involves a high degree of risk. You should carefully consider the risks and uncertainties described below, and all other information contained in this Annual Report on Form 10-K, including our consolidated financial statements and the related notes, before making a decision to invest in our common stock. Our business, operating results, financial condition, or prospects could be materially and adversely affected by any of these risks and uncertainties. In that case, the trading price of our common stock could decline, and you might lose all or part
Risks Related to Our Business and Industry
The continued spread of COVID-19, or any similar widespread infectious disease outbreak, could harm our
In December 2019, an outbreak of COVID-19 originated in Wuhan, China and has since spread to countries around the world. On March 11, 2020, the World Health Organization characterized COVID-19 as a pandemic. The continued spread of COVID-19 and the resurgence of infection rates in certain regions has resulted in authorities imposing, and businesses and individuals implementing, numerous unprecedented measures to try to contain the virus, such as travel bans and restrictions, quarantines, shelter-in-place/stay-at-home and social distancing orders, and shutdowns. These measures have impacted and may further impact our workforce and operations, the operations of our
The ultimate extent of the impact of COVID-19 on our
Our quarterly operating results may vary from period to period, which could result in our failure to meet expectations with respect to operating results and cause the trading price of our stock to decline.
Our operating results have historically varied from period to period, and we expect that they will continue to do so as a result of a number of factors, many of which are outside of our control, including:
Further, the regulations. Each factor above or discussed elsewhere in this Annual Report on Form 10-K or the cumulative effect of some of these factors may result in fluctuations in our operating results. This variability and unpredictability could result in our failure to meet expectations with respect to operating results, or those of securities analysts or investors, for a particular period. In addition, a significant percentage of our operating expenses are fixed in nature and based on forecasted trends in revenues. Accordingly, in the event of shortfalls in revenues, we are generally unable to mitigate the negative impact on margins in the short term by reducing our operating expenses. If we fail to meet or exceed expectations for our operating results for these or any other reasons, the trading price of our common stock could fall and we could face costly lawsuits, including securities class action suits.
If we do not successfully anticipate market needs and opportunities or are unable to enhance our solutions and develop new solutions that meet those needs and opportunities on a timely or cost-effective basis, we may not be able to compete effectively and our business and financial condition may be harmed.
The IT, security and compliance market is characterized by rapid technological advances, customer price sensitivity, short product and service life cycles, intense competition, changes in customer requirements, frequent new product introductions and enhancements and evolving industry standards and regulatory mandates. Any of these factors could create downward pressure on pricing and gross margins, and could adversely affect our renewal rates, as well as our ability to attract new customers.
Our future success will depend on our ability to enhance existing solutions, introduce new solutions on a timely and cost-effective basis, meet changing customer needs, extend our core technology into new applications, and anticipate and respond to emerging standards and business models. We must also continually change and improve our solutions in response to changes in operating systems, application software, computer and communications hardware, networking software, data center architectures, programming tools and computer language technology. We may not be able to anticipate future market needs and opportunities or develop enhancements or new solutions to meet such needs or opportunities in a timely manner or at all. The market for cloud solutions for IT, security and compliance
Our solution enhancements or new solutions could fail to attain sufficient market acceptance for many reasons, including:
Furthermore, diversifying our solutions and expanding into new IT, security and compliance markets will require significant investment and planning, require that our research and development and sales and marketing organizations develop expertise in these new markets, bring us more directly into competition with IT, security
If we fail to anticipate market requirements or fail to develop and introduce solution enhancements or new solutions to satisfy those requirements in a timely manner, such failure could substantially decrease or delay market acceptance and sales of our present and future solutions and cause us to lose existing customers or fail to gain new customers, which would significantly harm our business, financial condition and results of operations.
If we fail to continue to effectively scale and adapt our platform to meet the performance and other requirements of our customers, our operating results and our business would be harmed.
Our future growth depends upon our ability to continue to meet the expanding needs of our customers as their use of our cloud platform grows. As these customers gain more experience with our solutions, the number of users and the number of locations where our solutions are being accessed may expand rapidly in the future. In order to ensure that we meet the performance and other requirements of our customers, we intend to continue to make significant investments to develop and implement new proprietary and third-party technologies at all levels of our cloud platform. These technologies, which include databases, applications and server optimizations, and network and hosting strategies, are often complex, new and unproven. We may not be successful in developing or implementing these technologies. To the extent that we do not effectively scale our platform to maintain performance as our customers expand their use of our platform, our operating results and our business may be harmed.
If we harmed.
We offer our Qualys
In addition, our future growth depends in part upon increasing our customer base. Our ability to achieve significant growth in revenues in the future will depend, in large part, upon continually attracting new customers and obtaining subscription renewals to our solutions from those customers. If we fail to attract new customers, our revenues may grow more slowly than expected and our
If the market for cloud solutions for IT, security and compliance does not evolve as we anticipate, our revenues may not grow and our operating results would be harmed.
Our success depends to a significant extent on the willingness of organizations to increase their use of cloud solutions for their IT, security and compliance. To date, some organizations have been reluctant to use cloud solutions because they have concerns regarding the risks associated with the reliability or security of the technology delivery model associated with these solutions. If other cloud service providers experience security incidents, loss of customer data, disruptions in service delivery or other problems, the market for cloud solutions as a whole, including our solutions, may be negatively impacted. Moreover, many organizations have invested substantial personnel and financial resources to integrate on-premise software into their businesses, and as a result may be reluctant or unwilling to migrate to a cloud solution. Organizations that use on-premise security products, such as network firewalls, security information and event management products or data loss prevention solutions, may also believe that these products sufficiently protect their IT infrastructure and deliver adequate security. Therefore, they may continue spending their IT security budgets on these products and may not adopt our IT, security and compliance solutions in addition to or as a replacement for such products.
If customers do not recognize the benefits of our cloud solutions over traditional on-premise enterprise software products, and as a result we are unable to
Our current research and development efforts may not produce successful products or enhancements to our platform that result in significant revenue, cost savings or other benefits in the near future.
We must continue to dedicate significant financial and other resources to our research and development efforts if we are to maintain our competitive position. However, developing products and enhancements to our platform is expensive and time consuming, and there is no assurance that such activities will result in significant new marketable products or enhancements to our platform, design improvements, cost savings, revenue or other expected benefits. If we spend significant resources on research and development and are unable to generate an adequate return on our investment, our business and results of operations may be materially and adversely affected.
Our platform, website and internal systems may be subject to intentional disruption or other security incidents that could result in liability and adversely impact our reputation and future sales.
We and our service providers face threats from a variety of sources, including attacks on our networks and systems from numerous sources, including traditional “hackers,” sophisticated nation-state and nation-state supported actors, other sources of malicious code (such as viruses and worms), ransomware, social engineering, denial of service attacks, and phishing attempts. We and our service providers could be a target of cyber-attacks or other malfeasance designed to impede the performance of our solutions, penetrate our network security or the security of our cloud platform or our internal systems, misappropriate proprietary information and/or cause interruptions to our services.
We and our service providers have experienced and may continue to experience security incidents and attacks of varying degrees from time to time. For example, in December 2020, we were notified by a service provider, Accellion, of a zero-day vulnerability affecting an Accellion FTA server that we deployed to transfer information as part of our customer support system. In response to this incident, we engaged third-party forensic experts to investigate and determined that attackers illegally obtained certain information from the Accellion FTA server. We notified affected customers, as we deemed was required or appropriate. We have incurred costs to respond to this incident and may continue to incur costs to support our efforts to enhance our security measures. Our solutions, platforms, and system, and those of our service providers, may also suffer security incidents as a result of non-technical issues, including intentional or inadvertent acts or omissions by our employees or service providers. With the increase in personnel working remotely during the current COVID-19 pandemic, we and our service providers are at increased risk for security breaches. We have taken and intend to continue to take steps to monitor and enhance the security of our solutions, cloud platform, and other relevant systems, IT infrastructure, networks, and data; however, the unprecedented scale of remote work may require additional personnel and resources, which nevertheless cannot be guaranteed to fully safeguard our solutions, our
Although we maintain insurance coverage that may reputation.
Our sales cycle can be long and unpredictable, and our sales efforts require considerable time and expense. As a result, revenues may vary from period to period, which may cause our operating results to fluctuate and could harm our business.
The timing of sales of subscriptions for our solutions can be difficult to forecast because of the length and unpredictability of our sales cycle, particularly with large transactions. We sell subscriptions to our IT, security and compliance solutions primarily to IT departments that are managing a growing set of user and compliance demands, which has increased the complexity of customer requirements to be met and confirmed during the sales cycle and prolonged our sales cycle. Further, the length of time that potential customers devote to their testing and evaluation, contract negotiation and budgeting processes varies significantly, which has also made our sales cycle long and unpredictable. The length of the sales cycle for our solutions typically ranges from six to twelve months but can be more than eighteen months. In addition, we might devote substantial time and effort to a particular unsuccessful sales effort, and as a result we could lose other sales opportunities or incur expenses that are not offset by an increase in revenues, which could harm our business.
Adverse economic conditions or reduced IT spending may adversely impact our business.
Our business depends on the overall demand for IT and on the economic health of our current and prospective customers. Economic weakness, customer financial difficulties, and constrained spending on IT security may result in decreased revenue and earnings. Such factors could make it difficult to accurately forecast our sales and operating results and could negatively affect our ability to provide accurate forecasts to our contract manufacturers. In addition, continued governmental budgetary challenges in the United States and Europe and geopolitical turmoil in many parts of the world have and may continue to put pressure on global economic conditions and overall spending on IT security.
General economic weakness may also lead to longer collection cycles for payments due from our customers, an increase in customer bad debt, restructuring initiatives and associated expenses, and impairment of investments. Furthermore, the continued weakness and uncertainty in worldwide credit markets, including the sovereign debt situation in certain countries in the European Union, may adversely impact our customers' available budgetary spending, which could lead to delays in planned purchases of our solutions. Additionally, uncertainties related to changes in public policies such as domestic and international regulations, taxes or international trade agreements as well as geopolitical turmoil and other disruptions to global and regional economies and markets in many parts of the world, have and may continue to put pressure on global economic conditions and overall spending on IT security. We have operations, as well as current and potential customers, throughout most of Europe. If economic conditions in Europe and other key markets for our platform continue to remain uncertain or deteriorate further, many customers may delay or reduce their IT spending. Uncertainty about future economic conditions also makes it difficult to forecast operating results and to make decisions about future investments. Future or continued economic weakness for us or our customers, failure of our customers and markets to recover from such weakness, customer financial difficulties, and reductions in spending on IT security could have a material adverse effect on demand for our platform and consequently on our business, financial condition and results of operations.
Our IT, security and compliance solutions are delivered from
We currently host substantially all of our solutions from third-party
Some of our
Additionally, our existing
Any disruptions or other performance problems with our solutions could harm our reputation and business and may damage our customers’ businesses.
Interruptions in our service delivery might reduce our revenues, cause us to issue credits to customers, subject us to potential liability and cause customers to terminate their subscriptions or not renew their subscriptions.
We face competition in our markets, and we may lack sufficient financial or other resources to maintain or improve our competitive position.
We compete with a large range of established and emerging vulnerability management vendors, compliance vendors and data security vendors in a highly fragmented and competitive environment. We face significant competition for each of our solutions from companies with broad product suites and greater name recognition and resources than we have, as well as from small companies focused on specialized security solutions. We compete with large and small public companies, such as
We believe that the principal competitive factors affecting our markets include product functionality, breadth of offerings, flexibility of delivery models, ease of deployment and use, total cost of ownership, scalability and performance, customer support and extensibility of platform. Many of our existing and potential competitors have competitive advantages, including:
As a result, our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards or customer requirements. With the introduction of new technologies, the evolution of our service and new market entrants, we expect competition to intensify in the future. In addition, some of our larger competitors have substantially broader product offerings and can bundle competing products and services with other software offerings. As a result, customers may choose a bundled product offering from our competitors, even if individual products have more limited functionality than our solutions. These competitors may also offer their products at a lower price as part of this larger sale, which could increase pricing pressure on our solutions and cause the average sales price for our solutions to decline. These larger competitors are also often in a better position to withstand any significant reduction in capital spending and will therefore not be as susceptible to economic downturns. Furthermore, our current and potential competitors may establish cooperative relationships among themselves or with third parties that may further enhance their resources and product and services offerings in the markets we address. In addition, current or potential competitors may be acquired by third parties with greater available resources. As a result of such relationships and acquisitions, our current or potential competitors might be able to adapt more quickly to new technologies and customer needs, devote greater resources to the promotion or sale of their products and services, initiate or withstand substantial price competition, take advantage of other opportunities more readily or develop and expand their product and service offerings more quickly than we do. For all of these reasons, we may not be able to compete successfully against our current or future competitors. 
The sales prices of our solutions are subject to competitive pressures and may decrease, which may reduce our gross profits and adversely impact our financial results.
The sales prices for our solutions may decline for a variety of reasons, including competitive pricing pressures, discounts, a change in our mix of solutions and subscriptions, anticipation of the introduction of new solutions or subscriptions, or promotional programs. Competition continues to increase in the market segments in which we participate, and we expect competition to further increase in the future, thereby leading to increased pricing pressures. Larger competitors with more diverse product and service offerings may reduce the price of products or subscriptions that compete with ours or may bundle them with other products and subscriptions. Additionally, although we price our products and subscriptions worldwide in U.S. Dollars, Euros, British Pounds, Canadian Dollars, Japanese Yen and Indian Rupee, currency fluctuations in certain countries and regions may negatively impact actual prices that partners and customers are willing to pay in those countries and regions, or the effective prices we realize in our reporting currency. We cannot assure you that we will be successful in developing and introducing new offerings with enhanced functionality on a timely basis, or that our new product and subscription offerings, if introduced, will enable us to maintain our prices and gross profits at levels that will allow us to maintain positive gross margins and profitability.
If our solutions fail to help our customers achieve and maintain compliance with regulations and industry standards, our revenues and operating results could be harmed.
We generate a portion of our revenues from solutions that help organizations achieve and maintain compliance with regulations and industry standards.
For example, many of our customers subscribe to our IT, security and compliance solutions to help them comply with the security standards developed and maintained by the Payment Card Industry Security Standards Council, or the PCI Council, which apply to companies that store cardholder data. Industry organizations like the PCI Council may significantly change their security standards with little or no notice, including changes that could make their standards more or less onerous for businesses. Governments may also adopt new laws or regulations, or make changes to existing laws or regulations, that could impact the demand for or value of our solutions. If we are unable to adapt our solutions to changing regulatory standards in a timely manner, or if our solutions fail to assist with or expedite our customers’ compliance initiatives, our customers may lose confidence in our solutions and could switch to products offered by our competitors. In addition, if regulations and standards related to data security, vulnerability management and other IT, security and compliance requirements are relaxed or the penalties for non-compliance are changed in a manner that makes them less onerous, our customers may view government and industry regulatory compliance as less critical to their businesses, and our customers may be less willing to purchase our solutions. In any of these cases, our revenues and operating results could be harmed.
If our solutions fail to detect vulnerabilities or incorrectly detect vulnerabilities, our brand and reputation could be harmed, which could have an adverse effect on our business and results of operations.
If our solutions fail to detect vulnerabilities in our customers’ IT infrastructures, or if our solutions fail to identify and respond to new and increasingly complex methods of attacks, our business and reputation may suffer. There is no guarantee that our solutions will detect all vulnerabilities.
Additionally, our IT, security and compliance solutions may falsely detect vulnerabilities or threats that do not actually exist. For example, some of our solutions rely on information on attack sources aggregated from third-party data providers who monitor global malicious activity originating from a variety of sources, including anonymous proxies, specific IP addresses, botnets and phishing sites. If the information from these data providers is inaccurate, the potential for false indications of security vulnerabilities increases. These false positives, while typical in the industry, may impair the perceived reliability or usability of our solutions and may therefore adversely impact market acceptance of our solutions and could result in negative publicity, loss of customers and sales, increased costs to remedy any incorrect information or problem, or claims by aggrieved parties. Similar issues may be generated by the misuse of our tools to identify and exploit vulnerabilities. Further, our solutions sometimes are tested against other security products, and may fail to perform as effectively, or to be perceived as performing as effectively, as competitive products for any number of reasons, including misconfiguration. To the extent current or potential customers, channel partners, or others believe there has been an occurrence of an actual or perceived failure of our solutions to detect a vulnerability or otherwise to function as effectively as competitive products in any particular test, or indicates our solutions do not provide significant value, our business, competitive position, and reputation could be harmed. In addition, our solutions do not currently extend to cover all mobile
An actual or perceived security breach or theft of the sensitive data of one of our customers, regardless of whether the breach is attributable to the failure of our solutions, could adversely affect the market’s perception of our security solutions.
If we are unable to continue the expansion of our sales force, sales of our solutions and the growth of our business would be harmed.
We believe that our growth will depend, to a significant extent, on our success in recruiting and retaining a sufficient number of qualified sales personnel and their ability to obtain new customers, manage our existing customer base and expand the sales of our newer solutions. We plan to continue to expand our sales force and make a significant investment in our sales and marketing activities. Our recent hires and planned hires may not become as productive as quickly as we would like, and we may be unable to hire or retain sufficient numbers of qualified individuals in the future in the competitive markets where we do business. Competition for highly skilled personnel is frequently intense
We rely on third-party channel partners to generate a substantial amount of our revenues, and if we fail to expand and manage our distribution channels, our revenues could decline and our growth prospects could suffer.
Our success significantly depends upon establishing and maintaining relationships with a variety of channel partners and we anticipate that we will continue to depend on these partners in order to grow our business. For the years ended December 31,
In addition, the financial health of our channel partners and our continuing relationships with them are important to our success. Some of these channel partners may be unable to withstand adverse changes in economic conditions, which could result in insolvency and/or the inability of such distributors to obtain credit to finance purchases of our products and services. In addition, weakness in the end-user market could negatively affect the cash flows of our channel partners who could, in turn, delay paying their obligations to us, which would increase our credit risk exposure.
Our business could be harmed if the financial condition of some of these channel partners substantially weakened and we were unable to timely secure replacement channel partners. A significant portion of our customers, channel partners and employees are located outside of the United States, which subjects us to a number of risks associated with conducting international operations, and if we are unable to successfully manage these risks, our business and operating results could be harmed. We market and sell subscriptions to our solutions throughout the world and have personnel in many parts of the world. In addition, we have sales offices and research and development facilities outside the United States and we conduct, and expect to continue to conduct, a significant amount of our business with organizations that are located outside the United States, particularly in Europe and Asia. Therefore, we are subject to risks associated with having international sales and worldwide operations, including:
Our business, including the sales of subscriptions of our solutions, may be subject to foreign governmental regulations, which vary substantially from country to country and change from time to time. Failure to comply with these regulations could adversely affect our business. Further, in many foreign countries it is common for others to engage in business practices that are prohibited by our internal policies and procedures or U.S. regulations applicable to us. Although we have implemented policies and procedures designed to ensure compliance with these laws and policies, there can be no assurance that all of our employees, contractors, channel partners and agents have complied or will comply with these laws and policies. Violations of laws or key control policies by our employees, contractors, channel partners or agents could result in delays in revenue recognition, financial reporting misstatements, fines, penalties or the prohibition of the importation or exportation of our solutions and could have a material adverse effect on our business and results of operations. If we are unable to successfully manage the challenges of international operations, our business and operating results could be adversely affected. In addition, as of December 31, 2021, approximately 75% of our employees were located outside of the United States, with 67% of our employees located in Pune, India. Accordingly, we are exposed to changes in laws governing our employee relationships in various U.S. and foreign jurisdictions, including laws and regulations regarding wage and hour requirements, fair labor standards, employee data privacy, unemployment tax rates, workers’ compensation rates, citizenship requirements and payroll and other taxes which may have a direct impact on our operating costs. We may continue to expand our international operations and international sales and marketing activities.
Expansion in international markets has required, and will continue to require, significant management attention and resources. We may be unable to scale our infrastructure effectively or as quickly as our competitors in these markets and our revenues may not increase to offset any increased costs and operating expenses, which would cause our results to suffer. We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations. Our reporting currency is the U.S. dollar and we generate a majority of our revenues in U.S. dollars. However, for the year ended December 31, 2021, we incurred approximately 28% of our expenses in foreign currencies, primarily Euros, British Pounds, and Indian Rupee, principally with respect to salaries and related personnel expenses associated with our European and Indian operations. Additionally, for the year ended December 31, 2021, approximately 23% of our revenues were generated in foreign currencies. Accordingly, changes in exchange rates may have a material adverse effect on our business, operating results and financial condition. The exchange rate between the U.S. dollar and foreign currencies has fluctuated substantially in recent years and may continue to fluctuate substantially in the future. We expect that a majority of our revenues will continue to be generated in U.S. dollars for the foreseeable future and that a significant portion of our expenses, including personnel costs, as well as capital and operating expenditures, will continue to be denominated in the Euro, British Pound and Indian Rupee. The results of our operations may be adversely affected by foreign exchange fluctuations. We use derivative financial instruments to reduce our foreign currency exchange risks. We use foreign currency forward contracts to mitigate the impact of foreign currency fluctuations of certain non-U.S. 
dollar denominated net asset positions, to date primarily cash, accounts receivable and operating lease liabilities (non-designated), as well as to manage foreign currency fluctuation risk related to forecasted transactions (designated). However, we may not be able to purchase derivative instruments that are adequate to insulate ourselves from foreign currency exchange risks. Additionally, our hedging activities may contribute to increased losses as a result of volatility in foreign currency markets.
Our business and operations have experienced significant growth, and if we do not appropriately manage any future growth, or are unable to improve our systems and processes, our operating results may be negatively affected.
We have experienced significant growth over the last several years. Our revenues grew from $321.6 million in 2019 to $411.2 million in 2021, and our headcount increased from 1,194 employees at the beginning of 2019 to 1,823 employees as of December 31, 2021. We rely on information technology systems to help manage critical functions such as order processing, revenue recognition and financial forecasts. To manage any future growth effectively we must continue to improve and expand our IT systems, financial infrastructure, and operating and administrative systems and controls, and continue to manage headcount, capital and processes in an efficient manner. We may not be able to successfully implement improvements to these systems and processes in a timely or efficient manner. Our failure to improve our systems and processes, or their failure to operate in the intended manner, may result in our inability to manage the growth of our business and to accurately forecast our revenues, expenses and earnings, or to prevent certain losses. In addition, as we continue to grow, our productivity and the quality of our solutions may also be adversely affected if we do not integrate and train our new employees quickly and effectively.
Any future growth would add complexity to our organization and require effective coordination across our organization. Failure to manage any future growth effectively could result in increased costs, harm our results of operations and lead to investors losing confidence in our internal systems and processes. We depend on the continued services and performance of our senior management and other key employees, the loss of any of whom could adversely affect our business, operating results and financial condition. Our future performance depends on the continued services and continuing contributions of our senior management and other key employees, to execute on our business plan and to identify and pursue new opportunities and product innovations. We do not maintain key-man insurance for any member of our senior management team. Our senior management and key employees are generally employed on an at-will basis, which means that they could terminate their employment with us at any time. From time to time, there may be changes in our senior management team resulting from the termination or departure of executives. For example, our former chief executive officer resigned for health reasons in March 2021, and our current chief executive officer was appointed to the role in April 2021. The loss of the services of our senior management or other key employees for any reason could significantly delay or prevent the achievement of our development and strategic objectives and harm our business, financial condition and results of operations. If we are unable to hire, retain and motivate qualified personnel, our business may suffer. Our future success depends, in part, on our ability to continue to attract and retain highly skilled personnel. 
The loss of the services of any of our key personnel, the inability to attract or retain qualified personnel or delays in hiring required personnel, particularly in engineering and sales, may seriously harm our business, financial condition and results of operations. Any of our employees may terminate their employment at any time. Competition for highly skilled personnel is frequently intense, especially within our industry, and we may not be able to compete for such personnel. We are required under accounting principles generally accepted in the United States (U.S. GAAP) to recognize compensation expense in our operating results for employee stock-based compensation under our equity grant programs, which may negatively impact our operating results and may increase the pressure to limit stock-based compensation that we might otherwise offer to current or potential employees, thereby potentially harming our ability to attract or retain highly skilled personnel. In addition, to the extent we hire personnel from competitors, we may be subject to allegations that they have been improperly solicited or divulged proprietary or other confidential information, which could result in a diversion of management's time and our resources. A portion of our revenues are generated by sales to government entities, which are subject to a number of challenges and risks. Government entities have historically been particularly concerned about adopting cloud-based solutions for their operations, including security solutions, and increasing sales of subscriptions for our solutions to government entities may be more challenging than selling to commercial organizations. Selling to government entities can be highly competitive, expensive and time-consuming, often requiring significant upfront time and expense without any assurance that we will win a sale. 
We have invested in the creation of a cloud offering certified under the Federal Information Security Management Act for government usage but we cannot be sure that we will continue to sustain or renew this certification, that the government will continue to mandate such certification or that other government agencies or entities will use this cloud offering. Government demand and payment for our solutions may be impacted by public sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our solutions. Government entities may have contractual or other legal rights to terminate contracts with our channel partners for convenience or due to a default, and any such termination may adversely impact our future results of operations. Governments routinely investigate and audit government contractors’ administrative processes, and any unfavorable audit could result in the government refusing to continue buying our solutions, a reduction of revenues or fines or civil or criminal liability if the audit uncovers improper or illegal activities. Any such penalties could adversely impact our results of operations in a material way. Our success in acquiring and integrating other businesses, products or technologies could impact our financial position. In order to remain competitive, we have in the past and may in the future seek to acquire additional businesses, products, services or technologies. For example, we acquired Adya on January 10, 2019, certain intellectual property of Spell Security on July 24, 2020, and certain intellectual property of TotalCloud on August 19, 2021. The environment for acquisitions in our industry is very competitive and acquisition candidate purchase prices may exceed what we would prefer to pay. 
Moreover, achieving the anticipated benefits of future acquisitions will depend in part upon whether we can integrate acquired operations, products and technology in a timely and cost-effective manner, and even if we achieve benefits from acquisitions, such acquisitions may still be viewed negatively by customers, financial markets or investors. The acquisition and integration process is complex, expensive and time-consuming, and may cause an interruption of, or loss of momentum in, product development and sales activities and operations of both companies, as well as divert the attention of management, and we may incur substantial cost and expense. We may issue equity securities which could dilute current stockholders’ ownership, incur debt, assume contingent or other liabilities and expend cash in acquisitions, which could negatively impact our financial position, stockholder equity and stock price. We may not find suitable acquisition candidates, and acquisitions we complete may be unsuccessful. If we consummate a transaction, we may be unable to integrate and manage acquired products and businesses effectively or retain key personnel. If we are unable to effectively execute acquisitions, our business, financial condition and operating results could be adversely affected. We rely on software-as-a-service vendors to operate certain functions of our business and any failure of such vendors to provide services to us could adversely impact our business and operations. We rely on third-party software-as-a-service vendors to operate certain critical functions of our business, including financial management and human resource management. 
If these services become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms or prices, our expenses could increase, our ability to manage our finances could be interrupted and our processes for managing sales of our solutions and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and integrated, all of which could harm our business. Delays or interruptions in the manufacturing and delivery of our physical scanner appliances by our sole source manufacturer may harm our business. Upon customer request, we provide physical or virtual scanner appliances on a subscription basis as an additional capability to the customer’s subscription for use during their subscription term. Our physical scanner appliances are built by a single manufacturer. Our reliance on a sole manufacturer involves several risks, including a potential inability to obtain an adequate supply of physical scanner appliances and limited control over pricing, quality and timely deployment of such scanner appliances. In addition, replacing this manufacturer may be difficult and could result in an inability or delay in deploying our solutions to customers that request physical scanner appliances as part of their subscriptions. Furthermore, our manufacturer’s ability to timely manufacture and ship our physical scanner appliances depends on a variety of factors, such as the availability of hardware components, supply shortages or contractual restrictions. In the event of an interruption from this manufacturer, we may not be able to develop alternate or secondary sources in a timely manner. If we are unable to purchase physical scanner appliances in quantities sufficient to meet our requirements on a timely basis, we may not be able to effectively deploy our solutions to new customers that request physical scanner appliances, which could harm our business. 
Incorrect or improper implementation or use of our solutions could result in customer dissatisfaction and harm our business and reputation. If our customers are unable to implement our solutions successfully, customer perceptions of our platform and solutions may be impaired or our reputation and brand may suffer. Our customers have in the past inadvertently misused our solutions, which triggered downtime in their internal infrastructure until the problem was resolved. Additionally, any failure to implement and configure our solutions correctly may result in our solutions failing to detect vulnerabilities or compliance issues, or otherwise to perform effectively, and may result in disruptions to our customers’ IT environments and businesses. Any misuse of our solutions, including any failure to implement and configure them appropriately, could result in disruption to our customers’ businesses, customer dissatisfaction, negative impacts on the perceived reliability or effectiveness of our solutions, and claims and litigation, and may result in negative press coverage, negative effects on our reputation and competitive position, a loss of sales, customers, and channel partners, and harm our financial results. We recognize revenues from subscriptions over the term of the relevant service period, and therefore any decreases or increases in bookings are not immediately reflected in our operating results. We recognize revenues from subscriptions over the term of the relevant service period, which is typically one year. As a result, most of our reported revenues in each quarter are derived from the recognition of deferred revenues relating to subscriptions entered into during previous quarters. Consequently, a shortfall in demand for our solutions in any period may not significantly reduce our revenues for that period, but could negatively affect revenues in future periods. 
Accordingly, the effect of significant downturns in bookings may not be fully reflected in our results of operations until future periods. We may be unable to adjust our costs and expenses to compensate for such a potential shortfall in revenues. Our subscription model also makes it difficult for us to rapidly increase our revenues through additional bookings in any period, as revenues are recognized ratably over the subscription period. Our business is subject to the risks of earthquakes, fire, power outages, floods and other catastrophic events, and to interruption by man-made problems such as terrorism. A significant natural disaster, such as an earthquake, fire or a flood, or a significant power outage could have a material adverse impact on our business, operating results and financial condition. Our corporate headquarters and a significant portion of our operations are located in the San Francisco Bay Area, a region known for seismic activity. In addition, natural disasters could affect our business partners’ ability to perform services for us on a timely basis. In the event we or our business partners are hindered by any of the events discussed above, our ability to provide our solutions to customers could be delayed, resulting in our missing financial targets, such as revenues and net income, for a particular quarter. Further, if a natural disaster occurs in a region from which we derive a significant portion of our revenues, customers in that region may delay or forego subscriptions of our solutions, which may materially and adversely impact our results of operations for a particular period. In addition, acts of terrorism could cause disruptions in our business or the business of our business partners, customers or the economy as a whole. All of the aforementioned risks may be exacerbated if the disaster recovery plans for us and our suppliers prove to be inadequate. 
To the extent that any of the above results in delays of customer subscriptions or commercialization of our solutions, our business, financial condition and results of operations could be adversely affected. Risks Related to Intellectual Property, Legal, Tax and Regulatory Matters Undetected software errors or flaws in our solutions could harm our reputation, decrease market acceptance of our solutions or result in liability. Our solutions may contain undetected errors or defects when first introduced or as new versions are released. We have experienced these errors or defects in the past in connection with new solutions and solution upgrades and we expect that these errors or defects will be found from time to time in the future in new or enhanced solutions after commercial release of these solutions. Since our customers use our solutions for IT, security and compliance reasons, any errors, defects, disruptions in service or other performance problems with our solutions, or any other failure of our solutions to detect vulnerabilities or compliance problems or otherwise to perform effectively, may result in disruptions or damage to the business of our customers, including security breaches or compliance failures. Additionally, any such issues, or the perception that they have occurred, whether or not relating to any actual or perceived error or defect in our solutions, could hurt our reputation and competitive position and we may incur significant costs, the attention of key personnel could be diverted, our customers may delay or withhold payment to us or elect not to renew, we could face a loss of sales, customers, and channel partners, and other significant problems with our relationships with customers and channel partners may arise. We may also be subject to liability claims for damages related to actual or perceived errors or defects in our solutions. 
A material liability claim or other occurrence that harms our reputation or decreases market acceptance of our solutions may harm our business, competitive and financial position, and operating results. Although we maintain insurance coverage that may be applicable to certain liabilities in connection with these matters, we cannot be certain that our insurance coverage will be adequate for liabilities that actually are incurred, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material and adverse effect on our business, including our financial condition, operating results and reputation. Our solutions could be used to collect and store personal information of our customers’ employees or customers, and therefore privacy and other data handling concerns could result in additional cost and liability to us or inhibit sales of our solutions. We collect the names and email addresses of our customers in connection with subscriptions to our solutions. Additionally, the data that our solutions collect to help secure and protect the IT infrastructure of our customers may include additional personal or confidential information of our customers’ employees and their customers. Personal privacy has become a significant issue in the United States and in many other countries where we offer our solutions. The regulatory framework for privacy issues worldwide is currently evolving and is likely to remain uncertain for the foreseeable future. 
Many federal, state and foreign government bodies and agencies have adopted or are considering adopting laws and regulations regarding the collection, use, disclosure and retention of personal information. In the United States, these include, for example, rules and regulations promulgated under the authority of the Federal Trade Commission, the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act, and state breach notification laws. Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal framework with which we or our customers must comply. These privacy, data protection and information security laws and regulations may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. Additionally, new laws and regulations relating to privacy and data protection continue to be proposed and enacted. For example, the European Union has adopted the Global Data Protection Regulation (“GDPR”). This regulation, which took effect in May of 2018, provides for substantial obligations relating to the handling, storage and other processing of data relating to individuals and administrative fines for violations, which can be up to four percent of the previous year’s annual revenue or €20 million, whichever is higher. The GDPR may be subject to new or changing interpretations by courts, and our interpretation of the law and efforts to comply with the rules and regulations of the law may be ruled invalid. Similarly, the California Consumer Privacy Act (“CCPA”) requires covered companies to, among other things, provide new disclosures to California consumers and affords such consumers new rights to opt-out of certain sales of personal information. The CCPA also creates a private right of action for statutory damages for certain breaches of information. 
Certain aspects of the CCPA and its interpretation remain uncertain and are likely to remain uncertain for an extended period. Additionally, a new privacy law, the California Privacy Rights Act (“CPRA”), was approved by voters in the November 3, 2020 election. The CPRA modifies the CCPA significantly, creating obligations relating to consumer data beginning on January 1, 2022, with implementing regulations expected on or before July 1, 2022, and enforcement beginning July 1, 2023. Passage of the CPRA has resulted in further uncertainty and may require us to incur additional costs and expenses in an effort to comply. In addition, other states have enacted or proposed legislation that regulates the collection, use, and sale of personal information, and such regimes might not be compatible with the GDPR, the CCPA or the CPRA or may require us to undertake additional practices. Accordingly, we cannot yet predict the impact of the CCPA, CPRA or other evolving privacy and data protection obligations on our business or operations, but it may require us to modify our data processing practices and policies and incur substantial costs and expenses in an effort to comply. The privacy, data protection, and information security laws and regulations we must comply with also are subject to change. For example, the United Kingdom enacted a Data Protection Act in May 2018 that substantially implements the GDPR, but the United Kingdom's exit from the European Union, commonly referred to as “Brexit,” could lead to further legislative and regulatory changes. It remains unclear how United Kingdom data protection laws or regulations will develop in the medium to longer term and how data transfers to and from the United Kingdom will be regulated. Additionally, we have joined the EU-U.S. Privacy Shield Framework and a related program, the Swiss-U.S.
Privacy Shield Framework and make use of certain standard contractual clauses (the “SCCs”) approved by the European Commission, with regard to certain transfers of personal data from the European Economic Area (“EEA”) to the U.S. Both the EU-U.S. Privacy Shield Framework and SCCs have been subject to legal challenge. We continue to analyze the July 2020 “Schrems II” decision by the Court of Justice of the European Union (“CJEU”) and its impact on our data transfer mechanisms as well as subsequent guidance from data privacy regulators and new SCCs published by the European Commission in June 2021, and we may find it necessary or appropriate to take different or additional steps with respect to transfers of personal data, which may result in increased costs of compliance and limitations on our customers and us. We may be unsuccessful in maintaining legitimate means for our transfer and receipt of personal data from the EEA or Switzerland. We may experience reluctance or refusal by current or prospective European customers to use our products, and we and our customers may face a risk of enforcement actions by data protection authorities in the EEA relating to personal data transfers to us and by us from the EEA. Any such enforcement actions could result in substantial costs and diversion of resources, distract management and technical personnel and negatively affect our business, operating results and financial condition. Some countries also are considering or have passed legislation requiring local storage and processing of data, or similar requirements, which could increase the cost and complexity of delivering our services. In addition to laws and regulations, privacy advocacy and industry groups or other private parties may propose new and different privacy standards that either legally or contractually apply to us. 
Because the interpretation and application of privacy and data protection laws, regulations, standards and contractual obligations are uncertain, it is possible that they may be interpreted and applied in a manner that is, or perceived to be, inconsistent with our data management practices or the features of our solutions. If so, in addition to the possibility of regulatory investigations and enforcement actions, fines, lawsuits and other claims, other forms of injunctive or operations-limiting relief, and damage to our reputations and loss of goodwill, we could be required to fundamentally change our business activities and practices or modify our solutions and may face limitations in our ability to develop new solutions and features, any of which could have an adverse effect on our business. Any inability to adequately address privacy concerns, even if unfounded, or any actual or perceived inability to comply with applicable privacy or data protection laws, regulations and privacy standards, could result in cost and liability to us, damage our reputation, inhibit sales of subscriptions and harm our business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and privacy standards that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our solutions. Privacy concerns, whether valid or not valid, may inhibit market adoption of our solutions particularly in certain industries and foreign countries. Our solutions contain third-party open source software components, and our failure to comply with the terms of the underlying open source software licenses could restrict our ability to sell our solutions. 
Our solutions contain software licensed to us by third parties under so-called “open source” licenses, including the GNU General Public License, Although we monitor our use of open source software in an effort both to comply with the terms of the applicable open source licenses and to avoid subjecting our solutions to conditions we do not intend, the terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our solutions. In this event, we could be required to seek
We use third-party software and data that may be difficult to replace or cause errors or failures of our solutions that could lead to lost customers or harm to our reputation and our operating results.
We license third-party software as well as security and compliance data from various third parties to deliver our solutions. In the future, this software or data may not be available to us on commercially reasonable terms, or at all. Any loss of the right to use any of this software or data could result in delays in the provisioning of our solutions until equivalent technology or data is either developed by us, or, if available, is identified, obtained and integrated, which could harm our business. In addition, any errors or defects in or failures of this third-party software or data could result in errors or defects in our solutions or cause our solutions to fail, which could harm our business and be costly to correct. Many of these providers attempt to impose limitations on their liability for such errors, defects or failures, and if enforceable, we may have additional liability to our customers or third-party providers that could harm our reputation and increase our operating costs.
We will need to maintain our relationships with third-party software and data providers, and to obtain software and data from such providers that do not contain any errors or defects. Any failure to do so could adversely impact our ability to deliver effective solutions to our customers and could harm our operating results.
Failure to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.
The success of our business depends in part on our ability to protect and enforce our trade secrets, trademarks, copyrights, patents and other intellectual property rights. We attempt to protect our intellectual property under copyright, trade secret, patent and trademark laws, and through a combination of confidentiality procedures, contractual provisions and other methods, all of which offer only limited protection. We primarily rely on our unpatented proprietary technology and trade secrets. Despite our efforts to protect our proprietary technology and trade secrets, unauthorized parties may attempt to misappropriate, reverse engineer or otherwise obtain and use them. The contractual provisions that we enter into with employees, consultants, partners, vendors and customers may not prevent unauthorized use or disclosure of our proprietary technology or intellectual property rights and may not provide an adequate remedy in the event of unauthorized use or disclosure of our proprietary technology or intellectual property rights. Moreover, policing unauthorized use of our technologies, solutions and intellectual property is difficult, expensive and time-consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in the United States and where mechanisms for enforcement of intellectual property rights may be weak.
We may be unable to determine the extent of any unauthorized use or infringement of our solutions, technologies or intellectual property rights. The process of obtaining patent protection is expensive and time-consuming, and we may not be able to prosecute all necessary or desirable patent applications at a reasonable cost or in a timely manner, if at all. We may choose not to seek patent protection for certain innovations and may choose not to pursue patent protection in certain jurisdictions. Furthermore, it is possible that our patent applications may not result in granted patents, that the scope of our issued patents will be limited or not provide the coverage originally sought, that our issued patents will not provide us with any competitive advantages, or that our patents and other intellectual property rights may be challenged by others or invalidated through administrative processes or litigation. In addition, issuance of a patent does not guarantee that we have an absolute right to practice the patented invention. As a result, we may not be able to obtain adequate patent protection or to enforce our issued patents effectively. From time to time, legal action by us may be necessary to enforce our patents and other intellectual property rights, to protect our trade secrets, to determine the validity and scope of the intellectual property rights of others or to defend against claims of infringement or invalidity. Such litigation could result in substantial costs and diversion of resources and could negatively affect our business, operating results and financial condition. If we are unable to protect our intellectual property rights, we may find ourselves at a competitive disadvantage to others who need not incur the additional expense, time and effort required to create the innovative solutions that have enabled us to be successful to date. 
Assertions by third parties of infringement or other violations by us of their intellectual property rights could result in significant costs and harm our business and operating results.
Patent and other intellectual property disputes are common in our industry. Some companies, including some of our competitors, own large numbers of patents, copyrights and trademarks, which they may use to assert claims against us. Third parties may in the future assert claims of infringement, misappropriation or other violations of intellectual property rights against us. They may also assert such claims against our customers or channel partners whom we typically indemnify against claims that our solutions infringe, misappropriate or otherwise violate the intellectual property rights of third parties. As the numbers of products and competitors in our market increase and overlaps occur, claims of infringement, misappropriation and other violations of intellectual property rights may increase. Any claim of infringement, misappropriation or other violation of intellectual property rights by a third party, even those without merit, could cause us to incur substantial costs defending against the claim and could distract our management from our business. The patent portfolios of our most significant competitors are larger than ours. This disparity may increase the risk that they may sue us for patent infringement and may limit our ability to counterclaim for patent infringement or settle through patent cross-licenses. In addition, future assertions of patent rights by third parties, and any resulting litigation, may involve patent holding companies or other adverse patent owners who have no relevant product revenues and against whom our own patents may therefore provide little or no deterrence or protection. There can be no assurance that we will not be found to infringe or otherwise violate any third-party intellectual property rights or to have done so in the past.
An adverse outcome of a dispute may require us to:
In addition, royalty or licensing agreements, if required or desirable, may be unavailable on terms acceptable to us, or at all, and may require significant royalty payments and other expenditures. Some licenses may also be non-exclusive, and therefore our competitors may have access to the same technology licensed to us. Any of the foregoing events could seriously harm our business, financial condition and results of operations.
Governmental export or import controls could subject us to liability if we violate them or limit our ability to compete in foreign markets.
Our solutions are subject to U.S. export controls, specifically, the Export Administration Regulations and economic sanctions enforced by the Office of Foreign Assets Control. We incorporate encryption technology into certain of our solutions. These encryption solutions and the underlying technology may be exported only with the required export authorizations, including by license, a license exception or other appropriate government authorizations. U.S. export controls may require submission of an encryption registration, product classification and/or annual or semi-annual reports. Governmental regulation of encryption technology and regulation of imports or exports of encryption products, or our failure to obtain required import or export authorization for our solutions, when applicable, could harm our international sales and adversely affect our revenues. Compliance with applicable regulatory requirements regarding the export of our solutions, including with respect to new releases of our solutions, may create delays in the introduction of our solutions in international markets, prevent our customers with international operations from deploying our solutions throughout their globally-distributed systems or, in some cases, prevent the export of our solutions to some countries altogether.
In addition, various countries regulate the import of our appliance-based solutions and have enacted laws that could limit our ability to distribute solutions or could limit our customers’ ability to implement our solutions in those countries. Any new export or import restrictions, new legislation or shifting approaches in the enforcement or scope of existing regulations, or in the countries, persons or technologies targeted by such regulations, could result in decreased use of our solutions by existing customers with international operations, declining adoption of our solutions by new customers with international operations and decreased revenues. If we fail to comply with export and import regulations, we may be fined or other penalties could be imposed, including
If we are required to collect higher sales and
Taxing jurisdictions, including state and
Changes in our
We are subject to income taxes in the United States and various foreign jurisdictions, and our domestic and international tax liabilities are subject to the allocation of expenses in differing jurisdictions. Our tax rate is affected by changes in the mix of earnings and losses in countries with differing statutory tax rates, certain non-deductible expenses
Additionally, significant judgment is required in evaluating our tax positions and our worldwide
Risks Related to Ownership of Our
Market volatility may affect our stock price and the value of an investment in our common stock and could subject us to litigation.
The trading price of our common stock has been, and may continue to be, subject to significant fluctuations in response to a number of factors, most of which we cannot predict or control, including:
In addition, the stock market in general, and the stocks of technology companies such as ours in particular, have experienced substantial price and volume volatility that is often seemingly unrelated to the operating performance of particular companies. These broad market fluctuations may cause the trading price of our common stock to decline. In the past, securities class action litigation has often been brought against a company after a period of volatility in the trading price of its common stock. We may become involved in this type of litigation in the future. Any securities litigation claims brought against us could result in substantial expenses and the diversion of our management’s attention from our business.
Our actual operating results may differ significantly from our guidance.
From time to time, we have released, and may continue to release, guidance in our quarterly earnings conference calls, quarterly earnings releases, or otherwise, regarding our future performance that represents our management's estimates as of the date of release. This guidance, which includes forward-looking statements, has been and will be based on projections prepared by our management. These projections are not prepared with a view toward compliance with published guidelines of the American Institute of Certified Public Accountants, and neither our registered public accountants nor any other independent expert or outside party compiles or examines the projections. Accordingly, no such person expresses any opinion or any other form of assurance with respect to the projections. Projections are based upon a number of assumptions and estimates that, while presented with numerical specificity, are inherently subject to significant business, economic and competitive uncertainties and contingencies, many of which are beyond our control and are based upon specific assumptions with respect to future business decisions, some of which will change.
We intend to state possible outcomes as high and low ranges which are intended to provide a sensitivity analysis as variables are changed but are not intended to imply that actual results could not fall outside of the suggested ranges. The principal reason that we release guidance is to provide a basis for our management to discuss our business outlook with analysts and investors. We do not accept any responsibility for any projections or reports published by any such third parties. Guidance is necessarily speculative in nature, and it can be expected that some or all of the assumptions underlying the guidance furnished by us will not materialize or will vary significantly from actual results. Accordingly, our guidance is only an estimate of what management believes is realizable as of the date of release. Actual results may vary from our guidance and the variations may be material. In light of the foregoing, investors are urged not to rely upon our guidance in making an investment decision regarding our common stock. Any failure to successfully implement our operating strategy or the occurrence of any of the events or circumstances set forth in this “Risk Factors” section in this Annual Report on Form 10-K could result in
Future sales of shares by existing stockholders could cause our stock price to decline.
The market price of shares of our common stock could decline as a result of substantial sales of our common stock, particularly sales by our directors, executive officers, employees and significant stockholders, a large number of shares of our common stock becoming available for sale, or the perception in the market that holders of a large number of shares intend to sell their shares. As of December 31,
In addition, as of December 31,
We cannot guarantee that our
On February 12, 2018, we announced a $100.0 million stock repurchase program.
On each of October 30, 2018, October 30, 2019, May 7, 2020 and February 10, 2021, we announced that our board of directors had authorized an increase of $100.0 million, and on November 3, 2021, we announced that our board of directors had authorized an increase of $200.0 million to the share repurchase program, resulting in an aggregate authorization of $700.0 million to date. Although our board of directors authorized this stock repurchase program, we are not obligated to repurchase any specific dollar amount or to acquire any specific number of shares. The stock repurchase program could affect the price of our common stock, increase volatility and diminish our cash reserves. In addition, it may be suspended or terminated at any time, which may result in a decrease in the price of our common stock. During the year ended December 31, 2021, we repurchased 1.1 million shares of our common stock for approximately $130.0 million in total. As of December 31, 2021, approximately $271.8 million remained available for share repurchases pursuant to our share repurchase program.
We do not intend to pay dividends on our common stock and therefore any returns will be limited to the value of our stock.
We have never declared or paid any cash dividend on our common stock. We currently anticipate that we will retain future earnings for the development, operation and expansion of our business and do not anticipate declaring or paying any cash dividends for the foreseeable future. Any return to stockholders will therefore be limited to the value of their stock.
Anti-takeover provisions in our charter documents and under Delaware law could make an acquisition of us, which may be beneficial to our stockholders, more difficult and may prevent attempts by our stockholders to replace or remove our current management.
Our amended and restated certificate of incorporation and amended and restated bylaws contain provisions that may delay or prevent an acquisition of us or a change in our management. These provisions include:
In addition, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General Corporation Law, which limits the ability of stockholders owning in excess of 15% of our outstanding voting stock to merge or combine with us. Although we believe these provisions collectively provide for an opportunity to obtain greater value for stockholders by requiring potential acquirers to negotiate with our board of directors, they would apply even if an offer rejected by our board of directors were considered beneficial by some stockholders. In addition, these provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for stockholders to replace members of our board of directors, which is responsible for appointing the members of our management.
General Risk Factors
Disruptive technologies could gain wide adoption and supplant our cloud-based IT, security and compliance solutions, thereby weakening our sales and harming our results of operations.
The introduction of products and services embodying new technologies could render our existing solutions obsolete or less attractive to customers. Our business could be harmed if new IT, security and compliance technologies are widely adopted. We may not be able to successfully anticipate or adapt to changing technology or customer requirements on a timely basis, or at all. If we fail to keep up with technological changes or to convince our customers and potential customers of the value of our solutions even in light of new technologies, our business could be harmed and our revenues may decline.
We may not maintain profitability in the future.
We may not be able to sustain or increase our growth or maintain profitability in the future.
We plan to continue to invest in our infrastructure, new solutions, research and development and sales and marketing, and as a result, we cannot assure you that we will maintain profitability. We may incur losses in the future for a number of reasons, including without limitation, the other risks and uncertainties described in this Annual Report on Form 10-K. Additionally, we may encounter unforeseen operating expenses, difficulties, complications, delays and other unknown factors that may result in losses in future periods. If our revenue growth does not meet our expectations in future periods, our financial performance may be harmed and we may not again achieve or maintain profitability in the future.
Forecasts of market growth may prove to be inaccurate, and even if the markets in which we compete achieve the forecasted growth, there can be no assurance that our business will grow at similar rates, or at all.
Growth forecasts relating to the expected growth in the market for IT, security and compliance and other markets are subject to significant uncertainty and are based on assumptions and estimates which may prove to be inaccurate. Even if these markets experience the forecasted growth, we may not grow our business at similar rates, or at all. Our growth is subject to many factors, including our success in implementing our business strategy, which is subject to many risks and uncertainties. Accordingly, forecasts of market growth should not be taken as indicative of our future growth.
Our financial results are based in part on our estimates or judgments relating to our critical accounting policies. These estimates or judgments may prove to be incorrect, which could harm our operating results and result in a decline in our stock price.
The preparation of financial statements in conformity with U.S. GAAP requires management to make estimates and assumptions that affect the amounts reported in the consolidated financial statements and accompanying notes.
We base our estimates on historical experience and on various other assumptions that we believe to be reasonable under the circumstances, as provided in the section titled “Part II, Item 7 - Management’s Discussion and Analysis of Financial Condition and Results of Operations,” the results of which form the basis for making judgments about the carrying values of assets, liabilities, equity, revenues and expenses that are not readily apparent from other sources. Our operating results may be adversely affected if our assumptions change or if actual circumstances differ from those in our assumptions, which could cause our operating results to fall below the expectations of securities analysts and investors, resulting in a decline in our stock price. Significant assumptions and estimates used in preparing our consolidated financial statements include those related to revenue recognition, accounting for income taxes and stock-based compensation.
Changes in financial accounting standards may cause adverse and unexpected revenue fluctuations and impact our reported results of operations.
We prepare our financial statements in accordance with U.S. GAAP. These principles are subject to interpretation by the SEC and various bodies formed to interpret and create appropriate accounting principles. A change in these accounting standards or practices could harm our operating results and could have a significant effect on our reporting of transactions and reported results and may even retroactively affect previously reported transactions. New accounting pronouncements and varying interpretations of accounting pronouncements have occurred and may occur in the future. Changes to existing rules or the questioning of current practices may harm our operating results or require that we make significant changes to our systems, processes and controls or the way we conduct our business.
If we fail to maintain an effective system of internal control over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired.
As a public company, we are subject to the reporting requirements of the Securities Exchange Act of 1934, or the Exchange Act, the Sarbanes-Oxley Act of 2002, or the Sarbanes-Oxley Act, and the rules and regulations of the NASDAQ Stock Market. To continue to comply with the requirements of being a public company, we may need to undertake various actions, such as implementing additional internal controls and procedures and hiring additional accounting or internal audit staff. Our internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with U.S. GAAP. Our current controls and any new controls that we develop may become inadequate because of changes in conditions in our business. Any failure to maintain effective controls, or any difficulties encountered in their improvement, could harm our operating results or cause us to fail to meet our reporting obligations. Any failure to maintain effective internal control over financial reporting also could adversely affect the results of periodic management evaluations regarding the effectiveness of our internal control over financial reporting that we are required to include in our periodic reports we file with the SEC under Section 404 of the Sarbanes-Oxley Act. While we were able to assert in this Annual Report on Form 10-K that our internal control over financial reporting was effective as of December 31, 2021, we cannot predict the outcome of our testing in future periods.
If we are unable to assert in any future reporting period that our internal control over financial reporting is effective (or if our independent registered public accounting firm is unable to express an opinion on the effectiveness of our internal controls), investors may lose confidence in our operating results and our stock price could decline. In addition, if we are unable to continue to meet these requirements, we may not be able to remain listed on the NASDAQ Stock Market.
None.
Our principal executive offices are located in Foster City, California, where we occupy a 76,922 square-foot facility under a lease expiring on April 30, 2028. We also have 281,787 square feet of office space in Pune, India under a non-cancellable lease expiring in February 2025. We have additional U.S. offices in We operate